09-13-2006 07:13 PM - edited 03-09-2019 04:11 PM
Until 3 weeks ago, it worked well all along.
But these days, it needs a reboot or a clear xlate for all inside hosts to access the internet.
Thanks for all your reply!
09-13-2006 08:04 PM
Hi,
How many users do you have connecting through the box for internet access? Basically, the PIX 506E supports a max of 25,000 concurrent connections.
There could be a few reasons why you need to clear the xlate (not necessarily reboot), such as it has already hit the max concurrent sessions due to user activity, or viruses/worms attempting to open thousands of simultaneous sessions to the outside, or memory utilization being too high.
What you need to do is to monitor the PIX. Get the info before concluding the actual reason.
You can use the CLI or PDM to monitor various stats such as total number of connections, translations, memory/CPU utilization and so on.
From CLI:
sh conn - check current and maximum connections
sh cpu usage - check cpu usage
sh memory - check memory usage
sh xla - current translation table
sh local-host - display the network states of local hosts
sh tcpstat - display the status of the security appliance TCP stack and the TCP connections
sh traffic - display interface transmit and receive activity, amount of transceived data
Rgds,
AK
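An added example (not from this thread or from Cisco) of the kind of monitoring the reply above recommends: it parses captured "sh conn" output, reads the "in use / most used" summary, and counts connections per inside host so a host opening an unusual number of sessions (the worm case mentioned above) stands out. The sample output is constructed and modelled on PIX 6.x formatting; the exact field layout on a given PIX version is an assumption.

```python
import re
from collections import Counter

# Constructed sample, modelled on PIX 6.x "show conn" output (field order assumed).
SAMPLE_SHOW_CONN = """\
169 in use, 572 most used
TCP out 64.101.128.56:80 in 10.236.146.24:1053 idle 0:00:00 Bytes 79 flags UIO
TCP out 64.101.128.56:80 in 10.236.146.24:1054 idle 0:00:02 Bytes 120 flags UIO
UDP out 64.101.128.10:53 in 10.236.146.30:4123 idle 0:00:01 flags -
TCP out 203.0.113.9:445 in 10.236.146.77:2001 idle 0:00:09 Bytes 0 flags saA
TCP out 203.0.113.10:445 in 10.236.146.77:2002 idle 0:00:09 Bytes 0 flags saA
TCP out 203.0.113.11:445 in 10.236.146.77:2003 idle 0:00:08 Bytes 0 flags saA
TCP out 203.0.113.12:445 in 10.236.146.77:2004 idle 0:00:08 Bytes 0 flags saA
"""

MAX_CONN = 25000  # concurrent-connection limit for the PIX 506E, as stated in the thread
SUMMARY_RE = re.compile(r"^(\d+) in use, (\d+) most used$")
CONN_RE = re.compile(r"^(TCP|UDP) out (\S+):(\d+) in (\S+):(\d+)")


def parse_show_conn(text):
    """Return (in_use, most_used, Counter of connections per inside host)."""
    in_use = most_used = 0
    per_host = Counter()
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY_RE.match(line)
        if m:
            in_use, most_used = int(m.group(1)), int(m.group(2))
            continue
        m = CONN_RE.match(line)
        if m:
            per_host[m.group(4)] += 1  # group 4 is the inside host address
    return in_use, most_used, per_host


def flag_hosts(text, per_host_limit=1000):
    """Inside hosts holding more than per_host_limit connections, and the
    peak ('most used') as a percentage of the box's connection limit."""
    _in_use, most_used, per_host = parse_show_conn(text)
    noisy = {host: n for host, n in per_host.items() if n > per_host_limit}
    peak_pct = 100.0 * most_used / MAX_CONN
    return noisy, peak_pct


if __name__ == "__main__":
    noisy, peak = flag_hosts(SAMPLE_SHOW_CONN, per_host_limit=3)
    print(f"peak usage {peak:.2f}% of {MAX_CONN}; hosts over limit: {noisy}")
```

Run it against a real capture by replacing the constructed sample with the saved "sh conn" output; the per-host threshold is a tuning knob, not a PIX setting.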
09-13-2006 08:24 PM
Thanks a lot!
I'll go and monitor it for days.
Rgds,
Jason
09-13-2006 11:34 PM
09-14-2006 12:13 AM
Hi,
Looks like the PIX is not under any 'overuse' situation when you captured the info/stats.
The session has 169 active connections and the maximum recorded was 572 (under 'sh conn'):
169 in use, 572 most used
Do you still have a similar problem when you captured the stats today? I do not see any sign of the max conn of 25,000 happening here. Maybe it is best to capture the info when the PIX starts to show signs of 'degraded performance'.
What you need to do is to console in and capture that info again (or use PDM).
In the meantime, you can probably apply the anti-spoofing feature and IDS to monitor and prevent undesired access/attacks using the following config:
ip verify reverse-path interface outside --> anti spoofing
ip audit name Monitor info action alarm --> IDS to monitor
ip audit name Response attack action alarm drop reset --> IDS response to attack
ip audit interface outside Monitor --> apply IDS monitor to outside intf
ip audit interface outside Response --> apply IDS response to attack
Use "show ip audit count" to view the IDS stats, or show ip audit count [global | interface interface_name], and 'sh log | i IDS' to view the log entries. But you must enable your logging first.
logging on
logging buffer info
The PIX has fewer than 60 well-known IDS signatures.
Also, you may want to remove the "access-list 2 permit icmp any any" if you don't need it. This can be manipulated by an attacker and can cause your PIX to be busy handling (dropping) incoming ICMP that has no destination. You can leave the outside interface without any ACL. Use it if you need to allow outsiders to access your internal servers/services.
Keep/save the log. Please let me know the outcome.
Rgds,
AK
09-14-2006 04:12 AM
Hi,
Maybe the problem is not with your PIX but with the router between your PIX and the Internet?
Khay
10-08-2006 01:04 AM
Dear All,
I found that the hosts using the proxy (inside IP 10.236.146.24) can access the internet through the PIX normally, but sometimes other hosts not using the proxy (using PIX NAT) can't access the internet through the PIX, and after several minutes it comes back.
Confused!:-(
Thanks a lot for your help.
Jason
10-08-2006 08:29 AM
Check the nat commands; I just had the same problem, and it turned out to be a NAT confusion issue with the nat, global and static commands...