Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1169
Views
0
Helpful
2
Replies

connection limits on pix 525 , high cpu usage

mle
Level 1
Level 1

‎07-23-2002 01:46 AM - edited ‎02-20-2020 10:10 PM

Hi to all of you!

Have anybody informations about "realworld" connection limits on a PIX?

We experienced high cpu utilization (99%) if we reached connetion counts above 70000. Our highest counts are about 135000 connections. (!!! No yoke, and no DOS/DDOS, we have so much hits!!!)

At this time we tuned our connection timeouts to minimum, but this seems as we try to buy us time :-).

Any hint would be great.

bye

Cisco PIX Firewall Version 6.2(2)

Cisco PIX Device Manager Version 2.0(2)

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0006.d75c.ea04, irq 10

1: ethernet1: address is 0006.d75c.ea05, irq 11

2: ethernet2: address is 0002.b303.bec2, irq 5

3: ethernet3: address is 00e0.b603.468c, irq 11

4: ethernet4: address is 00e0.b603.468b, irq 10

5: ethernet5: address is 00e0.b603.468a, irq 9

6: ethernet6: address is 00e0.b603.4689, irq 5

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES: Enabled

Maximum Interfaces: 8

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

0 Helpful
2 Replies 2

gfullage
Cisco Employee
Cisco Employee

‎07-23-2002 09:48 PM

The 525 will max out at around 500,000 connections, although this is a rough estimate. I've seen them go up higher, but you wouldn't want to do that. There shouldn't be any issue at around 70,000 connections. How much traffic are you seeing thru this PIX? Are you doing stateful failover? Can you provide a config? And a "sho tech" when the problem is occurring?

0 Helpful

mle
Level 1
Level 1
In response to gfullage

‎07-24-2002 02:59 AM

Hi Glenn!

Thanks for your reply.

We experience a mostly linear rise of cpu usage and connections. For example 10000 conn / 10 % cpu and 70000 / 99. If we are reaching 60000 conn free memory on PIX decreases about 1 MB.

After an update of our webpages we have per client about 10 TCP (HTTP/HTTPS) and 10 UDP (RPC/..) connections on PIX. Seems 3 times more than before. Our traffic rates are about 5 - 8 Mbit/s normal and 10 -12 Mbit/s at peak rate. We have a 34 Mbit/s connection to our provider.

Yes, we have stateful failover and http replication with dedicated interface, but NOT LAN-based failover.

Maybe i found another limitation of our system, our customers reach our webfarm over one IP-Address and we balance on several servers. Do you think there are another limitiation about port allocation and addressing?

About show tech and config i ´ll have to discuss with my colleagues.

Thank a lot for your kind response

Mathias

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card