Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
486
Views
18
Helpful
5
Replies

PIX 501 - 10 Licenses - Web Access Issue

grance
Level 1
Level 1

‎04-07-2003 12:01 PM - edited ‎02-20-2020 10:40 PM

At the start of the day, all the systems can get to the internet just fine but as the day progresses, less and less systems are able to connect. They have only 10 systems that would connect to the internet and by the end of the day only 4 or 5 are able to get on the internet. I can't think of what would possibly be causing this issue other than some sort of time out.

0 Helpful
5 Replies 5

tvanginneken
Level 4
Level 4

‎04-07-2003 12:17 PM

Hi,

use the following commands to show/count the active connections and translations:

sh conn

sh xlate

There should a maximum of 10 entries in the tables.

Kind Regards,

Tom

grance
Level 1
Level 1
In response to tvanginneken

‎04-07-2003 01:49 PM

Ok For the sh conn there are 5 in use and for the sh xlate 7 are in use... and still only 4 or 5 can get out.

gfullage
Cisco Employee
Cisco Employee
In response to grance

‎04-07-2003 09:33 PM

The previous post is incorrect, the 501 can support 100's of connections and translations, but only 10 internal hosts. Keep in mind that one internal host can open up a large number of connections/xlates just by going to a single web page, and even more if they have multiple browser windows open.

The correct command to make sure you're not exceeding your user licence is "sho local", this will show you how many internal hosts the PIX has seen. If you see 10 here, then anyone new will not be able to get through until all the conns/xlates on one of the existing hosts time out.

The best way to see what's going on is to enable syslogging on the PIX, then try a connection outbound. You'll get a clear message as to what's happening and it should point you in the right direction.

OverSeer
Level 1
Level 1
In response to gfullage

‎04-08-2003 06:14 AM

One last question to make sure I'm on the right track... So essentially, it boils down to a licensing issue. They could order a pack of like 50 (since I know it comes in 10, 50, or unlimited). and they should be a lot better off (not necessarily fixed but better off)?

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to OverSeer

‎04-08-2003 04:47 PM

I'm not sure it is a licensing issue in this case, since they mentioned that the problem was occurring even though the xlates/conns were under 10, so I doubt they were actually hitting the 10-user licence at this time also.

In general though, always check the output of "sho local" to see how many internal hosts the PIX is seeing. The syslog will also show additional hosts trying to get out and you'll get obvious syslogs messages telling you so.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card