At the start of the day, all the systems can get to the internet just fine but as the day progresses, less and less systems are able to connect. They have only 10 systems that would connect to the internet and by the end of the day only 4 or 5 are able to get on the internet. I can't think of what would possibly be causing this issue other than some sort of time out.
The previous post is incorrect, the 501 can support 100's of connections and translations, but only 10 internal hosts. Keep in mind that one internal host can open up a large number of connections/xlates just by going to a single web page, and even more if they have multiple browser windows open.
The correct command to make sure you're not exceeding your user licence is "sho local", this will show you how many internal hosts the PIX has seen. If you see 10 here, then anyone new will not be able to get through until all the conns/xlates on one of the existing hosts time out.
The best way to see what's going on is to enable syslogging on the PIX, then try a connection outbound. You'll get a clear message as to what's happening and it should point you in the right direction.
One last question to make sure I'm on the right track... So essentially, it boils down to a licensing issue. They could order a pack of like 50 (since I know it comes in 10, 50, or unlimited). and they should be a lot better off (not necessarily fixed but better off)?
I'm not sure it is a licensing issue in this case, since they mentioned that the problem was occurring even though the xlates/conns were under 10, so I doubt they were actually hitting the 10-user licence at this time also.
In general though, always check the output of "sho local" to see how many internal hosts the PIX is seeing. The syslog will also show additional hosts trying to get out and you'll get obvious syslogs messages telling you so.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :