PIX 501 10 user license: ICMP causes inside addresses to fill up

We are running a VPN tunnel between several sites and have 10 user licences at many of these sites. When someone pings an address that is behind the PIX, we see the local table increase by one address (show local). It then stays in the local table, and this is causing normal users to not be allowed access to the tunnel as there are too many connections.

Even though we have less than 10 devices behind the PIX, the PIX seems to fill up. Doing a "clear local x.x.x.x" removes the offending address, but this is a real pain. Anyone know why?


(running 6.1.3 PIX software)


Hi – As you may or may not know,

The PIX 501 uses a connection licence based on the number of machines that you want to allow access through your PIX.

10 User Licence or 50 User Licence: in either situation, the PIX keeps track of the machines that send traffic through the PIX based on their addressing information. Once the PIX reaches the licence limit, it will not allow any more machines to send traffic through the PIX.

One annoying problem with this function is that the process the 501 uses to keep track of machines is not dynamic. In other words, the PIX doesn’t restrict connections based on a total of 10 or 50 machines, but an ABSOLUTE restriction.

With absolute restriction, once the PIX has seen the first 10 or 50 machines, it will not let traffic travel through the PIX for any other machines, even if the first set of machines is not transmitting traffic. Therefore, if you have an office with 60 PCs and a 50 user licence, only the first 50 PCs that send traffic through the PIX will be allowed – the last 10 PCs will have their traffic dropped by the PIX.

You can get around this by rebooting the PIX, which will cause it to erase its table of learned addresses, but you are still stuck with the absolute limit. Therefore you need to carefully consider your licencing needs with PIX 501. If you need more than 50 user connections you are better off buying a 506 model or higher.

Hope this explains it -

I know about the 10/50/unlimited options for the firewalls, but it doesn't explain why pinging the address of a PC that doesn't exist still fills up the local table. I.e. 8 PCs behind a firewall addressed for instance, if I ping then that appears when I do a "show local". I can clear it manually with a clear local, but that is not a solution, just a quick fix. The PIX shouldn't hold an entry for an address that doesn't exist; if it did, then a DoS is pretty easy, with outbound connections being filled up.
