08-08-2003 06:39 AM - edited 02-20-2020 10:55 PM
We are running a VPN tunnel between several sites and have 10-user licences at many of these sites. When someone pings an address that is behind the PIX we see the local table increase by one address (show local); it then stays in the local table, and this is causing normal users to not be allowed access to the tunnel as there are too many connections.
Even though we have fewer than 10 devices behind the PIX, the PIX seems to fill up. Doing a "clear local x.x.x.x" removes the offending address, but this is a real pain. Anyone know why?
Thanks
(running 6.1.3 PIX software)
08-08-2003 07:15 AM
Hi. As you may or may not know, the PIX 501 uses a connection licence based on the number of machines that you want to allow access through your PIX.
10 User Licence or 50 User Licence: in either situation, the PIX keeps track of the machines that send traffic through the PIX based on their addressing information. Once the PIX reaches the licence limit, it will not allow any more machines to send traffic through the PIX.
One annoying problem with this function is that the process the 501 uses to keep track of machines is not dynamic. In other words, the PIX doesn't restrict connections to a total of 10 or 50 machines at any one time; it applies an ABSOLUTE restriction.
With absolute restriction, once the PIX has seen the first 10 or 50 machines, it will not let traffic travel through the PIX for any other machines, even if the first set of machines are not transmitting traffic. Therefore, if you have an office with 60 PCs and a 50-user licence, only the first 50 PCs that send traffic through the PIX will be allowed; the last 10 PCs will have their traffic dropped by the PIX.
You can get around this by rebooting the PIX, which will cause it to erase its table of learned addresses, but you are still stuck with the absolute limit. Therefore you need to carefully consider your licensing needs with the PIX 501. If you need more than 50 user connections you are better off buying a 506 model or higher.
Hope this explains it.
08-11-2003 05:13 AM
I know about the 10/50/unlimited options for the firewalls; it doesn't explain why pinging the address of a PC that doesn't exist still fills up the local table. E.g. with 8 PCs behind a firewall addressed 192.168.1.1-8, for instance, if I ping 192.168.1.9 then that appears when I do a "show local". I can clear it manually with a clear local 192.168.1.9, but that is not a solution, just a quick fix. The PIX shouldn't hold an entry for an address that doesn't exist; if it does, then a DoS is pretty easy, with outbound connections being filled up.
Thanks,
Andy
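A small audit script, added here as an example and not taken from any post in this thread, that parses `show local-host` output, compares the number of learned hosts with the licence limit, reports whether any hosts have already been denied, and lists idle entries that are not in your inventory of real machines (the kind of stale entry a ping to an unused address leaves behind). The output layout in the constructed sample is an assumption; adjust the regexes to match your own firewall.

```python
import ipaddress
import re

# Constructed sample of "show local-host" output from a PIX 6.x (assumed layout).
SAMPLE = """\
Interface inside: 3 active, 10 maximum active, 2 denied
local host: <192.168.1.2>,
    TCP connection count/limit = 3/unlimited
    UDP connection count/limit = 1/unlimited
local host: <192.168.1.3>,
    TCP connection count/limit = 0/unlimited
    UDP connection count/limit = 0/unlimited
local host: <192.168.1.9>,
    TCP connection count/limit = 0/unlimited
    UDP connection count/limit = 0/unlimited
"""

HEADER_RE = re.compile(r"Interface \S+: \d+ active, \d+ maximum active, (\d+) denied")
HOST_RE = re.compile(r"local host: <(\d+\.\d+\.\d+\.\d+)>")
COUNT_RE = re.compile(r"(TCP|UDP) connection count/limit = (\d+)/")


def parse_local_hosts(text):
    """Return (denied_count, {ip: {"TCP": n, "UDP": n}}) from the command output."""
    denied, hosts, current = 0, {}, None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            denied = int(m.group(1))
        elif m := HOST_RE.search(line):
            current = m.group(1)
            hosts[current] = {"TCP": 0, "UDP": 0}
        elif (m := COUNT_RE.search(line)) and current:
            hosts[current][m.group(1)] = int(m.group(2))
    return denied, hosts


def audit(text, license_limit, inventory):
    """Compare the learned-host table with the licence and the list of real hosts."""
    denied, hosts = parse_local_hosts(text)
    # Idle entries that are not known machines are the stale ones worth reviewing.
    stale = [ip for ip, c in hosts.items()
             if c["TCP"] == 0 and c["UDP"] == 0 and ip not in inventory]
    stale.sort(key=ipaddress.ip_address)
    return {
        "in_use": len(hosts),
        "free": max(license_limit - len(hosts), 0),
        "denied": denied,          # > 0 means machines were already refused
        "exhausted": denied > 0 or len(hosts) >= license_limit,
        "stale": stale,            # candidates for "clear local-host <ip>"
    }
```

Run it against a fresh capture of the command output on a schedule and alert when `exhausted` is true, so the licence ceiling is noticed before users start calling.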