
New Member

Pix firewall blocking Internet access once in a while;

Hi,

I have a PIX 515E, 3.6(3). The PIX is blocking Internet access sometimes. I cannot ping the interfaces at the time of the blocking, and my syslog logging shows that connections are stopped. How can I find out the reason why? To make the PIX work again, I have to turn it off and on again. What is wrong? Can anybody give me some advice? Thanks in advance!

Sfanayei

9 REPLIES

Re: Pix firewall blocking Internet access once in a while;

mmm ... perhaps you have connection limits on your nat statements. That will stop outgoing connections for the whole subnet once the limit is reached. Can you post the output of sh run | inc nat?

"max_conns Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

Note This option does not apply to outside NAT. The firewall only tracks connections from a higher security interface to a lower security interface. If you set max_conns as well as the outside option, the max_conns option is ignored."

If you are NOT having any connection limits then ... it sounds like your PIX could be running out of resources ... I suggest you check that your PIX satisfies the minimum requirements for the version of OS you are running. I believe it is 6.3(3), right?

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/prod_release_note09186a0080579fd2.html

Also you can perform some performance analysis to find out the overall condition of your PIX.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

I hope it helps ... please rate it if it does !!!

New Member

Re: Pix firewall blocking Internet access once in a while;

Hi, thanks a lot. I will examine it.

Sfanayei

New Member

Re: Pix firewall blocking Internet access once in a while;

What is your license? If your license is not unrestricted then you are probably running out of outbound sessions, and by resetting you clear it and start over, eventually running out and then requiring a reset. Run the PDM and it will show you your license and how many sessions you have open.

New Member

Re: Pix firewall blocking Internet access once in a while;

Hi, thanks a lot for your reply. I have a restricted license, but what is the limit on the number of outbound sessions for a restricted license? And how can I find out?

Sfanayei

Re: Pix firewall blocking Internet access once in a while;

Hi .. the maximum number of concurrent connections is 48.000

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a00800b0d85.html

I hope it helps .. please rate it if it does !!!

New Member

Re: Pix firewall blocking Internet access once in a while;

Hi,

Reduce the connection timeout using the timeout conn command.

Try to clear the translations using the clear xlate and clear arp commands instead of rebooting the device.

Manoj

New Member

Re: Pix firewall blocking Internet access once in a while;

Hi,

I have these lines in my configuration.

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

How much can I reduce them without affecting something else?

Thanks in advance

Sfanayei

New Member

Re: Pix firewall blocking Internet access once in a while;

Changing the xlate timeout to 1:00:00 and the conn timeout to 0:30:00 will not create any problem.

Manoj
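The two things this thread checks by hand, nat statements carrying a max_conns limit and the timeout xlate / timeout conn values, can be checked mechanically against the output of sh run. This is an added example, not code from the thread or from Cisco; the nat lines in the sample are constructed, the thresholds are the values Manoj suggested above, and the nat syntax assumed is the PIX 6.x form `nat (if_name) nat_id address netmask [max_conns [emb_limit]]`.

```python
import re

# Constructed sample of PIX 6.x "show run" output (the nat lines are made up;
# the timeout lines are the ones posted in the thread).
SAMPLE_CONFIG = """\
nat (inside) 1 10.1.0.0 255.255.0.0 500 0
nat (inside) 1 10.2.0.0 255.255.0.0 0 0
nat (inside) 0 access-list nonat
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
"""

# nat (if_name) nat_id address netmask [max_conns [emb_limit]]  (PIX 6.x syntax, assumed)
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?(?:\s+(\d+))?")


def hms_to_seconds(hms):
    """Convert a PIX hh:mm:ss timeout string to seconds."""
    hours, minutes, seconds = (int(part) for part in hms.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def audit_pix_config(config, max_conn=1800, max_xlate=3600):
    """Return one finding per nat statement that caps the subnet's connections
    and per timeout that exceeds the suggested values (0:30:00 conn, 1:00:00 xlate)."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        nat = NAT_RE.match(line)
        if nat:
            iface, nat_id, addr, mask, max_conns, _emb = nat.groups()
            if addr == "access-list":        # identity NAT by ACL has no subnet limit field
                continue
            if max_conns and int(max_conns) > 0:
                findings.append(("nat_limit", iface, nat_id, f"{addr}/{mask}", int(max_conns)))
        elif line.startswith("timeout xlate "):
            secs = hms_to_seconds(line.split()[2])
            if secs > max_xlate:
                findings.append(("xlate_timeout", secs, max_xlate))
        elif line.startswith("timeout conn "):
            secs = hms_to_seconds(line.split()[2])   # first value is the TCP conn timeout
            if secs > max_conn:
                findings.append(("conn_timeout", secs, max_conn))
    return findings


if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_CONFIG):
        print(finding)
```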

New Member

Re: Pix firewall blocking Internet access once in a while;

Hi,

I will run with these new parameters for some days to see how the PIX reacts. Thanks again.

Sfanayei
