I have a PIX 515E, 3.6(3). The PIX is blocking Internet access sometimes. I cannot ping the interfaces at blocking time, and my syslog logging shows that connections are stopped. How can I find out the reason why? To make the PIX work again, I have to turn it off and on again. What is wrong? Can anybody give me some advice? Thanks in advance!
Hmm ... perhaps you have connection limits on your nat statements. That will stop outgoing connections for the whole subnet once the limit is reached. Can you post the output of sh run | inc nat
"max_conns Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn

Note This option does not apply to outside NAT. The firewall only tracks connections from a higher security interface to a lower security interface. If you set max_conns as well as the outside option, the max_conns option is ignored."
If you are NOT having any connection limits then ... it sounds like your PIX could be running out of resources ... I suggest checking that your PIX satisfies the minimum requirements for the version of OS you are running. I believe it is 6.3(3), right ..?
Also, you can perform some performance analysis to find out the overall condition of your PIX.
I hope it helps ... please rate it if it does !!!
What is your license? If your license is not unrestricted then you are probably running out of outbound sessions, and by resetting you clear it and start over, eventually running out and then requiring a reset. Run the PDM and it will show you your license and how many sessions you have open.
Hi, thanks a lot for your reply. I have a restricted license, but what is the limit on the number of outbound sessions for a restricted license? And how can I find it out?
Hi .. maximum concurrent connections are 48,000
I hope it helps .. please rate it if it does !!!
Reduce the connection timeout using the timeout conn command.
Try to clear the translations using the clear xlate and clear arp commands instead of rebooting the device.
I have these lines in my configuration.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
How much can I reduce them without affecting something else?
Thanks in advance
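An added example, not posted by anyone in this thread: a small Python audit of the three things the replies suggest checking (a max_conns ceiling on a nat statement, the idle timers on the timeout lines, and how close the connection peak sits to the license limit), run offline over constructed PIX 6.3 output. Assumptions: the positional 6.3 nat form `nat (if_name) nat_id local_ip [netmask [max_conns [emb_limit]]]` (keyword variants such as outside, dns or norandomseq are not parsed, and access-list nat lines are skipped); `show conn count` prints "N in use, M most used"; and the 48,000 ceiling is the figure given in the thread for a restricted license, not checked here against a datasheet.

```python
import re

# Constructed sample (not taken from the thread) of the lines a reader would
# pull from "sh run | inc nat", "sh run | inc timeout" and "show conn count"
# on a PIX 6.3.  The dmz nat statement carries a max_conns of 500; the inside
# one uses 0, which the Cisco text quoted above defines as unlimited.
SAMPLE_RUN = """\
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 1 192.168.2.0 255.255.255.0 500 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
"""
SAMPLE_CONN_COUNT = "1234 in use, 47990 most used"

# Assumed 6.3 positional syntax: nat (if_name) nat_id local_ip [netmask [max_conns [emb_limit]]]
NAT_RE = re.compile(
    r"^nat \((?P<ifname>[^)]+)\) (?P<nat_id>\d+) (?P<local>\S+)"
    r"(?: (?P<mask>\S+))?(?: (?P<max_conns>\d+))?(?: (?P<emb_limit>\d+))?\s*$"
)
CONN_COUNT_RE = re.compile(r"(?P<in_use>\d+) in use, (?P<most_used>\d+) most used")


def parse_nat(run_text):
    """One dict per address-based nat statement; 'limited' marks a non-zero
    max_conns, the per-subnet ceiling the first reply asks about."""
    found = []
    for line in run_text.splitlines():
        m = NAT_RE.match(line)
        if not m or m.group("local") == "access-list":
            continue  # "nat (if) id access-list name" carries no positional limit here
        max_conns = int(m.group("max_conns") or 0)
        found.append({
            "interface": m.group("ifname"),
            "nat_id": int(m.group("nat_id")),
            "network": m.group("local"),
            "mask": m.group("mask"),
            "max_conns": max_conns,
            "limited": max_conns > 0,
        })
    return found


def hms_to_seconds(hms):
    """'1:00:00' -> 3600 (PIX timers are written hh:mm:ss)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_timeouts(run_text):
    """Map every idle timer on the 'timeout' lines to seconds, e.g.
    {'xlate': 10800, 'conn': 3600, 'half-closed': 600, 'udp': 120, ...}."""
    timers = {}
    for line in run_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "timeout":
            continue
        # after the keyword the line is name/value pairs: conn 1:00:00 half-closed 0:10:00 ...
        for name, value in zip(parts[1::2], parts[2::2]):
            timers[name] = hms_to_seconds(value)
    return timers


def license_headroom(conn_count_output, license_limit):
    """Compare 'show conn count' with the license ceiling.  A peak sitting at
    the limit is what the 'reset fixes it for a while' symptom looks like."""
    m = CONN_COUNT_RE.search(conn_count_output)
    if not m:
        raise ValueError("unrecognised show conn count output")
    in_use, peak = int(m.group("in_use")), int(m.group("most_used"))
    return {
        "in_use": in_use,
        "most_used": peak,
        "limit": license_limit,
        "peak_pct": round(100.0 * peak / license_limit, 1),
    }


def audit(run_text, conn_count_output, license_limit):
    """Collect the findings a reader of this thread would check first."""
    findings = []
    for n in parse_nat(run_text):
        if n["limited"]:
            findings.append(f"nat ({n['interface']}) {n['nat_id']} {n['network']} "
                            f"caps the whole subnet at {n['max_conns']} connections")
    timers = parse_timeouts(run_text)
    if timers.get("conn", 0) >= 3600:
        findings.append(f"timeout conn is {timers['conn']} s: an idle TCP session "
                        f"holds a connection slot for an hour or more")
    h = license_headroom(conn_count_output, license_limit)
    if h["peak_pct"] >= 90:
        findings.append(f"peak of {h['most_used']} connections is {h['peak_pct']}% "
                        f"of the {license_limit} license limit")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUN, SAMPLE_CONN_COUNT, 48000):
        print(finding)
```

On the box itself the same numbers come from `show conn count`, `show xlate count` and `show version` (which names the license), with `show cpu usage` and `show memory` for the resource question raised in the first reply. The two timeout lines quoted in the last post are the PIX 6.3 defaults; lowering `timeout conn` only frees slots held by idle TCP sessions sooner, and `clear xlate` drops every translation together with its connections, so it is a disruptive workaround rather than a fix.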