Pix firewall blocking Internet access once in a while;

sfanayei · ‎05-25-2006

Hi,

I have a pix 515E, 3.6(3). The pix blocking a Internet access sometims. I can not ping Interfaces at blocking time. And my syslog logging shows that connection are stopped. How can I find out the resen why. To make pix work igen, I have to turn off and on igen. What is wroung? Can anybody give me some advise? Tanks in advance!

Sfanayei

Fernando_Meza · ‎05-25-2006

mmm ... perhaps you have connection limits on your nat statements. that will stop outgoing connections for the whole subnet once the limited is reached. Can you post the output of sh run | inc nat

"max_conns Specifies the maximum number of simultaneous TCP and UDP connections for

the entire subnet. The default is 0, which means unlimited connections. (Idle

connections are closed after the idle timeout specified by the timeout conn

command.)

Note This option does not apply to outside NAT. The firewall only tracks

connections from a higher security interface to a lower security interface.

If you set max_conns as well as the outside option, the max_conns option

is ignored. "

If you are NOT having any connection limits then ... it sounds like your PIX could be running out of resources ... I suggest you checking that your PIX satisfies the minimum requirements for the version of OS you are running. I believe is 6.3 (3) right ..?

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/prod_release_note09186a0080579fd2.html

Also you can perform some performance analysis to find out the overall consition of your PIX.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

I hope it helps ... please rate it it if it does !!!

sfanayei · ‎05-26-2006

Hi, Tanks a lot. I will examine it.

Sfanayei

john.king · ‎05-26-2006

What is your license? If your license is not unrestricted then you are probebly running out of outbound sessions and by resetting, you clear it and start over eventualy running out and then requiring a reset. Run the PDM and it will shouw you your license and how many sessions you have open.

sfanayei · ‎05-28-2006

Hi, Tanks a lot for your replay. I have restricted license, but what is limits for outbound sessions numbers for a restricted license? And how can I finde out?

Sfanayei

Fernando_Meza · ‎05-28-2006

Hi .. maximum concurrent connections are 48.000

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a00800b0d85.html

I hope it helps ..please rate it if it does !!!

manoj.kv · ‎05-29-2006

Hi,

Reduce the connection timeout using timeout conn command.

Try to clear the transalations using clear xlate and clear arp command insted of rebooting the device.

Manoj

sfanayei · ‎05-30-2006

Hi,

I have these line in my configuration.

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

How much can I Reduce den without effecting somting els?

Tanks in advance

Sfanayei

manoj.kv · ‎06-01-2006

Changing the xlate to 1:00:00 and conn timeout to 0:30:00 will not create any problem

Manoj

sfanayei · ‎06-05-2006

Hi,

I will run with this new parameters som days to see how pix will react. Tanks again.

Sfanayei