PIX License Count

dro
Level 1

I've noticed some odd activity in regard to the user license features on the PIXes.

I have two networks connected to each other over VPN. One side is a 515 (unrestricted) the other is a 501 (50 users). I noticed that if I do an ICMP ping scan against the IP Range of the 501's internal network, I use up all of the connection licenses on their PIX, even though I only have 30 physical machines on that network.

This seems a bit odd to me. Has anyone else run into this before? Even though no machines were using the majority of the address space that was probed, the PIX takes each IP as a user license and restricts access for any more connections.

I think it would have made more sense to wait until an ARP entry is successfully created to be able to count it against the user license on the device. Anyone have any comments?

Regards,

-Joshua

Accepted Solution

gfullage
Cisco Employee

This is expected behaviour, although some would argue it's a bit odd.

The ping packet is allowed through because it's part of the VPN tunnel (I'm assuming you have the command "sysopt connection permit-ipsec" in place, which allows any IPSec packet in). Since the packet gets through the PIX and an xlate/conn is created, the PIX legitimately uses up a license for it, regardless of whether the packet is actually replied to or not. Changing that behaviour would change the whole concept of how the licensing works. Note that this wouldn't happen if someone on the Internet (not over the VPN tunnel) did a ping sweep, because the packet would be dropped at the outside interface and no xlate/conn would be created for it.

You could lower your xlate/conn timeout to 5 minutes or so, that way they'll time out quicker and free up the licenses, but at this point the PIX is doing what it's been told to do and that is to use up a license for a host that has an xlate/conn. Unfortunately with it coming in over a VPN, there's no way for it to tell if that host actually exists or not BEFORE creating the xlate/conn.

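To make the accounting gfullage describes concrete, here is a small Python model, added as an illustration and not code from the thread or from Cisco: a license is consumed the moment a permitted packet creates an xlate/conn for an inside address (answered or not), released only when the entry idles out, and never touched for unsolicited Internet traffic dropped at the outside interface. The 50-host limit matches the 501; the 254-address range, the one-probe-per-second timing, the 3600-second "long" timeout and the 300-second alternative are constructed assumptions for the demo, and `via_vpn` stands in for the "sysopt connection permit-ipsec" exemption.

```python
from dataclasses import dataclass, field


@dataclass
class PixLicenseModel:
    """Toy model of PIX user-license accounting (an assumption-based sketch,
    not Cisco code): an inside host consumes one license the moment a permitted
    packet creates an xlate/conn for it, whether or not the host ever answers,
    and the license is released only when that entry idles out."""
    max_hosts: int            # e.g. 50 on a PIX 501
    conn_timeout: int         # idle seconds before an xlate/conn is freed
    conns: dict = field(default_factory=dict)   # inside host -> last-seen time
    dropped_at_outside: int = 0
    rejected_over_limit: int = 0

    def _expire(self, now: int) -> None:
        """Free every entry that has been idle for conn_timeout seconds."""
        for host, last in list(self.conns.items()):
            if now - last >= self.conn_timeout:
                del self.conns[host]

    def packet(self, inside_host: str, now: int, via_vpn: bool) -> str:
        """Process one inbound packet addressed to inside_host and return
        'allowed', 'dropped' or 'over-limit'."""
        self._expire(now)
        if not via_vpn:
            # Unsolicited traffic from the Internet is dropped at the outside
            # interface before any xlate/conn exists, so no license is touched.
            self.dropped_at_outside += 1
            return "dropped"
        # Over the tunnel the packet is permitted (sysopt connection
        # permit-ipsec), so an xlate/conn is built for the destination host.
        if inside_host in self.conns:
            self.conns[inside_host] = now       # refresh the idle timer
            return "allowed"
        if len(self.conns) >= self.max_hosts:
            self.rejected_over_limit += 1       # every license already in use
            return "over-limit"
        self.conns[inside_host] = now           # license consumed; host may not exist
        return "allowed"

    def licenses_in_use(self, now: int) -> int:
        self._expire(now)
        return len(self.conns)


def sweep(model: PixLicenseModel, hosts: list, start: int, via_vpn: bool) -> dict:
    """Deliver one probe per address, one second apart, and tally the verdicts."""
    tally: dict = {}
    for i, host in enumerate(hosts):
        verdict = model.packet(host, start + i, via_vpn)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally


# Constructed /24 with 254 probed addresses, standing in for the 501's inside range.
PROBED = [f"10.0.0.{i}" for i in range(1, 255)]


def demo() -> dict:
    """Compare a long idle timeout with the 5-minute one suggested in the
    answer, plus the same sweep arriving from the Internet instead."""
    long_to = PixLicenseModel(max_hosts=50, conn_timeout=3600)
    short_to = PixLicenseModel(max_hosts=50, conn_timeout=300)
    internet = PixLicenseModel(max_hosts=50, conn_timeout=3600)
    return {
        "vpn_sweep": sweep(long_to, PROBED, 0, via_vpn=True),
        "in_use_after_sweep": long_to.licenses_in_use(253),
        # A real host late in the range is locked out while stale entries linger...
        "real_host_long_timeout": long_to.packet("10.0.0.200", 600, via_vpn=True),
        "in_use_long_timeout_t600": long_to.licenses_in_use(600),
        # ...but with a 5-minute timeout those entries are gone by t=600.
        "short_sweep": sweep(short_to, PROBED, 0, via_vpn=True),
        "in_use_short_timeout_t600": short_to.licenses_in_use(600),
        "real_host_short_timeout": short_to.packet("10.0.0.200", 600, via_vpn=True),
        "internet_sweep": sweep(internet, PROBED, 0, via_vpn=False),
        "in_use_internet": internet.licenses_in_use(253),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the shape of the problem in the thread: over the tunnel the first 50 probed addresses take every license whether or not a machine sits there, a real host probed later is refused until entries idle out, and the shorter timeout is what shrinks that window; the identical sweep from the Internet is dropped before any entry exists.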