05-02-2006 07:34 AM - edited 02-21-2020 12:52 AM
I have a PIX-515, 64 MB RAM, CPU Pentium 200 MHz and Flash i28F640J5 @ 0x300, 16MB, BIOS Flash AT29C257 @ 0xfffd8000, 32KB. I am running Cisco PIX Firewall Version 6.3(4) on it currently.
Right now my CPU usage is around 88% and fluctuates up into the 90% range and thus customer internet speeds are fairly slow. How can I tell if I am maxing out on the number of connections or if there is some other problem with it?
05-02-2006 07:44 AM
What sort of connection is chewing up your bandwidth, is it TCP or UDP? Issue: sho conn det plus sho xlate det. Also, if you have access to an internal or external router that's connected to the PIX, you could enable IP Accounting on the router to see what's consuming your bandwidth.
You could also speak to your ISP for advice/help. Have you got syslog enabled?
Let us know if you need any further help.
05-02-2006 07:48 AM
...sorry forgot to add helpful URL link..
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml
Jay
05-02-2006 07:58 AM
I just checked and I have:
1914 x TCP connections
3909 x UDP connections
Does this indicate anything?
What syslogs should I enable?
05-02-2006 08:27 AM
Dave -
All the information is in the URL that I posted. When you issue sho conn det, are the connections being made from one internal host or is it random? And which port are these connections being made from/to? Is the connection being formed to one destination IP address or random addresses, plus which port?
How many internal hosts do you have? How many servers? I'm just thinking it might/might not be some sort of DoS attack - of course I might be wrong.
If you enable syslog, post the syslog info here (taking out any sensitive info); post only the high number connections, i.e. UDP in your case.
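To work through the questions in this post (one internal host or many, which ports, which protocol), here is an added Python example that is not from the original thread: it tallies pasted "sho conn" output per protocol, inside host and destination port. The PIX 6.x line layout shown in the comment is an assumption, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in the assumed PIX 6.x "show conn" line layout:
#   <PROTO> out <outside-ip>:<port> in <inside-ip>:<port> idle <h:mm:ss> [Bytes <n>] flags <f>
SAMPLE_SHOW_CONN = """\
TCP out 209.165.201.10:80 in 10.1.1.15:1026 idle 0:00:06 Bytes 11391 flags UIO
TCP out 209.165.201.11:443 in 10.1.1.22:1033 idle 0:00:12 Bytes 8120 flags UIO
UDP out 209.165.202.129:53 in 10.1.1.15:1027 idle 0:00:01 flags -
UDP out 209.165.202.130:1434 in 10.1.1.77:1045 idle 0:00:00 flags -
UDP out 209.165.202.131:1434 in 10.1.1.77:1046 idle 0:00:00 flags -
UDP out 209.165.202.132:1434 in 10.1.1.77:1047 idle 0:00:00 flags -
UDP out 209.165.202.133:1434 in 10.1.1.77:1048 idle 0:00:00 flags -
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<oip>[\d.]+):(?P<oport>\d+)"
    r" in (?P<iip>[\d.]+):(?P<iport>\d+)"
)

def parse_conns(text):
    """Yield one dict per recognised connection line; legend/other lines are skipped."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(text, top=5):
    """Count connections per protocol, per inside host and per outside (destination) port."""
    by_proto, by_inside, by_dport = Counter(), Counter(), Counter()
    for c in parse_conns(text):
        by_proto[c["proto"]] += 1
        by_inside[(c["proto"], c["iip"])] += 1
        by_dport[(c["proto"], c["oport"])] += 1
    return {
        "by_proto": dict(by_proto),
        "top_inside": by_inside.most_common(top),
        "top_dport": by_dport.most_common(top),
    }

def dominant_inside_host(text, share=0.5):
    """Return (host, count) if a single inside host owns more than `share` of all
    connections (the 'one internal host' case), otherwise None."""
    counts = Counter(c["iip"] for c in parse_conns(text))
    total = sum(counts.values())
    if not total:
        return None
    host, n = counts.most_common(1)[0]
    return (host, n) if n / total > share else None

if __name__ == "__main__":
    print(summarize(SAMPLE_SHOW_CONN))
    print(dominant_inside_host(SAMPLE_SHOW_CONN))
```

Paste the real "sho conn" output into SAMPLE_SHOW_CONN (or read it from a file) and a single host or port that dominates the table stands out immediately, which is the first thing to check before assuming the box is simply at capacity.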
05-02-2006 12:24 PM
Thanks again for your help.
We have easily 1000 internal hosts, as we have multiple companies behind our FW. Do you think we could merely be at capacity?
What level of syslog should I enable and send?
05-02-2006 11:11 PM
Hello,
Set up a syslog server on a machine and issue the following commands on your PIX.
logging on
logging host inside x.x.x.x
logging trap debugging
Your logging trap should be set to warning during normal periods.
Everything else should be fine.
Patrick