PIX Maxed Out

vanagon2tdi
Level 1

I have a PIX-515, 64 MB RAM, CPU Pentium 200 MHz and Flash i28F640J5 @ 0x300, 16MB, BIOS Flash AT29C257 @ 0xfffd8000, 32KB. I am running Cisco PIX Firewall Version 6.3(4) on it currently.

Right now my CPU usage is around 88% and fluctuates up into the 90% range and thus customer internet speeds are fairly slow. How can I tell if I am maxing out on the number of connections or if there is some other problem with it?

7 Replies

jmia
Level 7

What sort of connection is chewing up your bandwidth, TCP or UDP? Issue: sho conn det plus sho xlate det. Also, if you have access to an internal or external router that's connected to the PIX, you could enable IP Accounting on the router to see what's consuming your bandwidth.

You could also speak to your ISP for advice/help. Have you got syslog enabled?

Let us know if you need any further help.

I just checked and I have:

1914 x TCP connections

3909 x UDP connections

Does this indicate anything?

What syslogs should I enable?

Dave -

All the information is in the URL that I posted. When you issue sho conn det, are the connections being made from one internal host or is it random? And which port are these connections being made from/to? Is the connection being formed to one destination IP address or random addresses, plus which port?

How many internal hosts do you have? How many servers? I'm just thinking it might/might not be some sort of DoS attack - of course I might be wrong.

If you enable syslog, post the syslog info here (taking out any sensitive info); post only the high-number connections, i.e. UDP in your case.
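The questions above (one host or many, which ports, one destination or many) are easier to answer from a saved copy of `show conn` than by eyeballing thousands of lines. The following is an added example, not code from the original thread or from Cisco: a Python script that parses lines in the shape of PIX 6.x `show conn` output and tallies connections by protocol, inside host, destination port and destination address, plus how many distinct destinations each inside host is talking to. The sample lines are constructed, and the exact line format is an assumption that may need adjusting to match the firewall's real output.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the shape of PIX 6.x "show conn" output (not real captured data);
# the line format is an assumption and may need adjusting to the firewall's exact wording.
SAMPLE_SHOW_CONN = """\
TCP out 203.0.113.10:80 in 10.1.1.5:1025 idle 0:00:10 Bytes 11391 flags UIO
TCP out 203.0.113.10:443 in 10.1.1.5:1026 idle 0:00:02 Bytes 2200 flags UIO
UDP out 198.51.100.1:53 in 10.1.1.5:2234 idle 0:00:01 flags -
UDP out 198.51.100.1:53 in 10.1.1.7:2235 idle 0:00:03 flags -
UDP out 203.0.113.77:5000 in 10.1.1.9:1026 idle 0:00:00 flags -
UDP out 203.0.113.78:5000 in 10.1.1.9:1027 idle 0:00:00 flags -
UDP out 203.0.113.79:5000 in 10.1.1.9:1028 idle 0:00:00 flags -
"""

# One connection per line: protocol, outside endpoint, inside endpoint; the rest is ignored.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)\b"
)


def parse_conn(text):
    """Return a list of dicts, one per line that matches CONN_RE; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            c = m.groupdict()
            c["out_port"] = int(c["out_port"])
            c["in_port"] = int(c["in_port"])
            conns.append(c)
    return conns


def summarize(conns, top=5):
    """Tally protocol, inside hosts, destination ports/addresses, and per-host fan-out
    (number of distinct destination addresses); a large fan-out from a single inside
    host is the pattern worth looking at first."""
    by_proto = Counter(c["proto"] for c in conns)
    by_inside_host = Counter(c["in_ip"] for c in conns)
    by_dest_port = Counter((c["proto"], c["out_port"]) for c in conns)
    by_dest_ip = Counter(c["out_ip"] for c in conns)
    dests = defaultdict(set)
    for c in conns:
        dests[c["in_ip"]].add(c["out_ip"])
    fan_out = {host: len(ips) for host, ips in dests.items()}
    return {
        "total": len(conns),
        "by_proto": dict(by_proto),
        "top_inside_hosts": by_inside_host.most_common(top),
        "top_dest_ports": by_dest_port.most_common(top),
        "top_dest_ips": by_dest_ip.most_common(top),
        "fan_out": fan_out,
    }


def report(text, top=5):
    """Print a short summary of the given 'show conn' text."""
    s = summarize(parse_conn(text), top)
    print(f"{s['total']} connections by protocol: {s['by_proto']}")
    print("Top inside hosts (host, count):", s["top_inside_hosts"])
    print("Top destination ports ((proto, port), count):", s["top_dest_ports"])
    print("Top destination addresses (addr, count):", s["top_dest_ips"])
    busy = sorted(s["fan_out"].items(), key=lambda kv: -kv[1])[:top]
    print("Distinct destinations per inside host:", busy)


if __name__ == "__main__":
    # Usage: python conn_summary.py saved_show_conn.txt  (no argument runs the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            report(f.read())
    else:
        report(SAMPLE_SHOW_CONN)
```

Run it against the saved output of `show conn` (the `det` variant adds extra fields after the ones the regex reads, so it should still match). The inside-host and fan-out tables answer "one host or random", and the destination-port table answers "which port".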

Thanks again for your help.

We have easily 1000 internal hosts, as we have multiple companies behind our FW. Do you think we could merely be at capacity?

What level of syslog should I enable and send?

Hello,

Set up a syslog server on a machine and issue the following commands on your PIX.

logging on

logging host inside x.x.x.x

logging trap debugging

Your logging trap should be set to warning during normal periods.

Everything else should be fine.

Patrick
