Every couple of weeks or so, after a weekend, I arrive at work to find the PIX is 'Disallowing New Connections'.
If I then reload the PIX all is OK again until another couple of weeks away!
Does anyone know why this would be happening?
Are you using the restricted version of the PIX? Maybe you have reached the maximum number of connections.
Use the 'show local-host' command to check this.
I have done a 'show local-host' but am still unsure if I have the restricted PIX or not! There is a line which says - Interface inside: 3 active, 13 maximum active, 0 denied.
Would that mean I only have 13 connections available to me?
I also did a 'show ver' and there is a line in here which states - Throughput: unlimited.
Am I looking in the wrong place?
Many thanks for your help.
What type of PIX do you have? The user restriction is only applicable for the 501 models. Try doing a 'sh ver'; it should display if you have a restriction for the max number of users.
Are you using TCP syslogging? If you are, and the log server is unavailable, the PIX will block all new connections. If you cannot keep the log server available, just switch to standards-based UDP syslogging.
Here is a printout of the conf of the PIX.
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password N51JqWodsWmI5V9u encrypted
passwd N51JqWodsWmI5V9u encrypted
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
name ***.***.***.*** Pipex
name 192.168.0.0 Law-Resources
name 192.168.0.1 TimeServer
name 192.168.0.2 MailServer
access-list 101 permit tcp any host ***.***.***.*** eq smtp
access-list 101 deny icmp any host ***.***.***.*** echo-reply
pager lines 24
logging trap alerts
logging history alerts
interface ethernet0 10baset
interface ethernet1 10full
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside ***.***.***.*** 255.255.255.248
ip address inside ***.***.***.*** 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location TimeServer 255.255.255.255 inside
pdm location MailServer 255.255.255.255 inside
pdm location 192.168.0.5 255.255.255.255 inside
pdm location 192.168.0.25 255.255.255.255 inside
pdm location Law-Resources 255.255.0.0 inside
pdm location 192.168.0.30 255.255.255.255 inside
pdm logging warnings 20
pdm history enable
arp timeout 14400
global (outside) 1 ***.***.***.***-***.***.***.*** netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ***.***.***.*** MailServer netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no sysopt route dnat
auth-prompt prompt Please enter your Username and Password for access to the Internet
auth-prompt accept Accepted!! You are through to the Internet
telnet Law-Resources 255.255.0.0 inside
telnet Law-Resources 255.255.0.0 intf2
telnet timeout 5
ssh timeout 5
terminal width 80
I did find syslogging enabled, but it was only on the PIX itself. I have disabled this to see if it makes any difference.
Many thanks for all the help on this matter.
You may want to start a TAC request. I just implemented a 515e a few weeks ago, and about every 10 days I have to restart it, for the same reason. I have read on Cisco's website that a certain number of 515s are defective and need to be replaced.
Hopefully this will explain it.
You may also want to look at your traffic statistics. Make sure everything is set to full duplex if you can. Somehow my public interface was set to 10baset and at half duplex. I noticed a lot of collisions and deferred packets.
I just set it to auto and it picked up at 100 full. So far I have 0 collisions and deferred, but it has only been about an hour. I am going to let it run for the weekend and see what I come up with.
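Two of the checks suggested in this thread (TCP syslog servers that can stall new connections, and interfaces hard-coded to a half-duplex speed) can be run against a saved PIX 6.x config before anyone reloads the box. The script below is an added example, not code from the thread or from Cisco; the 'logging host ... tcp/1468' line in the sample is assumed for illustration (the posted config has no logging host at all), and the half-duplex keywords are the PIX 'interface' speed settings.

```python
import re

# Constructed sample input modelled on the thread's PIX 6.1(4) config,
# plus an assumed 'logging host ... tcp/1468' line that the posted config
# does not contain, so the TCP syslog check has something to find.
SAMPLE_CONFIG = """\
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
logging trap alerts
logging host inside 192.168.0.5 tcp/1468
interface ethernet0 10baset
interface ethernet1 10full
interface ethernet2 auto shutdown
"""

# logging host <ifname> <ip> [tcp|udp/<port>]  (no protocol means UDP/514)
LOGGING_HOST = re.compile(r"^logging host\s+(\S+)\s+(\S+)(?:\s+(tcp|udp)/(\d+))?\s*$", re.I)
INTERFACE = re.compile(r"^interface\s+(\S+)\s+(\S+)", re.I)
HALF_DUPLEX = {"10baset", "100basetx"}  # PIX keywords for fixed half-duplex


def find_tcp_syslog(config):
    """Return [(ifname, host, port)] for syslog servers reached over TCP.
    With TCP syslog, a PIX that cannot reach the server stops admitting
    new connections, which matches the symptom in the thread."""
    hits = []
    for line in config.splitlines():
        m = LOGGING_HOST.match(line.strip())
        if m and (m.group(3) or "udp").lower() == "tcp":
            hits.append((m.group(1), m.group(2), int(m.group(4))))
    return hits


def tcp_to_udp_syslog(config, udp_port=514):
    """Rewrite every TCP 'logging host' line to UDP (default syslog port 514)."""
    out = []
    for line in config.splitlines():
        m = LOGGING_HOST.match(line.strip())
        if m and (m.group(3) or "udp").lower() == "tcp":
            line = f"logging host {m.group(1)} {m.group(2)} udp/{udp_port}"
        out.append(line)
    return "\n".join(out) + "\n"


def find_half_duplex_interfaces(config):
    """Return [(ifname, speed)] for interfaces pinned to a half-duplex speed."""
    matches = (INTERFACE.match(l.strip()) for l in config.splitlines())
    return [(m.group(1), m.group(2).lower())
            for m in matches if m and m.group(2).lower() in HALF_DUPLEX]


if __name__ == "__main__":
    print("TCP syslog servers:", find_tcp_syslog(SAMPLE_CONFIG))
    print("Half-duplex interfaces:", find_half_duplex_interfaces(SAMPLE_CONFIG))
    print(tcp_to_udp_syslog(SAMPLE_CONFIG))
```

Feed it the output of 'write terminal' from the real unit; a non-empty first list is the thing to fix before chasing hardware replacement.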