Scaling PIX

r-lemaster
Level 1

I got a PIX 501 because I thought it was wicked fast. Now, it looks like I have sucked up about 70% of my RAM somehow.

# sh mem
Free memory: 5355944 bytes
Used memory: 11421272 bytes
------------- ----------------
Total memory: 16777216 bytes

HERE IS MY QUESTION:

How is it that I have sucked up 70% of my RAM with just a couple of access lists and NAT? Can anyone refer me to a document that explains what services use what resources on the firewall and how? For example, I would like to find out what services use up RAM and what services use up CPU cycles.

Bandwidth? ACLs? VPN? IDS?

I'm trying to find out if my current PIX is good enough or I will have to upgrade to a 506.

5 Replies

lwierenga
Level 1

First, high memory utilization normally means that you have excessive traffic in/out.

OK. Let's get this figured out. First, get me:

sh mem
sh traffic
sh xlate count
sh conn count
sh perfmon
sh blocks

Issue these commands one after another. Also, enable logging to a syslog host to capture information over time.

logging on
logging host
logging trap debugging (after about ten minutes revert back to informational, instead of debug)

More than likely we will be able to determine what is going on by doing all these things.

# sh mem
Free memory: 5354776 bytes
Used memory: 11422440 bytes
------------- ----------------
Total memory: 16777216 bytes

# sh traffic
outside:
received (in 365649.740 secs):
163686 packets 61357151 bytes
0 pkts/sec 3 bytes/sec
transmitted (in 365649.740 secs):
106590 packets 43287367 bytes
0 pkts/sec 0 bytes/sec
inside:
received (in 365649.740 secs):
204374 packets 45709583 bytes
0 pkts/sec 7 bytes/sec
transmitted (in 365649.740 secs):
202596 packets 78079671 bytes
0 pkts/sec 2 bytes/sec

# sh xlate count
2 in use, 502 most used

# sh conn count
1 in use, 81 most used

# sh perfmon
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCPIntercept 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s

# sh blocks
SIZE MAX LOW CNT
4 600 530 600
80 400 397 399
256 612 610 612
1550 932 475 675

Here's about 5 minutes of debug traffic:

11-10-2003 23:30:41 Local4.Info 192.168.1.1 %PIX-6-302014: Teardown TCP connection 10651 for outside:81.109.114.44/2529 to inside:192.168.1.10/80 duration 0:00:22 bytes 28314 TCP Reset-O
11-10-2003 23:30:41 Local4.Info 192.168.1.1 %PIX-6-302014: Teardown TCP connection 10650 for outside:81.109.114.44/2522 to inside:192.168.1.10/80 duration 0:00:22 bytes 42890 TCP Reset-O
11-10-2003 23:30:19 Local4.Notice 192.168.1.1 %PIX-5-304001: 81.109.114.44 Accessed URL 64.2.55.36:/images/logo.gif
11-10-2003 23:30:18 Local4.Info 192.168.1.1 %PIX-6-302013: Built inbound TCP connection 10651 for outside:81.109.114.44/2529 (81.109.114.44/2529) to inside:192.168.1.10/80 (64.2.55.36/80)
11-10-2003 23:30:18 Local4.Notice 192.168.1.1 %PIX-5-304001: 81.109.114.44 Accessed URL 64.2.55.36:/artists/undun/
11-10-2003 23:30:18 Local4.Info 192.168.1.1 %PIX-6-302013: Built inbound TCP connection 10650 for outside:81.109.114.44/2522 (81.109.114.44/2522) to inside:192.168.1.10/80 (64.2.55.36/80)
11-10-2003 23:30:18 Local4.Info 192.168.1.1 %PIX-6-305011: Built static TCP translation from inside:192.168.1.10/80 to outside:64.2.55.36/80
11-10-2003 23:29:43 Local4.Error 192.168.1.1 %PIX-3-106011: Deny inbound (No xlate) icmp src outside:64.4.97.134 dst outside:64.2.55.38 (type 8, code 0)
11-10-2003 23:29:25 Local4.Debug 192.168.1.1 %PIX-7-710005: UDP request discarded from 192.168.1.10/138 to inside:192.168.1.255/netbios-dgm
11-10-2003 23:29:17 Local4.Info 192.168.1.1 %PIX-6-305012: Teardown static TCP translation from inside:192.168.1.10/80 to outside:64.2.55.36/80 duration 0:00:31
11-10-2003 23:29:13 Local4.Error 192.168.1.1 %PIX-3-106011: Deny inbound (No xlate) icmp src outside:64.4.61.136 dst outside:64.2.55.38 (type 8, code 0)
11-10-2003 23:28:54 Local4.Error 192.168.1.1 %PIX-3-106011: Deny inbound (No xlate) icmp src outside:64.2.179.16 dst outside:64.2.55.38 (type 8, code 0)
11-10-2003 23:28:47 Local4.Info 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 62.146.37.165/38239 to 64.2.55.36/80 flags RST on interface outside
11-10-2003 23:28:47 Local4.Info 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 62.146.37.165/38239 to 64.2.55.36/80 flags RST on interface outside
11-10-2003 23:28:47 Local4.Info 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 62.146.37.165/38239 to 64.2.55.36/80 flags RST on interface outside
11-10-2003 23:28:47 Local4.Info 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 62.146.37.165/38239 to 64.2.55.36/80 flags RST on interface outside
11-10-2003 23:28:47 Local4.Info 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 62.146.37.165/38239 to 64.2.55.36/80 flags RST on interface outside
11-10-2003 23:28:47 Local4.Info 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 62.146.37.165/38239 to 64.2.55.36/80 flags RST on interface outside
11-10-2003 23:28:47 Local4.Info 192.168.1.1 %PIX-6-302014: Teardown TCP connection 10649 for outside:62.146.37.165/38239 to inside:192.168.1.10/80 duration 0:00:01 bytes 7284 TCP Reset-O
11-10-2003 23:28:46 Local4.Notice 192.168.1.1 %PIX-5-304001: 62.146.37.165 Accessed URL 64.2.55.36:/
11-10-2003 23:28:46 Local4.Info 192.168.1.1 %PIX-6-302013: Built inbound TCP connection 10649 for outside:62.146.37.165/38239 (62.146.37.165/38239) to inside:192.168.1.10/80 (64.2.55.36/80)
11-10-2003 23:28:46 Local4.Info 192.168.1.1 %PIX-6-305011: Built static TCP translation from inside:192.168.1.10/80 to outside:64.2.55.36/80
11-10-2003 23:28:41 Local4.Info 192.168.1.1 %PIX-6-302010: 0 in use, 81 most used
11-10-2003 23:28:34 Local4.Debug 192.168.1.1 %PIX-7-710005: TCP request discarded from 64.0.86.237/2115 to outside:64.2.55.36/135
11-10-2003 23:28:33 Local4.Debug 192.168.1.1 %PIX-7-710005: TCP request discarded from 64.0.36.105/3550 to outside:64.2.55.36/135
11-10-2003 23:28:28 Local4.Debug 192.168.1.1 %PIX-7-710005: TCP request discarded from 64.0.86.237/2115 to outside:64.2.55.36/135
11-10-2003 23:28:27 Local4.Debug 192.168.1.1 %PIX-7-710005: TCP request discarded from 64.0.36.105/3550 to outside:64.2.55.36/135
11-10-2003 23:28:25 Local4.Debug 192.168.1.1 %PIX-7-710005: TCP request discarded from 64.0.86.237/2115 to outside:64.2.55.36/135
11-10-2003 23:28:25 Local4.Error 192.168.1.1 %PIX-3-106011: Deny inbound (No xlate) icmp src outside:64.0.86.237 dst outside:64.2.55.38 (type 8, code 0)
11-10-2003 23:28:24 Local4.Debug 192.168.1.1 %PIX-7-710005: TCP request discarded from 64.0.36.105/3550 to outside:64.2.55.36/135
11-10-2003 23:28:24 Local4.Error 192.168.1.1 %PIX-3-106011: Deny inbound (No xlate) icmp src outside:64.0.36.105 dst outside:64.2.55.38 (type 8, code 0)
11-10-2003 23:28:10 Local4.Debug 192.168.1.1 %PIX-7-710005: UDP request discarded from 192.168.1.10/137 to inside:192.168.1.255/netbios-ns
11-10-2003 23:28:09 Local4.Debug 192.168.1.1 %PIX-7-710005: UDP request discarded from 192.168.1.10/137 to inside:192.168.1.255/netbios-ns
11-10-2003 23:28:08 Local4.Debug 192.168.1.1 %PIX-7-710005: UDP request discarded from 192.168.1.10/137 to inside:192.168.1.255/netbios-ns
11-10-2003 23:27:47 Local4.Info 192.168.1.1 %PIX-6-305012: Teardown static TCP translation from inside:192.168.1.10/80 to outside:64.2.55.36/80 duration 0:00:31
11-10-2003 23:27:16 Local4.Info 192.168.1.1 %PIX-6-302014: Teardown TCP connection 10648 for outside:68.39.148.22/2432 to inside:192.168.1.10/80 duration 0:00:00 bytes 0 TCP FINs
11-10-2003 23:27:16 Local4.Info 192.168.1.1 %PIX-6-302013: Built inbound TCP connection 10648 for outside:68.39.148.22/2432 (68.39.148.22/2432) to inside:192.168.1.10/80 (64.2.55.36/80)
11-10-2003 23:27:16 Local4.Info 192.168.1.1 %PIX-6-305011: Built static TCP translation from inside:192.168.1.10/80 to outside:64.2.55.36/80
11-10-2003 23:26:54 Local4.Debug 192.168.1.1 %PIX-7-710005: UDP request discarded from 192.168.1.10/137 to inside:192.168.1.255/netbios-ns
11-10-2003 23:26:54 Local4.Debug 192.168.1.1 %PIX-7-710005: UDP request discarded from 192.168.1.10/137 to inside:192.168.1.255/netbios-ns

Many thanks for your help!
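The data-collection steps suggested in the reply above, turned into a repeatable check. This is an added example, not code from the thread or from Cisco: it parses the `sh mem` and `sh blocks` output and a few of the syslog lines quoted in this thread (embedded as constructed samples), computes memory utilization and each block pool's low-water mark, and counts messages by PIX message ID. The `warn_pct` threshold is an assumption.

```python
import re
from collections import Counter

# Constructed samples copied from the outputs quoted in this thread.
SH_MEM = """Free memory: 5355944 bytes
Used memory: 11421272 bytes
------------- ----------------
Total memory: 16777216 bytes"""

SH_BLOCKS = """SIZE MAX LOW CNT
4 600 530 600
80 400 397 399
256 612 610 612
1550 932 475 675"""

SYSLOG = """11-10-2003 23:28:47 Local4.Info 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 62.146.37.165/38239 to 64.2.55.36/80 flags RST on interface outside
11-10-2003 23:28:47 Local4.Info 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 62.146.37.165/38239 to 64.2.55.36/80 flags RST on interface outside
11-10-2003 23:28:47 Local4.Info 192.168.1.1 %PIX-6-302014: Teardown TCP connection 10649 for outside:62.146.37.165/38239 to inside:192.168.1.10/80 duration 0:00:01 bytes 7284 TCP Reset-O
11-10-2003 23:28:46 Local4.Info 192.168.1.1 %PIX-6-302013: Built inbound TCP connection 10649 for outside:62.146.37.165/38239 (62.146.37.165/38239) to inside:192.168.1.10/80 (64.2.55.36/80)
11-10-2003 23:28:25 Local4.Error 192.168.1.1 %PIX-3-106011: Deny inbound (No xlate) icmp src outside:64.0.86.237 dst outside:64.2.55.38 (type 8, code 0)"""


def mem_utilization(text):
    """Used-memory percentage from 'sh mem' output (one decimal)."""
    fields = dict(re.findall(r"(Free|Used|Total) memory:\s+(\d+) bytes", text))
    return round(100.0 * int(fields["Used"]) / int(fields["Total"]), 1)


def block_pools(text, warn_pct=25.0):
    """Parse 'sh blocks' into {size: {...}}.

    LOW is the fewest free blocks of that size seen since boot; a pool whose
    LOW has dipped near 0 has dropped packets at some point, which is a far
    better exhaustion signal than the overall 'sh mem' figure.  warn_pct is an
    assumed threshold: flag pools whose LOW fell below that share of MAX.
    """
    pools = {}
    for line in text.splitlines()[1:]:          # skip the SIZE MAX LOW CNT header
        size, mx, low, cnt = (int(x) for x in line.split())
        low_pct = round(100.0 * low / mx, 1)
        pools[size] = {"max": mx, "low": low, "cnt": cnt,
                       "low_pct": low_pct, "warn": low_pct < warn_pct}
    return pools


def syslog_summary(text):
    """Count lines per (severity, message id), e.g. (6, '106015')."""
    counts = Counter()
    for line in text.splitlines():
        m = re.search(r"%PIX-(\d)-(\d{6}):", line)
        if m:
            counts[(int(m.group(1)), m.group(2))] += 1
    return counts
```

Run against the thread's own numbers, the 1550-byte pool has dropped to about half its blocks at its worst, none of the pools has ever run dry, and the log is dominated by denied packets rather than built connections, which is consistent with the low traffic counters.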

To me it all looks OK. Glenn Fulger is on an Ask the Expert session on this same forum; please also forward your request to his session as well.

Can you get the output of "show process".

If CPU usage is very low then you need not worry that much about memory usage.

Thanks

Nadeem

Thanks Nadeem,

Can you direct me to a link that explains how Bandwidth, ACLs, VPN, IDS, affect CPU or RAM on the PIX? I'd like to add more IDS, ACLs, and some VPN to the PIX, but I can't tell if my current PIX can handle the load (It seems I'm almost out of memory). For example, is VPN CPU intensive or RAM intensive? IDS? ACL? Bandwidth?

Here is my show process:

PC SP STATE Runtime SBASE Stack Process
Hsi 001e83d9 007b7934 0054e008 10 007b69ac 3628/4096 arp_timer
Lsi 001ed55d 007daa6c 0054e008 0 007d9af4 3928/4096 FragDBGC
Lwe 00119bbf 0082f36c 00551768 0 0082e504 3688/4096 dbgtrace
Lwe 003dab25 008314fc 00546938 3080 0082f5b4 6936/8192 Logger
Hsi 003deb7d 008345f4 0054e008 0 0083267c 7708/8192 tcp_fast
Hsi 003dea1d 008366a4 0054e008 20 0083472c 7644/8192 tcp_slow
Lsi 002f8891 008b56fc 0054e008 0 008b4774 3944/4096 xlate clean
Lsi 002f879f 008b679c 0054e008 0 008b5824 3548/4096 uxlate clean
Mwe 002efa7f 008d576c 0054e008 10 008d37d4 7864/8192 tcp_intercept_timer_process
Lsi 0043016d 008e600c 0054e008 0 008e5084 3900/4096 route_process
Hsi 002e0c1c 008e709c 0054e008 0 008e6134 2748/4096 PIX Garbage Collector
Hwe 002141c9 008eb564 0054e008 0 008e75fc 16048/16384 isakmp_time_keeper
Lsi 002de99c 008fbdb4 0054e008 0 008fae2c 3944/4096 perfmon
Mwe 0020ba01 00907884 0054e008 0 0090590c 7860/8192 IPsec timer handler
Hwe 0039164b 0091c154 00569030 0 0091a20c 7032/8192 qos_metric_daemon
Mwe 0025d61d 00932cec 0054e008 0 00932584 1436/2048 IP Background
Lwe 002f0582 009e53fc 00564348 0 009e4584 3704/4096 pix/trace
Lwe 002f079e 009e64ac 00564a78 0 009e5634 3704/4096 pix/tconsole
Hwe 0011f5b7 009f038c 004f8bc8 0 009ec8c4 14732/16384 ci/console
Csi 002e94bb 009f18cc 0054e008 10 009f0974 3416/4096 update_cpu_usage
Hwe 002d64a1 00a1635c 0052d3b8 0 00a124d4 15884/16384 uauth_in
Hwe 003dd66d 00a1845c 007f2308 0 00a16584 7896/8192 uauth_thread
Hwe 003f326a 00a195ac 00546f38 0 00a18634 3960/4096 udp_timer
Hsi 001e0092 00a1b25c 0054e008 0 00a1a2e4 3928/4096 557mcfix
Crd 001e0047 00a1c31c 0054e480 225348880 00a1b394 3640/4096 557poll
Lsi 001e00fd 00a1d3bc 0054e008 0 00a1c444 3700/4096 557timer
Cwe 001e1c71 00a3343c 006c60c8 33830 00a31544 6168/8192 pix/intf0
Mwe 003f2fda 00a3452c 0082caf8 0 00a335f4 3896/4096 riprx/0
Msi 0039a8c9 00a3563c 0054e008 0 00a346c4 3888/4096 riptx/0
Cwe 001e1c71 00a3b774 0073b638 41600 00a3987c 6104/8192 pix/intf1
Mwe 003f2fda 00a3c884 0082cab0 0 00a3b94c 3896/4096 riprx/1
Msi 0039a8c9 00a3d994 0054e008 0 00a3ca1c 3888/4096 riptx/1
Hwe 003dd901 00aa70ac 007dd710 160 00aa6e04 300/1024 listen/http0
Hwe 003dd901 00aa758c 007e17f8 5290 00aa72e4 136/1024 listen/http1
Hwe 003dd901 00aa7ae4 007dd900 0 00aa789c 188/1024 listen/pfm
Hwe 003dd901 00aa8394 007dd9f8 10 00aa7d4c 1212/2048 listen/telnet_1
Mwe 0012cd31 00aaa574 0054e008 0 00aa85fc 7888/8192 DHCPD Timer
Mwe 003f2fda 00aafa5c 0082ca68 70 00aadb24 6888/8192 dhcpd_recv/1
Mwe 00367a62 00ab1d64 0054e008 150 00aafdec 5388/8192 Crypto CA
H* 003de2d7 0009ff2c 0054dff0 10 00abadc4 4156/8192 telnet/ci

HERE IS MY QUESTION:

How is it that I have sucked up 70% of my RAM with just a couple of access lists and NAT? Can anyone refer me to a document that explains what services use what resources on the firewall and how? For example, I would like to find out what services use up RAM and what services use up CPU cycles.

Bandwidth? ACLs? VPN? IDS? NAT?

I'm trying to find out if my current PIX is good enough or I will have to upgrade to a 506.
