topic Re: Pix firewall blocking Internet access once in a while; in Network Security

Pix firewall blocking Internet access once in a while;

sfanayei — Fri, 21 Feb 2020 08:55:29 GMT

Hi,

I have a pix 515E, 3.6(3). The pix blocking a Internet access sometims. I can not ping Interfaces at blocking time. And my syslog logging shows that connection are stopped. How can I find out the resen why. To make pix work igen, I have to turn off and on igen. What is wroung? Can anybody give me some advise? Tanks in advance!

Sfanayei

Re: Pix firewall blocking Internet access once in a while;

Fernando_Meza — Thu, 25 May 2006 23:15:57 GMT

mmm ... perhaps you have connection limits on your nat statements. that will stop outgoing connections for the whole subnet once the limited is reached. Can you post the output of sh run | inc nat

"max_conns Specifies the maximum number of simultaneous TCP and UDP connections for

the entire subnet. The default is 0, which means unlimited connections. (Idle

connections are closed after the idle timeout specified by the timeout conn

command.)

Note This option does not apply to outside NAT. The firewall only tracks

connections from a higher security interface to a lower security interface.

If you set max_conns as well as the outside option, the max_conns option

is ignored. "

If you are NOT having any connection limits then ... it sounds like your PIX could be running out of resources ... I suggest you checking that your PIX satisfies the minimum requirements for the version of OS you are running. I believe is 6.3 (3) right ..?

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/prod_release_note09186a0080579fd2.html

Also you can perform some performance analysis to find out the overall consition of your PIX.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

I hope it helps ... please rate it it if it does !!!

Re: Pix firewall blocking Internet access once in a while;

sfanayei — Fri, 26 May 2006 10:30:47 GMT

Hi, Tanks a lot. I will examine it.

Sfanayei

Re: Pix firewall blocking Internet access once in a while;

john.king — Fri, 26 May 2006 22:06:11 GMT

What is your license? If your license is not unrestricted then you are probebly running out of outbound sessions and by resetting, you clear it and start over eventualy running out and then requiring a reset. Run the PDM and it will shouw you your license and how many sessions you have open.

Re: Pix firewall blocking Internet access once in a while;

sfanayei — Sun, 28 May 2006 17:29:51 GMT

Hi, Tanks a lot for your replay. I have restricted license, but what is limits for outbound sessions numbers for a restricted license? And how can I finde out?

Sfanayei

Re: Pix firewall blocking Internet access once in a while;

Fernando_Meza — Mon, 29 May 2006 01:48:57 GMT

Hi .. maximum concurrent connections are 48.000

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a00800b0d85.html

I hope it helps ..please rate it if it does !!!

Re: Pix firewall blocking Internet access once in a while;

manoj.kv — Mon, 29 May 2006 09:23:01 GMT

Hi,

Reduce the connection timeout using timeout conn command.

Try to clear the transalations using clear xlate and clear arp command insted of rebooting the device.

Manoj

Re: Pix firewall blocking Internet access once in a while;

sfanayei — Tue, 30 May 2006 11:31:26 GMT

Hi,

I have these line in my configuration.

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

How much can I Reduce den without effecting somting els?

Tanks in advance

Sfanayei

Re: Pix firewall blocking Internet access once in a while;

manoj.kv — Fri, 02 Jun 2006 03:14:43 GMT

Changing the xlate to 1:00:00 and conn timeout to 0:30:00 will not create any problem

Manoj

Re: Pix firewall blocking Internet access once in a while;

sfanayei — Tue, 06 Jun 2006 05:44:43 GMT

Hi,

I will run with this new parameters som days to see how pix will react. Tanks again.

Sfanayei