topic Re: PIX stopping connections!! in Network Security

PIX stopping connections!!

r.lent — Fri, 21 Feb 2020 07:09:17 GMT

Every couple of weeks or so, after a weekend, I arrive at work to find the PIX is 'Disallowing New Connections'.

If I then reload the PIX all is OK again until another couple of weeks away!

Does anyone know why this would be happening?

Many thanks,

Robin.

Re: PIX stopping connections!!

tvanginneken — Mon, 15 Dec 2003 12:42:33 GMT

Hi,

are you using the restricted version of the PIX? Maybe you have reached the maximum number of connection.

Use the 'show local-host' command to check this.

Kind Regards,

Tom

Re: PIX stopping connections!!

r.lent — Mon, 15 Dec 2003 13:27:38 GMT

Hi,

I have done a 'show local-host' but am still unsure if I have the resticted PIX or not! There is a line which says - Interface inside: 3 active, 13 maximum active, 0 denied.

Would that mean I only have 13 connections available to me?

I also did a 'show ver' and there is a line in here which states - Throughput: unlimited.

Am I looking in the wrong place?

Many thanks for your help.

Robin.

Re: PIX stopping connections!!

tvanginneken — Mon, 15 Dec 2003 13:53:14 GMT

Hi,

what type of pix do you have? The user restriction is only applicable for the 501 models. Try doing a 'sh ver', it should display if you have a restriction for the max number of users.

Regards,

Tom

Re: PIX stopping connections!!

r.lent — Mon, 15 Dec 2003 14:45:34 GMT

Hi Tom,

Sorry, I should have posted the device details first!

It is a PIX515e.

Regards,

Robin.

Re: PIX stopping connections!!

tvanginneken — Mon, 15 Dec 2003 14:55:59 GMT

Robin,

could you post a 'sh run' on the forum? Please modify public address and password entries.

Thanks!

Regards,

Tom

Re: PIX stopping connections!!

mostiguy — Mon, 15 Dec 2003 15:04:34 GMT

Are you using tcp syslogging? If you are, and the log server is unavailable, the pix will block all new connections. If you cannot keep the log server available, just switch to standards based udp syslogging

Re: PIX stopping connections!!

r.lent — Tue, 16 Dec 2003 14:13:08 GMT

Hi,

Here is a printout of the conf of the PIX.

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password N51JqWodsWmI5V9u encrypted

passwd N51JqWodsWmI5V9u encrypted

hostname pixfirewall

domain-name lawandresources.wcc.co.uk

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name ***.***.***.*** Pipex

name 192.168.0.0 Law-Resources

name 192.168.0.1 TimeServer

name 192.168.0.2 MailServer

access-list 101 permit tcp any host ***.***.***.*** eq smtp

access-list 101 deny icmp any host ***.***.***.*** echo-reply

pager lines 24

logging timestamp

logging trap alerts

logging history alerts

interface ethernet0 10baset

interface ethernet1 10full

interface ethernet2 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside ***.***.***.*** 255.255.255.248

ip address inside ***.***.***.*** 255.255.0.0

ip address intf2 127.0.0.1 255.255.255.255

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

pdm location TimeServer 255.255.255.255 inside

pdm location MailServer 255.255.255.255 inside

pdm location 192.168.0.5 255.255.255.255 inside

pdm location 192.168.0.25 255.255.255.255 inside

pdm location Law-Resources 255.255.0.0 inside

pdm location 192.168.0.30 255.255.255.255 inside

pdm logging warnings 20

pdm history enable

arp timeout 14400

global (outside) 1 ***.***.***.***-***.***.***.*** netmask 255.255.255.248

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) ***.***.***.*** MailServer netmask 255.255.255.255 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 192.168.0.5 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

auth-prompt prompt Please enter your Username and Password for access to the Internet

auth-prompt accept Accepted!! You are through to the Internet

service resetoutside

telnet Law-Resources 255.255.0.0 inside

telnet Law-Resources 255.255.0.0 intf2

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:cdb12fbd6666133fc3368f17a7591a86

I did find sys logging enabled but it was only on the PIX itself. I have disabled this to see if it makes any difference.

Many thanks for all the help on this matter.

Robin.

Re: PIX stopping connections!!

matthew.bauer — Thu, 18 Dec 2003 16:05:22 GMT

Hey Robin,

You may want to start a TAC request. I just implemented a 515e a few weeks ago and about every 10 days I have to restart it. For the same reason. I have read on cisco's website that a certain amount of 515's are defective and need to be replaced.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00800949c7.shtml

Hopefully this will explain it.

Thanks

Matt

Re: PIX stopping connections!!

matthew.bauer — Fri, 19 Dec 2003 15:55:09 GMT

Hey Robin,

You may also want to look at your traffic statistics. Make sure everything is set to full duplex if you can. Somehow my public interface was set to 10baset and at half duplex. I noticed a lot of collisions and deferred packets.

I just set it to auto and it picked up at 100 full. so far I have 0 collisions and deferred but it has only been about an hour. I am going to let it run for the weekend and see what I come up with.