topic Re: connection limits on pix 525 , high cpu usage in Network Security

connection limits on pix 525 , high cpu usage

mle — Fri, 21 Feb 2020 06:10:31 GMT

Hi to all of you!

Have anybody informations about "realworld" connection limits on a PIX?

We experienced high cpu utilization (99%) if we reached connetion counts above 70000. Our highest counts are about 135000 connections. (!!! No yoke, and no DOS/DDOS, we have so much hits!!!)

At this time we tuned our connection timeouts to minimum, but this seems as we try to buy us time :-).

Any hint would be great.

bye

Cisco PIX Firewall Version 6.2(2)

Cisco PIX Device Manager Version 2.0(2)

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0006.d75c.ea04, irq 10

1: ethernet1: address is 0006.d75c.ea05, irq 11

2: ethernet2: address is 0002.b303.bec2, irq 5

3: ethernet3: address is 00e0.b603.468c, irq 11

4: ethernet4: address is 00e0.b603.468b, irq 10

5: ethernet5: address is 00e0.b603.468a, irq 9

6: ethernet6: address is 00e0.b603.4689, irq 5

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES: Enabled

Maximum Interfaces: 8

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

Re: connection limits on pix 525 , high cpu usage

gfullage — Wed, 24 Jul 2002 04:48:01 GMT

The 525 will max out at around 500,000 connections, although this is a rough estimate. I've seen them go up higher, but you wouldn't want to do that. There shouldn't be any issue at around 70,000 connections. How much traffic are you seeing thru this PIX? Are you doing stateful failover? Can you provide a config? And a "sho tech" when the problem is occurring?

Re: connection limits on pix 525 , high cpu usage

mle — Wed, 24 Jul 2002 09:59:11 GMT

Hi Glenn!

Thanks for your reply.

We experience a mostly linear rise of cpu usage and connections. For example 10000 conn / 10 % cpu and 70000 / 99. If we are reaching 60000 conn free memory on PIX decreases about 1 MB.

After an update of our webpages we have per client about 10 TCP (HTTP/HTTPS) and 10 UDP (RPC/..) connections on PIX. Seems 3 times more than before. Our traffic rates are about 5 - 8 Mbit/s normal and 10 -12 Mbit/s at peak rate. We have a 34 Mbit/s connection to our provider.

Yes, we have stateful failover and http replication with dedicated interface, but NOT LAN-based failover.

Maybe i found another limitation of our system, our customers reach our webfarm over one IP-Address and we balance on several servers. Do you think there are another limitiation about port allocation and addressing?

About show tech and config i ´ll have to discuss with my colleagues.

Thank a lot for your kind response

Mathias