11-15-2004 09:15 AM - edited 02-20-2020 11:44 PM
I have had a 501 firewall for the past couple of years at a client site. In recent months they have a growing problem of random users not being able to connect to the Internet. Typically 1-2 users are able to connect in the morning and then the next user is unable. No pattern of specific users on a small LAN of 4-6 users. Rebooting the 501 by power cycling cures the problem for several days until it happens again. They are now frustrated and want me to solve the issue. The IOS has never been updated.
Client has a single public IP address and I "assume" that somehow NAT is not functioning correctly... but not sure.
Any suggestions on how to start solving?
TIA, Phil
11-15-2004 10:32 AM
Could you post the NATing part of your config ?
nat, globals, ip config and routes, ACL if it has any ..
thanks
Patrick
11-15-2004 12:00 PM
Patrick,
Here is the complete listing minus the security information... when I do a sh xlate the 501 says that 17 are in use. There are only 8 possible users on this SBS 2000 based domain. Are we exceeding a limit?
Phil
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
hostname pixfirewall
domain-name xxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host xxxxx eq www
access-list 100 permit tcp any host xxxxx eq smtp
access-list 100 permit tcp any host xxxxx eq ftp
access-list 100 permit tcp any host xxxxx eq 3389
access-list 100 permit tcp any host xxxxx eq pop3
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxxxx 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.9 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) tcp xxxxx smtp 10.0.0.9 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxxxx www 10.0.0.9 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xxxxx 3389 10.0.0.9 3389 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxxxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.0.0.9 //xxxxx/c:/cisco_pix
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 10.0.0.12-10.0.0.41 inside
dhcpd dns 206.26.36.34 10.0.0.9
dhcpd wins 10.0.0.9
dhcpd lease 360000
dhcpd ping_timeout 750
dhcpd domain xxxxxx.com
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxx
pixfirewall# exit
11-15-2004 11:15 AM
Is this a 10-user license 501? If so they may be going over the license limit. The PIX keeps track of that by the IP addresses that have gone through it. Rebooting the PIX clears the list. I ran into the same thing a few years ago. The "show local-host" command will show you how many IPs are in use. You can use the "clear local-host" command to clear out old ones. Newer software may solve the problem. Cisco's site states that these are concurrent users, but I know the older software kept the IPs longer.
How many users are at that site? Also, are they on DHCP or do they have static IPs?
11-15-2004 12:09 PM
Yes, this is a 501 with a 10-user license. I did a sh xlate command before I performed the clear local-host and it said 17 users. After the clear was sent the total is now 7 users. Can we extend the license on the 501?
Phil
11-15-2004 12:21 PM
You can upgrade the license, but if there are fewer than 10 devices behind the PIX, you shouldn't have to do that. The software version I saw the problem in was 6.1(1). I have other customers on 10-user PIXes now that do not seem to be having problems. What version of the PIX software is on that PIX?
11-15-2004 12:23 PM
Forgot to say that we use the DHCP on the 501 for the dynamic IP addresses for users. About 4 desktops are in the office all of the time and the other 4 are laptops used in the field that are in the office on a random basis.
I also see that we can purchase a 50-user license for the 501 if this is the cause. I still don't understand why just 8 max users are bumping into this 10-user license issue.
Phil
11-15-2004 12:37 PM
If the DHCP server is giving them different IP addresses, then those new addresses will count towards the total number of IPs passing through the PIX. I'm not sure why the PIX does not time out those addresses in the older versions. If you type "show local-host" over the next few days, you should see what addresses are taking up those licenses. I would upgrade the PIX to the latest software and watch the local-host list. If the DHCP server is just handing out different IP addresses to those devices every time, you may want to increase the lease time.
11-15-2004 12:39 PM
Check the release notes of your FOS version, might be a bug? I think that as the hosts are dynamic, the PIX keeps counting up more hosts all the time.
Why do you not configure your DHCP to just 10 hosts? This may solve your issue !!!
For example: FOS 6.1.3 had
BugID CSCdw25026
License not released after 30 seconds in certain scenario.
The 501 license is based on "local-host" entries. You can issue a 'sh local-host' on the PIX to see the total number of licenses the PIX has counted.
What PIX OS version are you using?
sincerely
Patrick
11-15-2004 12:51 PM
Patrick,
As shown in my earlier posting to you, our 501 is running 6.1(1) FOS. I did a sh local-host after doing a clear local-host and got back 7 users.
Sounds like your suggestion is to limit the hosts to 10 instead of the range of 12-41 that is currently configured?
Thanks, Phil
11-15-2004 01:11 PM
Yes Phil, it would be a good thing to do this anyway. It just gives trouble to hand out more than 10 DHCP addresses on a 10-user license.
The problem is definitely a bug in the 6.1.1 code. I suggest you upgrade it to 6.3.4; this release also fixed a DoS problem in the TCP/IP code.
sincerely
Patrick
11-15-2004 01:31 PM
Patrick,
Well, I just made the DHCP change to restrict to 10 IP address leases for 100 hours. I looked at the release notes on 6.1(1) and did not see anything specific to my issue. I did a "sh local-host" command and there are currently 8 users. Guess that everyone is in the office today.
I've never done an update to the FOS. How much effort is involved in doing this to a 501? I see the latest version is 6.3.4.
Phil
11-15-2004 02:06 PM
It's a fairly simple process. You will need a copy of the pix634.bin and PDM-302.bin (if you want to use the PIX Device Manager). Then you will need a TFTP server. From the console you will type "copy tftp://x.x.x.x/pix634.bin flash:" (where x.x.x.x is the IP address of the TFTP server). Once that is completed, you can copy the PDM with "copy tftp://x.x.x.x/pdm-302.bin flash:pdm". When both of these are completed, just type "reload".
11-15-2004 02:31 PM
Here are some details of this bug !!!
CSCdw25026 Bug Details
First Fixed-in Version 6.1(4), 6.1(1.104) Version
First Found-in Version 6.1(1)
Symptom:
License or host object not released after 30 seconds idle.
Conditions:
If a host retains the license longer than 30 seconds.
Workaround:
Use clear local-host
See Bug Tool: http://www.cisco.com/kobayashi/support/tac/tools.shtml
The upgrade is not really complicated. You need a local TFTP server, or you can download it from a website, see: Upgrading Software for the Cisco Secure PIX Firewall and PIX Device Manager
http://www.cisco.com/warp/public/110/upgrade.shtml
sincerely
Patrick
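To make concrete the mechanism the 12:37 PM reply and the bug details above describe, here is an added Python model (not from this thread or from Cisco): the PIX counts distinct inside IPs as local-host entries against the 10-user limit, field laptops take a fresh DHCP address on each visit, and on 6.1(1) idle entries are only dropped by "clear local-host" or a reboot. The lease pattern, one visit per day, and the 30-second idle release of the fixed code are constructed assumptions.

```python
# Added example, not from this thread or from Cisco: a model of PIX 501
# local-host license counting as the replies describe it. Constructed
# assumptions: 4 desktops keep their lease, 4 field laptops get the next
# free pool address per visit, one visit per day, and the fixed code
# releases an entry after 30 seconds idle (CSCdw25026: 6.1(1) does not).
from dataclasses import dataclass, field

LICENSE_LIMIT = 10          # PIX 501 10-user license
IDLE_RELEASE_SECONDS = 30   # idle timer named in the bug record (assumed)

@dataclass
class LocalHostTable:
    release_idle: bool                    # False models the 6.1(1) bug
    last_seen: dict = field(default_factory=dict)  # inside IP -> last activity
    denied: int = 0

    def traffic(self, ip: str, now: float) -> bool:
        """Register traffic from an inside host; False if no license slot is free."""
        if self.release_idle:
            self.expire(now)
        if ip not in self.last_seen and len(self.last_seen) >= LICENSE_LIMIT:
            self.denied += 1
            return False
        self.last_seen[ip] = now
        return True

    def expire(self, now: float) -> None:
        for ip, seen in list(self.last_seen.items()):
            if now - seen > IDLE_RELEASE_SECONDS:
                del self.last_seen[ip]

    def clear_local_host(self) -> None:   # the workaround from the bug record
        self.last_seen.clear()

def simulate(pool_size: int, release_idle: bool, days: int = 5):
    """Run the office pattern; return (local-host entries, denied connections)."""
    table = LocalHostTable(release_idle)
    handed_out = 0

    def lease() -> str:
        nonlocal handed_out
        ip = f"10.0.0.{12 + handed_out % pool_size}"  # pool starts at 10.0.0.12
        handed_out += 1
        return ip

    desktops = [lease() for _ in range(4)]
    for day in range(days):
        now = day * 86400.0
        for ip in desktops:
            table.traffic(ip, now)
        for _ in range(4):                 # laptops come in with a fresh lease
            table.traffic(lease(), now)
    return len(table.last_seen), table.denied
```

With the 30-address pool from the posted config and the 6.1(1) behaviour, 8 real hosts fill all 10 slots by the second day and later arrivals are denied; shrinking the pool to 10 addresses, as suggested, or running code that releases idle entries keeps everyone connected.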
11-16-2004 07:44 AM
Patrick,
Thanks to you for the clear description of the cause for the random problem accessing the Internet we see. I will update the FOS.
Phil