05-02-2005 07:39 PM - edited 02-21-2020 12:07 AM
I have a PIX 501 running 6.3(3) with a 10-user license. It has 3 IP addresses on the inside.
I get messages %PIX-4-407001: Deny traffic for local-host interface:10.204.136.131, license limit of 10 exceeded.
This message is produced for all three inside IP addresses (and no other, so I haven't got some appearing out of thin air).
A show local-host produces (after something's timed out a bit, and the messages have gone away):
Interface inside: 3 active, 10 maximum active, 5655 denied
local host: <10.204.136.131>,
TCP connection count/limit = 4/unlimited
TCP embryonic count = 0
TCP intercept watermark = 10
UDP connection count/limit = 0/unlimited
AAA:
Xlate(s):
Global 10.204.132.131 Local 10.204.136.131
Conn(s):
TCP out NIC051:3747 in 10.204.136.131:502 idle 0:00:00 Bytes 1673914 flags UIOB
TCP out NIC051:3748 in 10.204.136.131:502 idle 0:00:00 Bytes 141183
Is the license the number of IP addresses or the number of TCP connections? I was sure it was the number of IP addresses at this O/S level.
Sorry I haven't got the show local-hosts for the real thing, but as I don't know what's going on I can't reproduce it.
05-02-2005 11:16 PM
Hello:
An inside host is counted toward the limit when one of the following conditions is true:
The inside host has forwarded traffic through the PIX Firewall within the last five minutes.
The inside host currently reserved an xlate connection or user authentication at the PIX Firewall.
You can try to expire the inside users more quickly from the limit: set the xlate, connection, and uauth timeouts to the following recommended values or lower.
Timeouts and Recommended Values
xlate 00:05:00 (five minutes)
conn 01:00:00 (one hour)
uauth 00:05:00 (five minutes)
Hope that helps.
Thanks,
Binh
05-03-2005 01:03 PM
Thanks - I got that advice from the message interpreter. But I'm still not sure how three IP addresses chew up 10 licenses.
Inside hosts have forwarded traffic in the last five minutes - that's three licenses? Can an inside host have multiple reserved xlate connections or uauths? And are these in addition to the forwarded traffic license numbers? My inside hosts have a one-to-one IP mapping with external addresses.
How do I ask the PIX to give me the data on these, over and above the show local-host?
Regards
05-03-2005 02:00 PM
'show local-host' and 'show xlate count' should be sufficient, in addition to the syslog messages.
Have you tried reducing the xlate to 5 minutes to see if that makes a difference yet?
Binh
05-04-2005 05:41 PM
Thank you - you have given me the clue I needed.
This PIX setup is a pilot, so although it's a 10-user system with only 3 addresses in use, it has a full Class C subnet of addresses configured on the inside - each with a static translation to an outside address.
So - for example - when I PING (from the outside) an address on the inside which is defined but not present, that sets up a translate. So a PING sweep of the entire subnet sets up 254 xlates - or tries to.
At your most welcome suggestion I've dropped the xlate timeout from 3 hours to 5 minutes and that will help immensely.
I think my problem is CiscoWorks 2000 doing a subnet sweep. CW2K is allowed to see all addresses inside the firewall - I will put a stop to this.
Regards
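A defender-side check for what the thread describes, as an added example that is not from the original posts or from Cisco: it parses constructed %PIX-4-407001 syslog lines and constructed 'show local-host' output modelled on the text above, counts which inside addresses are being denied, and flags entries that hold an xlate but no connections, i.e. the license slots a ping sweep of statically translated addresses would consume. The sample data, the 192.0.2.x peer addresses and all function names are assumptions made for this example.

```python
import re

# Constructed sample syslog lines modelled on the 407001 message quoted in the thread.
SAMPLE_SYSLOG = """\
%PIX-4-407001: Deny traffic for local-host interface:10.204.136.131, license limit of 10 exceeded
%PIX-4-407001: Deny traffic for local-host interface:10.204.136.132, license limit of 10 exceeded
%PIX-4-407001: Deny traffic for local-host interface:10.204.136.131, license limit of 10 exceeded
%PIX-4-407001: Deny traffic for local-host interface:10.204.136.133, license limit of 10 exceeded
"""

# Constructed 'show local-host' output: one host with real connections, then three
# hosts that only hold a static xlate (what an outside sweep of the /24 leaves behind).
SAMPLE_LOCAL_HOST = """\
Interface inside: 4 active, 10 maximum active, 5655 denied
local host: <10.204.136.131>,
    TCP connection count/limit = 2/unlimited
    TCP embryonic count = 0
    TCP intercept watermark = 10
    UDP connection count/limit = 0/unlimited
  AAA:
  Xlate(s):
    Global 10.204.132.131 Local 10.204.136.131
  Conn(s):
    TCP out 192.0.2.10:3747 in 10.204.136.131:502 idle 0:00:00 Bytes 1673914 flags UIOB
    TCP out 192.0.2.10:3748 in 10.204.136.131:502 idle 0:00:00 Bytes 141183 flags UIOB
local host: <10.204.136.200>,
    TCP connection count/limit = 0/unlimited
    UDP connection count/limit = 0/unlimited
  AAA:
  Xlate(s):
    Global 10.204.132.200 Local 10.204.136.200
  Conn(s):
local host: <10.204.136.201>,
    TCP connection count/limit = 0/unlimited
    UDP connection count/limit = 0/unlimited
  AAA:
  Xlate(s):
    Global 10.204.132.201 Local 10.204.136.201
  Conn(s):
local host: <10.204.136.202>,
    TCP connection count/limit = 0/unlimited
    UDP connection count/limit = 0/unlimited
  AAA:
  Xlate(s):
    Global 10.204.132.202 Local 10.204.136.202
  Conn(s):
"""

HEADER_RE = re.compile(r"Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied")
HOST_RE = re.compile(r"local host: <([\d.]+)>")
DENY_RE = re.compile(r"%PIX-4-407001: Deny traffic for local-host interface:([\d.]+), license limit of \d+ exceeded")


def denied_hosts(syslog_text):
    """Map each inside address named in a 407001 message to how many times it was denied."""
    counts = {}
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def parse_local_host(text):
    """Parse 'show local-host' into an interface summary plus one entry per inside host."""
    summary, entries, section = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            summary = {"interface": h.group(1), "active": int(h.group(2)),
                       "maximum": int(h.group(3)), "denied": int(h.group(4))}
            continue
        m = HOST_RE.match(line)
        if m:
            entries.append({"ip": m.group(1), "xlates": 0, "conns": 0})
            section = None  # counters that follow are not xlate/conn lines
            continue
        if not entries:
            continue
        if line.startswith("Xlate(s):"):
            section = "xlate"
        elif line.startswith("Conn(s):"):
            section = "conn"
        elif line.startswith("AAA:"):
            section = None
        elif section == "xlate" and line.startswith("Global "):
            entries[-1]["xlates"] += 1
        elif section == "conn" and line.startswith(("TCP ", "UDP ")):
            entries[-1]["conns"] += 1
    return summary, entries


def xlate_only_hosts(entries):
    """Hosts holding a translation but no connection: they still occupy a license slot."""
    return [e["ip"] for e in entries if e["xlates"] > 0 and e["conns"] == 0]


def license_report(text):
    """Summarise how the licensed host slots are being used."""
    summary, entries = parse_local_host(text)
    return {"active": summary["active"], "maximum": summary["maximum"],
            "headroom": summary["maximum"] - summary["active"],
            "with_connections": sum(1 for e in entries if e["conns"] > 0),
            "xlate_only": len(xlate_only_hosts(entries))}


if __name__ == "__main__":
    print("denied:", denied_hosts(SAMPLE_SYSLOG))
    print("report:", license_report(SAMPLE_LOCAL_HOST))
```

A large xlate_only count relative to with_connections is the signature of the sweep problem the last post identifies; on PIX 6.3 the shorter translation lifetime the thread settles on is set with `timeout xlate 0:05:00`, after which such entries age out instead of holding a slot for hours.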