03-12-2008 10:09 AM - edited 03-11-2019 05:16 AM
We have 2 PIX 515E's, and all of a sudden the memory has begun to run out very fast. According to the Cisco website, the RAM on the PIX should not change much, if any at all.
We have tried all possible means to ensure there is no DoS being carried out. Are there any further steps we can take to look into this matter?
One of the firewalls' memory takes about 24 hours to run out, and then we have to perform a reload to reduce its memory. The other one seems to be stable at present, but when it starts to misbehave, it also requires a reboot every 2-3 days.
Any ideas welcome
Thanks
Ali
03-12-2008 12:13 PM
get me,
sh conn count
sh conn detail
sh version
sh xlate count
03-13-2008 03:15 AM
.
03-13-2008 03:20 AM
sh conn count = 13497 in use, 13589 most used
The conn count is always rising, so in a few hours time, it will be higher than the above.
Cisco PIX Security Appliance Software Versio
Device Manager Version 5.0(1)
Compiled on Thu 31-Mar-05 14:37 by builders
System image file is "flash:/image"
Config file at boot was "startup-config"
smb-fw2 up 10 hours 58 mins
Hardware: PIX-515E, 64 MB RAM, CPU Pentium
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : media index
1: Ext: Ethernet1 : media index
Licensed features for this platform:
Maximum Physical Interfaces : 3
Maximum VLANs : 10
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a Restricted (R) license.
xlate count = 47 in use, 47 most used
Do you want all of "sh conn detail" ?
Also, is it safe to bump up the RAM in a PIX similar to the above to, say, 192MB? Will this have any side effects?
Thanks
Ali
03-13-2008 05:51 AM
13497 in use?? How many users were connected at this time? Do you think these many connections are valid?
Moreover, you are running code 7.x; I would suggest you go up to 128 MB RAM.
03-13-2008 06:03 AM
It's hard to say how many users, as we host quite a few servers, but the number 13497 is beyond what we expect.
That's what we think is causing the memory to run out. The total number of connections is rising but not dropping when connections are dropped, hence using up our memory.
Yes we have 7.x, can I assume it's OK on our restricted licence to stick in 128MB RAM?
Any ideas on how to drop the number of connections ? At present "sh conn count" is 17703 in use, 17743 most used !!
Thanks for your help.
Ali
03-13-2008 06:06 AM
hmm..get me the following:
1) exact version?
2) sh run timeout
3) sh conn
4) sh conn detail (not the entire output, but a few lines that show me the idle connections lying there)
03-13-2008 06:39 AM
Version : 7.0(1)
sh run timeout :
timeout xlate 999:59:59
timeout conn 99:59:59 half-closed 99:59:59 udp 99:02:00 icmp 0:00:02
timeout sunrpc 99:10:00 h323 999:59:59 h225 999:59:59 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 99:59:59 sip_media 0:02:00
timeout uauth 99:05:00 absolute
sh conn :
TCP out aa.bb.cc.dd:25663 in server1:25 idle 2:44:57 bytes 114 flags UfrOB
UDP out aa.bb.cc.dd:4623 in server1:53 idle 10:30:15 flags -
UDP out aa.bb.cc.dd:4600 in server1:53 idle 10:30:17 flags -
UDP out aa.bb.cc.dd:4561 in server1:53 idle 10:30:19 flags -
UDP out aa.bb.cc.dd:4530 in server1:53 idle 10:30:20 flags -
UDP out aa.bb.cc.dd:4498 in server1:53 idle 10:30:22 flags -
UDP out aa.bb.cc.dd:4463 in server1:53 idle 10:30:24 flags -
UDP out aa.bb.cc.dd:20462 in server1:53 idle 11:19:49 flags -
TCP out aa.bb.cc.dd:60039 in server2:143 idle 11:02:43 bytes 2752 flags UfIOB
TCP out aa.bb.cc.dd:60034 in server2:143 idle 11:02:42 bytes 9082 flags UfIOB
TCP out aa.bb.cc.dd:3241 in server3:25 idle 5:53:57 bytes 769 flags UfIOB
TCP out aa.bb.cc.dd:30062 in server5:80 idle 3:31:53 bytes 10868 flags UfIOB
TCP out aa.bb.cc.dd:30061 in server5:80 idle 3:33:32 bytes 4706 flags UfIOB
TCP out aa.bb.cc.dd:30060 in server5:80 idle 3:33:31 bytes 7458 flags UfIOB
TCP out aa.bb.cc.dd:30055 in server5:80 idle 3:33:26 bytes 16249 flags UfIOB
TCP out aa.bb.cc.dd:30054 in server5:80 idle 3:33:30 bytes 8498 flags UfIOB
where aa.bb.cc.dd are various IP addresses and serverX relates to servers behind the firewall
Thanks Ashish
03-13-2008 07:36 AM
I got it..you have the idle conn timeout/xlate timeout set as 999 hours and 99 hrs, not recommended at all, which is causing the stale idle connections to eat up the memory..
so put these commands in:
clear loc
timeout conn 1:0:0
timeout xlate 3:0:0
PS:- Please rate all the posts if they were helpful, so that others could refer to this
03-13-2008 07:52 AM
I put the commands in and got the following error:
xlate timeout 3:00:00 cannot be les than the uauth timeout 99:05:00
Usage: timeout [xlate:conn:udp:icmp:sunrpc:h323:mgcp:sip:sip_media:uauth
Also just for my info - what does "clear loc" do?
What about the timeouts for the rest of the things such as UDP etc?
I will certainly rate all your posts, you have been very helpful. Thanks again
Ali
03-13-2008 08:03 AM
put the commands in this order
cl local
timeout uauth 0:05:0
timeout conn 1:0:0
timeout xlate 3:0:0
03-13-2008 08:32 AM
sh run timeout now shows as follows:
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 99:59:59 udp 99:02:00 icmp 0:00:02
timeout sunrpc 99:10:00 h323 999:59:59 h225 999:59:59 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 99:59:59 sip_media 0:02:00
timeout uauth 0:05:00 absolute
Can you please advise if the rest of the parameters are set OK? Also, in ASDM the "Connection" check box is NOT ticked under Configuration -> Features -> Properties -> Advanced -> Timeouts. Should this be the case? The time is greyed out at 01:00:00.
You have been very helpful; I would highly appreciate it if you could answer the above questions. Otherwise I think you have resolved my case, for which I am very grateful to you.
Thanks
Ali
03-13-2008 08:41 AM
These are the default settings which you should have in your firewall. I can see even the UDP timeout value is not correct..set the following timeout values:
ASA(config)# sh run timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
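Pulling the thread's diagnosis together as an added example (my own script, not Cisco's code and not anything the posters ran): it parses the `timeout` lines of a `sh run timeout` dump, flags every timer that is longer than the 7.x defaults posted just above, checks the rule the PIX enforced earlier in the thread (xlate cannot be shorter than uauth, which is why uauth has to be lowered first), and parses `sh conn` lines to list the connections that have sat idle longer than the timer that should have reaped them. The sample config is the partially fixed one Ali posted, and the connection lines are a subset of his `sh conn` output (keeping the aa.bb.cc.dd / serverX placeholders); the function names are my own.

```python
import re
from collections import Counter

# Cisco 7.x default timers, as listed in the reference "sh run timeout" output above.
DEFAULT_TIMEOUTS = {
    "xlate": "3:00:00", "conn": "1:00:00", "half-closed": "0:10:00", "udp": "0:02:00",
    "icmp": "0:00:02", "sunrpc": "0:10:00", "h323": "0:05:00", "h225": "1:00:00",
    "mgcp": "0:05:00", "mgcp-pat": "0:05:00", "sip": "0:30:00", "sip_media": "0:02:00",
    "sip-invite": "0:03:00", "sip-disconnect": "0:02:00", "uauth": "0:05:00",
}
# Keywords that may follow a value ("uauth 0:05:00 absolute") and are not timer names.
TIMEOUT_FLAGS = {"absolute", "inactivity"}

# Sample "sh run timeout", copied from the thread after the first partial fix.
SAMPLE_CONFIG = """\
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 99:59:59 udp 99:02:00 icmp 0:00:02
timeout sunrpc 99:10:00 h323 999:59:59 h225 999:59:59 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 99:59:59 sip_media 0:02:00
timeout uauth 0:05:00 absolute
"""

# Sample "sh conn" lines from the thread; aa.bb.cc.dd / serverX are the poster's placeholders.
SAMPLE_CONN = """\
TCP out aa.bb.cc.dd:25663 in server1:25 idle 2:44:57 bytes 114 flags UfrOB
UDP out aa.bb.cc.dd:4623 in server1:53 idle 10:30:15 flags -
UDP out aa.bb.cc.dd:4600 in server1:53 idle 10:30:17 flags -
UDP out aa.bb.cc.dd:20462 in server1:53 idle 11:19:49 flags -
TCP out aa.bb.cc.dd:60039 in server2:143 idle 11:02:43 bytes 2752 flags UfIOB
TCP out aa.bb.cc.dd:30062 in server5:80 idle 3:31:53 bytes 10868 flags UfIOB
"""

# One "sh conn" entry: proto, out iface host:port, in iface host:port, idle, optional bytes, flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<src>\S+):(?P<sport>\d+)\s+in\s+(?P<dst>\S+):(?P<dport>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d+:\d+)(?:\s+bytes\s+(?P<bytes>\d+))?\s+flags\s+(?P<flags>\S+)"
)


def parse_hms(value):
    """Convert the PIX 'h:mm:ss' notation to seconds; hours may exceed 24 (e.g. '999:59:59')."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def fmt_hms(seconds):
    """Inverse of parse_hms, back into the PIX's own h:mm:ss notation."""
    return f"{seconds // 3600}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"


def parse_timeout_config(text):
    """Turn 'timeout name value [name value ...]' lines into {name: seconds}."""
    cfg = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "timeout":
            continue
        tokens = [t for t in tokens[1:] if t not in TIMEOUT_FLAGS]
        for name, value in zip(tokens[0::2], tokens[1::2]):
            cfg[name] = parse_hms(value)
    return cfg


def default_limits():
    return {name: parse_hms(value) for name, value in DEFAULT_TIMEOUTS.items()}


def audit_timeouts(cfg):
    """Findings: every timer longer than its default, plus the xlate/uauth ordering rule."""
    findings = []
    for name, default in default_limits().items():
        if name in cfg and cfg[name] > default:
            findings.append(f"{name} is {fmt_hms(cfg[name])}, default is {fmt_hms(default)}")
    # The PIX rejects an xlate timeout shorter than uauth ("cannot be less than the
    # uauth timeout"), so uauth has to be lowered before xlate, as the thread does.
    if "xlate" in cfg and "uauth" in cfg and cfg["xlate"] < cfg["uauth"]:
        findings.append("xlate is shorter than uauth: lower uauth before setting xlate")
    return findings


def parse_show_conn(text):
    """Parse 'sh conn' lines; idle becomes seconds, bytes becomes int or None (UDP)."""
    conns = []
    for line in text.splitlines():
        match = CONN_RE.match(line.strip())
        if match:
            conn = match.groupdict()
            conn["idle"] = parse_hms(conn["idle"])
            conn["bytes"] = int(conn["bytes"]) if conn["bytes"] else None
            conns.append(conn)
    return conns


def stale_connections(conns, limits):
    """Entries idle longer than the timer that governs them (udp for UDP, conn for TCP)."""
    return [c for c in conns
            if c["idle"] > (limits["udp"] if c["proto"] == "UDP" else limits["conn"])]


def stale_by_service(conns, limits):
    """Count stale entries per proto/port, to see which services are holding the table open."""
    return Counter(f'{c["proto"]}/{c["dport"]}' for c in stale_connections(conns, limits))


if __name__ == "__main__":
    cfg = parse_timeout_config(SAMPLE_CONFIG)
    for finding in audit_timeouts(cfg):
        print("timeout:", finding)
    conns = parse_show_conn(SAMPLE_CONN)
    print("entries:", len(conns),
          "stale under defaults:", len(stale_connections(conns, default_limits())),
          "stale under current config:", len(stale_connections(conns, cfg)))
    print(stale_by_service(conns, default_limits()))
```

Run against the thread's own numbers, the audit reports the six timers still sitting at 99/999 hours (half-closed, udp, sunrpc, h323, h225, sip) and nothing for xlate, conn, mgcp, mgcp-pat, sip_media and uauth, which already match the defaults. All six sample entries are stale under the default timers, but only the three TCP ones under the partially fixed config, because the UDP timer was still 99 hours; that is the gap the last post closes.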
03-13-2008 09:12 AM
OK, I have done that now, and the firewall looks much healthier. All the check boxes in ASDM are clear (i.e. unticked) in the "Timeout" settings - should this be the case?
Sorry, this is my final question and then I will close the case at my end. I would appreciate your response to this.
Thanks
Ali
03-13-2008 09:17 AM
All the check boxes in ASDM are clear (ie un ticked) in "Timeout" settings - should this be the case ?
--yes