Re: pix 525 fails with "show blocks" reducing to 0

candv · ‎10-19-2001

Anyone seen this occur, there is something in the bug toolkit but not much. We have 2 firewalls running failover, we are running 6.1(1).

Periodically telnet/ssh access to the pix stops, console is ok, can ping fine, traffic through is ok. Suddenly pix dies and reboots, I have a copy of the before and after "show blocks" command

following is when console works but telnet doesn't

Pix525-UHW#sh blocks

SIZE MAX LOW CNT

4 1600 0 0

80 400 397 400

256 2500 2493 2499

1550 2468 218 220

2560 600 66 66

Below is when all fails

Pix525-UHW# sh block

SIZE MAX LOW CNT

4 1600 0 0

80 400 397 400

256 2500 2493 2499

1550 2471 0 0

2560 600 66 66

Pix after reboot

SIZE MAX LOW CNT

4 1600 1600 1600

80 400 392 393

256 2500 2459 2475

1550 2468 1686 1700

Anyone have any ideas, this happened in 6.0(1) as well.

murabi · ‎10-25-2001

I have something similiar and couldn’t find any bugs either. Have you talked to Cisco yet? Let me know what they come up with.

candv · ‎10-25-2001

I have not had a problem with the blocks since I removed all vpn related commands on the firewall. I reset isakmp to default and removed all crypto map statements.

I only had two pc's connecting using vpn but it seems as if they are taking up resources which the firewall isn't releasing

my show blocks list is now

Pix525-UHW# sh block

SIZE MAX LOW CNT

4 1600 1574 1599

80 400 374 399

256 2500 2459 2498

1550 2468 1257 1697

gkuhl · ‎11-22-2001

I have a client that is running a PIX 515-r and needs to run Version 6.0(1) or higher for port redirection. They recently experienced a similar incident where the PIX would stay up for 30 seconds, then stop passing any traffic.

Cisco has a bug open (CSCdv65961) on 6.1 explaining about block count going to zero and traffic stops. They have a fix in V6.2, but it is not out on the download site. You'll probably need to open a TAC case for special file access.