PIX Down

cool.cisco
Level 1

Hi,

I am facing a problem with my PIX Firewall. I have a 515 in failover mode; one is acting as the primary and the other is acting as standby.

My Network is

PC>>>L2 Switches>>>L3 Switch>>Internal L2 Switch>>>PIX>>>External L2 Switch>>>Router>>>Internet.

Whenever network traffic increases, my Layer 3 switch shows normal CPU cycles and the L3 CPU and memory are not affected.

But the PIX CPU utilization increases to 90-100% and results in my network going down.

Then we have to identify the PC or server through a sniffer, or identify the port and then block that port on the L3 switch, or remove that PC/server from the network.

This is happening very frequently.

Please suggest all the tools and Cisco IOS features that I can use so that I come to know before anything happens, which would improve network uptime.

At present it happens almost daily and my network downtime is increasing like anything...

I would really appreciate it if Cisco could look into this and suggest..............

Many thanks,

3 Replies

Patrick Iseli
Level 7

What kind of traffic are you talking about? Is this a DDoS or worms that cause that?

What hardware are you using and what PIX OS version?

A way to monitor that could be MRTG, which graphs the CPU and interface activity.

Website of MRTG: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

Example config for mrtg:

# Created by v4only

### Global Config Options
# for UNIX
WorkDir: /var/www/localhost/htdocs/mrtg
Htmldir: /var/www/localhost/htdocs/mrtg
Imagedir: /var/www/localhost/htdocs/mrtg
IconDir: /var/www/localhost/htdocs/mrtg/icons
EnableIPv6: no

Target[pix-cpu]:.1.3.6.1.4.1.9.9.109.1.1.1.1.5.1&.1.3.6.1.4.1.9.9.109.1.1.1.1.5.1:snmp-password@111.111.111.1
RouterUptime[pix-cpu]:snmp-password@111.111.111.1
Title[pix-cpu]: PIX 501 CPU LOAD
PageTop[pix-cpu]:
 PIX 501 : CPU Load %
MaxBytes[pix-cpu]:100
ShortLegend[pix-cpu]:%
XSize[pix-cpu]:380
YSize[pix-cpu]:100
YLegend[pix-cpu]: CPU Utilization
Legend1[pix-cpu]: 5 sec CPU load %
Legend2[pix-cpu]: 1 min CPU load %
Legend3[pix-cpu]: Maximal 5 sec CPU load %
Legend4[pix-cpu]: Maximal 1 min CPU load %
LegendI[pix-cpu]: 5 sec load:
LegendO[pix-cpu]: 1 min load:
Options[pix-cpu]: gauge, growright, nopercent

### Interface 1 >> Descr: 'PIX-Firewall-'outside'-interface' | Name: ''| Ip: '111.111.111.1' | Eth: '00-0a-f4-cc-ee-cc' ###
### The following interface is commented out because:
### * --ifref=name is not unique for this interface
#
Target[pix_outside]: 1:snmp-password@111.111.111.1
SetEnv[pix_outside]: MRTG_INT_IP="111.111.111.1"
#MRTG_INT_DESCR="PIX-Firewall-'outside'-interface"
MaxBytes[pix_outside]: 1250000
Title[pix_outside]: 1 -- PIX501
PageTop[pix_outside]:
 Outside -- PIX501
 System: PIX501 in Neverland
 Maintainer: admin@domain.com
 Description: PIX Firewall outside interface
 ifType: ethernetCsmacd (6)
 ifName:
 Max Speed: 10.0 Mbits/s
 Ip: 111.111.111.1 ()

### Interface 2 >> Descr: 'PIX-Firewall-'inside'-interface' | Name: '' |Ip: '192.168.1.1' | Eth: '00-0a-f4-bb-ff-ee' ###
### The following interface is commented out because:
### * --ifref=name is not unique for this interface
#
Target[pix_inside]: 2:snmp-password@111.111.111.1
SetEnv[pix_inside]: MRTG_INT_IP="192.168.1.1"
#MRTG_INT_DESCR="PIX Firewall inside interface"
MaxBytes[pix_inside]: 12500000
Title[pix_inside]: INSIDE -- PIX 501
PageTop[pix_inside]:
 INSIDE -- PIX 501
 System: PIX501 in Neverland
 Maintainer:
 Description: PIX Firewall inside interface
 ifType: ethernetCsmacd (6)
 ifName:
 Max Speed: 100.0 Mbits/s
 Ip: 192.168.1.1

sincerely

Patrick

Another tool could be NTOP, which is a great real-time analysis tool that is really easy to install.

See:

http://www.ntop.org/ntop.html

This tool can display the real-time top 10 users and much more. It is really easy with this tool to identify infected hosts and then remove them from the network. It also lists the ports and protocols that these hosts are using.

sincerely

Patrick

Thanks, Patrick, for providing valuable information.

I will try and let you..

I am using PIX 515 with 6.3 version and PDM 3.0 is installed.

Though I can monitor the traffic from PDM, and graphs come up for CPU and memory utilization, I can't get the specific hosts....

Regards,
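Added example, not part of the thread and not code from any poster: one way to get the per-host view discussed above (the "top users" ranking in the NTOP reply, and the specific hosts the last post says PDM does not show) from the firewall's own connection table. It assumes lines in the layout PIX 6.x prints for `show conn`; the sample lines are constructed, and the function names and the `min_peers` threshold are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout PIX 6.x prints for `show conn`:
# "<proto> out <outside ip:port> in <inside ip:port> idle ... flags ..."
NORMAL = [
    "TCP out 198.51.100.7:80 in 192.168.1.20:1031 idle 0:00:05 Bytes 8812 flags UIO",
    "TCP out 198.51.100.7:80 in 192.168.1.20:1032 idle 0:00:09 Bytes 4410 flags UIO",
    "UDP out 198.51.100.53:53 in 192.168.1.21:1040 idle 0:00:02 flags d",
]
# One inside host opening connections to many outside addresses on one port.
SCAN = [
    f"TCP out 203.0.113.{i}:445 in 192.168.1.57:{2000 + i} idle 0:00:01 Bytes 0 flags saA"
    for i in range(1, 9)
]
SAMPLE = "\n".join(["11 in use, 40 most used"] + NORMAL + SCAN)

CONN_RE = re.compile(
    r"^(TCP|UDP) out (\d+(?:\.\d+){3}):(\d+) in (\d+(?:\.\d+){3}):(\d+)\s"
)

def top_talkers(text, limit=10):
    """Rank inside hosts by open connections, with fan-out and busiest port."""
    conns = Counter()
    peers = defaultdict(set)
    ports = defaultdict(Counter)
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # header line ("N in use ...") or unrecognised format
        proto, out_ip, out_port, in_ip, _in_port = m.groups()
        conns[in_ip] += 1
        peers[in_ip].add(out_ip)
        ports[in_ip][(proto, int(out_port))] += 1
    rows = [
        (host, n, len(peers[host]), ports[host].most_common(1)[0][0])
        for host, n in conns.items()
    ]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows[:limit]

def suspects(rows, min_peers=5):
    """Hosts whose connections fan out to at least min_peers outside addresses."""
    return [host for host, _n, fanout, _port in rows if fanout >= min_peers]

if __name__ == "__main__":
    for host, n, fanout, (proto, port) in top_talkers(SAMPLE):
        print(f"{host:15} conns={n:3} distinct_peers={fanout:3} top={proto}/{port}")
    print("review first:", suspects(top_talkers(SAMPLE)))
```

A host with many connections to many distinct outside addresses on a single port is the one to check first when the firewall CPU climbs; a busy server with a few peers will rank high on count but low on fan-out.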
