I ran the command and there are no packet captures listed.

Doesn't the pix by default look at the incoming data to determine it's type and validity? I think it's called stateful packet inspection. I think what I need to do is turn that off on a couple of my access list entries, or the whole firewall, if it's possible. These machines are on a separate LAN, so turning it off isn't really a big security risk as there is nothing of value hosted on that network.

hi,

just double check your fixup's to ensure no ports are overlapping with your game ports.

really a PIX should be able to handle this fine.

There are no fixup ports overlapping game ports. It looks like the two port ranges that need attention are udp 28960-28965 and 27000-27020. These have really high hit counts so I suspect these are the actual data ports that pass game information to the server.

I think the pix should be able to handle this as well. It has only been a problem with two games so far. Counter-Strike and Call of Duty. It seems like however these games package their data it makes the pix look them over really hard, which raises cpu usage on the pix to levels that cause lag. These types of games run very low pings, especially cs, and with even a 6 players in a cs server the cpu usage is at 14% and players get lag. I know I could switch over to something like a linksys router for each game server, but I want a good firewall that allows you to bind multiple ip's, and I already have the pix's.

What model PIX do you have, how many interfaces are you using on it.

Perhaps you are exceeding the throughput on your PIX as you are getting high traffic on the server you mention thus pushing up the CPU util.

There a few command line utils on the PIX that will allow you to tell the throughput and your interfaces etc.

Have a look at the following link and see what you can find out.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

Rgds

PD

The pix is a 501. Currently there are 3 dedicated gaming servers behind it. The internet pipe is a 10mbit fiber optic connection. I have used the pdm to monitor bandwidth usage. I have never seen usage go above 3.5mbit. The pix should be able to handle that just fine. I have tested these games on my test server when no other servers were active (3-4am). And one game of cs with 6 players will lag. Bandwidth through the pix only reads about 250kbit up and down during this time but cpu usage is at 14%.Another game that I run can have a full 32 man server running over a meg up and down, and there is little to no cpu usage 0-2%. This is why I think it's got to be the stateful packet inspection causing the lag. Is there any way to turn this feature off?

trust me its not the SPI causing it.

what is your logging like?

i bet yhou have console logging at info!

just do a show tech and paste the config in here

Attached is the show tech. I checked logging through the pdm and all the logging options are set to disabled. Thanks for the help on this. =)

hrmm

interesting - well the config looks very simple to me.

try doing a show memory and show perfmon when the CPU is high.