With a 10- or 50-user license, the PIX will not allow new connections to the Internet.
The workaround is to issue the clear local-host command, which clears the licenses and allows new connections.
Possible solutions are discussed below.
Check Network Address Translation (NAT) configurations to be sure you are not running out of global addresses. If you do not have Port Address Translation (PAT) configured, you could try configuring PAT so that the PIX will use the PAT address for further translations when the global addresses in the NAT pool run out.
A PAT example is shown below.
global (outside) interface
Check how many users are making connections through the PIX. If the number of connections exceeds your license, then you will need to upgrade to a 50-user license or upgrade to another platform.
The example below shows how to see how many local-hosts you have.
show local-host
local host: <_10.1.1.15>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
    Xlate(s):
        PAT Global 188.8.131.52(1024) Local 10.1.1.15(516)
        PAT Global 184.108.40.206(0) Local 10.1.1.15 ICMP id 340
        PAT Global 220.127.116.11(1024) Local 10.1.1.15(1028)
    Conn(s):
        TCP out 18.104.22.168:23 in 10.1.1.15:1026 idle 0:00:25 Bytes 1774 flags UIO
        UDP out 22.214.171.124:31649 in 10.1.1.15:1028 idle 0:00:17 flags D-
local host: <_10.1.1.17>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
    Xlate(s):
        PAT Global 126.96.36.199(1025) Local 10.1.1.17(516)
        PAT Global 188.8.131.52(0) Local 10.1.1.17 ICMP id 340
        PAT Global 184.108.40.206(1025) Local 10.1.1.17(1028)
    Conn(s):
        TCP out 220.127.116.11:23 in 10.1.1.17:1027 idle 0:00:25 Bytes 1774 flags UIO
        UDP out 18.104.22.168:31649 in 10.1.1.17:1029 idle 0:00:17 flags D-
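The following script is an added example, not part of the original note: it parses saved show local-host output, counts the distinct local hosts and their translations, and compares the host count with a license size. The sample text is constructed (documentation-range addresses), and the function names and the at-or-over-limit comparison are assumptions made for illustration.

```python
import re

# Constructed sample in the show local-host format (not from a real device).
SAMPLE = """\
local host: <10.1.1.15>, conn(s)/limit = 2/0, embryonic(s)/limit = 0/0
    Xlate(s):
        PAT Global 192.0.2.1(1024) Local 10.1.1.15(516)
        PAT Global 192.0.2.1(0) Local 10.1.1.15 ICMP id 340
    Conn(s):
        TCP out 198.51.100.7:23 in 10.1.1.15:1026 idle 0:00:25 Bytes 1774 flags UIO
        UDP out 198.51.100.9:31649 in 10.1.1.15:1028 idle 0:00:17 flags D-
local host: <10.1.1.17>, conn(s)/limit = 1/0, embryonic(s)/limit = 0/0
    Xlate(s):
        PAT Global 192.0.2.1(1025) Local 10.1.1.17(516)
    Conn(s):
        TCP out 198.51.100.7:23 in 10.1.1.17:1027 idle 0:00:25 Bytes 1774 flags UIO
"""

# Header of one host entry; "_?" tolerates the stray underscore seen in some pastes.
HOST_RE = re.compile(r"local host:\s*<_?([\d.]+)>,\s*conn\(s\)/limit\s*=\s*(\d+)/\d+")
# One translation entry, e.g. "PAT Global 192.0.2.1(1024) Local 10.1.1.15(516)".
XLATE_RE = re.compile(r"Global\s+\S+\s+Local\s")

def parse_local_hosts(text):
    """Return {local_ip: {"conns": n, "xlates": n}}; works on wrapped or one-line output."""
    hosts = {}
    # Split in front of every "local host:" so each segment holds one host entry.
    for segment in re.split(r"(?=local host:)", text):
        header = HOST_RE.match(segment)
        if header:
            hosts[header.group(1)] = {
                "conns": int(header.group(2)),
                "xlates": len(XLATE_RE.findall(segment)),
            }
    return hosts

def license_report(text, license_limit):
    """Compare the number of local hosts with the license size (assumed threshold)."""
    hosts = parse_local_hosts(text)
    by_xlates = sorted(hosts, key=lambda ip: hosts[ip]["xlates"], reverse=True)
    return {
        "hosts": len(hosts),
        "limit": license_limit,
        "at_or_over_limit": len(hosts) >= license_limit,
        "busiest": by_xlates[:5],  # hosts holding the most translations
    }

if __name__ == "__main__":
    print(license_report(SAMPLE, license_limit=10))
```

Hosts listed under "busiest" are the first ones to look at when the translation pool, rather than the license, is what is being exhausted.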
If the above solutions do not work, then you may be running into Bug ID CSCdw25026. This bug is fixed in 6.1(4) code.