01-25-2005 07:53 AM - edited 02-21-2020 01:34 PM
Hi,
I have a pix configured with a site-to-site vpn. The pix has a 10 user license and there are only 5 users on site.
The pix is running out of licenses. I do a show local-host and get:
Interface inside: 10 active, 10 maximum active, 2781 denied
It looks like if the pix sees data inbound from the other site for an ip address it allocates a license. This happens even if the host is not there, e.g. a ping and an unreach reply.
Has anyone else had this problem? Is there something in the config that I can change?
Thanks
01-25-2005 08:12 AM
Matthew,
I don't believe you can work around this licensing issue unless you upgrade to the unlimited version. As you correctly point out, your active licenses are being chewed up due to the site-to-site vpn.
Maybe I'm wrong, so if someone from Cisco is reading this thread and knows a workaround apart from upgrading to the unlimited version, I'd be most interested to know, and I'm sure Matthew will be too.
Jay
01-26-2005 07:30 AM
Jay,
I logged a call with TAC and haven't got very far.
I was pointed to the Pix release notes:
A user is considered active when any one or more of the following is true:
The user has passed traffic through the PIX in the last xlate timeout seconds.
The user has an established NAT or PAT translation through the PIX Firewall.
The user has an established TCP connection or UDP session through the PIX Firewall.
The user has an established user authentication through the PIX Firewall.
Note, it does not say which direction the traffic passes.
The workaround I was given was to do a clear xlate and clear local. And that I would probably have to upgrade.
I am looking to get around the issue by setting the dhcp on the pix to only provide 10 ip addresses and reconfiguring the encryption ACLs to only pass traffic to those 10 IPs. If the traffic can't get through the vpn it can't use up the ips...
Makes the config a bit inflexible, but...
Looks like a bug to me.
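The four "active user" criteria quoted above, modelled as an added example (it is not code from the thread, from Cisco or from the PIX itself) over constructed flow records. It assumes the 3-hour PIX default xlate timeout and shows how counting without regard to direction, as the quoted text reads, lets remote-site probes of unused inside addresses consume licenses, compared with an inside-initiated-only count used purely for illustration.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    host: str                 # inside address the PIX would list in 'show local-host'
    initiated_inside: bool    # True if the inside host sent the first packet
    proto: str                # "tcp", "udp" or "icmp"
    established: bool         # open TCP connection, UDP session or NAT/PAT xlate
    age: int                  # seconds since the host last passed traffic
    authenticated: bool = False  # uauth entry present

# Assumption: PIX default 'timeout xlate' of 3 hours.
XLATE_TIMEOUT = 3 * 60 * 60


def is_active(flows, xlate_timeout=XLATE_TIMEOUT, inside_initiated_only=False):
    """Apply the release-note criteria to one host's flows.

    With inside_initiated_only=False a host is counted as soon as any packet
    touching it passed the PIX, which is how the quoted text reads.
    """
    for f in flows:
        if inside_initiated_only and not f.initiated_inside:
            continue
        if f.age <= xlate_timeout or f.established or f.authenticated:
            return True
    return False


def count_active(flows, max_active, **kw):
    """Return the licence picture the way 'show local-host' summarises it."""
    per_host = {}
    for f in flows:
        per_host.setdefault(f.host, []).append(f)
    active = [h for h, fl in per_host.items() if is_active(fl, **kw)]
    return {"active": len(active), "maximum active": max_active,
            "over": max(0, len(active) - max_active)}


# Constructed sample: five real workstations with inside-initiated TCP sessions,
# plus seven unused addresses that the remote site pinged (inbound ICMP only,
# answered by an unreachable, no xlate or session ever established).
SAMPLE = [Flow(f"10.1.1.{n}", True, "tcp", True, 30) for n in range(11, 16)]
SAMPLE += [Flow(f"10.1.1.{n}", False, "icmp", False, 5) for n in range(50, 57)]

if __name__ == "__main__":
    print(count_active(SAMPLE, 10))                             # 12 active, 2 over
    print(count_active(SAMPLE, 10, inside_initiated_only=True))  # 5 active
```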
01-26-2005 01:39 PM
The problem is a bug with the 6.33 or lower code and the way in which it counts sessions.
You will need to upgrade to v 6.33 or later. I had the same problem and the upgrade resolved the issue. Since version 6.33 (110) requires a special download, I would upgrade to 6.34; this also has fixed the "fixup" bug for DNS as well.
01-27-2005 12:51 AM
Thanks for that information, I'll try it out today.
01-27-2005 01:44 AM
Thanks, I found the bug and it does resolve the issue.
More details are at:
Thanks again
01-28-2005 11:30 AM
As far as licensing on inside hosts goes... What if there is a router behind the firewall? Would it count the router and all hosts behind it? Would there be any change if using nat?
01-28-2005 12:25 PM
Jason,
As long as the router is not establishing a connection with or through the firewall, this shouldn't be a problem. For instance, if you ping from the router to an ip address in the internet, that could cause the pix to consider the router as one active user.
If that router is doing NAT for hosts behind it, all traffic will be sourced from one IP. I would think the PIX should be fooled this way.
01-31-2005 01:00 AM
Yes, that's right.
If the internal router is doing nat then the pix only uses one license. I have seen this done with Checkpoint, where the site uses a proxy server to reduce their licensing costs on the Checkpoint.
If you have a router without nat and inside routes on the pix then every host uses a license. But if you are big enough to have routers inside your network you probably should be looking at a 506 at least!