The only time I remember seeing PIX come to a halt was when someone had
built NATs and their conduits backwards (i.e. trying to translate priv.
to pub from the outside). Just something to look at. =)
Carric Dooley CNE
COM2:Interactive Media
http://www.com2usa.com
"Luck is the residue of design."
- Branch Rickey - former owner of the Brooklyn Dodger Baseball Team
On Mon, 8 Nov 1999, Gustavo Bellotto wrote:
> Hello,
>
> Since we've installed a PIX 515 firewall it hangs two or three times
> a day. IN and OUT Interfaces stop responding and ping fails from PIX
> to any other IPs than its own interfaces.
>
> Each time it's gone we saw from console that 1550 bytes long buffers were exhausted.
>
> Cisco documentation of SHOW BLOCKS command is really funny:
>
> "A zero in CNT column means memory is exhausted now. Exhausted
> memory is not a problem as long as traffic is moving through the PIX
> Firewall. You can use the show conn commands to see if traffic is
> moving. If traffic is not moving and the memory is exhausted, a
> problem may be indicated."
>
> Of course traffic does not pass through when PIX is dead, although traffic
> counters increase slowly.
>
> During normal operation we have less than 100 connections, but most
> of them could have heavy traffic (proxy servers). Typical buffer utilization is:
>
>  SIZE   MAX   LOW   CNT
>     4  1600  1597  1599
>    80   400   397   400
>   256   400   394   398
>  1550   932   635   674
> 65536     8     7     8
>
> (Just 1/3 of 1550 bytes buffers allocated)
>
> Also main memory does not seem to be an issue:
> 33554432 bytes total, 25481216 bytes free
>
> PIX soft version is 4.4(1) (2 interfaces, no fail-over nor IPsec).
>
> Did anybody hear of such a problem?
>
> Thanks,
>
> Gustavo Bellotto
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
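A small check for the `show blocks` table discussed in this thread, as an added example that is not part of the original messages: it parses the SIZE/MAX/LOW/CNT rows and flags any pool whose CNT is zero or whose LOW mark has reached zero. The names `parse_blocks`, `assess` and `warn_fraction`, the 25% threshold and the `HUNG` snapshot are assumptions constructed for illustration; LOW is read as the fewest free blocks seen so far.

```python
import re

# NORMAL is the table quoted in the message above. HUNG is a constructed
# snapshot in which the 1550-byte pool has run dry.
NORMAL = """\
SIZE MAX LOW CNT
4 1600 1597 1599
80 400 397 400
256 400 394 398
1550 932 635 674
65536 8 7 8
"""
HUNG = NORMAL.replace("1550 932 635 674", "1550 932 0 0")

# A data row is exactly four integers; the header line does not match.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_blocks(text):
    """Return {size: (max, low, cnt)}; tolerates '>' mail-quote prefixes."""
    pools = {}
    for line in text.splitlines():
        m = ROW.match(line.lstrip("> "))
        if m:
            size, mx, low, cnt = map(int, m.groups())
            pools[size] = (mx, low, cnt)
    return pools

def assess(text, warn_fraction=0.25):
    """Classify each pool as 'exhausted', 'hit-zero', 'low' or 'ok'."""
    result = {}
    for size, (mx, low, cnt) in parse_blocks(text).items():
        if cnt == 0:
            state = "exhausted"   # no free blocks of this size right now
        elif low == 0:
            state = "hit-zero"    # pool ran dry earlier, has since recovered
        elif cnt < mx * warn_fraction:
            state = "low"         # assumed alert threshold, tune per site
        else:
            state = "ok"
        result[size] = {"state": state,
                        "in_use": mx - cnt,
                        "peak_in_use": mx - low}
    return result

if __name__ == "__main__":
    for name, snap in (("normal", NORMAL), ("hung", HUNG)):
        for size, info in assess(snap).items():
            print(name, size, info)
```

Run against periodic console captures, a `hit-zero` result shows that a pool was exhausted between samples even when the current CNT looks healthy.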