[c-nsp] pix 535 issues

Alban Dani albcisco at gmail.com
Wed Jan 18 10:40:07 EST 2006 

Hi there and thanks,


Here is the data about the status of our pix:

Memory utilization : 22%
CPU utilization : 35%

xlate count : 1068 (max recorded 1674)
conn count : 33597 ( max recorded 188911)

I have turned on full logging but never get any memory related errors.

What gives?

thanks again,

Alban

On 1/18/06, Jeff Kell <jeff-kell at utc.edu> wrote:
>
> Ted Mittelstaedt wrote:
> > virus infected system on the inside, blasting thousands of copies of
> > itself to random ip numbers on the Internet, overflows the inernal
> translation
> > table and uses up all the free ram.
> We see this more often than I'd like, on a 515E (only 32Mb).  Somewhere
> around 28-30k connections and new connections start to generate "memory
> allocation errors" in the logs, and the connection requests are ignored.
>
> Doesn't have to be a virus.  P2P will do it too, especially when setup
> as a "supernode" or "ultrapeer", if you allow that.  Skype has a
> "supernode" mode too.  The newer variants that can run in UDP mode are
> especially bad.
>
> You can watch connection counts (console, PDM, probably SNMP), or devise
> some means of analyzing the connections that are active to try to find
> the source[s].  Unfortunately, at least on PIX 6.3, there is no
> connection throttling mechanism like more recent IOS implementations.  I
> don't know about 7.0.
>
> If you use a wrapper of your choice to load the output of a "show conn"
> into a perl array @session, this snippet from one of our operations crew
> may help:
>
> my $totalConnections = $session[0];
> shift @session;  #Remove the total Number of connections
> my %ipAddress;
> foreach (@session)
> {
>         my $ip = (split(/in/, $_))[1];
>         $ip = (split(/:/, $ip))[0];
>         if (exists $ipAddress{$ip})
>         {
>                 $ipAddress{$ip} = $ipAddress{$ip} + 1;
>         }
>         else
>         {
>                 $ipAddress{$ip} = 1;
>         }
> }
>
> my $count = 0;
> print "<table><tr><th>IP</th><th>Number of Connections</th></tr>";
> foreach (sort {$ipAddress{$b} <=> $ipAddress{$a}} keys %ipAddress)
> {
>         if($count > 9){exit;}  #For the top 10
>         print "<tr><td>$_</td><td>$ipAddress{$_}</td></tr>";
>         $count++;
> }
> print "</table>";
> print "Total,$totalConnections\n";
> print $query->end_html;
>
> Jeff
>

More information about the cisco-nsp mailing list