My Pix seems to have a memory leak ?
Result of the command: "sh memory"
Free memory: 6088072 bytes ( 9%)
Used memory: 61020792 bytes (91%)
------------- ----------------
Total memory: 67108864 bytes (100%)
This is 30mins after a restart. Seem like it gets worse and worse until i cant even connect to the ASDM.
I have Tried turning off loggin as well as some connection timeout commands.
I am using a Pix515E with 8.0(3) and 128MB RAM. It ran OK for months but has recently had several episodes during which it produced streams of memory allocation failures (syslog 211001). When in this condition I could not log into the VPN. It was still operating but some users were having problems and I eventually had to restart it.
The traffic load is typically 10Mbps, and the max number of connections is around 10,000 but typically 5,000. The CPU usage is 10%-20%. There is 1 VPN with normally 1 client. The memory usage is always high, between 115MB and 120MB but during these problems it creeps higher.
Why might the memory usage be so high when my network load is quite light for the 515E? What circumstances cause the memory usage to increase during operation? Is there anything I can do to prevent the memory usage increasing to the point where the PIX crashes?
I have a second 515E with 8.0(4)32 and 64MB RAM, loaded with the same config. I have not had this one in service, but off-line it is using 53MB of memory. If the spare pix needs 53MB to load the firmware and my config, why does the other one use 115MB?
We had two PIXes in our environment and working as a active-failover mode. Its noted in now a days the active PIX memory utilization is 98% and for standby PIX it is 96%. And also in some times we were experiencing packet loss to the ip of active PIX and which reflects in the inside servers access also. During that time the active pix was not accessible via ssh as well as ASDM. We have tried reloading the PIX and changing failover state of the PIX, but it results only a temporary solution. Current memory installed is 128 MB (maximum upgraded), so a upgrade is also not possible. Please see the show command outputs from the PIX. Current Software version is 7.2(4)
sh memory output (PIX 1 - active)
Free memory: 4850944 bytes ( 4%)
Used memory: 129366784 bytes (96%)
[code]....
1) How we can pin point the root cause of this high memory utilization?
2) What might be the reason for the high memory utilization for the standby pix (96%), still the PIX is in idle state?
3) Is it a hardware issue or a memory leak issue, then how can we find out?
4) Is a software upgrade to new version resolves the memory issue?
From what I can see on some of the message discussion boards, this is an alert only message. I would like to get clarification that this will not cause operational issues with the controller.
I did try to change the free memory by using the command
config memory monitor leaks 10000 300000
but then I get a response about core dumps and the alerts do not go away.
4402's been running quite happily until recently. I have 11 wlan's configured, but only 5 are enabled at this moment in time.
There are 26ap's connected to the 4402, a mixture of 1130's and 1142's. The memory error in the subject is popping up quite frequently.
No reference I can find on this forum or other Cisco.com.
*osapiReaper: Aug 01 14:35:07.004: %OSAPI-1-MEM_LEAK_LOW_ALARM: osapi_task.c:5105 Free System Memory went below 100MB
*osapiReaper: Aug 01 14:34:56.996: %OSAPI-1-MEM_LEAK_LOW_ALARM: osapi_task.c:5105 Free System Memory went below 100MB
*osapiReaper: Aug 01 14:34:46.988: %OSAPI-1-MEM_LEAK_LOW_ALARM: osapi_task.c:5105 Free System Memory(code)
I need to redo the configuration on the new one?
View 11 Replies View RelatedI have an Pix 515E firewall with Pix724-33.bin IOS. I just want to know that does this IOS support SNMPV3 or I will have to upgarde it with some other version.
View 1 Replies View RelatedIve got a problem with passing traffic through a Cisco 515e firewall.im trying to telnet to devices on the inside net, 172.16.x.x fom an outside net 10.x.x.x? ive configured a group called infrastructure and added the 10.x.x.x addresses.ive configured acl 101 inbound on the outside interface:
access-list 101 permit tcp object-group INFRASTRUCTURE any eq telnet
theres a route to the inside net:
inside 172.16.0.0 255.255.0.0 172.16.163.1
and theres a translation:
static (inside,outside) 10.4.4.34 10.4.4.34 netmask 255.255.255.255
when i try and connect, using a packet capture I can see traffic from 10.4.4.34 to the inside device 172.x.x.x on the inside interface but i cant see the traffic leave the outside interface ive used the same group infrastructure group before to connect to VM machines on the 172.x.x.x net on RDP and this wrks ok. access-list 101 permit tcp object-group INFRASTRUCTURE object-group VMs eq 3389
I am trying to set the PIX firewall to transparent mode.After I set it to transparent firewall, I allowed all icmp, tcp, udp traffics.Currently, any devices in the inside network can get the ip automatically from DHCP server in the outside network but cannot ping to any servers in the outside network either access the internet.Do I need additional confiration on the firewall?
Here's the configuration:
PIX Version 7.0(1)
firewall transparent
names
!
interface Ethernet0
[Code]....
i have cisco ASA 5510 Firewall using in my network, i have planning to upgrade the Flash memory from 256 mb to 512 mb and the RAM from 256 mb to 1GB.
View 1 Replies View RelatedI have Pix firewall 515e on inside interface its has configured with IP 192.168.0.254.And Global Nating is configured.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
I want i configured Global nating only for only specific IP address E.g 192.168.0.0-192.168.0.30 and 192.168.0.200-192.168.0.254?How i do this?
I have the following network.2 WAN links termination on my PIX 515e and all internal users connected to third interface.
Problem I am facing is that I have assign manual IP to users with some have full access to Internet while others have limited.
The users are changing their IP address while others are offline and I want to restrict them.
The only way I can think off is by binding IP to MAC as e.g ( Active wall software). But can it be done on PIX 515e and if so how?
I have ordered RP2 and it will be having 8GB default memory. What is the difference between memory & Physical memory?Since I am able to see only 4GB memory in my ASR 1004. [code]
View 1 Replies View RelatedI have erased the Cisco image from my PIX 515E, and while i tried to load a new image its asking for activation key. I tried its old key. but no use.
View 1 Replies View RelatedI have a PIX 515 Ewhich does authentication for SSH via RADIUS protocol and fails over to the local database if radius server goes offline. But when the radius server comes back online, authentication still takes place through LOCAL and not the radius server. Following are the commands:
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
[Code].....
\I just configure my PIX 515E with version 7.0(4) and having problems to get traffic out on eth0 (if name outside). There is no problems between different VLAN ,all VLANs are configure on eth1. It is also possible to accass services on VLAN 10 (DMZ) from outside. The only thing I see in syslog is "Built Outbound" and "Teardown".
View 11 Replies View RelatedI have a Pix 515E running PixOS version 8.0.4 with two interfaces, inside and outside.On the inside interface, I have a Redhat Enterprise Linux 5.4 64 bits machine as an NFS server version 4 (NFSv4).On the outside interface, I have three (3) Redhat Enterprise Linux 5.4 64 bits as NFS clients.I am looking for the exact UDP and TCP ports to be added to the ACL in order to accomplish
View 1 Replies View RelatedI need ot upgrade a Cisco PIX 515 E to A Cisco ASA (not sure what type and modle yet!). the PIX currently has about 80 lines of ACLs and no VPNs. So only inside and outside interfaces and 80 lines of ACLs to be transferred over to the ASA.I was wondering if the ACLs can be transferred over to ASA as is?is there anything that I need ot watch for?
View 1 Replies View RelatedI have an issue in the Cisco PIx 515e series. The IOS is 6.1(2).I have set sepecific access-list to allow incoming traffic to inside interface. But still the TCP 3-way handshaking is dropped here. [code]
View 6 Replies View RelatedWhat would be the access-list entry to allow protocol 97? I am setting up foreign-anchor controller and need to allow protocol 97.
View 1 Replies View RelatedWe just switched over from a T1 line to 50/4 Mbps cable Internet. The speed was fine with the T1, but when we switched over to cable, the download speeds didn't increase. I'm getting 2-3 Mbps up and still only 1.5 Mbps down. I inherited this network a few years ago, so I didn't configure the Pix initially but I have been managing it and can't find a setting limiting the bandwidth for the liffe of me. I know it's not the Internet because when I connect a computer straight to the modem, the speed is great. As soon as I put it through the Pix though, it slows way down.
View 8 Replies View RelatedI'm trying to use port redirection to allow outside access to a internal web server. As far as I can see, everything is configured properly. The Open Port Checker tool from yougotsingle.com says that the port (80) is open. However when I goto access it the connection times out. The external address is static from my ISP, and I will call it xxx.xxx.xxx.xxx. The server is at 10.1.1.20, and is functioning properly over the LAN.
View 7 Replies View RelatedI have Cisco PIX 515E for my Lab and can't recover the password. It is not connected to the network. I have configured server, address, gateway from the monitor mode and tftp not seeing my laptop. best way to reset or recover password.
View 7 Replies View RelatedI've been struggling to get ASDM (PDM) installed and running on my PIX 515e. The PIX IOS version is 7.2.4(30) The ASDM version I've copied to flash is 524.
I've followed the Cisco documentation verbatim, however I still cannot connect via the Java ASDM client or via http. When I try to connect via http, my PIX shows the following error: "tcp access denied by acl from..." I do not this this is a security (ACL) issue as I've tested after opening everything up and still no luck.
Here's my running config (w/ the relevant statements prepended with ">>>"):
show run
: Saved
:
[Code]....
I have the following Pix 515E Firewall, that has been working good for a few years. But suddenly, the Pix stop booting up. The only thing that is happening is the power and network traffic led flashes and the active led is off. So my question is that is this symptom a hardware or software problem and is it fixable with either new parts; or is my firewall dead. I suspect that it is a hardware problem since the active led doesn't light up. I cann't even enter the ROM Moniter mode.
View 7 Replies View RelatedWhat would be the command to clear the df-bit on a PIX-515e running 6.3? I have tried the following:
conf t crypto ipsec df-bit clear-df inside and it doesn't take it.
I am facing high CPU util on my pix 515 E which is in failover mode.During peak hours the util is see rising to 60% where as in off peak hours it is normally12%.
During normal operation the average utilisation was observed to be 30% but suddenly from 2/3 days it is constantly 60% doule the value as earlier. Have gone through the logs and traffic but not able to tarce anything particular
below is the o/p of some command taken for analysis
IOS version 8.0(4)
sh cpu usage
CPU utilization for 5 seconds = 51%; 1 minute: 61%; 5 minutes: 58%
sh cpu usage
[Code]......
I need to create a DMZ zone in my network. One server need to be put in DMZ. I have a PIX 515E 6.3.3. It has free port to create DMZ.
1) Put a new switch for DMZ zone
2) Connect it to the DMZ port
3) Create a NAT for inside to DMZ with same IP as inside
4) Create ACL for permiting traffic to DMZ and apply it to outside interface
5) Create ACl for permitting traffic from DMZ to inside
6) Routing for DMZ in PIX
Looking at migrating from the following:
PIX-515EPIX Security Appliance Software Version 8.0(4)Device Manager Version 6.1(5)51
to
ASA5515Cisco Adaptive Security Appliance Software Version 8.6(1)Device Manager Version 6.6(1)
Is this migration directly supported, or do I need to downgrade first?
I was wondering if I picked up a used (End of Life) pix-515e, would would I need to do to be able to upgrade it to that latest version of IOS made for that product? Is it still possible to even get access to that version? Will cisco allow downloads for that devices IOS?
View 4 Replies View RelatedI´ve a problem with my "old" PIX515e device. I wanted to flash this device to a new firmware level but forgot to disable the "lost enable" password before. So I started to make the firmware upgrade on my device, ended up with "flashfs" is busy and I should start the enabled modus and "copy flash tftp" to activate the new flash version. Unfortunalty I cannot do this because I´ve lost my password. When I´m trying to boot this device up now, it will end with a error message...
Unable to locate boot image configuration
Booting first image in flash
No bootable image in flash. Please download an image from a network server in the monitor mode
Failed to find an image to boot
As mentioned, when I will load a new flash image over monitor mode, i cannot activate that image because of flashfs is busy.The password reset bin files will not work too. I tried that too but this one will recongnize no active installed flash.Is there any way to reanimate my PIX515e? In newer devices there are possibilites to work with changing config register but I´ve found nothing about that for a PIX515e.
I need to upgrade/ replace a Cisco 515 E firewall with a Cisco ASA. Not sure what model yet! The pix has about 80 lines of ACLs and I side and outside interfaces with No VPNs.. I was wondering of those lines of ACLs can be transferred over to ASA as is or there are things I need to watch for ?
View 21 Replies View RelatedI dint have any experience in Using cisco pix firewall. i got this for home lab practice.the pix can be accessed and configured by web based and CLI mode right. basic configuariton tto configure pix 515e in cli mode.
as of now im using console( hyper terminal) to access the pix. in cli based commands i need the following
1. how to assign ip address to inside ethernet and outside ethernet
2. how to enable telnet and after enabling it , can i connect my pc directly to the pix inside ethernet and do telnetting or if at all possible with (https enabled)web based config. any of these are ohk.
went at browsing to find these all i could find is web based configs. i need cli commands.