shapiro360
asked on
Pix 501 slow connection
I have a pix 501 that makes a tunnel to a pix 520 on my network. Every couple of days the connection times out or has ping times in the 1200ms range when I am pinging from my workstation on another subnet on the inside. It gets to the point that all pings time out, but I can still connect to any computer through VNC, though it is terribly slow. I have ethereal running on this network and I don't see anything unusual happening. I can however restart the win 2000 domain controller there and everything is fine for a while, especially if I run a continuous ping from my workstation to a machine on this subnet. Cisco has looked over my configs and they don't see anything.
This is the event viewer on my domain controller:
Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1311
Date: 10/23/2003
Time: 11:45:12 AM
User: N/A
Computer: CTY-SCR-DC
Description:
The Directory Service consistency checker has determined that either (a) there is not enough physical connectivity published via the Active Directory Sites and Services Manager to create a spanning tree connecting all the sites containing the Partition CN=Configuration,DC=xxxxxx ,DC=com, or (b) replication cannot be performed with one or more critical servers in order for changes to propagate across all sites (most often due to the servers being unreachable).
For (a), please use the Active Directory Sites and Services Manager to do one of the following:
1. Publish sufficient site connectivity information such that the system can infer a route by which this Partition can reach this site. This option is preferred.
2. Add an ntdsConnection object to a Domain Controller that contains the Partition CN=Configuration,DC=yorkcountygov,DC=com in this site from a Domain Controller that contains the same Partition in another site.
For (b), please see previous events logged by the NTDS KCC source that identify the servers that could not be contacted.
Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1265
Date: 10/23/2003
Time: 11:45:13 AM
User: N/A
Computer: CTY-SCR-DC
Description:
The attempt to establish a replication link with parameters
Partition: DC=xxxxxxx,DC=com
Source DSA DN: CN=NTDS Settings,CN=CTY-PBJ-DC,CN=Servers,CN=York-Probate,CN=Sites,CN=Configuration,DC=xxxxxx,DC=com
Source DSA Address: 9bbb2bd8-8d74-47d1-8c3b-745fbc667799._msdcs.xxxxxx.com
Inter-site Transport (if any): CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=xxxxxx,DC=com
failed with the following status:
The RPC server is unavailable.
The record data is the status code. This operation will be retried.
Data:
0000: ba 06 00 00 º...
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date: 10/23/2003
Time: 9:01:58 AM
User: N/A
Computer: CTY-SCR-DC
Description:
The File Replication Service is having trouble enabling replication from CTY-PBJ-DC to CTY-SCR-DC for d:\actdir\sysvol\domain using the DNS name CTY-PBJ-DC.xxxxxx.com. FRS will keep retrying.
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name CTY-PBJ-DC.xxxxxx.com from this computer.
[2] FRS is not running on CTY-PBJ-DC.xxxxxx.com.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
Data:
0000: ba 06 00 00
This is the pix 501
User Access Verification
Password:
Type help or '?' for a list of available commands.
net-scr-pix> ena
Password: **********
net-scr-pix#
net-scr-pix# show tech
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 13-Aug-03 13:55 by morlee
net-scr-pix up 13 days 23 hours
Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
0: ethernet0: address is 000b.be94.a081, irq 9
1: ethernet1: address is 000b.be94.a082, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 50
Throughput: Unlimited
IKE peers: 10
This PIX has a Restricted (R) license.
Serial Number: 806512004 (0x30126584)
Running Activation Key: 0x2ee15ab2 0x2750584f 0x29414935 0x605cc5cb
Configuration last modified by enable_15 at 07:02:07.537 EDT Thu Oct 23 2003
------------------ show clock ------------------
07:02:30.838 EDT Thu Oct 23 2003
------------------ show memory ------------------
Free memory: 4999640 bytes
Used memory: 11777576 bytes
------------- ----------------
Total memory: 16777216 bytes
------------------ show conn count ------------------
14 in use, 214 most used
------------------ show xlate count ------------------
0 in use, 174 most used
------------------ show blocks ------------------
SIZE MAX LOW CNT
4 600 598 600
80 400 398 399
256 100 0 100
1550 933 483 675
2560 10 6 9
------------------ show interface ------------------
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a081
IP address xxx.xxx.xxx.xxx, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
21249921 packets input, 3501248633 bytes, 0 no buffer
Received 12536068 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
12577123 packets output, 1549433900 bytes, 0 underruns
0 output errors, 27327 collisions, 0 interface resets
0 babbles, 1 late collisions, 191611 deferred
9 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/59)
output queue (curr/max blocks): hardware (0/128) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a082
IP address 10.xxx.xxx.xxx, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
12799183 packets input, 988268256 bytes, 0 no buffer
Received 172224 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
9316537 packets output, 2375906872 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/128)
output queue (curr/max blocks): hardware (1/101) software (0/1)
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 9%; 1 minute: 6%; 5 minutes: 8%
------------------ show process ------------------
PC SP STATE Runtime SBASE Stack Process
Hsi 001eaa09 007c0ccc 00555860 10 007bfd44 3512/4096 arp_timer
Lsi 001effad 007e3e04 00555860 20 007e2e8c 3800/4096 FragDBGC
Lwe 00119abf 00838844 00558fc0 0 008379dc 3688/4096 dbgtrace
Lwe 003e3f55 0083a9d4 0054e188 0 00838a8c 8008/8192 Logger
Hsi 003e806d 0083dacc 00555860 60 0083bb54 7700/8192 tcp_fast
Hsi 003e7f0d 0083fb7c 00555860 70 0083dc04 7636/8192 tcp_slow
Lsi 003006f9 008bf054 00555860 0 008be0cc 3944/4096 xlate clean
Lsi 00300607 008c00f4 00555860 0 008bf17c 3884/4096 uxlate clean
Mwe 002f82d3 008e8cf4 00555860 20 008e6d5c 7864/8192 tcp_intercept_timer_process
Lsi 0043a545 008f95f4 00555860 0 008f866c 3900/4096 route_process
Hsi 002e80f4 008fa684 00555860 10 008f971c 2748/4096 PIX Garbage Collector
Hwe 00217101 008feb74 00555860 70 008fac0c 13436/16384 isakmp_time_keeper
Lsi 002e5e74 0090f954 00555860 0 0090e9cc 3944/4096 perfmon
Mwe 0020e719 0091b424 00555860 10 009194ac 5264/8192 IPsec timer handler
Hwe 0039a4db 0092fe5c 00570980 30 0092df14 7000/8192 qos_metric_daemon
Mwe 00261395 0094a994 00555860 50 00946a2c 15260/16384 IP Background
Lwe 002f8f4a 009fd0a4 0056bc98 0 009fc22c 3704/4096 pix/trace
Lwe 002f9182 009fe154 0056c3c8 0 009fd2dc 3704/4096 pix/tconsole
Hwe 0011f217 00a08034 00502bc0 0 00a0456c 14732/16384 ci/console
Csi 002f0fd3 00a09574 00555860 50 00a0861c 3400/4096 update_cpu_usage
Hwe 002dcba1 00a2e104 00534c00 0 00a2a27c 15884/16384 uauth_in
Hwe 003e6b5d 00a30204 007fb6a0 0 00a2e32c 7896/8192 uauth_thread
Hwe 003fce0a 00a31354 0054e788 0 00a303dc 3960/4096 udp_timer
Hsi 001e2636 00a33014 00555860 0 00a3209c 3928/4096 557mcfix
Crd 001e25eb 00a340d4 00555cd8 718629080 00a3314c 3640/4096 557poll
Lsi 001e26a5 00a35174 00555860 10 00a341fc 3688/4096 557timer
Cwe 001e4229 00a4b24c 006cf448 6534590 00a49354 5288/8192 pix/intf0
Mwe 003fcb7a 00a4c35c 00835fd0 0 00a4b424 3896/4096 riprx/0
Msi 003a3999 00a4d46c 00555860 0 00a4c4f4 3888/4096 riptx/0
Cwe 001e4229 00a53604 007449b8 21076990 00a5170c 5588/8192 pix/intf1
Mwe 003fcb7a 00a54714 00835f88 0 00a537dc 3896/4096 riprx/1
Msi 003a3999 00a55824 00555860 0 00a548ac 3888/4096 riptx/1
Hwe 003e6df1 00a813fc 007e6f80 0 00a81154 284/1024 listen/http1
Hwe 003cdce5 00a83c4c 00a840fc 15940 00a81e24 4796/8192 isakmp_receiver
Hwe 003e6df1 00a8444c 007e6ba0 0 00a84204 172/1024 listen/pfm
Hwe 003e6df1 00a84d24 007e7078 0 00a846dc 1196/2048 listen/telnet_1
Hwe 003e6df1 00a8562c 007e6aa8 970 00a84fe4 1032/2048 listen/ssh_0
Hwe 003e6df1 00a85f64 007e6e88 0 00a8591c 1196/2048 listen/ssh_1
Mwe 00370852 00a884ec 00555860 790 00a86574 5332/8192 Crypto CA
Mwe 003e0b11 00aa2db4 00555860 0 00aa0e3c 6440/8192 ssh/timer
H* 003e77c7 0009ff2c 00555848 60 00b269c4 3876/8192 telnet/ci
------------------ show failover ------------------
No license for Failover
------------------ show traffic ------------------
outside:
received (in 78039.130 secs):
1664147 packets 234262763 bytes
21 pkts/sec 3001 bytes/sec
transmitted (in 78039.130 secs):
852779 packets 1023206929 bytes
10 pkts/sec 13001 bytes/sec
inside:
received (in 78039.130 secs):
872253 packets 987539367 bytes
11 pkts/sec 12049 bytes/sec
transmitted (in 78039.130 secs):
690379 packets 145858410 bytes
8 pkts/sec 1043 bytes/sec
------------------ show perfmon ------------------
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 55/s 2/s
TCPIntercept 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
------------------ show running-config ------------------
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ygXm0Ja.6E6.iQkt encrypted
passwd N2eEvITSRJ9NzvTF encrypted
hostname net-scr-pix
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.0 xxxxxxx
access-list inside_outbound_nat0_acl permit ip 10.1.107.0 255.255.255.0 xxxxxxxx 255.0.0.0
access-list outside_cryptomap_20 permit ip 10.1.107.0 255.255.255.0 YorkCounty 255.0.0.0
pager lines 24
logging console critical
logging monitor errors
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.0
ip address inside 10.xxx.xxx.xxx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location xxxxxx 255.0.0.0 inside
pdm location xxxxx 255.0.0.0 outside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
pdm location 10.xxx.xxx.xxx 255.255.255.0 inside
pdm location 10.xxx.xxx.xxx 255.255.255.0 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 0:30:00
timeout conn 0:25:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xxxxxxxx 255.0.0.0 inside
no snmp-server location
snmp-server contact xxxxxxxxxx
snmp-server community private
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet xxxxxx 255.0.0.0 inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.0 inside
ssh timeout 5
console timeout 0
username admin password PfBxzfncKNEXnCCW encrypted privilege 15
terminal width 80
banner login STAY OUT!!!
Cryptochecksum:6691b3fa09510c1b4ab855d36f44ccbe
: end
net-scr-pix#
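As an added check on the interface counters in the posted show tech (this is editor-supplied example code, not anything from the question or from Cisco): the script below parses PIX 6.x "show interface" output, seeded here with the counter lines copied from the two interface blocks in the post, and flags the link-health signals a network engineer would read off them. The outside port negotiated 10 Mbit half duplex and shows late collisions, a 1.5% deferred-transmission rate and lost-carrier events, while the inside port is clean. The percentage threshold and the function names are assumptions.

```python
"""Parse Cisco PIX 6.x "show interface" output and flag link-health signals.
Added example, not from the original post or from Cisco. SAMPLE is copied from
the PIX 501 show tech in the question; thresholds and names are assumptions."""
import re

SAMPLE = """\
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a081
IP address xxx.xxx.xxx.xxx, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
21249921 packets input, 3501248633 bytes, 0 no buffer
Received 12536068 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
12577123 packets output, 1549433900 bytes, 0 underruns
0 output errors, 27327 collisions, 0 interface resets
0 babbles, 1 late collisions, 191611 deferred
9 lost carrier, 0 no carrier
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a082
IP address 10.xxx.xxx.xxx, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
12799183 packets input, 988268256 bytes, 0 no buffer
Received 172224 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
9316537 packets output, 2375906872 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
"""

HEADER = re.compile(r'^interface (\S+) "([^"]+)" is (\w+), line protocol is (\w+)')
LINK = re.compile(r"MTU (\d+) bytes, BW (\d+) Kbit (half|full) duplex")
COUNTERS = {  # counter name -> regex capturing its value in the block body
    "packets_output": r"(\d+) packets output", "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collisions", "deferred": r"(\d+) deferred",
    "lost_carrier": r"(\d+) lost carrier", "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
}


def parse_show_interface(text):
    """Return {interface_name: dict} with duplex, MTU and error counters."""
    raw, name = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # start of a new interface block
            name = m.group(2)
            raw[name] = {"hw": m.group(1), "status": m.group(3),
                         "protocol": m.group(4), "lines": []}
        elif name is not None:
            raw[name]["lines"].append(line)
    for name, info in raw.items():
        body = "\n".join(info.pop("lines"))
        lm = LINK.search(body)
        if lm is None:
            raise ValueError(f"no MTU/duplex line for interface {name}")
        info.update(mtu=int(lm.group(1)), bw_kbit=int(lm.group(2)), duplex=lm.group(3))
        for key, pattern in COUNTERS.items():
            cm = re.search(pattern, body)
            info[key] = int(cm.group(1)) if cm else 0
    return raw


def link_findings(iface, pct_threshold=1.0):
    """Human-readable warnings for one parsed interface (empty list = clean)."""
    out = []
    if iface["duplex"] == "half":
        out.append("half duplex: check the speed/duplex setting on the far-end port")
    if iface["late_collisions"]:
        out.append(f"{iface['late_collisions']} late collisions: typical duplex-mismatch symptom")
    sent = iface["packets_output"]
    if sent:
        for key in ("deferred", "collisions"):  # rates relative to frames sent
            pct = 100.0 * iface[key] / sent
            if pct >= pct_threshold:
                out.append(f"{pct:.2f}% of output frames {key} (media contention)")
    if iface["lost_carrier"]:
        out.append(f"{iface['lost_carrier']} lost-carrier events (link flaps)")
    if iface["input_errors"] or iface["crc"]:
        out.append("input/CRC errors present (cabling or far-end port)")
    return out


if __name__ == "__main__":
    for name, iface in parse_show_interface(SAMPLE).items():
        print(f"{name}: {iface['bw_kbit'] // 1000} Mbit {iface['duplex']} duplex")
        for finding in link_findings(iface) or ["no link-layer issues flagged"]:
            print("   -", finding)
```

The counters alone do not prove they cause the periodic 1200 ms ping times, but a half-duplex outside port with late collisions is cheap to rule out: pin speed and duplex on both the PIX (interface ethernet0 is set to auto in the config) and the cable modem or switch port, then watch whether the deferred and collision counters keep climbing.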
The processor on the 501 was just never meant to handle that much traffic load with replication of AD servers across the VPN. As vtobusman suggests, either upgrade your link, or think about getting more horsepower for your PIX, like a 515.
How many users at your location?
General rule of thumb -
Under 10? 501
10-50? 506
Servers/replication between sites? 506, maybe 515
However, if you have a DSL connection, you might consider changing the MTU on your server to something like 1300 vs the default 1500
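To put the MTU suggestion in numbers, here is an added example (not the commenter's or Cisco's code) that works out, for the esp-des esp-sha-hmac transform set shown in the posted config, how large an inner packet can be before tunnel-mode ESP pushes the outer packet past the link MTU, and the TCP MSS that follows from it. The ESP field sizes come from the RFCs named in the docstring; the function names and the 1492-byte PPPoE figure used for the DSL case are assumptions.

```python
"""Tunnel-mode ESP overhead for the transform set in the posted PIX config.

Added example, not from the thread or from Cisco. Field sizes follow RFC 2406
(ESP: 4-byte SPI, 4-byte sequence number, 1-byte pad length, 1-byte next
header, IV the size of one cipher block) and RFC 2404/2403 (HMAC-SHA-1-96 and
HMAC-MD5-96 both carry a 12-byte ICV). Transform names mirror the PIX 6.3
"crypto ipsec transform-set" syntax.
"""

OUTER_IP_HDR = 20   # outer IPv4 header added in tunnel mode (no IP options)
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)

# transform set -> (cipher block size == IV size, ICV length), bytes
TRANSFORMS = {
    "esp-des esp-sha-hmac": (8, 12),   # the set in the posted config
    "esp-3des esp-sha-hmac": (8, 12),
    "esp-des esp-md5-hmac": (8, 12),
    "esp-aes esp-sha-hmac": (16, 12),  # AES-CBC: 16-byte IV and blocks
}


def esp_tunnel_size(inner_len, transform="esp-des esp-sha-hmac"):
    """On-the-wire size of a tunnel-mode ESP packet carrying inner_len bytes."""
    block, icv = TRANSFORMS[transform]
    body = inner_len + ESP_TRAILER
    pad = (-body) % block  # pad so payload + trailer is a whole number of blocks
    return OUTER_IP_HDR + ESP_HDR + block + body + pad + icv


def max_inner_packet(outer_mtu=1500, transform="esp-des esp-sha-hmac"):
    """Largest inner IP packet whose encapsulation still fits in outer_mtu."""
    inner = outer_mtu
    while esp_tunnel_size(inner, transform) > outer_mtu:
        inner -= 1
    return inner


def tcp_mss_for(outer_mtu=1500, transform="esp-des esp-sha-hmac"):
    """TCP MSS that keeps a full segment in one ESP packet (20 IP + 20 TCP)."""
    return max_inner_packet(outer_mtu, transform) - 40


def fits(inner_mtu, outer_mtu=1500, transform="esp-des esp-sha-hmac"):
    """True when a host MTU of inner_mtu never forces the PIX to fragment."""
    return esp_tunnel_size(inner_mtu, transform) <= outer_mtu


if __name__ == "__main__":
    # 1500 = cable/Ethernet outer MTU; 1492 = assumed PPPoE DSL outer MTU
    for outer in (1500, 1492):
        for name in TRANSFORMS:
            print(f"outer MTU {outer} {name:22s} max inner {max_inner_packet(outer, name)}"
                  f"  TCP MSS {tcp_mss_for(outer, name)}")
    print("host MTU 1300 fits in 1500:", fits(1300), "->", esp_tunnel_size(1300), "bytes")
```

With a 1500-byte outer MTU the DES/SHA limit works out to 1446 bytes (TCP MSS 1406), so the suggested 1300 sits comfortably inside it; the same arithmetic with a 1492-byte PPPoE MTU gives 1438. A host-side confirmation on Windows is `ping -f -l <size>` against a machine across the tunnel, which stops getting replies once size plus 28 bytes of IP/ICMP header exceeds the path MTU.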
ASKER
I am using a cable modem with 512kbps and there are 34 users at this site. I have a 50 user license on the pix 501. I am in the process of upgrading all the users to win 2000. There is only 1 server at this location also. I recently upgraded the pdm to the latest version 6.3 and 3.0 IOS. I have another site with 20 users, a domain controller 2 file servers and I never have a problem there. I have had the cable company out to check the signal coming in and there is nothing wrong there.
ASKER CERTIFIED SOLUTION
What type of connection are you running between the 2 sites??
If it's less than a 512kbps you probably should upgrade it .....
Microsoft AD needs a min of like 384 just to function correctly.. you can also try scheduling
replication to occur after hours..this might help...