Solved

Pix 501 slow connection

Posted on 2003-10-23
4
1,298 Views
Last Modified: 2013-12-07
I have a pix 501 that makes a tunnel to a pix 520 on my network. Every couple of days the connection times out or has ping times in 1200ms range when I am pinging from my workstation on another subnet on the inside. It gets to the point that all pings timeout but I can still connect to any computer through VNC but it is terribly slow. I have ethereal running on this network and I dont see anything unsual happening. I can however resart the win 2000 domain controller there and everything is fine for a while, especially if I run a continous ping from my workstation to a machine on this subnet. Cisco has looked over my configs and they don't see anything.
this is the event viewer on my domain controller:

Event Type:      Error
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1311
Date:            10/23/2003
Time:            11:45:12 AM
User:            N/A
Computer:      CTY-SCR-DC
Description:
The Directory Service consistency checker has determined that either (a) there is not enough physical connectivity published via the Active Directory Sites and Services Manager to create a spanning tree connecting all the sites containing the Partition CN=Configuration,DC=xxxxxx,DC=com, or (b) replication cannot be performed with one or more critical servers in order for changes to propagate across all sites (most often due to the servers being unreachable).  

For (a), please use the Active Directory Sites and Services Manager to do one of the following:
1. Publish sufficient site connectivity information such that the system can infer a route by which this Partition can reach this site.  This option is preferred.
2. Add an ntdsConnection object to a Domain Controller that contains the Partition CN=Configuration,DC=yorkcountygov,DC=com in this site from a Domain Controller that contains the same Partition in another site.  

For (b), please see previous events logged by the NTDS KCC source that identify the servers that could not be contacted.
Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1265
Date:            10/23/2003
Time:            11:45:13 AM
User:            N/A
Computer:      CTY-SCR-DC
Description:
The attempt to establish a replication link with parameters
 
 Partition: DC=xxxxxxx,DC=com
 Source DSA DN: CN=NTDS Settings,CN=CTY-PBJ-DC,CN=Servers,CN=York-Probate,CN=Sites,CN=Configuration,DC=xxxxxx,DC=com
 Source DSA Address: 9bbb2bd8-8d74-47d1-8c3b-745fbc667799._msdcs.xxxxxx.com
 Inter-site Transport (if any): CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=xxxxxx,DC=com
 
 failed with the following status:
 
 The RPC server is unavailable.
 
 The record data is the status code.  This operation will be retried.
Data:
0000: ba 06 00 00               º...    

Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13508
Date:            10/23/2003
Time:            9:01:58 AM
User:            N/A
Computer:      CTY-SCR-DC
Description:
The File Replication Service is having trouble enabling replication from CTY-PBJ-DC to CTY-SCR-DC for d:\actdir\sysvol\domain using the DNS name CTY-PBJ-DC.xxxxxx.com. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name CTY-PBJ-DC.xxxxxx.com from this computer.
 [2] FRS is not running on CTY-PBJ-DC.xxxxxx.com.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
Data:
0000: ba 06 00 00    

       

This is the pix 501



User Access Verification

Password:
Type help or '?' for a list of available commands.
net-scr-pix> ena
Password: **********
net-scr-pix#
net-scr-pix# show tech

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

net-scr-pix up 13 days 23 hours

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000b.be94.a081, irq 9
1: ethernet1: address is 000b.be94.a082, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                50
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

Serial Number: 806512004 (0x30126584)
Running Activation Key: 0x2ee15ab2 0x2750584f 0x29414935 0x605cc5cb
Configuration last modified by enable_15 at 07:02:07.537 EDT Thu Oct 23 2003








------------------ show clock ------------------

07:02:30.838 EDT Thu Oct 23 2003

------------------ show memory ------------------

Free memory:         4999640 bytes
Used memory:        11777576 bytes
-------------     ----------------
Total memory:       16777216 bytes

------------------ show conn count ------------------

14 in use, 214 most used

------------------ show xlate count ------------------

0 in use, 174 most used

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT
     4    600    598    600
    80    400    398    399
   256    100      0    100
  1550    933    483    675
  2560     10      6      9

------------------ show interface ------------------

interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000b.be94.a081
  IP address xxx.xxx.xxx.xxx, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        21249921 packets input, 3501248633 bytes, 0 no buffer
        Received 12536068 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        12577123 packets output, 1549433900 bytes, 0 underruns
        0 output errors, 27327 collisions, 0 interface resets
        0 babbles, 1 late collisions, 191611 deferred
        9 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/59)
        output queue (curr/max blocks): hardware (0/128) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000b.be94.a082
  IP address 10.xxx.xxx.xxx, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        12799183 packets input, 988268256 bytes, 0 no buffer
        Received 172224 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        9316537 packets output, 2375906872 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/128)
        output queue (curr/max blocks): hardware (1/101) software (0/1)

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 9%; 1 minute: 6%; 5 minutes: 8%

------------------ show process ------------------


    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001eaa09 007c0ccc 00555860         10 007bfd44 3512/4096 arp_timer
Lsi 001effad 007e3e04 00555860         20 007e2e8c 3800/4096 FragDBGC
Lwe 00119abf 00838844 00558fc0          0 008379dc 3688/4096 dbgtrace
Lwe 003e3f55 0083a9d4 0054e188          0 00838a8c 8008/8192 Logger
Hsi 003e806d 0083dacc 00555860         60 0083bb54 7700/8192 tcp_fast
Hsi 003e7f0d 0083fb7c 00555860         70 0083dc04 7636/8192 tcp_slow
Lsi 003006f9 008bf054 00555860          0 008be0cc 3944/4096 xlate clean
Lsi 00300607 008c00f4 00555860          0 008bf17c 3884/4096 uxlate clean
Mwe 002f82d3 008e8cf4 00555860         20 008e6d5c 7864/8192 tcp_intercept_timer
_process
Lsi 0043a545 008f95f4 00555860          0 008f866c 3900/4096 route_process
Hsi 002e80f4 008fa684 00555860         10 008f971c 2748/4096 PIX Garbage Collect
or
Hwe 00217101 008feb74 00555860         70 008fac0c 13436/16384 isakmp_time_keepe
r
Lsi 002e5e74 0090f954 00555860          0 0090e9cc 3944/4096 perfmon
Mwe 0020e719 0091b424 00555860         10 009194ac 5264/8192 IPsec timer handler
Hwe 0039a4db 0092fe5c 00570980         30 0092df14 7000/8192 qos_metric_daemon
Mwe 00261395 0094a994 00555860         50 00946a2c 15260/16384 IP Background
Lwe 002f8f4a 009fd0a4 0056bc98          0 009fc22c 3704/4096 pix/trace
Lwe 002f9182 009fe154 0056c3c8          0 009fd2dc 3704/4096 pix/tconsole
Hwe 0011f217 00a08034 00502bc0          0 00a0456c 14732/16384 ci/console
Csi 002f0fd3 00a09574 00555860         50 00a0861c 3400/4096 update_cpu_usage
Hwe 002dcba1 00a2e104 00534c00          0 00a2a27c 15884/16384 uauth_in
Hwe 003e6b5d 00a30204 007fb6a0          0 00a2e32c 7896/8192 uauth_thread
Hwe 003fce0a 00a31354 0054e788          0 00a303dc 3960/4096 udp_timer
Hsi 001e2636 00a33014 00555860          0 00a3209c 3928/4096 557mcfix
Crd 001e25eb 00a340d4 00555cd8  718629080 00a3314c 3640/4096 557poll
Lsi 001e26a5 00a35174 00555860         10 00a341fc 3688/4096 557timer
Cwe 001e4229 00a4b24c 006cf448    6534590 00a49354 5288/8192 pix/intf0
Mwe 003fcb7a 00a4c35c 00835fd0          0 00a4b424 3896/4096 riprx/0
Msi 003a3999 00a4d46c 00555860          0 00a4c4f4 3888/4096 riptx/0
Cwe 001e4229 00a53604 007449b8   21076990 00a5170c 5588/8192 pix/intf1
Mwe 003fcb7a 00a54714 00835f88          0 00a537dc 3896/4096 riprx/1
Msi 003a3999 00a55824 00555860          0 00a548ac 3888/4096 riptx/1
Hwe 003e6df1 00a813fc 007e6f80          0 00a81154  284/1024 listen/http1
Hwe 003cdce5 00a83c4c 00a840fc      15940 00a81e24 4796/8192 isakmp_receiver
Hwe 003e6df1 00a8444c 007e6ba0          0 00a84204  172/1024 listen/pfm
Hwe 003e6df1 00a84d24 007e7078          0 00a846dc 1196/2048 listen/telnet_1
Hwe 003e6df1 00a8562c 007e6aa8        970 00a84fe4 1032/2048 listen/ssh_0
Hwe 003e6df1 00a85f64 007e6e88          0 00a8591c 1196/2048 listen/ssh_1
Mwe 00370852 00a884ec 00555860        790 00a86574 5332/8192 Crypto CA
Mwe 003e0b11 00aa2db4 00555860          0 00aa0e3c 6440/8192 ssh/timer
H*  003e77c7 0009ff2c 00555848         60 00b269c4 3876/8192 telnet/ci

------------------ show failover ------------------

No license for Failover

------------------ show traffic ------------------

outside:
        received (in 78039.130 secs):
                1664147 packets 234262763 bytes
                21 pkts/sec     3001 bytes/sec
        transmitted (in 78039.130 secs):
                852779 packets  1023206929 bytes
                10 pkts/sec     13001 bytes/sec
inside:
        received (in 78039.130 secs):
                872253 packets  987539367 bytes
                11 pkts/sec     12049 bytes/sec
        transmitted (in 78039.130 secs):
                690379 packets  145858410 bytes
                8 pkts/sec      1043 bytes/sec

------------------ show perfmon ------------------


PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup           55/s          2/s
TCPIntercept         0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s

------------------ show running-config ------------------

: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ygXm0Ja.6E6.iQkt encrypted
passwd N2eEvITSRJ9NzvTF encrypted
hostname net-scr-pix
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.0 xxxxxxx
access-list inside_outbound_nat0_acl permit ip 10.1.107.0 255.255.255.0 xxxxxxxx 255.0.0.0
access-list outside_cryptomap_20 permit ip 10.1.107.0 255.255.255.0 YorkCounty 2
55.0.0.0
pager lines 24
logging console critical
logging monitor errors
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.0
ip address inside 10.xxx.xxx.xxx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location xxxxxx 255.0.0.0 inside
pdm location xxxxx 255.0.0.0 outside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
pdm location 10.xxx.xxx.xxx255.255.255.0 inside
pdm location 10.xxx.xxx.xxx 255.255.255.0 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 0:30:00
timeout conn 0:25:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xxxxxxxx 255.0.0.0 inside
no snmp-server location
snmp-server contact xxxxxxxxxx
snmp-server community private
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-con
fig-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet xxxxxx 255.0.0.0 inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.0 inside
ssh timeout 5
console timeout 0
username admin password PfBxzfncKNEXnCCW encrypted privilege 15
terminal width 80
banner login STAY OUT!!!
Cryptochecksum:6691b3fa09510c1b4ab855d36f44ccbe
: end
net-scr-pix#
0
Comment
Question by:shapiro360
4 Comments
 
LVL 5

Expert Comment

by:vtobusman
ID: 9608179
 That error on a windows box is because their is not enough bandwith for the domain to function properly...

  what tpe of connection are our running between the 2 sites  ??
If its less then a 512kbps you probally should upgrade it .....

 Microsoft AD needs a min of like 384 just function correctly..  you can also try scheduling
replication to accure after hours..this might help...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9609426
The processor on the 501 was just never meant to handle that much traffic load with replication of AD servers across the VPN. As vtobusman suggests, either upgrade your link, or think about getting more horesepower for your PIX, like a 515.
How many users at your location?
General rule of thumb -
Under 10? 501
10-50? 506
Servers/replication between sites? 506, maybe 515

However, if you have a DSL connection, you might consider changing the MTU on your server to something like 1300 vs the default 1500
0
 

Author Comment

by:shapiro360
ID: 9613503
I am using a cable modem with 512kbps and there are 34 users at this site. I have a 50 user license on the pix 501. I am in the process of upgrading all the users to win 2000. There is only 1 server at this location also. I recently upgraded the pdm to the latest version 6.3 and 3.0 IOS. I have another site with 20 users, a domain controller 2 file servers and I never have a problem there. I have had the cable company out to check the signal coming in and there is nothing wrong there.
0
 
LVL 3

Accepted Solution

by:
t1n0m3n earned 500 total points
ID: 9621201
You are getting a lot of defers and collisions on the outside interface.
You might need to replace the cable or reroute it.
Maybe it is running near something that is outputting some EMF at certain times of the day.
0

Featured Post

Free camera licenses with purchase of My Cloud NAS

Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

Join & Write a Comment

Suggested Solutions

What’s a web proxy server? A proxy server is a server that goes between clients and web servers, used in corporate to enforce corporate browsing policy and ensure security. Proxy servers are commonly used in three modes. A)    Forward proxy …
Network ports are the threads that hold network communication together. They are an essential part of networking that can be easily ignore or misunderstood, my goals is to show those who don't have a strong network foundation how network ports opera…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now