Solved

PIX 525 Firewall - Performance problem

Posted on 2004-08-02
869 Views
Last Modified: 2013-11-16
Hi all,

We have a performance issue with our Pix 525. CPU utilization has suddenly shot up to 80-90%, and during peak traffic loads, the pix even crashes. The normal utilization is around 30-40%.
The firewall was originally running IOS version 6.2(2) and upgraded to V6.3(3) and then to 6.3(4) after being advised by Cisco TAC.

A TAC case has been running for the past week, and a resolution is still not available. Could someone give out a few pointers as to where I should start looking?
Question by:fullerms
5 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11691961
Can you provide some rough stats:-

Inbound & outbound bandwidth
Inbound & outbound packet rate
Number of connections through PIX
 
LVL 6

Author Comment

by:fullerms
ID: 11692300
I really wouldn't know how to get this information on a pix. What are the commands I need to use? The nearest to what you have asked for is pasted below.

We have multiple interfaces, and the traffic is as below. The inside and gb-ethernet1 interfaces are Gig fibre ports.

sh traffic
outside:
      received (in 73327.340 secs):
            41911612 packets      4225204014 bytes
            44 pkts/sec      57035 bytes/sec
      transmitted (in 73327.340 secs):
            68288317 packets      2362973543 bytes
            52 pkts/sec      32049 bytes/sec
ethernet1 :
      received (in 73327.360 secs):
            36530732 packets      293637582 bytes
            29 pkts/sec      4004 bytes/sec
      transmitted (in 73327.360 secs):
            22356811 packets      3954096890 bytes
            12 pkts/sec      53045 bytes/sec
inside:
      received (in 73327.380 secs):
            244794016 packets      3132224894 bytes
            3045 pkts/sec      42012 bytes/sec
      transmitted (in 73327.380 secs):
            358067960 packets      3808419625 bytes
            4004 pkts/sec      51000 bytes/sec
gb-ethernet1 :
      received (in 73327.400 secs):
            271831733 packets      1144006870 bytes
            3004 pkts/sec      15015 bytes/sec
      transmitted (in 73327.400 secs):
            197924351 packets      4188015912 bytes
            2054 pkts/sec      57055 bytes/sec
ethernet2:
      received (in 73334.010 secs):
            45880281 packets      2865143858 bytes
            39 pkts/sec      39011 bytes/sec
      transmitted (in 73334.010 secs):
            47919282 packets      3354998369 bytes
            9 pkts/sec      45046 bytes/sec
ethernet3:
      received (in 73334.030 secs):
            36960128 packets      2568975870 bytes
            35 pkts/sec      35031 bytes/sec
      transmitted (in 73334.030 secs):
            42877533 packets      408221391 bytes
            57 pkts/sec      5039 bytes/sec
show conn count
14649 in use, 27259 most used
 
LVL 79

Expert Comment

by:lrmoore
ID: 11692689
Suggest you put a sniffer on the inside to see what is hammering it with 4000 packets per second. Sure sounds like a worm.
You can start by simply blocking icmp echo from hitting the interface with an access-list on the inside interface. Block icmp echo only.
 
LVL 36

Accepted Solution

by: grblades (earned 500 total points)
ID: 11694160
I agree with lrmoore. In addition, on the outside interface you can see the average received packet size (57000/44) is around 1300 bytes, which is what I would expect, as the maximum packet size is 1500 bytes.
On your internal interface the average is more like 15 bytes, which is very low. It appears there is lots of traffic going between the inside and gb-ethernet1 interfaces consisting of very small packets.

You can get a free packet sniffer from http://www.ethereal.com/
You will need to configure port spanning on the switch the PIX connects to so that all traffic to and from that interface is sent to another port which you have the packet sniffer attached to.
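The average-packet-size check in the accepted answer, applied to every interface and direction of the posted `sh traffic` output, as an added example (not code from the thread or from Cisco). It parses the per-second fields only: the cumulative byte counters in the posted output all sit below 2**32 while the rates imply far larger totals, so they have wrapped and cannot be divided safely. The 1000 pps and 64 byte thresholds are assumptions picked for this thread's numbers, and the sample input is an excerpt of the output posted in the question.

```python
import re

# Excerpt of the `sh traffic` output posted in the question (outside, inside
# and gb-ethernet1), used here as the sample input.
SAMPLE_SHOW_TRAFFIC = """\
outside:
      received (in 73327.340 secs):
            41911612 packets      4225204014 bytes
            44 pkts/sec      57035 bytes/sec
      transmitted (in 73327.340 secs):
            68288317 packets      2362973543 bytes
            52 pkts/sec      32049 bytes/sec
inside:
      received (in 73327.380 secs):
            244794016 packets      3132224894 bytes
            3045 pkts/sec      42012 bytes/sec
      transmitted (in 73327.380 secs):
            358067960 packets      3808419625 bytes
            4004 pkts/sec      51000 bytes/sec
gb-ethernet1 :
      received (in 73327.400 secs):
            271831733 packets      1144006870 bytes
            3004 pkts/sec      15015 bytes/sec
      transmitted (in 73327.400 secs):
            197924351 packets      4188015912 bytes
            2054 pkts/sec      57055 bytes/sec
"""

# Interface header: a bare name followed by a colon ("outside:", "gb-ethernet1 :").
IFACE_RE = re.compile(r"^(\S+)\s*:\s*$")
# Direction header: "received (in 73327.340 secs):" / "transmitted (in ... secs):".
DIR_RE = re.compile(r"^\s*(received|transmitted)\s+\(in\s+[\d.]+\s+secs\):")
# Rate line: "44 pkts/sec      57035 bytes/sec".
RATE_RE = re.compile(r"^\s*(\d+)\s+pkts/sec\s+(\d+)\s+bytes/sec")

# An IPv4 header alone is 20 bytes, so no real traffic can average less than this.
MIN_IPV4_PACKET = 20


def parse_show_traffic(text):
    """Parse `show traffic` into {iface: {direction: {"pps": int, "bps": int}}}.

    Only the per-second fields are kept; the cumulative byte counters in the
    posted output have wrapped (all below 2**32) and are not used.
    """
    stats = {}
    iface = direction = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface, direction = m.group(1), None
            stats[iface] = {}
            continue
        m = DIR_RE.match(line)
        if m and iface is not None:
            direction = m.group(1)
            continue
        m = RATE_RE.match(line)
        if m and iface is not None and direction is not None:
            stats[iface][direction] = {"pps": int(m.group(1)), "bps": int(m.group(2))}
            direction = None
    return stats


def average_packet_sizes(stats):
    """Flatten to rows with average bytes/packet, derived as bytes/sec / pkts/sec."""
    rows = []
    for iface, dirs in stats.items():
        for direction, r in dirs.items():
            avg = r["bps"] / r["pps"] if r["pps"] else None
            rows.append({"iface": iface, "dir": direction, "pps": r["pps"],
                         "bps": r["bps"], "avg_bytes": avg})
    return rows


def suspicious_rows(rows, min_pps=1000, max_avg_bytes=64):
    """The heuristic from the accepted answer: a high packet rate made up of tiny
    packets points at a flood (worm scan, SYN/UDP flood) or a routing loop rather
    than bulk transfer, which averages close to the 1500-byte MTU.
    The 1000 pps / 64 byte thresholds are assumptions; tune them to the link."""
    return [r for r in rows
            if r["avg_bytes"] is not None
            and r["pps"] >= min_pps
            and r["avg_bytes"] <= max_avg_bytes]


def impossible_rows(rows):
    """Rows averaging less than an IPv4 header: the counters themselves are not
    trustworthy there, which is one more reason to capture on a SPAN port rather
    than rely on the firewall's own statistics."""
    return [r for r in rows
            if r["avg_bytes"] is not None and r["avg_bytes"] < MIN_IPV4_PACKET]


if __name__ == "__main__":
    rows = average_packet_sizes(parse_show_traffic(SAMPLE_SHOW_TRAFFIC))
    print(f"{'interface':14} {'dir':12} {'pps':>6} {'avg bytes':>10}")
    for r in rows:
        print(f"{r['iface']:14} {r['dir']:12} {r['pps']:6d} {r['avg_bytes']:10.1f}")
    bad = impossible_rows(rows)
    for r in suspicious_rows(rows):
        note = " (below IPv4 header size: counters not trustworthy)" if r in bad else ""
        print(f"SUSPECT: {r['iface']} {r['dir']} avg {r['avg_bytes']:.1f} B at {r['pps']} pps{note}")
```

Run against the posted numbers, the outside interface comes out around 1300 bytes per received packet and is left alone, while both directions of inside and gb-ethernet1 are flagged; three of those four rows average under 20 bytes, which no real packet can, so the firewall's own figures should be treated as a pointer to capture on the inside SPAN port, not as a measurement.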
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11721170
Here's how you get Ethereal to work:

1) Go to http://www.ethereal.com/download.html
2) Under Windows 98/ME/2000/XP/2003 Installers, select a site near you
3) Download WinPcap_3_0.exe and ethereal-setup-0.10.4.exe
4) Install WinPcap_3_0 - double click on the WinPcap_3_0.exe file, just click OK / Yes throughout
5) Install ethereal-setup-0.10.4 - double click on the file, accept all the defaults (OK / Yes throughout)
6) Start the Ethereal application
7) Go to Capture > Start
8) Under Interface, select your Internet facing interface. If you're unsure, then select one, and continue. If it displays results, then you've got the right interface; if your capture is empty, then select another interface and carry on...
9) Under Capture Files, put \capture.cap
10) Click OK
11) Capturing will commence....
12) Capture what you need to
13) Go back to Ethereal, click Stop
14) Analyse the c:\capture.cap file, or send it to me - tim_holman@hotmail.com

We need to see what all these packets are.  The PIX is not very good at withstanding high volumes of small packets.  A 10-20Mb flood of SYN or UDP / connectionless packets will easily keel the PIX over.

I would also check there are no routing loops.
