PIX 525 Firewall - Performance problem

Posted on 2004-08-02
Last Modified: 2013-11-16
Hi all,

We have a performance issue with our Pix 525. CPU utilization has suddenly shot up to 80-90%, and during peak traffic loads, the pix even crashes. The normal utilization is around 30-40%.
The firewall was originally running IOS version 6.2(2) and upgraded to V6.3(3) and then to 6.3(4) after being advised by Cisco TAC.

A TAC case has been running for the past one week, and a resolution is still not available. Could someone give out a few pointers as to where I should start looking?
Question by: fullerms
LVL 36

Expert Comment

ID: 11691961
Can you provide some rough stats:-

Inbound & outbound bandwidth
Inbound & outbound packet rate
Number of connections through PIX

Author Comment

ID: 11692300
I really wouldn't know how to get this information on a pix. What are the commands I need to use? The nearest to what you have asked for is pasted below.

We have multiple interfaces, and the traffic is as below. Inside and interface gb-ethernet1 are Gig fibre ports.

sh traffic
      received (in 73327.340 secs):
            41911612 packets      4225204014 bytes
            44 pkts/sec      57035 bytes/sec
      transmitted (in 73327.340 secs):
            68288317 packets      2362973543 bytes
            52 pkts/sec      32049 bytes/sec
ethernet1 :
      received (in 73327.360 secs):
            36530732 packets      293637582 bytes
            29 pkts/sec      4004 bytes/sec
      transmitted (in 73327.360 secs):
            22356811 packets      3954096890 bytes
            12 pkts/sec      53045 bytes/sec
      received (in 73327.380 secs):
            244794016 packets      3132224894 bytes
            3045 pkts/sec      42012 bytes/sec
      transmitted (in 73327.380 secs):
            358067960 packets      3808419625 bytes
            4004 pkts/sec      51000 bytes/sec
gb-ethernet1 :
      received (in 73327.400 secs):
            271831733 packets      1144006870 bytes            
            3004 pkts/sec      15015 bytes/sec
      transmitted (in 73327.400 secs):
            197924351 packets      4188015912 bytes
            2054 pkts/sec      57055 bytes/sec
      received (in 73334.010 secs):
            45880281 packets      2865143858 bytes
            39 pkts/sec      39011 bytes/sec
      transmitted (in 73334.010 secs):
            47919282 packets      3354998369 bytes
            9 pkts/sec      45046 bytes/sec
      received (in 73334.030 secs):
            36960128 packets      2568975870 bytes
            35 pkts/sec      35031 bytes/sec
      transmitted (in 73334.030 secs):
            42877533 packets      408221391 bytes
            57 pkts/sec      5039 bytes/sec

show conn count
14649 in use, 27259 most used
LVL 79

Expert Comment

ID: 11692689
Suggest you put a sniffer on the inside to see what is hammering it with 4000 packets per second. Sure sounds like a worm.
You can start by simply blocking icmp echo from hitting the interface with an access-list on the inside interface. Block icmp echo only.
LVL 36

Accepted Solution

grblades earned 500 total points
ID: 11694160
I agree with lrmoore. In addition, on the outside interface you can see the average received packet size (57000/44) is around 1300 bytes which is what I would expect as the maximum packet size is 1500 bytes.
On your internal interface the average is more like 15 bytes which is very low. It appears there is lots of traffic going between the inside and gb-ethernet1 interfaces consisting of very small packets.

You can get a free packet sniffer from
You will need to configure port spanning on the switch the PIX connects to so that all traffic to and from that interface is sent to another port which you have the packet sniffer attached to.
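The average-packet-size check that grblades does by hand above, as an added example that is not part of the thread: a small parser for the PIX `show traffic` figures that computes bytes per packet for every interface and direction and flags the ones carrying a high rate of tiny packets. The sample is constructed in the layout of the paste above; the interface names are assumed (the paste lost some of its labels), the rate figures are the ones posted, and blocks that appear before any interface name are skipped rather than guessed.

```python
import re
# Constructed sample in the layout of the PIX 6.x "show traffic" output quoted
# in the thread. Interface names are assumed; the rate figures are those posted.
SAMPLE = """\
outside :
      received (in 73327.340 secs):
            41911612 packets      4225204014 bytes
            44 pkts/sec      57035 bytes/sec
      transmitted (in 73327.340 secs):
            68288317 packets      2362973543 bytes
            52 pkts/sec      32049 bytes/sec
inside :
      received (in 73327.380 secs):
            244794016 packets      3132224894 bytes
            3045 pkts/sec      42012 bytes/sec
      transmitted (in 73327.380 secs):
            358067960 packets      3808419625 bytes
            4004 pkts/sec      51000 bytes/sec
"""

IFACE_RE = re.compile(r"^(\S+)\s*:\s*$")                     # "inside :"
DIR_RE = re.compile(r"^\s+(received|transmitted) \(in [\d.]+ secs\):")
RATE_RE = re.compile(r"^\s+(\d+) pkts/sec\s+(\d+) bytes/sec")

def parse_show_traffic(text):
    """Return {interface: {direction: (pkts_per_sec, bytes_per_sec)}}."""
    stats, iface, direction = {}, None, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            iface, direction = m.group(1), None
            stats[iface] = {}
        elif (m := DIR_RE.match(line)) and iface:
            direction = m.group(1)
        elif (m := RATE_RE.match(line)) and iface and direction:
            stats[iface][direction] = (int(m.group(1)), int(m.group(2)))
    return stats

def avg_packet_size(pps, bps):
    """Average bytes per packet; 0 for an idle interface."""
    return bps / pps if pps else 0.0

def flag_small_packet_floods(stats, max_avg_bytes=100, min_pps=1000):
    """Interfaces carrying a high rate of tiny packets (worm scan, SYN/UDP flood, routing loop)."""
    flagged = []
    for iface, dirs in stats.items():
        for direction, (pps, bps) in dirs.items():
            if pps >= min_pps and avg_packet_size(pps, bps) <= max_avg_bytes:
                flagged.append((iface, direction, round(avg_packet_size(pps, bps), 1)))
    return flagged
```

With the posted figures the outside interface averages about 1300 bytes per packet and is left alone, while both directions on the inside interface average under 15 bytes at several thousand packets per second and are reported.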
LVL 23

Expert Comment

by: Tim Holman
ID: 11721170
Here's how you get Ethereal to work:

1)  Go to
2)  Under Windows 98/ME/2000/XP/2003 Installers, select a site near you
3)  Download WinPcap_3_0.exe and ethereal-setup-0.10.4.exe
4)  Install WinPcap_3_0 - double click on the WinPcap_3_0.exe file, just
click OK / Yes throughout
5)  Install ethereal-setup-0.10.4 - double click on the file, accept all the
defaults (OK / Yes throughout)
6)  Start the Ethereal application
7)  Go to Capture > Start
8)  Under Interface, select your Internet facing interface.  If you're
unsure, then select one, and continue.  If it displays results, then you've
got the right interface, if your capture is empty, then select another
interface and carry on...
9)  Under Capture Files, put \capture.cap
10)  Click OK
11)  Capturing will commence....
12)  Capture what you need to
13) Go back to Ethereal, click Stop
14)  Analyse the c:\capture.cap file, or send it to me -

We need to see what all these packets are.  The PIX is not very good at withstanding high volumes of small packets.  A 10-20Mb flood of SYN or UDP / connectionless packets will easily keel the PIX over.

I would also check there are no routing loops.
