PIX 501 10 User License Problem - No Connection to WAN

Posted on 2006-04-13
Last Modified: 2010-07-27
I have a strange problem with my PIX 501. It's been two weeks with no problems till today. This morning I had only two computers on. One computer had a static IP address and the second computer was dynamic. I noticed that the dynamic computer has an IP address of I'm not sure why it's so high on the octet. The other problem is the static computer has an IP address of and its connection to the internet is intermittent. Today I tried to remote connect to my static computer (I made no changes to the PIX that would have caused a problem; port 3389 is enabled and forwarded to the static computer), and I get an error message that says "connection to computer is lost". In other words, because of my 10 user license agreement, I cannot connect to my computer.

Here are my questions:

1. I don't understand why I only have two computers that are having intermittent connection to the internet due to the license agreement. The fact is only two computers are on and connected, not more than ten.

2. If I connect to my RemoteComputer x 10, but then disconnect the connection x 10, will the PIX still think the ten connections still exist? If so, how can I decrease the lease/hold time? For some strange reason, the PIX still thinks there are ten computers connecting through the PIX, when in fact there are only one or two connections.

500 points for this..
Question by:Intruder_3
    LVL 32

    Accepted Solution

    Do a 'clear xlate' and try. I gotta tell you, I have no idea about the problem upfront though. But let's get started. If not, does rebooting the PIX help?


    Author Comment

    I can do a clear xlate or cl local-host and this will fix the problem.. but the real question is: why, when two computers connect to the internet and RemoteDesktop to my static computer, does my 10 user limit get exceeded? And why is it that my dynamic computer has an octet of, when it should be x.x.x.3 or 4?

    It doesn't make sense.. could it be a hacker? How can I decrease the time interval to refresh the table or session?
    LVL 20

    Assisted Solution

    >Why when two computers connect to the internet....
       Are you sure the PIX has maxed out the 10 inside hosts limit?  When traffic to the Internet stops, run this:
    sh xlate
       ...and check the number of unique IPs in the right-hand column after "Local".  If you see 10 different local IPs, then you're most likely hitting the 10-host limit.
      You have 2 or 3 inside PCs?  What other IP devices do you have on the inside LAN? Any JetDirect print servers? Any SOHO network storage devices like a Snap appliance? Anything at all that has an IP (either static or dynamic) *and* that is set with the PIX as its default gateway?  No joke, I've seen a few clients that ran into the 10-host limit just because of a few print servers or a printer with a built-in NIC - their IPs were showing up in the xlate table - don't know exactly what they were doing, but removing the default gateway on these printers/print servers cleared it up.

    What specific version of PIX are you running? If you do a "sh run", about the first line will be something like:  "PIX Version 6.3(5)".  Some older PIX versions had problems with NAT.

    >How can I decrease the time interval to refresh the table
      timeout xlate 0:10:00   <- sets timeout to 10 min; should be longer than "timeout conn" (correct way, but many people seem to get away with making 'xlate' shorter);  defaults in PIX 6.x are:
      timeout xlate 03:00:00  <- 3 hr
      timeout conn 01:00:00  <- 1 hr
    Anytime you change the "timeout xlate" setting, be sure to run:  clear xlate

    >Why is that my dynamic computer has an octet of
      Is the PIX the DHCP server for the LAN? Check the output of:  
    sh run | incl dhcpd  <- note the "pipe" character (usually "SHIFT-\" on keyboard)
      If you see the 2 lines below in output, then your PIX is the DHCP server, & the "dhcpd address" line tells you what range of IPs it's giving out:
     dhcpd address [low IP]-[high IP] inside
     dhcpd enable inside


    Author Comment

    "Interface inside: 1 active, 2 maximum active, 0 denied" - Why does it show "2 Max Active", when it should be 10 user limit?

    I do not have any printers, SNAPs, or other devices that require an ip address.
    I understand the DHCP range, but why is my laptop not obtaining the next ip address, such as, x.x.x.3? Could it be that there are others obtaining ip addresses by DHCP, such as, Hackers? No Wireless Access points or printers.

    Can I set up mac-address to ip address mapping on the PIX?

    FIREPIX up 19 hours 6 mins

    Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
    Flash , 8MB
    BIOS Flash

    0: ethernet0: address is 0016.c835.f9b2, irq 9
    1: ethernet1: address is 0016.c835.f9b3, irq 10
    Licensed Features:
    Failover:                    Disabled
    VPN-DES:                     Enabled
    VPN-3DES-AES:                Enabled
    Maximum Physical Interfaces: 2
    Maximum Interfaces:          2
    Cut-through Proxy:           Enabled
    Guards:                      Enabled
    URL-filtering:               Enabled
    Inside Hosts:                10
    Throughput:                  Unlimited
    IKE peers:                   10

    This PIX has a Restricted (R) license.

    Serial Number:
    Running Activation Key:
    Configuration last modified by enable_15 at 23:04:52.036 UTC Thu Apr 13 2006
    FIREPIX# sho loca
    Interface inside: 1 active, 2 maximum active, 0 denied
    local host: <>,
        TCP connection count/limit = 1/unlimited
        TCP embryonic count = 0
        TCP intercept watermark = unlimited
        UDP connection count/limit = 0/unlimited
    LVL 9

    Assisted Solution

    I don't remember what the "# maximum active" is for on the show local-host command, but I know it does not correspond to the PIX license. Here is what I suggest you do:

    1) Access the PIX via the CLI and turn on logging at level 7. The commands are as follows:

    If accessing the PIX via console:

    logging console 7
    logging on
    term mon

    If accessing the PIX via telnet:

    logging monitor 7
    logging on
    term mon

    Whatever mode of access you are using, make sure that you save your session, because depending on the traffic currently passing through the PIX, you might have a lot of output on your screen that you won't be able to read.

    2) Perform your test, e.g. browse the internet,  remote desktop etc

    3) Once the internet connection stops, capture the output of the following:

    sh dhcpd binding
    sh xlate
    sh conn
    sh local
    sh arp

    If the PIX is truly running out of license, then you should see the following messages in the logs:

    %PIX-4-407001: Deny traffic for local-host  inside: 192.168.1.x, license limit of number exceeded

    Post the output of the show commands and go through the logs and see if you find anything unusual.
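The two checks proposed in this thread, counting distinct Local IPs in `sh xlate` output and looking for `%PIX-4-407001` license-limit denials in the logs, can be scripted so that the xlate table and the level-7 log capture are read together. The following Python is an added example, not code from the thread or from Cisco; the `show xlate` and syslog samples are constructed (only the 407001 message ID comes from the thread), the addresses are made up, and the `known_hosts` list of expected inside PCs is an assumption the owner would fill in.

```python
import re
from collections import Counter

# Constructed sample of PIX 6.x "show xlate" output (not from the thread):
# two PAT entries for .2, one static NAT for .200 and one entry for a
# host the owner does not recognise.
SAMPLE_XLATE = """\
4 in use, 11 most used
PAT Global 203.0.113.10(1024) Local 192.168.1.2(3389)
PAT Global 203.0.113.10(1025) Local 192.168.1.2(1038)
Global 203.0.113.11 Local 192.168.1.200
PAT Global 203.0.113.10(1026) Local 192.168.1.45(1039)
"""

# Constructed syslog lines. Message ID 407001 is the one quoted in the
# thread; the addresses and the connection-built line are made up.
SAMPLE_SYSLOG = """\
%PIX-6-302013: Built outbound TCP connection 101 for outside:198.51.100.5/80 (198.51.100.5/80) to inside:192.168.1.2/1038 (203.0.113.10/1025)
%PIX-4-407001: Deny traffic for local-host inside:192.168.1.7, license limit of 10 exceeded
%PIX-4-407001: Deny traffic for local-host inside:192.168.1.7, license limit of 10 exceeded
%PIX-4-407001: Deny traffic for local-host inside:192.168.1.9, license limit of 10 exceeded
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
LOCAL_RE = re.compile(r"\bLocal " + IPV4)
USAGE_RE = re.compile(r"^\s*(\d+) in use, (\d+) most used", re.M)
LICENSE_RE = re.compile(
    r"%PIX-4-407001: Deny traffic for local-host \S+?:\s*" + IPV4
    + r", license limit of (\d+) exceeded"
)


def inside_hosts(xlate_text):
    """Map each inside (Local) IP in show xlate output to its entry count.

    The license counts distinct hosts, so len() of the result is the
    number that matters, not the total number of xlate entries.
    """
    return Counter(LOCAL_RE.findall(xlate_text))


def xlate_high_water(xlate_text):
    """Return (in_use, most_used) from the first line of show xlate.

    These count xlate entries, not hosts: one PAT host can own many.
    """
    m = USAGE_RE.search(xlate_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def license_denials(syslog_text):
    """Return ({denied_host: count}, limit) from 407001 log lines."""
    denied = Counter()
    limit = None
    for host, lim in LICENSE_RE.findall(syslog_text):
        denied[host] += 1
        limit = int(lim)
    return dict(denied), limit


def assess(xlate_text, syslog_text, known_hosts, licensed_hosts=10):
    """Combine both checks into one report.

    known_hosts: the inside addresses the owner expects to see (assumed
    input). Anything else that holds an xlate or gets denied is a device
    to trace on the LAN before blaming the license.
    """
    hosts = inside_hosts(xlate_text)
    denied, limit = license_denials(syslog_text)
    if limit is not None:
        licensed_hosts = limit  # the PIX states its own limit in the log
    high_water = xlate_high_water(xlate_text)
    seen = set(hosts) | set(denied)
    return {
        "distinct_inside_hosts": len(hosts),
        "at_limit_now": len(hosts) >= licensed_hosts,
        "most_used_entries": high_water[1] if high_water else None,
        "denied_hosts": sorted(denied),
        "unexpected_hosts": sorted(seen - set(known_hosts)),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_XLATE, SAMPLE_SYSLOG,
                 known_hosts={"192.168.1.2", "192.168.1.200"}))
```

Run it against the real `sh xlate` output and the saved log session; the `unexpected_hosts` list is the set of addresses to chase down with `sh arp` and `sh dhcpd binding`, and a non-empty `denied_hosts` confirms the license limit rather than a NAT bug.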

