PIX 501 10 User License Problem - No Connection to WAN

I have a strange problem with my 501 PIX. It's been two weeks with no problems till today. This morning I had only two computers on. One computer was a static IP address and the second computer was dynamic. I notice that the dynamic computer has an IP address of I'm not sure why it's so high on the octet. The other problem is the static computer has an IP address of and its connection to the internet is intermittent. Today, I tried to remote connect to my static computer (made no changes to the PIX that would have caused a problem; port 3389 is enabled and forwarded to the static computer), and I get an error message that says "connection to computer is lost". In other words, because of my 10 user license agreement, I cannot connect to my computer.

Here are my questions:

1. I don't understand why I only have two computers that are having intermittent connection to the internet due to the license agreement. The fact is only two computers are on and connected, not above ten.

2. If I connect to my RemoteComputer x 10, but then disconnect the connection x 10, will the PIX still think the ten connections still exist? If so, how can I decrease the lease/hold time? For some strange reason, the PIX still thinks there are ten computers connecting through the PIX, when in fact there is only one or two connections.

500 points for this..
Do a 'clear xlate' and try. I gotta tell you, I have no idea about the problem upfront though. But let's get started. If not, does rebooting the PIX help?


Intruder_3 (Author) commented:
I can do a clear xlate or cl local-host and this will fix the problem.. but the real question is why, when two computers connect to the internet and RemoteDesktop to my static computer, does it cause my 10 user limit to be exceeded? And why is it that my dynamic computer has an octet of, when it should be x.x.x.3 or 4?

It doesn't make sense.. could it be a hacker? How can I decrease the time interval to refresh the table or session?
>Why when two computers connect to the internet....
   Are you sure the PIX has maxed out the 10 inside hosts limit?  When traffic to the Internet stops, run this:
sh xlate
   ...and check the number of unique IPs in the right-hand column after "Local".  If you see 10 different local IPs, then you're most likely hitting the 10-host limit.
  You have 2 or 3 inside PCs?  What other IP devices do you have on the inside LAN? Any JetDirect print servers? Any SOHO network storage devices like a Snap appliance? Anything at all that has an IP (either static or dynamic) *and* that is set with the PIX as its default gateway?  No joke, I've seen a few clients that ran into the 10-host-limit just because of a few print servers or a printer with a built-in NIC - their IPs were showing up in the xlate table - don't know exactly what they were doing, but removing the default gateway on these printers/print servers cleared it up.

What specific version of PIX are you running? If you do a "sh run", about the first line will be something like:  "PIX Version 6.3(5)".  Some older PIX versions had problems with NAT.

>How can I decrease the time interval to refresh the table
  timeout xlate 0:10:00   <- sets timeout to 10 min; should be longer than "timeout conn" (correct way, but many people seem to get away with making 'xlate' shorter);  defaults in PIX 6.x are:
  timeout xlate 03:00:00  <- 3 hr
  timeout conn 01:00:00  <- 1 hr
Anytime you change the "timeout xlate" setting, be sure to run:  clear xlate

>Why is that my dynamic computer has an octet of
  Is the PIX the DHCP server for the LAN? Check the output of:  
sh run | incl dhcpd  <- note the "pipe" character (usually "SHIFT-\" on keyboard)
  If you see the 2 lines below in output, then your PIX is the DHCP server, & the "dhcpd address" line tells you what range of IPs it's giving out:
 dhcpd address [low IP]-[high IP] inside
 dhcpd enable inside
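The check described above (count the distinct IPs after "Local" in sh xlate and compare against the Inside Hosts license, then confirm "timeout xlate" is not shorter than "timeout conn") can be scripted so you don't have to eyeball a long table. This is an added example, not code from the original thread; the sample sh xlate and timeout lines are constructed in the shape of PIX 6.x output (an assumption), and the helper names are mine.

```python
import re
from collections import Counter

# Constructed sample of PIX 6.x "show xlate" output (assumption about format:
# "Global <ip> Local <ip>" for NAT entries and
# "PAT Global <ip>(<port>) Local <ip>(<port>)" for PAT entries).
SAMPLE_XLATE = """\
4 in use, 11 most used
PAT Global 203.0.113.10(1024) Local 192.168.1.2(1055)
PAT Global 203.0.113.10(1025) Local 192.168.1.2(1056)
PAT Global 203.0.113.10(1026) Local 192.168.1.143(3389)
Global 203.0.113.11 Local 192.168.1.50
"""

# Constructed sample of the timeout lines as they appear in "show run".
SAMPLE_CONFIG = """\
timeout xlate 0:10:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00
"""

# The inside host is the IPv4 address immediately after the word "Local".
LOCAL_RE = re.compile(r"\bLocal\s+(\d{1,3}(?:\.\d{1,3}){3})")


def inside_hosts(xlate_text):
    """Map each distinct inside (Local) IP to the number of xlate entries it owns."""
    return Counter(LOCAL_RE.findall(xlate_text))


def license_check(xlate_text, limit=10):
    """Compare distinct inside hosts in the xlate table to the Inside Hosts license
    (10 on the restricted PIX 501 shown in the thread)."""
    hosts = inside_hosts(xlate_text)
    return {"hosts": len(hosts), "limit": limit, "at_limit": len(hosts) >= limit}


# Matches "timeout xlate H:MM:SS" and the first value on the "timeout conn" line.
TIMEOUT_RE = re.compile(r"^timeout\s+(xlate|conn)\s+(\d+):(\d{2}):(\d{2})", re.M)


def timeouts(config_text):
    """Parse the xlate and conn timeouts into seconds."""
    out = {}
    for name, h, m, s in TIMEOUT_RE.findall(config_text):
        out[name] = int(h) * 3600 + int(m) * 60 + int(s)
    return out


def xlate_shorter_than_conn(config_text):
    """True when 'timeout xlate' is shorter than 'timeout conn', the ordering the
    answer above flags as incorrect (even if it often works in practice)."""
    t = timeouts(config_text)
    return t.get("xlate", 0) < t.get("conn", 0)


if __name__ == "__main__":
    print(license_check(SAMPLE_XLATE))
    print(inside_hosts(SAMPLE_XLATE))
    print(timeouts(SAMPLE_CONFIG), "xlate shorter than conn:",
          xlate_shorter_than_conn(SAMPLE_CONFIG))
```

Paste the real sh xlate output into SAMPLE_XLATE (or read it from a saved session file) and look at the per-host counts: a host you do not recognise with its own entries is exactly the kind of printer or stray device the answer is talking about.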

Intruder_3 (Author) commented:
"Interface inside: 1 active, 2 maximum active, 0 denied" - Why does it show "2 Max Active", when it should be 10 user limit?

I do not have any printers, SNAPs, or other devices that require an ip address.
I understand the DHCP range, but why is my laptop not obtaining the next IP address, such as x.x.x.3? Could it be that there are others obtaining IP addresses by DHCP, such as hackers? No wireless access points or printers.

Can I set up MAC address to IP address on the PIX?

FIREPIX up 19 hours 6 mins

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash , 8MB
BIOS Flash

0: ethernet0: address is 0016.c835.f9b2, irq 9
1: ethernet1: address is 0016.c835.f9b3, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

Serial Number:
Running Activation Key:
Configuration last modified by enable_15 at 23:04:52.036 UTC Thu Apr 13 2006
FIREPIX# sho loca
Interface inside: 1 active, 2 maximum active, 0 denied
local host: <>,
    TCP connection count/limit = 1/unlimited
    TCP embryonic count = 0
    TCP intercept watermark = unlimited
    UDP connection count/limit = 0/unlimited
I don't remember what the "# maximum active" is for on the show local-host command, but I know it does not correspond to the PIX license. Here is what I suggest you do:

1) Access the PIX via the CLI and turn on logging at level 7. The commands are as follows:

If accessing the PIX via console:

logging console 7
logging on
term mon

If accessing the PIX via telnet:

logging monitor 7
logging on
term mon

Whatever mode of access you are using, make sure that you save your session, because depending on the traffic currently passing through the PIX, you might have a lot of output on your screen that you won't be able to read.

2) Perform your test, e.g. browse the internet, remote desktop, etc.

3) Once the internet connection stops, capture the output of the following:

sh dhcpd binding
sh xlate
sh conn
sh local
sh arp

If the PIX is truly running out of license, then you should see the following messages in the logs:

%PIX-4-407001: Deny traffic for local-host  inside: 192.168.1.x, license limit of number exceeded

Post the output of the show commands and go through the logs and see if you find anything unusual.
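Since the procedure above produces a saved session with a lot of level-7 output, here is an added example (not from the thread) that sifts it: it pulls every %PIX-4-407001 license-limit message out of the log, tallies which inside host was denied, and parses the summary line of sh local-host. The log and sh local-host samples are constructed in the shape of the messages quoted above (an assumption about exact field layout), with made-up addresses; the function names are mine.

```python
import re
from collections import Counter

# Constructed sample syslog capture (assumption: message layout follows the
# "%PIX-4-407001: Deny traffic for local-host <if>:<ip>, license limit of <n> exceeded"
# shape quoted in the answer; the 302013 line is filler noise).
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.7/80 to inside:192.168.1.2/1057
%PIX-4-407001: Deny traffic for local-host inside:192.168.1.143, license limit of 10 exceeded
%PIX-4-407001: Deny traffic for local-host inside:192.168.1.143, license limit of 10 exceeded
%PIX-4-407001: Deny traffic for local-host inside:192.168.1.77, license limit of 10 exceeded
"""

# Constructed sample "show local-host" output; the address is made up because
# the original post's address was not preserved.
SAMPLE_LOCAL_HOST = """\
Interface inside: 1 active, 2 maximum active, 0 denied
local host: <192.168.1.2>,
    TCP connection count/limit = 1/unlimited
    TCP embryonic count = 0
    TCP intercept watermark = unlimited
    UDP connection count/limit = 0/unlimited
"""

LICENSE_DENY_RE = re.compile(
    r"%PIX-4-407001: Deny traffic for local-host\s+(\S+?):(\d{1,3}(?:\.\d{1,3}){3}),"
    r"\s+license limit of (\d+) exceeded"
)
IFACE_SUMMARY_RE = re.compile(
    r"^Interface\s+(\S+?):\s+(\d+) active,\s+(\d+) maximum active,\s+(\d+) denied", re.M
)
LOCAL_HOST_RE = re.compile(r"^local host:\s+<(\d{1,3}(?:\.\d{1,3}){3})>", re.M)


def license_denies(log_text):
    """Return (interface, host, limit) for every 407001 license-limit message."""
    return [(iface, host, int(limit)) for iface, host, limit in LICENSE_DENY_RE.findall(log_text)]


def denied_hosts(log_text):
    """Count how many times each inside host was refused for the license limit."""
    return Counter(host for _, host, _ in license_denies(log_text))


def is_license_exhausted(log_text):
    """True if the capture contains at least one 407001 message."""
    return bool(license_denies(log_text))


def local_host_summary(local_host_text):
    """Parse the interface counters and the list of hosts from sh local-host."""
    m = IFACE_SUMMARY_RE.search(local_host_text)
    if m is None:
        return None
    return {
        "interface": m.group(1),
        "active": int(m.group(2)),
        "maximum_active": int(m.group(3)),
        "denied": int(m.group(4)),
        "hosts": LOCAL_HOST_RE.findall(local_host_text),
    }


if __name__ == "__main__":
    print("license exhausted:", is_license_exhausted(SAMPLE_LOG))
    print("denied hosts:", dict(denied_hosts(SAMPLE_LOG)))
    print("local-host:", local_host_summary(SAMPLE_LOCAL_HOST))
```

If denied_hosts comes back empty while the internet still drops, the 10-host license is not the cause and the answer's other suspects (NAT bugs in older 6.x code, or the xlate/conn timeouts) are the next thing to look at; if it lists an address nobody recognises, that is the host to track down on the LAN.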
