
after upgrading to 7.2(2)


netwalker1 (Programmer, Feb 5, 2000, 1,241 posts, EG)
I am getting a TCP limitation problem?
A lot of connections are being dropped with the error:
(conn-limit) connection limit reached


How can I get past this problem?

Mohamed Farid
Know Me No Pain, No Me Know Pain!!!
 
solved ...

Solution steps:
1- Remove the crypto map
2- Clear the crypto IPsec SA for the peer
3- Add the crypto map again ...



Mohamed Farid
 
Sorry - the problem still exists ...
My answer was for another problem!

Mohamed Farid
 
Post a show version. It sounds like you have lost the license key during the upgrade and the PIX has reverted to a restricted license.

Andy
 
No ...
This is the output of show version:

---

Cisco PIX Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(3)

Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"

pixfirewall up 1 day 0 hours
failover cluster up 1 day 0 hours

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 000d.bc36.8546, irq 10
1: Ext: Ethernet1 : address is 000d.bc36.8547, irq 11
2: Ext: GigabitEthernet0 : address is 0003.47e4.11b8, irq 10
3: Ext: GigabitEthernet1 : address is 0003.47e4.11eb, irq 5
4: Ext: Ethernet2 : address is 0005.5d18.82e8, irq 11
5: Ext: Ethernet3 : address is 0005.5d18.82e9, irq 10
6: Ext: Ethernet4 : address is 0005.5d18.82ea, irq 9
7: Ext: Ethernet5 : address is 0005.5d18.82eb, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: 807352494
Running Activation Key: 0xc041994b 0x3c643aa6 0x558685c0 0xc5cb43b4
Configuration last modified by msccpix at 12:20:01.821 EEST Wed Mar 26 2008

---

Mohamed Farid
 
Still need to see a scrubbed config. The issue is most likely that the connection limit is too low and needs to be adjusted. The alternative is that you have infected hosts on the network. You may have seen this with the upgrade due to connection limit defaults in 7.x that didn't exist in 6.x.

 
What is the command which can control this?
What do you mean by a scrubbed config?


Mohamed Farid
 
A scrubbed config would mean cleaning up a "sh run" from your PIX.


You probably don't want the world to see any sensitive IP addresses, so you would remove or change them when posting. Also things like usernames, passwords etc... Once you have scrubbed the config you can post it for the community to help troubleshoot your problem. For this issue you could just post a

"sh running-config nat"

The nat command allows you to control the number of TCP or UDP connections that are allowed through a translation. The default for both is 0 if not defined. This would allow for unlimited connections. You would then be limited only by the constraints of the firewall.

Leaving this at unlimited is not good. This allows DoS attacks the freedom of opening as many connections as possible without being throttled. You always want to set some sort of limit based on the number of hosts you have on the network, keeping in mind that some hosts may need to open several connections at a time.

 
Solved ...
I found a limitation in the static command for the server!

Removed it and everything is back to normal ...

Mohamed Farid
 
"tcp 20 30"
20 concurrent connections and 30 half-open connections ...

The command was configured in the previous version - but maybe the new OS managed to activate it!

Mohamed Farid
 
Yeah, that is way too low. I would set it to 500 concurrent and 400 half-open and see how that works out. It really depends on the number of connections the server is using at one time.

 
You are so kind :)
400 half-open for a mail server!
This will allow an attacker to take my mail server down!

Mohamed Farid
 
If 400 half-open connections take your mail server down, you need to upgrade from a 386 to at least a Pentium II.


Really, like I said, it depends on the number of connections the server is using. If you're a web server then you want to be able to support the users that will be using the service. If you have 1000 employees you could very well have 400 half-open connections for email. That's a decision you have to make. As long as you don't leave it at 0 or undefined.
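The static and nat changes discussed in this thread, written out as an added example in PIX 7.x syntax. This is not the original poster's configuration: the interface names (inside/outside), the mail server's real address 192.168.10.25, its public address 203.0.113.25, the inside subnet, the nat ID and the MAIL-LIMIT / mail-conns names are all assumed for illustration. The limits are the ones the thread mentions: the "tcp 20 30" that caused the conn-limit drops, replaced by the 500 concurrent / 400 embryonic values suggested above.

```cisco
! Added example, not the poster's config. All addresses and names below are assumed.
! 192.168.10.25 = internal mail server, 203.0.113.25 = its public (mapped) address.

! --- Weak setting carried over from the 6.x config: 20 concurrent TCP connections,
! --- 30 embryonic (half-open). Connection 21 is dropped with the conn-limit reason.
static (inside,outside) 203.0.113.25 192.168.10.25 netmask 255.255.255.255 tcp 20 30

! --- Corrected: remove the old static and re-add it with limits sized for the host.
! --- "tcp 500 400" = at most 500 established TCP connections to the host and
! --- 400 embryonic connections before the appliance starts intercepting SYNs.
no static (inside,outside) 203.0.113.25 192.168.10.25 netmask 255.255.255.255 tcp 20 30
static (inside,outside) 203.0.113.25 192.168.10.25 netmask 255.255.255.255 tcp 500 400

! --- Existing translations keep the limits they were built with; clear them so the
! --- new values apply to the next connections.
clear xlate local 192.168.10.25

! --- Outbound dynamic NAT for the inside subnet. "tcp 0 0 udp 0" is the default
! --- (0 = unlimited), which is the setting the thread warns against. Replace it with
! --- limits sized for the number of hosts behind it (values below are assumed; check
! --- the 7.2 command reference for whether they count per host or per subnet).
nat (inside) 1 192.168.10.0 255.255.255.0 tcp 0 0 udp 0
no nat (inside) 1 192.168.10.0 255.255.255.0 tcp 0 0 udp 0
nat (inside) 1 192.168.10.0 255.255.255.0 tcp 1000 500 udp 500
global (outside) 1 interface

! --- 7.x alternative: the same limits through Modular Policy Framework, scoped to
! --- SMTP to the mail server instead of to the whole translation.
access-list MAIL-LIMIT extended permit tcp any host 203.0.113.25 eq smtp
class-map mail-conns
 match access-list MAIL-LIMIT
policy-map global_policy
 class mail-conns
  set connection conn-max 500 embryonic-conn-max 400
! global_policy is already applied globally on a default 7.x config; shown for completeness.
service-policy global_policy global

! --- Verify: limits as configured, per-host connection counters, and the drop counter
! --- that the "(conn-limit)" message in the first post corresponds to.
show running-config static
show running-config nat
show local-host 192.168.10.25
show asp drop
```

Two things worth knowing before picking numbers. The embryonic limit on 7.x is not a hard drop: once the half-open count reaches it, the appliance answers new SYNs on the server's behalf and only opens the connection to the server after the client completes the handshake (TCP intercept), which is the SYN-flood protection the limit exists for. And after the change, watch the conn-limit counter in show asp drop for a few days of normal load before raising the values again; if it keeps climbing with the higher limits, the second explanation in the thread (an infected or misbehaving host opening connections) is worth ruling out.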




 
I will give you a star - because you were with me in this problem ...

Mohamed Farid
 