Could you help please?

[dm318]

Hi All,

Hope some of you can help me on this.

Environment:
- PIX 501 with 10-user license (limited budget, that's why)
- about 6-7 users behind PIX with 1 server & 2 network printers
- users connecting to Internet; the server and printer does not

The existing configuration is working fine, however occasionally, some of the users will exhaust the 10-user license and be denied connection to the Internet. Any of you have any idea why? I understand that the 10 user license refers to activity passing through the PIX from 10 IP addresses behind the PIX right? Or am I wrong?

Also, is there any general PIX optimzation guides out there?

Thank you very very much
dm318

 

[yizhar]

HI.

How do workstations get TCP/IP addresses.
Are you using the built in DHCP server of the pix?
(If so, try to use static ip addresses on hosts instead).
What is the pix OS version?

> understand that the 10 user license refers to activity
> passing through the PIX from 10 IP addresses behind the
> PIX right?
Yes, something like that.
When a host passes any traffic via the pix, it is added to the translation table and the license count ticks. Additional sessions from the same ip do not count.
As far as I know there is no time-out or it is a very long one, so if you need to reset the license count you need to either reboot the pix or issue the command "clear xlate".

Here are some things you can do:

Use syslog messages to get more info.

Use the pix command:
show xlate
To see how much and which addresses are "in use".

In pix OS 6.1x, some problems with the pix501 reaching 10 users to early might be solved by upgrading to version 6.2x.
Open a TAC case with Cisco and you might get a free OS upgrade...

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[dm318]

Thanks YiZhar.

* Yes, the clients are getting the IP addresses from the PIX. I'll set up a DHCP server instead and see if that solves the problem.

* My PIX is running 6.1.1 so there might be a possibility the PIX may be running out of license prematurely. I'll go ahead and check with TAC. One question, I do have a 6.2.x ROM, can I upgrade the PIX ROM from 6.1.x to 6.2.x and still use the existing activation key? Still quite new to the PIX...

Thanks YiZhar. You've been really helpful.

 

[ccbootcamp]

It's sounds like you're getting really close to your license count limit. You might just want to spend $500 or so (Im not sure of the exact cost) and upgrade it to the 50 license version. It sounds like it would solve your short term problem and also allow some room for growth. Network Learning Inc

http://www.ccbootcamp.com

http://www.routerie.com

 

[havanajoe]

dm318 -

You should be able to upgrade to 6.2x without needing to change the activation key. I was able to upgrade ours from 5.x to 6.2x without having to.

As for the user count and the translation table (xlate), there is a timeout xlate command to set the amount of time that the PIX will hold the translation.

Hope this helps...

 

[dm318]

havanajoe-

Thanks. About the timeout command... Its already set to a minimal figure to allow the PIX to "recover" the session soon after its terminated so to speak. And yes, I do hope to spend that $500 to upgrade it to a 50-user license soon.

Season's Greetings to you all!