Licencing

Status
Not open for further replies.

mikesjn

MIS
Nov 1, 2002
1
GB
Running: NG FP2 on Solaris 8 (64 Bit) (Enforcement Module)
Have management module/Client on Windows 2000 server

The enforcement module has a 25 user licence - I did not spec it. I have 4 Nics in the Solaris
Nic1 to Management Lan (Set as an internal network)
Nic2 to Servers in a specific security Zone (Set as an internal network)
Nic3 to Pix Firewall (Set as an internal network)
Nic4 to a developers network (Set as an External network)

My question is, currently most traffic will come from the Developers network (60 Workstations) and travel to this firewall, the route out of NICs 1 and 2 to either a pix and another network or to servers directly connected to the Firewall. Management traffic is local.

All runs fine, then the fw stops. A ps -ef at the Solaris prompt shows the same processes running, but I can do an fwstart; the firewall may or may not pass traffic. If not, I can cpstop and use ndd to re-enable ip_forwarding and all the packets will route. If I reboot, the firewall is fine for a short while. Could licencing cause this? Does anyone know of a good explanation of licencing and how the interfaces influence this (Internal/external)? I would really appreciate a good explanation.
Thanks
Mike
 
You have 60 workstations in the developers network alone, plus all the devices in the other networks, yet you have only a 25 user node limited licence. Oh dear!

Every time the firewall sees traffic from the network it counts that IP address and keeps a total count of the number of IP addresses that it sees. Once you have exceeded the number of IP addresses that you are licenced for then the firewall will log all extra IP addresses. The result of this is that when you have exceeded your licence by as much as you have then the firewall consumes itself with logging and so performance suffers.

We had exactly this situation a couple of months ago with a customer firewall that had exceeded a 250 user licence. The NT event viewer was always full of warnings about extra IP addresses and so performance took a dive. We also have another firewall with a 25 user licence which the customer is not willing to upgrade at this point and that runs like a dog because they are way over the limit of the licence.

Remember that a node limited licence counts everything with an IP address. If your coffee machine had an IP address then it would be counted by the firewall! You are way over your limit and need to get the correct licence.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 