Pix 515R keeps going down

[Zelandakh]

Have read several similar stories on here, but nothing matches for sure...

Config as follows:

PIX Version 6.0(1)104
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname firewall
domain-name domain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 220.1.2.3 Zelandakh
name 219.1.2.4 termsrv
name 219.1.2.5 email
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any source-quench
access-list acl_outside permit icmp any any unreachable
access-list acl_outside permit icmp any any time-exceeded
access-list acl_outside permit tcp host Zelandakh host termsrv eq 3389
access-list acl_outside permit tcp any host email eq www
access-list acl_outside permit tcp any host email eq smtp
pager lines 35
logging console critical
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 219.1.2.3 255.255.255.248
ip address inside 192.168.1.7 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 <proxy server> 255.255.255.255 2000 1000
static (inside,outside) termsrv <terminal server internal> netmask 255.255.255.255 1000 100
static (inside,outside) email <email server internal> netmask 255.255.255.255 1000 100
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 217.37.221.182 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80

(names changed to protect the environment)

My syslog server recently suffered hard drive failure. Could this be the problem as it was working fine until then. In which case how do I get around the problem?

Having moved to access lists from conduits, is there anything else I should do? At the moment I need to allow particular people into terminal server, email in to Exchange server (and

http://www in

to same place for OWA) and allow people to surf out via proxy server.

But twice a day I have to restart the Pix as it either runs at a crawl or goes so you can't even telnet to it.

Why?

 

[Cluebird]

Check your statics:
static (inside,outside) termsrv <terminal server internal> netmask 255.255.255.255 0 0
static (inside, outside) email <email server internal> netmask 255.255.255.255 0 0

Your email and termsrv may be getting hammered and you're running out of connections and half-open connections.

 

[Zelandakh]

terminal server doesn't seem to be getting hammered but email is quite active. How can I help the situation and are there any built in 515R limits to the connections?

 

[Cluebird]

Before you change your statics, a couple of notes. In your configuration, your statics allow 1000 total connections and 100 embryonic connections. If your email is under attack, then the PIX is trying to do TCP intercept and finish the 3-way handshake before forwarding the session to the server. That may be what is bogging the box down. You may want to use zero (unlimited) on the first number and leave 100 or increase to 500 for the second.
The 515E should support up to 130,000 simultaneous connections. The Restricted license prevents you from adding more than three interfaces and also prevents you from doing failover.