
PIX 520 HTTPS Connection Limit?


trmg

IS-IT--Management
Sep 23, 2007
185
US
Hey All,

I work for a school district and we subscribe to a few web based services that are externally hosted. A couple of the more heavily used services use HTTPS. Last night (Friday) was the end of the 2nd trimester, so a lot of people were logging on to these services. Near the end of the day, a user reported that she could not log into the service. I have two computers on my desk (a laptop and a desktop). I was able to log in and use the service from one of my computers, but not the other. Once the site transitioned to an HTTPS connection, the browser reported that it could not connect to the website. I also discovered that on the computer that was not able to access the service, I was also unable to access ANY HTTPS site! However, I was still able to access any non secure HTTP site.

Also, all computers could access internal HTTPS sites.

The problem was sporadic and didn't affect everybody, and since it was only with external sites, my only thought was that maybe we somehow maxed out something on the PIX. So, I rebooted the PIX and all was better.

Soo, my question is...does the PIX 520 have a limit on secure connections? Or could the problem have been something else?

Many Thanks!

 
No, the PIX 520 doesn't have a limit on HTTPS connections. However, it does have a limit on the number of simultaneous connections. I can't recall the limit, as the end of sale for the 520 was 8 years ago.
 
Yeah, I know it's old...lol

According to the wiki entry on the PIX series firewalls, the 520 has a simultaneous connection limit of 256,000. Hmm, I can't imagine we reached that but I guess it's possible.

The wiki entry also says that the PIX 520 supports either 128, 1000, or unlimited simultaneous hosts. There is a footnote explaining it, but I didn't quite understand it. Is this dependent on the OS version it's running? How would I find out how many simultaneous clients our PIX can support?

(Wiki entry:
 
Well, I feel stupid! "Inside Hosts: Unlimited"

-----

Cisco PIX Firewall Version 6.1(4)

Compiled on Tue 21-May-02 08:40 by morlee

OUR-PIX up 1 day 17 hours

Hardware: SE440BX2, 128 MB RAM, CPU Pentium II 350 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 00e0.b601.fbb5, irq 11
1: ethernet1: address is 00e0.b601.fbb4, irq 10
2: ethernet2: address is 00e0.b601.fbb3, irq 15
3: ethernet3: address is 00e0.b601.fbb2, irq 9
4: ethernet4: address is 00d0.b7af.dab3, irq 10

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
ISAKMP peers: Unlimited

Serial Number: 18043049 (0x11350a9)
Activation Key: 0xa2671d65 0x5c3c8dec 0xfdbec3a7 0xbeece679

-----

So, I guess it's entirely possible we reached the 256,000 simultaneous connection limit. I assume a host can establish multiple connections by simply visiting multiple web sites and/or connecting to multiple resources via the Internet (thus passing through the PIX)...especially when a website provides content via multiple servers (like ad hosts, media hosts, and whatnot).

Can the PIX be configured to "time out" idle connections faster?
 
Another question (maybe related) I have for you guys...

We've defined a MASSIVE pool of IP addresses to be used for NAT. I always thought this was VERY excessive and unnecessary (we're talking like 3 class C networks, here). We are a district of 4 schools, roughly 1000 or so computers. I used to work for a school district and they only used one IP address for dynamically NATted clients over 14 schools!

Of course, we've got static entries for all of our servers that need specific port mappings and whatnot.

Would we be better off specifying one IP as our global outside address rather than the huge pool that is defined now?
 
Would we be better off specifying one IP as our global outside address rather than the huge pool that is defined now?
Honestly, it's entirely up to you. I would assume that you were not the original administrator that set this up, so perhaps the original admin had a specific reason for it.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yeah, this was how things were set up before me. The original administrator was worried about running out of ports. I don't think we have to worry about that...I mean, right now, all port 80 traffic flows through our Squid box for content filtering and that utilizes a single external IP address.

I want to configure/reconfigure the ol' PIX so that it's most efficient.

Would it be better/more efficient to have the PIX do PAT over 1 or few IP's rather than having the PIX do NAT using a pool of IP's (which is 3.5 class C's right now)?
 
You have a few public class C's? I haven't found any difference in performance between NAT and PAT. You usually PAT merely to conserve IP addresses. However, from the sounds of it, you don't suffer that problem.
 
We have 4 class C subnets! They were donated to us (along with our Internet connection). They're MUCH more than we need, but we have them at our disposal. We only defined the pool so large because the IPs would not get used otherwise.

Would restricting the NAT pool size make the PIX manage resources more strictly? I'm trying to think of ways to keep what happened on Friday from happening again!
 
^ I forgot to add...

Since our PIX can only handle 256,000 simultaneous connections at one time, and since there are only about 65,535 ports per IP address, the dynamic pool need not be any larger than 2-3 IP addresses (taking into account static mappings and all)?

Tell me if I'm not making sense. lol
 
If you are using a NAT pool, it's possible you ran out of addresses. Although I wouldn't think it would allow HTTP and not HTTPS if that was happening.

The problem with pre-defined NAT pools is that once you run out of addresses, nobody can use them until the current holders are done with them.

How many hosts are we talking about using concurrent connections through the firewall?
 
Well, given that all HTTP traffic goes through this Squid box and all other traffic is NATed at the firewall, it is possible he ran out of IPs. I overlooked the fact that he may not have PAT configured to prevent such an occurrence.
 
Hmm. Well, we have roughly 400 staff members and 2,500 students. Our district has roughly 1400 computers.

I'm relatively new in the PIX world. How would I enable PAT?

Right now, we have our pools defined as so...

global (outside) 1 149.20.84.129-149.20.84.254 netmask 255.255.255.0
global (outside) 1 149.20.85.1-149.20.85.254 netmask 255.255.255.0
global (outside) 1 149.20.86.1-149.20.86.254 netmask 255.255.255.0
global (outside) 1 149.20.87.1-149.20.87.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
 
I did a quick Google search, and is it as simple as this?

global (outside) 1 172.16.1.62 netmask 255.255.255.192

Specifying a single IP address (in addition to our pools) when defining an outside address to use?
 
Remove

global (outside) 1 149.20.87.1-149.20.87.254 netmask 255.255.255.0


Add

global (outside) 1 149.20.87.1-149.20.87.253 netmask 255.255.255.0

global (outside) 1 149.20.87.254


That is over 750 addresses and I would have to suspect most traffic is http and thus you wouldn't have run out of addresses.

 
As we speak, "show xlate" reports that 743 IP's are in use!
 
Sounds like we may need to change our PIX configuration to what brianinms recommends.

Thanks everyone for all the help!
 
What would be a recommended setting for xlate timeout? Currently, we have it set to 3 hours. I think this may be part of the problem as well.
 
I believe the default is 1 hour and it sounds like you were just running out of IP addresses. Additionally you can issue the "clear xlate" command to flush out all xlates without having to reboot.
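The thread's diagnosis (a dynamic NAT pool that hands one outside address per inside host, held for the full xlate timeout, so new hosts are refused once the pool is empty) and brianinms's fix (a single-address global entry that the PIX falls back to with PAT once the pool is exhausted) can be shown with a small model of the translation table. This is an added illustration, not Cisco's code or anything from the thread; the addresses (192.0.2.0/24 and 10.0.0.0/8), host counts, connection timing and the port-allocation order are constructed.

```python
"""Toy model of a PIX-style xlate table (added example, not Cisco's
implementation).  Shows why a dynamic NAT pool runs dry under a long
idle timeout, and how a single-IP PAT entry or a shorter timeout or
'clear xlate' keeps new inside hosts connecting."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class XlateTable:
    pool: list                      # dynamic NAT pool: one outside IP per inside host
    pat_addr: Optional[str] = None  # single-IP global entry used only when the pool is empty
    timeout: int = 3 * 3600         # xlate idle timeout in seconds (the thread's 3 h)
    nat: dict = field(default_factory=dict)  # inside_ip -> [outside_ip, last_used]
    pat: dict = field(default_factory=dict)  # (inside_ip, port) -> [outside_port, last_used]
    refused: int = 0                # connections dropped because no translation was free
    next_port: int = 1024           # constructed: hand out PAT ports sequentially

    def expire(self, now: int) -> None:
        """Drop translations idle for at least `timeout` seconds."""
        for key, (_, last) in list(self.nat.items()):
            if now - last >= self.timeout:
                del self.nat[key]
        for key, (_, last) in list(self.pat.items()):
            if now - last >= self.timeout:
                del self.pat[key]

    def connect(self, inside_ip: str, inside_port: int, now: int) -> Optional[str]:
        """Return the outside address (or addr:port for PAT) used, or None if refused."""
        self.expire(now)
        if inside_ip in self.nat:                # existing host: reuse and refresh its xlate
            self.nat[inside_ip][1] = now
            return self.nat[inside_ip][0]
        in_use = {ip for ip, _ in self.nat.values()}
        for ip in self.pool:                     # pool first, as the PIX does
            if ip not in in_use:
                self.nat[inside_ip] = [ip, now]
                return ip
        if self.pat_addr and self.next_port <= 65535:   # overflow to PAT if configured
            port = self.next_port
            self.next_port += 1
            self.pat[(inside_ip, inside_port)] = [port, now]
            return f"{self.pat_addr}:{port}"
        self.refused += 1
        return None

    def clear_xlate(self) -> None:
        """Equivalent of 'clear xlate': flush every translation."""
        self.nat.clear()
        self.pat.clear()


def run_scenario(pool_size: int, pat_addr: Optional[str], timeout: int, hosts: int = 8):
    """Constructed traffic: `hosts` inside hosts, each opening one HTTPS
    connection 60 s apart.  Returns (connections admitted, connections refused)."""
    table = XlateTable(pool=[f"192.0.2.{i}" for i in range(1, pool_size + 1)],
                       pat_addr=pat_addr, timeout=timeout)
    admitted = 0
    for h in range(1, hosts + 1):
        if table.connect(f"10.0.0.{h}", 40000 + h, now=60 * h) is not None:
            admitted += 1
    return admitted, table.refused


if __name__ == "__main__":
    print("pool of 5, no PAT, 3 h timeout :", run_scenario(5, None, 3 * 3600))
    print("pool of 5 + PAT, 3 h timeout   :", run_scenario(5, "192.0.2.254", 3 * 3600))
    print("pool of 5, no PAT, 120 s timeout:", run_scenario(5, None, 120))
```

With a five-address pool and the thread's three-hour timeout, the first five hosts each take an address and the remaining three are refused even though the firewall is nowhere near its connection limit; adding the single-IP global entry admits the overflow hosts on one address with distinct ports, and a short idle timeout frees pool addresses quickly enough that the same eight hosts all get through without PAT.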
 