
Traffic problems


zephyran (Technical User), Nov 30, 2001, US
We have a PIX Classic running 4.0.6 (we don't have CCO, so we can't upgrade the software) that is the Internet gateway for our NT 4 network of just over 50 PCs.

Previously, we had the PIX serve 48 external global addresses for about 48 internal clients. However, several clients were added, and the PIX started regularly running out of global addresses. Therefore, we switched to using 46 NAT addresses and one PAT address (whose IP is lower than the NAT range). The problem has been mostly fixed, but during high-traffic times, there's always one or two computers that are unable to browse the Internet at all (getting Page Not Found) errors for every page they try to browse to. Resetting the PIX fixes the problem.

It acts like we've run out of NAT and PAT addresses, but that shouldn't be possible, since PAT itself is supposed to be able to supply 64k simultaneous connections. Has anyone seen this kind of issue before, and does anyone know what we can do to rectify it? Thanks!
 
Could it be a license issue? Do a show version and it should tell you how many licenses you have.
 
We have 256 total connections available, and we're nowhere near that.
 
Check your nat statement. It should appear as shown. If the two trailing zeros are not there, it will limit your pat connections.


nat (inside) 1 x.x.x.x 255.0.0.0 0 0

The first number is for max connects. 0 is unlimited.

usage: [no] nat [(<if_name>)] <nat_id> <local_ip> [<mask>
[<max_conns> [<emb_limit> [<norandomseq>]]]
 
I set the NAT statement like you suggested, but it wouldn't show up with the two trailing zeroes when I did a show nat.
 
I really can't understand why you are using a separate IP address for each client! That's a massive waste of IP addresses and I'm surprised that your ISP assigned you that many. All your clients could connect through the PIX on a single IP address by using the outside address on the PIX:

global (outside) 1 interface

Chris.

************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Well, it was set up like that long before I joined the organization, and I will not be allowed to change it to fully PAT until I can show that partial PAT will work.
 
You may have licenses for 256 connections but that does not mean 256 individual connections. It means 256 simultaneous session connections. A session connection is each individual part of a web page that needs to be downloaded. On a "normal" web page there could be upwards of 30 to 40 pieces to the web page. With IE this could translate into 15 or more session connections. This is because IE does not limit the number of sessions that get started, it just reuses connections once one has been freed up. Netscape, at least v 4.75 and before, is limited to 8 connections. This is one reason why IE is faster than Netscape, or seems to be. To check the actual number of licenses you have used on your PIX issue this command:

show conn count

Should come up with a line like this
716 in use 1016 most used

The most used is what you have reached and if it is equal to or more than your 256 number you will need more licenses.

Wes Hegge
 
The result I get from show conn count is:

51 in use, 205 remain, 127 most used
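An added helper, not from any poster in this thread, that parses the two `show conn count` output shapes quoted above (the 4.0.6 form with a "remain" field and the form without one) and reports how close the peak ("most used") has come to the connection license. The sample lines are the ones quoted in the thread, re-typed here as constructed input; the 256-connection license is assumed where the output does not print "remain".

```python
import re

# Constructed sample lines, matching the two outputs quoted in this thread.
SAMPLE_WITH_REMAIN = "51 in use, 205 remain, 127 most used"
SAMPLE_WITHOUT_REMAIN = "716 in use 1016 most used"

# Accepts both "N in use, R remain, M most used" and "N in use M most used".
_CONN_COUNT = re.compile(
    r"(?P<in_use>\d+)\s+in use"
    r"(?:,?\s+(?P<remain>\d+)\s+remain)?"
    r",?\s+(?P<most_used>\d+)\s+most used"
)


def parse_conn_count(line, license_limit=None):
    """Parse one 'show conn count' line into a small utilisation report.

    The license size is derived from in_use + remain when the PIX prints a
    'remain' field; otherwise license_limit (e.g. taken from 'show version',
    assumed to be 256 for the thread's PIX) must be supplied by the caller.
    """
    m = _CONN_COUNT.search(line)
    if not m:
        raise ValueError("unrecognised show conn count output: %r" % line)
    in_use = int(m.group("in_use"))
    most_used = int(m.group("most_used"))
    if m.group("remain") is not None:
        license_cap = in_use + int(m.group("remain"))
    elif license_limit is not None:
        license_cap = license_limit
    else:
        raise ValueError("no 'remain' field in output; pass license_limit")
    return {
        "in_use": in_use,
        "most_used": most_used,
        "license": license_cap,
        # Peak utilisation as a percentage of the licensed connection count.
        "peak_pct": round(100.0 * most_used / license_cap, 1),
        # True when the recorded peak has hit the license ceiling at least once.
        "at_limit": most_used >= license_cap,
    }


if __name__ == "__main__":
    print(parse_conn_count(SAMPLE_WITH_REMAIN))
    print(parse_conn_count(SAMPLE_WITHOUT_REMAIN, license_limit=1024))
```

Run it against the 4.0.6 line and the report shows a 256-connection license with a peak of 127 (about 50%), which is why the license was ruled out as the cause.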
 
I am not sure then. If the problem is still there can you supply your configuration?
 
Here's the configuration. I removed the IP addresses and password, but noted the number of addresses in the global ranges. x is the digits for external addresses, and y is for internal ones.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PIX Version 4.0.6
enable password zzzzzzzzzzzzzzzz encrypted
passwd zzzzzzzzzzzzzzzz encrypted
hostname PIX
no failover
names
syslog output 20.3
no syslog console
interface ethernet outside 10baset
interface ethernet inside 10baset
ip address inside y.y.y.1 255.255.255.0
ip address outside x.x.x.x 255.255.255.192
arp timeout 600
global 1 x.x.x.x-x.x.x.x (46 addresses)
global 1 x.x.x.x-x.x.x.x (1 address, lower than above range)
nat 1 y.y.y.0 255.255.255.0
static x.x.x.x y.y.y.3
static x.x.x.x y.y.y.4
static x.x.x.x y.y.y.49
conduit x.x.x.x 0 tcp 0.0.0.0 0.0.0.0 (first static)
conduit x.x.x.x 0 udp 0.0.0.0 0.0.0.0 (first static)
conduit x.x.x.x 0 tcp 0.0.0.0 0.0.0.0 (second static)
conduit x.x.x.x 0 udp 0.0.0.0 0.0.0.0 (second static)
conduit x.x.x.x 0 tcp 0.0.0.0 0.0.0.0 (third static)
conduit x.x.x.x 0 udp 0.0.0.0 0.0.0.0 (third static)
age 10
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:10:00 conn 0:05:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
no snmp-server location
no snmp-server contact
telnet y.y.y.0 255.255.255.0
mtu outside 1500
mtu inside 1500
: end
 