PIX 515e traffic fails after 10 minutes

[SilverBandit]

Help please?
I've spent the best part of a week trying to discover why our pix 515e-UR-FO bundle stops allowing traffic in or out after approximately 10 minutes uptime.

If I issue the "reload" command, or switch the power off to the Active unit everything starts working again for about 10 minutes. I've changed the two timers that have "10 minutes" as default but to no avail.

I'm testing the traffic by performing a PING from a machine behind the PIX out to a DNS server on the net. It runs happily for about 10 minutes then just starts timing out - at which point there is no traffic allowed in or out of the PIX. However I can still VPN to the pix...

Any suggestions because I'm tearing my hair out here!

Cheers
Gerrard

 

[themut]

Does a clear xlate solve the problem? Issue the following commands:

show conn count
show xlate count

Are these counters too high?

 

[SilverBandit]

nmpix# show conn count
0 in use, 1 most used
nmpix# show xlate count
0 in use, 2 most used

Don't think this is the problem...

 

[LloydSev]

is that the count before or after you stop being able to send and receive?

Connect via console and do the same when the PIX quits sending and receiving.

Computer/Network Technician
CCNA

 

[SilverBandit]

sorry, I should have specified - that is from the console and is the count AFTER I can longer send/receive.

Gerrard

 

[themut]

Post a show version output for this PIX

 

[LloydSev]

Well then I guess the goal should be to try to see the count just prior to it freezing ....

Computer/Network Technician
CCNA

 

[themut]

Also post the output from the show fail command

 

[SilverBandit]

(Primary) show ver
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 19-Mar-03 11:49 by morlee

nmpix up 4 hours 55 mins

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : Crypto5823 (revision 0x1)
0: ethernet0: address is 0011.21c6.617d, irq 10
1: ethernet1: address is 0011.21c6.617e, irq 11
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 80822xxxx (xxxxxxxxxx)
Running Activation Key: xxxxxxxxxx
Configuration last modified by enable_15 at 22:02:05.174 GMT/BST Fri Mar 18 2005

(Secondary) show ver
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 19-Mar-03 11:49 by morlee

nmpix up 4 hours 59 mins

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : Crypto5823 (revision 0x1)
0: ethernet0: address is 0011.21c6.617d, irq 10
1: ethernet1: address is 0011.21c6.617e, irq 11
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has a Failover Only (FO) license.

Serial Number: 80801xxxx (xxxxxxxxxx)
Running Activation Key: xxxxxxxxxxx
Configuration last modified by enable_15 at 21:51:35.500 GMT/BST Fri Mar 18 2005

(Primary) show fail
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 5 seconds
This host: Primary - Active
Active time: 60 (sec)
Interface outside (195.224.69.x): Normal
Interface inside (10.0.0.1): Normal
Other host: Secondary - Standby
Active time: 17675 (sec)
Interface outside (195.224.69.x+1): Normal
Interface inside (10.0.0.11): Normal

Stateful Failover Logical Update Statistics
Link : Unconfigured.

(Secondary) Show fail

(Doing this over an SSH connection so couldn't get this without forcing the two PIX to change roles from Active to Standby)

Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 5 seconds
This host: Secondary - Active
Active time: 17710 (sec)
Interface outside (195.224.69.x): Normal
Interface inside (10.0.0.1): Normal
Other host: Primary - Standby
Active time: 310 (sec)
Interface outside (195.224.69.x+1): Normal
Interface inside (10.0.0.11): Normal

Stateful Failover Logical Update Statistics
Link : Unconfigured.

 

[themut]

If you turn off primary unit (and leavit turned off) or disconnect it from the network then the behaviour you are describing is normal. Unit:

This PIX has a Failover Only (FO) license.
Serial Number: 80801xxxx (xxxxxxxxxx)


is working basically as a stand alone PIX and the license will not permit such use. This FO bundle will work fine only if it sees the primary unit at all times, if you disconnect the primary from the network or turned it off then it will restart after a fixe amount of time. That is the reason why the failover unit is cheaper compared to the restricted licensed PIX.

 

[SilverBandit]

The 10-minute timeout occurs regardless of which unit is currently active. I've never tried using the FO PIX as a standalone unit for precisely the reason you mention (though I seem to recall reading the reboot period is every 24 hours.)

 

[SilverBandit]

Hi,
Still having the same problem with no success in resolving yet.

I have count figures from just before the units stop passing traffic...
nmpix# sh conn count
9 in use, 13 most used
nmpix# sh xlate count
7 in use, 18 most used

Are these figures too high?

 

[LloydSev]

not at all...

I run a 506e.. and this is what mine results in..

vpn# sho conn count
48 in use, 351 most used
vpn# sho xlate count
10 in use, 26 most used

Computer/Network Technician
CCNA