Hello,
Since we've installed a PIX 515 firewall it hangs two or three times
a day. IN and OUT Interfaces stop responding and ping fails from PIX
to any other IPs than its own interfaces.
Each time it's gone we saw from console that 1550 bytes long buffers were exhausted.
Cisco documentation of SHOW BLOCKS command is really funny:
"A zero in CNT column means memory is exhausted now. Exhausted
memory is not a problem as long as traffic is moving through the PIX
Firewall. You can use the show conn commands to see if traffic is
moving. If traffic is not moving and the memory is exhausted, a
problem may be indicated."
Of course traffic does not pass through when PIX is dead, although traffic
counters increase slowly.
During normal operation we have less than 100 connections, but most
of them could have heavy traffic (proxy servers). Typical buffer utilization is:
  SIZE    MAX    LOW    CNT
     4   1600   1597   1599
    80    400    397    400
   256    400    394    398
  1550    932    635    674
 65536      8      7      8
(Just 1/3 of the 1550-byte buffers allocated)
Also main memory does not seem to be an issue:
33554432 bytes total, 25481216 bytes free
PIX soft version is 4.4(1) (2 interfaces, no fail-over nor IPsec).
Did anybody hear of such a problem?
Thanks,
Gustavo Bellotto
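
An added example, not part of the original post and not Cisco code: Python that parses a `show blocks` table like the one above and flags pools that are, or have been, exhausted. It assumes MAX is the pool size, LOW is the fewest free blocks seen since boot and CNT is the number free now; the function names and the 10% headroom threshold are hypothetical.

```python
import re

# Constructed sample: the pool table quoted in the post.
SAMPLE = """\
SIZE MAX LOW CNT
4 1600 1597 1599
80 400 397 400
256 400 394 398
1550 932 635 674
65536 8 7 8
"""

ROW = re.compile(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*")


def parse_blocks(text):
    """Return one dict per pool row; headers and other text are skipped."""
    pools = []
    for line in text.splitlines():
        m = ROW.fullmatch(line)
        if m:
            size, mx, low, cnt = map(int, m.groups())
            pools.append({"size": size, "max": mx, "low": low, "cnt": cnt})
    return pools


def assess(pool, warn_fraction=0.10):
    """Classify a pool. Assumption: LOW is the low-water mark of free blocks."""
    if pool["cnt"] == 0:
        return "EXHAUSTED"        # no free blocks right now
    if pool["low"] == 0:
        return "WAS_EXHAUSTED"    # ran dry at some point since boot
    if pool["low"] < pool["max"] * warn_fraction:
        return "LOW_HEADROOM"     # came close to running dry
    return "OK"


def report(text):
    """Map block size -> (status, peak percent of the pool ever in use)."""
    result = {}
    for p in parse_blocks(text):
        peak_used = p["max"] - p["low"]
        result[p["size"]] = (assess(p), round(100 * peak_used / p["max"]))
    return result


if __name__ == "__main__":
    for size, (status, peak) in report(SAMPLE).items():
        print(f"{size:>6} bytes: {status:<14} peak use {peak}%")
```

Run against output captured at intervals, a LOW value falling towards 0 on the 1550-byte pool shows the pool draining before CNT reaches 0.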