Thank you to all that have replied my post.
A Cisco EuroTAC Engineer has contacted me after the post.
He said that this failure has been seen in some few other sites
(only on PIX 515). They have opened the case CSCdp32325 as it is
supposed to be caused by a bug that freezes NIC adapters logic.
The problem is present also in versions 4.4(2) and 5.0(2).
I hope they are on the right track and it doesn't turn out to
be a hardware issue with our unit!
Regards,
Gustavo Bellotto
Gustavo Bellotto wrote:
>
> Hello,
>
> Since we've installed a PIX 515 firewall it hangs two or three times
> a day. IN and OUT Interfaces stop responding and ping fails from PIX
> to any other IPs than its own interfaces.
>
> Each time it's gone we saw from console that 1550 bytes long buffers were exhausted.
>
> Cisco documentation of SHOW BLOCKS command is really funny:
>
> "A zero in CNT column means memory is exhausted now. Exhausted
> memory is not a problem as long as traffic is moving through the PIX
> Firewall. You can use the show conn commands to see if traffic is
> moving. If traffic is not moving and the memory is exhausted, a
> problem may be indicated."
>
> Of course traffic does no pass through when PIX is dead, although traffic
> counters increase slowly.
>
> During normal operation we have less than 100 connections, but most
> of them could have heavy traffic (proxies servers). Typical buffers utilization is:
>
> SIZE MAX LOW CNT
> 4 1600 1597 1599
> 80 400 397 400
> 256 400 394 398
> 1550 932 635 674
> 65536 8 7 8
>
> (Just 1/3 of 1550 bytes buffers allocated)
>
> Also main memory does not seem to be an issue:
> 33554432 bytes total, 25481216 bytes free
>
> PIX soft version is 4.4(1) (2 interfaces, no fail-over nor IPsec).
>
> Did anybody hear of such a problem?
>
> Thanks,
>
> Gustavo Bellotto
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
