Pix 501 - Not releasing licenses

 
 
Jimmy
 
      11-03-2003
OK... after you folks have educated me on the basics, I am
finally back with some specific info on my problem of licenses
not getting released after use.

Config: Pix 501, default configuration for security (no specific
nat entries or access-list entries). It's essentially the same as
if you just plugged it in new, set the gateway, and let it rip.

Problem: Licenses are being used and not released. The source of
the problem - too many systems asking to go out vs. number of
licenses is another issue - I am working that. However, the fact
remains that licenses seem to be held almost forever once they
are granted - despite no activity from the licensed internal
IP address (i.e. the machines are shut down overnight, the
license is still in the 501 "show local" in the morning.)

Ideas ? Configuration is shown below. I did make a change to the
timeout setting for closed and half closed, see below. I'm not sure if
that was correct to try and/or advisable (comments?) Note: anything
below with "xxx" was masked by me.

Thanks,


Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname xxx
domain-name xxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list out_acces_in permit icmp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.252
ip address inside 10.34.240.3 255.255.240.0
ip audit info action alarm
ip audit attack action alarm
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 10.35.128.0 255.255.240.0 10.34.240.1 1
timeout xlate 3:00:00
timeout conn 0:05:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet xxx.xxx.xxx.xxx 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksumxxxxxxxxxxxxxxxxxxxxxxx
: end
[OK]

 
Hugo Drax
 
      11-03-2003

"Jimmy" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> OK... after you folks have educated me on the basics, I am
> finally back with some specific info on my problem of licenses
> not getting released after use.
>
> Config: Pix 501, default configuration for security (no specific
> nat entries or access-list entries). It's essentially the same as
> if you just plugged it in new, set the gateway, and let it rip.
>
> Problem: Licenses are being used and not released. The source of
> the problem - too many systems asking to go out vs. number of
> licenses is another issue - I am working that. However, the fact
> remains that licenses seem to be held almost forever once they
> are granted - despite no activity from the licensed internal
> IP address (i.e. the machines are shut down overnight, the
> licensed is still in the 501 "show local" in the morning.)
>
> Ideas ? Configuration is shown below. I did make a change to the
> timeout setting for closed and half closed, see below. I'm not sure if
> that was correct to try and/or advisable (comments?) Note: anything
> below with "xxx" was masked by me.
>
> Thanks,
>
>
> Building configuration...
> : Saved
> :
> PIX Version 6.1(2)


You should go to 6.1.5 (General Deployment); lots of bugfixes and I believe
some license issues were resolved. Go and browse the bug toolkit
http://www.cisco.com/cgi-bin/Support...nch_bugtool.pl

If that does not resolve the problem, I would capture traffic on the PIX with
the capture command and do a pcap dump to a PC running Ethereal and see
what's going on if problems persist after the 6.1.5 upgrade.


 
 
Walter Roberson
 
      11-03-2003
In article <(E-Mail Removed)>,
Jimmy <(E-Mail Removed)> wrote:
:OK... after you folks have educated me on the basics, I am
:finally back with some specific info on my problem of licenses
:not getting released after use.

:PIX Version 6.1(2)

As I informed you 2003-10-18, there was a bug in the early releases
that caused licenses to not be released, and the bug was fixed in
6.1(4).

http://groups.google.ca/groups?selm=...c.umanitoba.ca
--
What is "The Ultimate Meme"? Would it, like Monty Python's
"The World's Funniest Joke", lead to the deaths of everyone who
encountered it? Ideas *have* lead to the destruction of entire cultures.
-- A Child's Garden Of Memes
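
Added example (not part of the original thread and not Cisco tooling): a short Python check that reads a saved PIX configuration like the one posted above, rejoins the wrapped "timeout conn" line, and compares the running release with 6.1(4), the release this post names as carrying the fix. The sample configuration is constructed from the posted one, and all function names are hypothetical.

```python
import re

# Release named in the thread as carrying the license-release fix.
FIXED_IN = (6, 1, 4)

# Constructed sample in the layout of the posted configuration, including
# the "timeout conn" line that was wrapped onto a second line.
SAMPLE_CONFIG = """\
PIX Version 6.1(2)
timeout xlate 3:00:00
timeout conn 0:05:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
"""

def parse_version(text):
    """Return (major, minor, maint) from '6.1(2)' or '6.1.5', else None."""
    m = re.search(r"(\d+)\.(\d+)(?:\((\d+)\)|\.(\d+))", text)
    return (int(m[1]), int(m[2]), int(m[3] or m[4])) if m else None

def unwrap(config):
    """Rejoin wrapped lines; assumes a line starting with a digit is a continuation."""
    lines = []
    for line in config.splitlines():
        if lines and re.match(r"\d", line):
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def parse_timeouts(lines):
    """Map each timer on the 'timeout' lines to its value in seconds."""
    timers = {}
    for line in lines:
        if line.startswith("timeout "):
            for name, h, m, s in re.findall(r"([\w-]+) (\d+):(\d\d):(\d\d)", line):
                timers[name] = int(h) * 3600 + int(m) * 60 + int(s)
    return timers

def review(config):
    """Report the running version, whether it predates FIXED_IN, and the timers."""
    lines = unwrap(config)
    version = next((parse_version(l) for l in lines if l.startswith("PIX Version")), None)
    return {"version": version,
            "needs_upgrade": version is not None and version < FIXED_IN,
            "timeouts": parse_timeouts(lines)}

print(review(SAMPLE_CONFIG))
```

parse_version accepts both the parenthesised form shown in the configuration and the dotted form used elsewhere in the thread, so 6.1.5 compares as newer than 6.1(4).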
 
 
Jimmy
 
      11-03-2003
On 3 Nov 2003 17:58:22 GMT, (E-Mail Removed)-cnrc.gc.ca (Walter
Roberson) wrote:

>As I informed you 2003-10-18, there was a bug in the early releases
>that caused licenses to not be released, and the bug was fixed in
>6.1(4).


Whoops. Thanks Walter. I recalled your post, but I had it fixed in
my mind that the release on this PIX was *after* that fix, not
before it. Apologies for the "doh" post. My only excuse is
that I am overwhelmed by trying to figure out all this. Thanks
for pointing out my mis-step.

The user does have a cisco support agreement so I assume that they
can download the patch. Do you have any pointers on how we go
about setting up a "TFTP server" to load this update ? About all
I know about the TFTP server is that I read that I need one because
we don't have a floppy in this unit. Or, does the PDM software make
it possible to load updates via the local network ?

Many thanks,
 
 
Jo Knight
 
      11-03-2003
> The user does have a cisco support agreement so I assume that they
> can download the patch. Do you have any pointers on how we go
> about setting up a "TFTP server" to load this update ? About all
> I know about the TFTP server is that I read that I need one because
> we don't have a floppy in this unit. Or, does the PDM software make
> it possible to load updates via the local network ?




For a good and free TFTP server check out one from Solarwinds.net

http://support.solarwinds.net/update...stomerFree.cfm


 
 
Jimmy
 
      11-03-2003
On Mon, 3 Nov 2003 18:40:38 -0000, "Jo Knight"
<(E-Mail Removed)> wrote:

>> The user does have a cisco support agreement so I assume that they
>> can download the patch. Do you have any pointers on how we go
>> about setting up a "TFTP server" to load this update ? About all
>> I know about the TFTP server is that I read that I need one because
>> we don't have a floppy in this unit. Or, does the PDM software make
>> it possible to load updates via the local network ?

>
>
>
>For a good and free TFTP server check out one from Solarwinds.net


Thanks for the pointer. I assume that since this is a Windows
tool that I can run it from any system that can do PDM
access to the PIX ?

Thanks,


 