High memory usage on PIX 501

 
 
Kris D ---- tehlotus@gmail.com
      11-30-2006
Currently running 6.3(5) with the latest version of pdm on my 501,
however I don't know if I have a comfort level that running 14m constant
memory utilization is making my internet connections run as well as I
think it should. Some apps that I use are slow to respond, slow to
shut down when pipes are made through this pix. What would I do about
figuring out what is using up that much memory as well as, is it
possible to run this 501 without pdm installed? Would that increase
throughput or does that even dictate how connections are established?

An example, using remote desktop to connect to a corporate environment.
Before the pix I could disconnect and it was fast. Now with the pix it
appears like it's slow taking down the pipe established and lags.
Overall takes about 30 seconds for the session to truly end.


Overall question, can I operate without PDM and if so, would that
reduce memory usage? Also, how would you clear that from the flash as
I couldn't find anything except for upgrading to newer versions.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname firewall
domain-name firewall.com
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in permit icmp any any time-exceeded
pager lines 24
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo inside
icmp permit any echo-reply inside
mtu outside 1458
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.0.0.110 /
floodguard enable
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd address 10.0.0.100-10.0.0.150 inside
dhcpd dns X.X.X.X
dhcpd lease 18000
dhcpd ping_timeout 750
dhcpd domain firewall.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end

 
Bod43@hotmail.co.uk
      12-01-2006

Kris D wrote:
> Currently running 6.3(5) with the latest version of pdm on my 501,
> however I don't know if I have a comfort level that running 14m constant
> memory utilization is making my internet connections run as well as I
> think it should. Some apps that I use are slow to respond, slow to
> shut down when pipes are made through this pix. What would I do about
> figuring out what is using up that much memory as well as, is it
> possible to run this 501 without pdm installed? Would that increase
> throughput or does that even dictate how connections are established?
>
> An example, using remote desktop to connect to a corporate environment.
> Before the pix I could disconnect and it was fast. Now with the pix it
> appears like it's slow taking down the pipe established and lags.
> Overall takes about 30 seconds for the session to truly end.
>
>
> Overall question, can I operate without PDM and if so, would that
> reduce memory usage? Also, how would you clear that from the flash as
> I couldn't find anything except for upgrading to newer versions.
>
>
> PIX Version 6.3(5)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname firewall
> domain-name firewall.com
> clock timezone MST -7
> clock summer-time MDT recurring
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list outside_access_in permit icmp any any echo-reply
> access-list outside_access_in permit icmp any any echo
> access-list outside_access_in permit icmp any any traceroute
> access-list outside_access_in permit icmp any any time-exceeded
> pager lines 24
> icmp permit any echo-reply outside
> icmp permit any echo outside
> icmp permit any echo inside
> icmp permit any echo-reply inside
> mtu outside 1458
> mtu inside 1500
> ip address outside dhcp setroute retry 4
> ip address inside 10.0.0.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-group outside_access_in in interface outside
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> aaa authentication ssh console LOCAL
> http 10.0.0.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> tftp-server inside 10.0.0.110 /
> floodguard enable
> telnet 10.0.0.0 255.255.255.0 inside
> telnet timeout 5
> ssh 0.0.0.0 0.0.0.0 outside
> ssh 10.0.0.0 255.255.255.0 inside
> ssh timeout 10
> console timeout 0
> dhcpd address 10.0.0.100-10.0.0.150 inside
> dhcpd dns X.X.X.X
> dhcpd lease 18000
> dhcpd ping_timeout 750
> dhcpd domain firewall.com
> dhcpd auto_config outside
> dhcpd enable inside
> terminal width 80
> : end


I am not that familiar with the Pix, more with routers, but I
would be astonished if memory was an issue.

There is no virtual memory system or anything like that,
if it does not have enough memory it does not work
if it has enough memory it does.
End of story.

As long as there are no memory allocation failures it is OK,
you do not need ANY free memory at all.

You said: "14m constant memory utilization".
IIRC the Pix 501 has 16M of DRAM.

2M of free memory is a LOT.
The critical values in the case of a router
(and I think that the pix is similar) are the "lowest" and "largest".

This is an 837.

sh mem
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   81BA60F4    31406860    15770120    15636740    15431392    15132544
      I/O    3999C00     6710272     1068540     5641732     5514176     5641156

You can see that the lowest EVER free memory is only a little less than
the current free memory and that the largest block is
only a little smaller than the total free. If my pix 501 had
largest and lowest greater than 200k after a week's operation
I would be happy-ish.

The 837 has a LOT more free than your pix but the new 837
code has just tipped it over needing 16M less than it has now.

Look elsewhere for your solution, if indeed there is
anything to solve.
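
Added example (not part of either post, and not Cisco code): a small parser for the IOS `sh mem` summary quoted in the reply above, checking the "Lowest" and "Largest" columns it calls critical. The 200,000-byte floor is an assumption taken from the reply's "200k" rule of thumb, and the function names are hypothetical.

```python
# Added example: constructed input is the 837 "sh mem" summary from the post,
# kept wrapped exactly as it was pasted (Largest(b) spills onto its own line).
SAMPLE = """\
sh mem
Head Total(b) Used(b) Free(b) Lowest(b)
Largest(b)
Processor 81BA60F4 31406860 15770120 15636740 15431392
15132544
I/O 3999C00 6710272 1068540 5641732 5514176
5641156
"""

POOLS = ("Processor", "I/O")
FIELDS = ("total", "used", "free", "lowest", "largest")


def parse_show_memory(text):
    """Return {pool: {field: bytes}}; tolerant of wrapped rows."""
    tokens = text.split()
    pools = {}
    for i, tok in enumerate(tokens):
        values = tokens[i + 2:i + 7]  # skip the pool name and the hex Head address
        if tok in POOLS and len(values) == 5 and all(v.isdigit() for v in values):
            pools[tok] = dict(zip(FIELDS, map(int, values)))
    return pools


def assess(pool, floor=200_000):
    """Flag the two values the post calls critical. floor is an assumption:
    the poster's "200k" rule of thumb read as 200,000 bytes."""
    findings = []
    if pool["lowest"] < floor:
        findings.append("lowest-ever free memory below floor")
    if pool["largest"] < floor:
        findings.append("largest free block below floor")
    return findings


def fragmentation(pool):
    """Share of free memory NOT available as one contiguous block (0.0 to 1.0)."""
    return 1 - pool["largest"] / pool["free"] if pool["free"] else 1.0


if __name__ == "__main__":
    for name, pool in parse_show_memory(SAMPLE).items():
        print(name, assess(pool) or "ok", f"fragmentation={fragmentation(pool):.1%}")
```
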

 