High memory usage on PIX 501

Discussion in 'Cisco' started by Kris D ---- tehlotus@gmail.com, Nov 30, 2006.

  1. Currently running 6.3(5) with the latest version of pdm on my 501,
    however I don't know if I have a comfort level that running 14m constant
    memory utilization is making my internet connections run as well as I
    think it should. Some apps that I use are slow to respond, slow to
    shut down when pipes are made through this pix. What would I do about
    figuring out what is using up that much memory as well as, is it
    possible to run this 501 without pdm installed? Would that increase
    throughput or does that even dictate how connections are established?

    An example, using remote desktop to connect to a corporate environment.
    Before the pix I could disconnect and it was fast. Now with the pix it
    appears like it's slow taking down the pipe established and lags.
    Overall takes about 30 seconds for the session to truly end.


    Overall question, can I operate without PDM and if so, would that
    reduce memory usage? Also, how would you clear that from the flash as
    I couldn't find anything except for upgrading to newer versions.


    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname firewall
    domain-name firewall.com
    clock timezone MST -7
    clock summer-time MDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in permit icmp any any echo
    access-list outside_access_in permit icmp any any traceroute
    access-list outside_access_in permit icmp any any time-exceeded
    pager lines 24
    icmp permit any echo-reply outside
    icmp permit any echo outside
    icmp permit any echo inside
    icmp permit any echo-reply inside
    mtu outside 1458
    mtu inside 1500
    ip address outside dhcp setroute retry 4
    ip address inside 10.0.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group outside_access_in in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 10.0.0.110 /
    floodguard enable
    telnet 10.0.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 10.0.0.0 255.255.255.0 inside
    ssh timeout 10
    console timeout 0
    dhcpd address 10.0.0.100-10.0.0.150 inside
    dhcpd dns X.X.X.X
    dhcpd lease 18000
    dhcpd ping_timeout 750
    dhcpd domain firewall.com
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    : end
    Kris D ---- , Nov 30, 2006
    #1

  2. Kris D   ----

    Guest


    I am not that familiar with the Pix, more with routers, but I
    would be astonished if memory was an issue.

    There is no virtual memory system or anything like that,
    if it does not have enough memory it does not work
    if it has enough memory it does.
    End of story.

    As long as there are no memory allocation failures it is OK,
    you do not need ANY free memory at all.

    You said: "14m constant memory utilization".
    IIRC the Pix 501 has 16M of DRAM.

    2M of free memory is a LOT.
    The critical values in the case of a router
    (and I think that the pix is similar) are the "lowest" and "largest".

    This is an 837.

    sh mem
               Head      Total(b)  Used(b)   Free(b)   Lowest(b)  Largest(b)
    Processor  81BA60F4  31406860  15770120  15636740  15431392   15132544
    I/O        3999C00   6710272   1068540   5641732   5514176    5641156

    You can see that the lowest EVER free memory is only a little less than
    the current free memory and that the largest block is
    only a little smaller than the total free. If my pix 501 had
    largest and lowest greater than 200k after a week's operation
    I would be happy-ish.

    The 837 has a LOT more free than your pix but the new 837
    code has just tipped it over needing 16M less than it has now.

    Look elsewhere for your solution, if indeed there is
    anything to solve.
    , Dec 1, 2006
    #2
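
The two checks the reply describes (lowest-ever free memory and largest free block, each compared with current free memory), written out as an added example that is not part of the original thread. It parses the 837 `sh mem` summary quoted above, tolerating the wrapped lines; the function names and the 200 KiB floor (the reply's "200k" rule of thumb) are assumptions.

```python
import re

# Constructed sample: the 837 "sh mem" summary from the reply above, with
# the line wrapping the forum introduced left in place.
SAMPLE = """\
sh mem
Head Total(b) Used(b) Free(b) Lowest(b)
Largest(b)
Processor 81BA60F4 31406860 15770120 15636740 15431392
15132544
I/O 3999C00 6710272 1068540 5641732 5514176
5641156
"""

# \s+ also matches newlines, so rows wrapped by a terminal or mailer still parse.
ROW = re.compile(
    r"^\s*(Processor|I/O)\s+([0-9A-Fa-f]+)" + r"\s+(\d+)" * 5, re.MULTILINE)
FIELDS = ("total", "used", "free", "lowest", "largest")


def parse_show_memory(text):
    """Return {pool: {field: bytes}} for each pool summary row found."""
    return {m.group(1): dict(zip(FIELDS, map(int, m.groups()[2:])))
            for m in ROW.finditer(text)}


def pct(part, whole):
    return round(100 * part / whole, 1) if whole else 0.0


def assess(pool, floor=200 * 1024):
    """Apply the reply's checks; floor is an assumed threshold in bytes."""
    return {
        # Used + Free should equal Total if the row was parsed correctly.
        "consistent": pool["used"] + pool["free"] == pool["total"],
        # Low-water mark: how close free memory has ever come to zero.
        "lowest_pct_of_free": pct(pool["lowest"], pool["free"]),
        # Fragmentation: how much of free memory is one contiguous block.
        "largest_pct_of_free": pct(pool["largest"], pool["free"]),
        "ok": pool["lowest"] >= floor and pool["largest"] >= floor,
    }


def report(text, floor=200 * 1024):
    return {name: assess(p, floor) for name, p in parse_show_memory(text).items()}


if __name__ == "__main__":
    for name, result in report(SAMPLE).items():
        print(name, result)
```
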