Pix 501 license slots - part II ?

Discussion in 'Cisco' started by Rik Bain, Oct 22, 2003.

  1. Rik Bain

    Rik Bain Guest

    On Thu, 23 Oct 2003 07:30:39 +0600, Jimmy wrote:

    >
    > So, questions:
    >
    > - Is there *any* way to see how many licenses are being used at a given
    > time ?
    >


    show local-host


    > - Is there any way to reset the license table and start fresh to see if
    > that cures the problem ? (the problem does not time out right now).
    >


    clear xlate
    Rik Bain, Oct 22, 2003
    #1
    1. Advertising

  2. Rik Bain

    Jimmy Guest

    Qualifier: I'm a cisco neophyte

    Trying to figure out why a 501 with 10 licenses won't let a
    particular IP address out to the 'net. There _are_ more than 10
    systems in the local network but supposedly only 8 do 'net access.
    But I can't be sure there is no "hidden" application on these machines
    (like perhaps the win2K OS itself) that is trying to get out and
    chewing up a license slot when we are not looking.

    So, questions:

    - Is there *any* way to see how many licenses are being used at a
    given time ?

    - Is there any way to reset the license table and start fresh to see
    if that cures the problem ? (the problem does not time out right now).

    - can someone verify/clarify the license slot issue ? Is the license
    slot used if there's even an _attempt_ to get out ? So, even if I put
    in an access-list, the other systems in the network will chew up a
    slot if some application attempts 'net access ?

    Thanks,
    Jimmy, Oct 23, 2003
    #2
    1. Advertising

  3. In article <>,
    Jimmy <> wrote:
    :Trying to figure out why a 501 with 10 licenses won't let a
    :particular IP address out to the 'net. There _are_ more than 10
    :systems in the local network but supposedly only 8 do 'net access.
    :But I can't be sure there is no "hidden" application on these machines
    :(like perhaps the win2K OS itself) that is trying to get out and
    :chewing up a license slot when we are not looking.

    :So, questions:

    :- Is there *any* way to see how many licenses are being used at a
    :given time ?

    show local-host

    :- Is there any way to reset the license table and start fresh to see
    :if that cures the problem ? (the problem does not time out right now).

    clear local-host


    :- can someone verify/clarify the license slot issue ? Is the license
    :slot used if there's even an _attempt_ to get out ? So, even if I put
    :in an access-list, the other systems in the network will chew up a
    :slot if some application attempts 'net access ?

    Yes, until the xlate times out and the host container times out
    after that. There will be no connection so the 'xlate' timeout will
    apply without without the 'conn' timeout.

    The work-around is to not list the host in any 'static' or 'nat'
    so that no translation can be built; then no host container should get
    built either, I predict.
    --
    Oh, yeah, an African swallow maybe, but not a European swallow.
    That's my point.
    Walter Roberson, Oct 23, 2003
    #3
  4. Rik Bain

    Jimmy Guest

    On 23 Oct 2003 01:56:26 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:


    >
    >show local-host


    >clear local-host


    Thanks. I think someone told me that in the last series of posts I did
    and I lost it among all the wonderful detail you gave me (thanks
    again, at least it got me this far).

    >Yes, until the xlate times out and the host container times out
    >after that. There will be no connection so the 'xlate' timeout will
    >apply without without the 'conn' timeout.
    >
    >The work-around is to not list the host in any 'static' or 'nat'
    >so that no translation can be built; then no host container should get
    >built either, I predict.


    To clarify: are you saying that (you predict :) that I will not use
    up a license slot if I:

    a. build an access list and only list the IP's I want to go out
    or
    b. build a nat restriction that does not translate any addresses
    except for those IP's I want to go out

    c. something else ?

    Thanks,
    Jimmy, Oct 23, 2003
    #4
  5. In article <>,
    Jimmy <> wrote:
    :To clarify: are you saying that (you predict :) that I will not use
    :up a license slot if I:

    : a. build an access list and only list the IP's I want to go out
    :eek:r
    : b. build a nat restriction that does not translate any addresses
    :except for those IP's I want to go out

    : c. something else ?

    b.

    The building of host containers is pretty closely tied to the building
    of translations, so my prediction is that hosts for which translations
    were not possible would not have host containers built. But it is
    possible that the container would get built and torn down again
    about 30 seconds later; it's worth an experiment.
    --
    Most Windows users will run any old attachment you send them, so if
    you want to implicate someone you can just send them a Trojan
    -- Adam Langley
    Walter Roberson, Oct 23, 2003
    #5
  6. Rik Bain

    Jim Kelly Guest

    I ran into this problem also. Seems that a user license on the 501 consists
    of a TCP session or UDP transmission per port and is not one license per PC
    as you might think.

    You can see the number of licenses currently allocated by using the 'sh
    local' command. And 'clear local' will reset the licenses.

    I always use the PIX-506E now with unrestricted licensing. It's faster too.

    -Jim
    "Jimmy" <> wrote in message
    news:...
    > Qualifier: I'm a cisco neophyte
    >
    > Trying to figure out why a 501 with 10 licenses won't let a
    > particular IP address out to the 'net. There _are_ more than 10
    > systems in the local network but supposedly only 8 do 'net access.
    > But I can't be sure there is no "hidden" application on these machines
    > (like perhaps the win2K OS itself) that is trying to get out and
    > chewing up a license slot when we are not looking.
    >
    > So, questions:
    >
    > - Is there *any* way to see how many licenses are being used at a
    > given time ?
    >
    > - Is there any way to reset the license table and start fresh to see
    > if that cures the problem ? (the problem does not time out right now).
    >
    > - can someone verify/clarify the license slot issue ? Is the license
    > slot used if there's even an _attempt_ to get out ? So, even if I put
    > in an access-list, the other systems in the network will chew up a
    > slot if some application attempts 'net access ?
    >
    > Thanks,
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >
    Jim Kelly, Oct 23, 2003
    #6
  7. In article <bn8shc$dq2$>,
    Jim Kelly <> wrote:
    :I ran into this problem also. Seems that a user license on the 501 consists
    :eek:f a TCP session or UDP transmission per port and is not one license per PC
    :as you might think.

    No, that's not the case: it -is- one license per active local address.

    However, a local address can become active if there is a translation
    for it to the outside interface and someone attempts to connect to
    that address; if the access-list prohibits the access, then the
    address is still active until the translation expires. Translations
    are processed before access-lists [at least up to 6.3(1); it
    might have changed in 6.3(3).]

    --
    'ignorandus (Latin): "deserving not to be known"'
    -- Journal of Self-Referentialism
    Walter Roberson, Oct 23, 2003
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Rik Bain

    PIX 501 User license

    Rik Bain, Jul 9, 2003, in forum: Cisco
    Replies:
    3
    Views:
    5,683
    Walter Roberson
    Jul 12, 2003
  2. Jens Haase
    Replies:
    1
    Views:
    935
    Walter Roberson
    Jan 29, 2004
  3. ants

    Pix 501 License Upgrade

    ants, Feb 15, 2005, in forum: Cisco
    Replies:
    1
    Views:
    3,325
    Walter Roberson
    Feb 15, 2005
  4. PIX 501 License Issue

    , Jul 31, 2006, in forum: Cisco
    Replies:
    0
    Views:
    416
  5. =?Utf-8?B?SmVyZW15IFdvbmcg6buD5rOT6YeP?=

    Request for a downgrade from x64 OEM license to 32-bit OEM license

    =?Utf-8?B?SmVyZW15IFdvbmcg6buD5rOT6YeP?=, Aug 23, 2005, in forum: Windows 64bit
    Replies:
    58
    Views:
    2,672
    Cari \(MS-MVP\)
    Sep 23, 2005
Loading...

Share This Page