PIX 501 - Not releasing licenses

Discussion in 'Cisco' started by Jimmy, Nov 3, 2003.

  1. Jimmy

    Jimmy Guest

    OK... after you folks have educated me on the basics, I am
    finally back with some specific info on my problem of licenses
    not getting released after use.

    Config: Pix 501, default configuration for security (no specific
    nat entries or access-list entries). It's essentially the same as
    if you just plugged it in new, set the gateway, and let it rip.

    Problem: Licenses are being used and not released. The source of
    the problem - too many systems asking to go out vs. number of
    licenses is another issue - I am working that. However, the fact
    remains that licenses seem to be held almost forever once they
    are granted - despite no activity from the licensed internal
    IP address (i.e. the machines are shut down overnight, the
    license is still in the 501 "show local" in the morning.)

    Ideas ? Configuration is shown below. I did make a change to the
    timeout setting for closed and half closed, see below. I'm not sure if
    that was correct to try and/or advisable (comments?) Note: anything
    below with "xxx" was masked by me.

    Thanks,


    Building configuration...
    : Saved
    :
    PIX Version 6.1(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxx encrypted
    passwd xxx encrypted
    hostname xxx
    domain-name xxxxxx.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list out_acces_in permit icmp any any
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.xxx 255.255.255.252
    ip address inside 10.34.240.3 255.255.240.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    route inside 10.35.128.0 255.255.240.0 10.34.240.1 1
    timeout xlate 3:00:00
    timeout conn 0:05:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http xxx.xxx.xxx.xxx 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet xxx.xxx.xxx.xxx 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxx
    : end
    [OK]
    Jimmy, Nov 3, 2003
    #1

  2. Jimmy

    Hugo Drax Guest

    Hugo Drax, Nov 3, 2003
    #2

  3. Jimmy

    Hugo Drax Guest

    "Jimmy" <> wrote in message
    news:...
    > OK... after you folks have educated me on the basics, I am
    > finally back with some specific info on my problem of licenses
    > not getting released after use.
    >
    > Config: Pix 501, default configuration for security (no specific
    > nat entries or access-list entries). It's essentially the same as
    > if you just plugged it in new, set the gateway, and let it rip.
    >
    > Problem: Licenses are being used and not released. The source of
    > the problem - too many systems asking to go out vs. number of
    > licenses is another issue - I am working that. However, the fact
    > remains that licenses seem to be held almost forever once they
    > are granted - despite no activity from the licensed internal
    > IP address (i.e. the machines are shut down overnight, the
    > license is still in the 501 "show local" in the morning.)
    >
    > Ideas ? Configuration is shown below. I did make a change to the
    > timeout setting for closed and half closed, see below. I'm not sure if
    > that was correct to try and/or advisable (comments?) Note: anything
    > below with "xxx" was masked by me.
    >
    > Thanks,
    >
    >
    > Building configuration...
    > : Saved
    > :
    > PIX Version 6.1(2)


    You should go to 6.1.5 (General Deployment); it has lots of bugfixes, and I believe
    some license issues were resolved. Go and browse the bug toolkit:
    http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

    If that does not resolve the problem, I would capture traffic on the PIX with
    the capture command and do a pcap dump to a PC running Ethereal and see
    what's going on if problems persist after the 6.1.5 upgrade.
    Hugo Drax, Nov 3, 2003
    #3
  4. In article <>,
    Jimmy <> wrote:
    :OK... after you folks have educated me on the basics, I am
    :finally back with some specific info on my problem of licenses
    :not getting released after use.

    :PIX Version 6.1(2)

    As I informed you 2003-10-18, there was a bug in the early releases
    that caused licenses to not be released, and the bug was fixed in
    6.1(4).

    http://groups.google.ca/groups?selm=bmsi5b$p3l$
    --
    What is "The Ultimate Meme"? Would it, like Monty Python's
    "The World's Funniest Joke", lead to the deaths of everyone who
    encountered it? Ideas *have* led to the destruction of entire cultures.
    -- A Child's Garden Of Memes
    Walter Roberson, Nov 3, 2003
    #4
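
An added example, not part of the original thread: a check of whether a saved configuration's `PIX Version` line predates the 6.1(4) release named in the post above. It accepts both notations used in this thread, `6.1(2)` and `6.1.5`; the sample text is constructed from the opening lines of the posted config, and the optional build suffix is an assumption.

```python
import re

# Release the post above names as containing the fix for the license-release bug.
FIXED_IN = (6, 1, 4)

# Accepts both notations used in this thread, "6.1(2)" and "6.1.5".
# The optional digits after the parenthesis (an interim build number) are an
# assumption about other version strings, not something shown in the thread.
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\((\d+)\)(\d+)?|\.(\d+))")

# Constructed samples: config opening lines as posted, and as quoted in a reply.
SAMPLE_POSTED = (
    "Building configuration...\n: Saved\n:\n"
    "PIX Version 6.1(2)\nnameif ethernet0 outside security0\n"
)
SAMPLE_QUOTED = (
    "> : Saved\n> :\n> PIX Version 6.1(2)\n"
    "> ip address inside 10.34.240.3 255.255.240.0\n"
)


def parse_pix_version(token):
    """Return (major, minor, maintenance, build), or None if unparseable."""
    m = _VERSION.fullmatch(token.strip())
    if not m:
        return None
    major, minor, paren, build, dotted = m.groups()
    return (int(major), int(minor), int(paren or dotted), int(build or 0))


def version_from_config(config_text):
    # Anchor on the "PIX Version" line so that dotted netmasks and addresses
    # elsewhere in the config are never mistaken for a version.
    m = re.search(r"^[>:\s]*PIX Version\s+(\S+)", config_text, re.M | re.I)
    return parse_pix_version(m.group(1)) if m else None


def predates_fix(config_text, fixed_in=FIXED_IN):
    """True when the running release is older than the fixed release."""
    version = version_from_config(config_text)
    if version is None:
        raise ValueError("no parseable 'PIX Version' line found")
    return version[:3] < fixed_in


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_POSTED), ("quoted", SAMPLE_QUOTED)):
        print(name, version_from_config(text), "predates fix:", predates_fix(text))
```
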
  5. Jimmy

    Jimmy Guest

    On 3 Nov 2003 17:58:22 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    >As I informed you 2003-10-18, there was a bug in the early releases
    >that caused licenses to not be released, and the bug was fixed in
    >6.1(4).


    Whoops. Thanks Walter. I recalled your post, but I had it fixed in
    my mind that the release on this PIX was *after* that fix, not
    before it. Apologies for the "doh" post :). My only excuse is
    that I am overwhelmed by trying to figure out all this. Thanks
    for pointing out my mis-step.

    The user does have a Cisco support agreement so I assume that they
    can download the patch. Do you have any pointers on how we go
    about setting up a "TFTP server" to load this update ? About all
    I know about the TFTP server is that I read that I need one because
    we don't have a floppy in this unit. Or, does the PDM software make
    it possible to load updates via the local network ?

    Many thanks,
    Jimmy, Nov 3, 2003
    #5
  6. Jimmy

    Jo Knight Guest

    > The user does have a Cisco support agreement so I assume that they
    > can download the patch. Do you have any pointers on how we go
    > about setting up a "TFTP server" to load this update ? About all
    > I know about the TFTP server is that I read that I need one because
    > we don't have a floppy in this unit. Or, does the PDM software make
    > it possible to load updates via the local network ?




    For a good and free TFTP server check out one from Solarwinds.net

    http://support.solarwinds.net/updates/New-customerFree.cfm
    Jo Knight, Nov 3, 2003
    #6
  7. Jimmy

    Jimmy Guest

    On Mon, 3 Nov 2003 18:40:38 -0000, "Jo Knight"
    <> wrote:

    >> The user does have a Cisco support agreement so I assume that they
    >> can download the patch. Do you have any pointers on how we go
    >> about setting up a "TFTP server" to load this update ? About all
    >> I know about the TFTP server is that I read that I need one because
    >> we don't have a floppy in this unit. Or, does the PDM software make
    >> it possible to load updates via the local network ?

    >
    >
    >
    >For a good and free TFTP server check out one from Solarwinds.net


    Thanks for the pointer. I assume that since this is a Windows
    tool that I can run it from any system that can do PDM
    access to the PIX?

    Thanks,
    Jimmy, Nov 3, 2003
    #7