Re: [cisco-ttl] PIX'de cpu %95'lere cikiyor

From: Mehmet Ali Suzen (msuzen_at_kibris.net)
Date: Wed Sep 15 2004 - 09:40:08 GMT

  • Next message: Devrim Yener KUCUK: "Re: [cisco-ttl] ISDN PRI Baglantisi"

    iyi gunler,
    Belki isine yarar;
    http://www.cisco.com/warp/public/110/pixperformance.html
    kolay gelsin
    Mehmet

    > Merhabalar,
    >
    > PDM ile izliyorum, Pix firewallumuzun islemcisi, özellikle trafigin yogun
    > oldugu
    > vakitlerde normalde %20-30 civarinda seyrederken birden %95-100'e cikiyor
    > ve
    > ulasilamaz hale geliyor. Bazen belli bir sure sonra (10-15 dk gibi)
    > kendiliginden
    > duzeliyor, bazen de kapatip acmak gerekiyor, hatta bazen kapatip acmak da
    > sonuc
    > vermiyor cunku cok kisa bir surede yine islemci tavan yapiyor... Tabi bu
    > kesintiler, kullanicilarin internete cikamamasina neden oluyor.
    >
    > sh xlate yaptigimda; 28424 in use, 32702 most used oldugunu gordum. Bu
    > rakamlar
    > bana anormal geldi.
    > 11 tane global outside ip adres tanimli, yine 11 tane dahili networkdeki
    > vlanlara
    > nat yapiliyor. Yaklaşık 1500 civarında bilgisayar bu natlarda internete
    > çıkıyor.
    >
    > Islemcinin bu sekilde anormal yukselmesi neye baglanabilir? Asagida sh ver
    > ciktisini ve sh run ozet ciktisini gonderiyorum...
    > Saygilarimla
    >
    > Murat BAYRAM
    > Yuzuncu Yil Universitesi
    > ------------------------------------------------------
    >
    > PixFirewall# sh ver
    >
    > Cisco PIX Firewall Version 6.3(3)
    > Cisco PIX Device Manager Version 3.0(1)
    >
    > Compiled on Wed 13-Aug-03 13:55 by morlee
    >
    > PixFirewall up 43 mins 40 secs
    >
    > Hardware: PIX-515, 128 MB RAM, CPU Pentium 200 MHz
    > Flash i28F640J5 @ 0x300, 16MB
    > BIOS Flash AT29C257 @ 0xfffd8000, 32KB
    >
    > 0: ethernet0: address is 0003.e300.6df7, irq 10
    > 1: ethernet1: address is 0003.e300.6df8, irq 7
    > Licensed Features:
    > Failover: Enabled
    > VPN-DES: Enabled
    > VPN-3DES-AES: Enabled
    > Maximum Physical Interfaces: 6
    > Maximum Interfaces: 10
    > Cut-through Proxy: Enabled
    > Guards: Enabled
    > URL-filtering: Enabled
    > Inside Hosts: Unlimited
    > Throughput: Unlimited
    > IKE peers: Unlimited
    >
    > This PIX has an Unrestricted (UR) license.
    >
    > Serial Number: xxxxxxxxxxx (xxxxxxxxxx)
    > Running Activation Key: xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx
    > xxxxxxxxxx
    > Configuration last modified by enable_15 at 13:51:20.359 EEDT Wed Sep 15
    > 2004
    >
    >
    > ----------------------------------
    >
    > PixFirewall# sh run
    > : Saved
    > :
    > PIX Version 6.3(3)
    > interface ethernet0 auto
    > interface ethernet1 auto
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password xxxxxxxxxxxxx encrypted
    > passwd xxxxxxxxxxx encrypted
    > hostname PixFirewall
    > domain-name yyu.edu.tr
    > clock timezone EEST 2
    > clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    > fixup protocol dns maximum-length 512
    > fixup protocol domain 53
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol ils 389
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol tftp 69
    > names
    > pager lines 24
    > logging timestamp
    > logging trap critical
    > logging facility 16
    > logging host inside 10.100.0.65
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside 193.255.143.253 255.255.255.0
    > ip address inside 10.100.0.5 255.255.0.0
    > ip audit info action alarm drop
    > ip audit attack action alarm drop
    > no failover
    > failover timeout 0:00:00
    > failover poll 15
    > no failover ip address outside
    > no failover ip address inside
    > pdm location 10.1.10.0 255.255.255.0 inside
    > pdm location 10.1.30.0 255.255.255.0 inside
    > pdm location 10.1.40.0 255.255.255.0 inside
    > pdm location 10.1.50.0 255.255.255.0 inside
    > pdm location 10.1.70.0 255.255.255.0 inside
    > pdm location 10.1.80.0 255.255.255.0 inside
    > pdm location 10.1.90.0 255.255.255.0 inside
    > .
    > .
    > .
    > .
    > .
    > .
    > .
    >
    > global (outside) 1 193.255.143.230
    > global (outside) 6 193.255.143.53
    > global (outside) 2 193.255.143.58
    > global (outside) 3 193.255.143.50
    > global (outside) 4 193.255.143.51
    > global (outside) 5 193.255.143.52
    > global (outside) 8 193.255.143.54
    > global (outside) 9 193.255.143.55
    > global (outside) 10 193.255.143.56
    > global (outside) 11 193.255.143.57
    > global (outside) 7 193.255.143.59
    > nat (inside) 2 10.90.0.0 255.255.0.0 dns 0 0
    > nat (inside) 1 10.100.0.0 255.255.0.0 dns 0 0
    > nat (inside) 3 10.110.0.0 255.255.0.0 dns 0 0
    > nat (inside) 4 10.120.0.0 255.255.0.0 dns 0 0
    > nat (inside) 5 10.130.0.0 255.255.0.0 dns 0 0
    > nat (inside) 6 10.140.0.0 255.255.0.0 dns 0 0
    > nat (inside) 7 10.145.0.0 255.255.0.0 dns 0 0
    > nat (inside) 8 10.150.0.0 255.255.0.0 dns 0 0
    > nat (inside) 9 10.160.0.0 255.255.0.0 dns 0 0
    > nat (inside) 10 10.170.0.0 255.255.0.0 dns 0 0
    > nat (inside) 11 10.180.0.0 255.255.0.0 dns 0 0
    > .
    > .
    > .
    > .
    >
    > rip outside default version 1
    > rip inside default version 1
    > .
    > .
    > .
    > .
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server LOCAL protocol local
    > http server enable
    > .
    > .
    > .
    > floodguard enable
    > sysopt connection permit-ipsec
    > sysopt noproxyarp inside
    > .
    > .
    > telnet timeout 5
    > console timeout 0
    > terminal width 80
    > Cryptochecksum:4bede6c240346fa9f1b4f85f5452ac07
    > : end
    >
    >
    >
    >
    >
    >
    > Bu listenin Cisco Systems ile herhangi bir baglantisi bulunmamaktadir.
    >
    > Listeden cikmak için cisco-ttl-unsubscribe_at_yahoogroups.com adresine bir
    > e-posta gönderebilirsiniz.
    > Yahoo! Groups Links
    >
    >
    >
    >
    >
    >

    ------------------------ Yahoo! Groups Sponsor --------------------~-->
    Make a clean sweep of pop-up ads. Yahoo! Companion Toolbar.
    Now with Pop-Up Blocker. Get it for free!
    http://us.click.yahoo.com/L5YrjA/eSIIAA/yQLSAA/26EolB/TM
    --------------------------------------------------------------------~->

    Bu listenin Cisco Systems ile herhangi bir baglantisi bulunmamaktadir.

    Listeden cikmak için cisco-ttl-unsubscribe_at_yahoogroups.com adresine bir e-posta gönderebilirsiniz.
    Yahoo! Groups Links

    <*> To visit your group on the web, go to:
        http://groups.yahoo.com/group/cisco-ttl/

    <*> To unsubscribe from this group, send an email to:
        cisco-ttl-unsubscribe_at_yahoogroups.com

    <*> Your use of Yahoo! Groups is subject to:
        http://docs.yahoo.com/info/terms/
     

    This archive was generated by hypermail 2.1.5 : Wed Sep 15 2004 - 13:40:47 GMT