skeating (Member), October 29, 2015 at 11:55 am #165924
I have a Cisco 515E PIX, with VPN tunnels set up for workers off site. When I run the command sh isakmp sa, I see all of the current connections. Under the column Connection, I will see as many as 1432 connections for a particular IP address. Is this normal, or is it symptomatic of another problem? I noticed that when I have several of these, the connections run slow or stop altogether. If this is being caused by a problem, what do I need to do?
Anonymous, October 29, 2015 at 1:42 pm #371877
The more connections in place at one time, the less bandwidth or physical resources available to handle each connection, hence the slowdown. That is your problem.
First, how many people do you normally expect to remote in at any one time? Does this number exceed the spec of your PIX (RAM, CPU, throughput)?
Second, is it possible that your VPN credentials have been let into ‘the wild’ and not all of those connections are valid users?
Third, have you done a reverse IP lookup to see who owns that IP, to try and track back to a location or user?
newITgirl (Member), October 29, 2015 at 1:49 pm #391067
We have a total of 11 people who can use this, each with an IP phone and computer, so no it does not exceed our limit. I have checked all the IPs that are logged in, and they belong to our allowed users (but I’ll keep an eye on that). I have not done a reverse IP. Would it be normal to have multiple connections per IP? I would understand two (phone and computer), but literally dozens from an IP?
Anonymous, October 30, 2015 at 1:55 pm #371880
Yes, 1 person from 1 device can have multiple TCP connections from a single IP to your resources; that's how TCP works (traffic is sourced from random-numbered ports at the point of transmission to the server). If that person is using a laptop and an iPhone from their home, say, at the same time, that's 2 different devices establishing VPN connections from the same public source IP (assigned by their ISP) to your PIX. If each device has multiple activities running on it, then you'll have multiple connections per IP. I'd have thought your number was a bit high, though. See if you can get some of your co-workers to contact you before they start working remotely, and talk to you as they begin, so you can see what's happening on your PIX as they go. And don't forget to alternately have the phones or laptops off to help narrow it down. If it continues to be an issue, maybe you'll see a trend of what activities they're doing which cause the traffic increases, which might dictate a newer, beefier firewall device to handle it.
lordigirl (Member), December 21, 2015 at 3:38 am #382896
I agree with RicklesP: each client can open several connections/sockets. For example, if you open a browser, e.g. Chrome, and open 7 tabs, then you'll see 7 connections, each with a different source port, on your firewall, but all from the same IP of the client. That's how PAT works. The amount of connections does look a little high for your number of users, so again, as per RicklesP, check what's running from your clients before you waste your time exporting the connections list into Excel and sifting through them.