Urgent PIX 525 AAA Failure

Post by Rowd » Sat, 01 Dec 2001 08:45:13



Hi,

I have just installed a 525 PIX to replace a checkpoint firewall.  I have
over 2000 users behind this box and I am required to do RADIUS
authentication for users that need Internet access, pretty simple really.

Everything seems to work fine until the UAUTH count gets to about 900+ then
I start receiving the following error:

"Users at 155.155.155.155 exceended auth proxy connection limit (Max 3)"
(source IP Address never seems to be the same)

Now I had a look at the Cisco pages and they don't tell me much at all about
this error.
It seems to continue to run fine giving this error once in a while, then
about 24 hrs later when the load has gone down and is starting to rise again
I receive this error:

"alloc_users () out of tcp_user objects"

And yes I have floodguard enabled (that's what Cisco recommends)

Basically it stops authenticating users and I need to reload to get it up and
running again.
I have 256K of RAM and using ICRADIUS on a LINUX box.

Does anyone know the PIX UAUTH limitations or had any experience with large
authentication requests?
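A log check for the two symptoms described in the post above, as an added example that is not part of the original post and is not Cisco tooling: it counts distinct sources hitting the auth proxy limit and measures how long before the `tcp_user` exhaustion message the first warning appeared. The timestamp prefix, the sample lines, and the `warn_sources` threshold are assumptions made for illustration; the message texts are matched as quoted in the post, including its spelling.

```python
import re
from datetime import datetime

# Message texts as quoted in the post; "exce+n?ded" also accepts the post's spelling.
PROXY_LIMIT = re.compile(
    r"Users? at (\d{1,3}(?:\.\d{1,3}){3}) exce+n?ded auth proxy connection limit")
OUT_OF_OBJECTS = re.compile(r"alloc_users?\s*\(\s*\)\s+out of tcp_user objects")

# Constructed sample lines (assumed "ISO-timestamp message" layout, documentation IPs).
SAMPLE = [
    "2001-11-29T10:02:11 Users at 192.0.2.10 exceeded auth proxy connection limit (Max 3)",
    "2001-11-29T10:40:03 Users at 192.0.2.57 exceended auth proxy connection limit (Max 3)",
    "2001-11-29T11:15:45 Users at 192.0.2.10 exceeded auth proxy connection limit (Max 3)",
    "line without a timestamp is skipped",
    "2001-11-29T13:20:00 Users at 192.0.2.91 exceeded auth proxy connection limit (Max 3)",
    "2001-11-30T10:02:11 alloc_users () out of tcp_user objects",
]

def scan(lines, warn_sources=3):
    """Summarise proxy-limit warnings and the first object-exhaustion event.

    warn_sources is a hypothetical threshold: many distinct sources hitting
    the limit points at the firewall rather than at one misbehaving client.
    """
    sources, first_warn, exhausted = set(), None, None
    for line in lines:
        ts_text, _, msg = line.partition(" ")
        try:
            ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # not in the assumed layout
        hit = PROXY_LIMIT.search(msg)
        if hit:
            sources.add(hit.group(1))
            first_warn = first_warn or ts
        elif exhausted is None and OUT_OF_OBJECTS.search(msg):
            exhausted = ts
    lead = None
    if first_warn and exhausted and exhausted > first_warn:
        lead = (exhausted - first_warn).total_seconds() / 3600
    return {
        "sources": sorted(sources),
        "early_warning": len(sources) >= warn_sources,
        "exhausted_at": exhausted,
        "lead_hours": lead,
    }

if __name__ == "__main__":
    print(scan(SAMPLE))
```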

 
 
 

Urgent PIX 525 AAA Failure

Post by Masud Re » Sun, 02 Dec 2001 00:21:16



> Hi,
> "alloc_users () out of tcp_user objects"

> And yes I have floodguard enabled (that's what Cisco recommends)

> Basically it stops authenticating users and I need to reload to get it up and
> running again.
> I have 256K of RAM and using ICRADIUS on a LINUX box.

> Does anyone know the PIX UAUTH limitations or had any experience with large
> authentication requests?

Hi:

Can you post your config here?

You may want to open a case with TAC. It may be a problem with the PIX
code as well. Which version of the PIX software are you using??

Masud

 
 
 

Urgent PIX 525 AAA Failure

Post by Jeff » Mon, 03 Dec 2001 01:41:37


Rowdy,

This looks like Bug CSCdv57122,
"AAA proxy limit exceeded and out of Tcb_user errors"
This bug has been fixed.  Use Bug Toolkit to see more details and find the
version in which the bug fix is incorporated.

Jeff


> Hi,

> I have just installed a 525 PIX to replace a checkpoint firewall.  I have
> over 2000 users behind this box and I am required to do RADIUS
> authentication for users that need Internet access, pretty simple really.

> Everything seems to work fine until the UAUTH count gets to about 900+ then
> I start receiving the following error:

> "Users at 155.155.155.155 exceended auth proxy connection limit (Max 3)"
> (source IP Address never seems to be the same)

> Now I had a look at the Cisco pages and they don't tell me much at all about
> this error.
> It seems to continue to run fine giving this error once in a while, then
> about 24 hrs later when the load has gone down and is starting to rise again
> I receive this error:

> "alloc_users () out of tcp_user objects"

> And yes I have floodguard enabled (that's what Cisco recommends)

> Basically it stops authenticating users and I need to reload to get it up and
> running again.
> I have 256K of RAM and using ICRADIUS on a LINUX box.

> Does anyone know the PIX UAUTH limitations or had any experience with large
> authentication requests?

 
 
 

Urgent PIX 525 AAA Failure

Post by TimS » Fri, 07 Dec 2001 20:29:04


How new is the PIX, was it bought in the last 6 months...

PIX had a hardware fault on certain serial numbers....that causes the box to
freeze on mid to high usage...the only fix was to reset the box.....They
have a recall in place to replace the affected units..

 http://www.cisco.com/warp/public/770/fn15490.shtml

 The serials affected are within these two ranges:-

 4440520000 to 44405399999

 4448120000 to 44481399999



> > Hi,
> > "alloc_users () out of tcp_user objects"

> > And yes I have floodguard enabled (that's what Cisco recommends)

> > Basically it stops authenticating users and I need to reload to get it up and
> > running again.
> > I have 256K of RAM and using ICRADIUS on a LINUX box.

> > Does anyone know the PIX UAUTH limitations or had any experience with large
> > authentication requests?

> Hi:

> Can you post your config here?

> You may want to open a case with TAC. It may be a problem with the PIX
> code as well. Which version of the PIX software are you using??

> Masud

 
 
 

Urgent PIX 525 AAA Failure

Post by Jeff » Sat, 08 Dec 2001 10:12:51


That's true, I'd check the notice,  but the bug I mentioned appears to be the
problem here.

Jeff

Subject: Re: Urgent PIX 525 AAA Failure
Date: Sat, 01 Dec 2001 16:41:37 GMT

Rowdy,

This looks like Bug CSCdv57122,
"AAA proxy limit exceeded and out of Tcb_user errors"
This bug has been fixed.  Use Bug Toolkit to see more details and find the
version in which the bug fix is incorporated.

Jeff


> How new is the PIX, was it bought in the last 6 months...

> PIX had a hardware fault on certain serial numbers....that causes the box to
> freeze on mid to high usage...the only fix was to reset the box.....They
> have a recall in place to replace the affected units..

>  http://www.cisco.com/warp/public/770/fn15490.shtml

>  The serials affected are within these two ranges:-

>  4440520000 to 44405399999

>  4448120000 to 44481399999





> > > Hi,
> > > "alloc_users () out of tcp_user objects"

> > > And yes I have floodguard enabled (that's what Cisco recommends)

> > > Basically it stops authenticating users and I need to reload to get it up and
> > > running again.
> > > I have 256K of RAM and using ICRADIUS on a LINUX box.

> > > Does anyone know the PIX UAUTH limitations or had any experience with large
> > > authentication requests?

> > Hi:

> > Can you post your config here?

> > You may want to open a case with TAC. It may be a problem with the PIX
> > code as well. Which version of the PIX software are you using??

> > Masud