Sunday, February 1, 2009

PIX - "sh block" command

I would like to thank Mr. Don Edelmon who shared this helpful information with us. DON is a Network Security Specialist working for xxxxx :-)

Anyways below is the information:

When the PIX boots, it copies the OS from Flash into RAM and runs the OS from RAM (just like routers
do). Next, the PIX copies its startup configuration from Flash and places it into RAM.

Finally, the PIX carves out RAM to create the block pools. Once this is complete, the PIX is up and
running and needs additional RAM only if the configuration grows in size. In addition, the PIX
stores the translation and connection entries in RAM. During normal operation, the free memory on
the PIX should change very little, if at all.

Typically, the only time you should run low on memory is if you are under attack and there are
hundreds of thousands of connections going through the PIX. You can check this by issuing the
'show conn count' command, which displays the current and maximum number of connections through
the PIX.

The output of the 'show blocks' command will change during normal operation of the PIX.
For example, when a packet comes into a PIX's interface, it is placed on the input interface
queue, passed up to the OS, and placed in a block. For Ethernet packets, the 1550-byte blocks are
used; if the packet comes in on a 66 MHz Gigabit Ethernet card, the 16384-byte blocks are used. The
PIX determines whether the packet should be permitted or denied based on the Adaptive Security
Algorithm (ASA) and processes the packet through to the output queue on the outbound interface. If
the PIX is having trouble keeping up with the traffic load, the number of available 1550-byte blocks
(or 16384-byte blocks for 66 MHz GE) will hover close to 0 (as shown in the CNT column of the
command output). When the CNT column hits zero, the PIX attempts to allocate more blocks, up to a
maximum of 8192. If no more blocks are available, the PIX drops the packet.

The 256-byte blocks are mainly used for stateful failover messages. The active PIX generates and
sends packets to the standby PIX to update the translation and connection table. During periods of
bursty traffic where high rates of connections are created or torn down, the number of available
256-byte blocks may drop to 0. This indicates that one or more connections were not updated to the
standby PIX. This is generally acceptable, because the stateful failover protocol will catch the
missing xlate or connection the next time around. If the CNT column for 256-byte blocks stays at or
near 0 for extended periods of time, however, then the PIX is having trouble keeping the translation
and connection tables synchronized because of the number of connections per second that the PIX is
processing. If this happens consistently, you should consider upgrading the PIX to a faster model.
Syslog messages sent out from the PIX also use the 256-byte blocks, but they are generally not
released in such quantities as to deplete the 256-byte block pool. If the CNT column shows
that the number of 256-byte blocks is near 0, ensure that you are not logging at Debugging (level 7)
to the syslog server. This is indicated by the 'logging trap' line in the PIX configuration. It is
recommended to set logging at Notification (level 5) or lower, unless you require additional
information for debugging purposes.

pixfirewall# show blocks
  SIZE    MAX    LOW    CNT
     4   1600   1597   1600
    80    400    399    400
   256    500    495    499
  1550   1444   1170   1188
 16384   2048   1532   1538

The following describes the columns in the show blocks output.

SIZE = The size, in bytes, of the block pool.
MAX = The maximum number of blocks available for the specified byte block pool. Note that the
maximum number of blocks is carved out of memory at bootup. Typically, the maximum number of blocks
does not change. The exception is the 256- and 1550-byte blocks, where the PIX can dynamically
create more when needed, up to a maximum of 8192.
LOW = The low water mark. This is the lowest number of blocks of this size available since the PIX
was powered up, or since the last clearing of the blocks (with the 'clear blocks' command).
CNT = The current number of blocks available for that specific block size.
The following describes the rows in the show blocks output.

Here is the documentation on the Interfaces and Memory blocks I mentioned to you.
Memory blocks.

Even though this is a little garbled you just need to know what the block size is used for.
Block Size   Used for                                                        MAX   Created at Startup
4            Duplicating existing blocks in DNS, isakmp, url-filtering,
             uauth, h323, tftp, and TCP
80           TCP Intercept (generating an ACK packet), fover hello messages   400   400
256          Stateful Failover, Syslog, TCP module
1550         Ethernet packets, buffering url-filtered packets                8192   400
1552         QoS metrics                                                     4096     0
2560         IKE messages                                                    8192     0
4096         QoS metrics                                                      200     0
8192         QoS metrics                                                      150     0
16384        Only used for the Livengood (i82543) Gig Ethernet cards         9216     0
65536        QoS metrics                                                       16     0
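As an added example (not part of the shared notes or of any Cisco tool), the following Python turns the rules above into a check: it parses 'show blocks' output, flags the packet pools (1550 and 16384) and the failover/syslog pool (256) whose low water mark has fallen near 0, and reads the 'logging trap' level from the configuration to tell the two causes of 256-byte depletion apart. The sample output is the one quoted in the post; the 5% "near 0" threshold and the severity keyword table are assumptions of this example.

```python
import re
# Constructed sample: the 'show blocks' output quoted in the post, so the checks run offline.
SHOW_BLOCKS = """\
  SIZE    MAX    LOW    CNT
     4   1600   1597   1600
    80    400    399    400
   256    500    495    499
  1550   1444   1170   1188
 16384   2048   1532   1538
"""

# Pools the post singles out, and the PIX syslog severity keywords accepted by 'logging trap'.
PACKET_POOLS = {1550: "Ethernet packet blocks", 16384: "66 MHz GE packet blocks"}
FAILOVER_POOL = 256
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

def parse_show_blocks(text):
    """Return {size: {'max', 'low', 'cnt'}} parsed from 'show blocks' output."""
    pools = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:  # header and blank lines do not match four integers
            size, mx, low, cnt = map(int, m.groups())
            pools[size] = {"max": mx, "low": low, "cnt": cnt}
    return pools

def trap_level(config_text):
    """Severity of the 'logging trap' line (number or keyword); None if not configured."""
    m = re.search(r"^\s*logging trap (\S+)", config_text, re.M)
    if not m:
        return None
    v = m.group(1).lower()
    return int(v) if v.isdigit() else SEVERITY.get(v)

def assess_blocks(pools, level, threshold=0.05):
    """Flag pools whose LOW water mark fell to <= threshold*MAX (assumed 5%), using the post's rules.
    LOW rather than CNT is tested: it records the worst point since the last 'clear blocks'."""
    findings = []
    for size, p in sorted(pools.items()):
        if p["low"] > p["max"] * threshold:
            continue
        if size in PACKET_POOLS:
            findings.append(f"{size}: {PACKET_POOLS[size]} near 0 (LOW={p['low']}); "
                            "PIX not keeping up with traffic, check 'show conn count'")
        elif size == FAILOVER_POOL:
            hint = (f"lower 'logging trap {level}' to 5 or below" if level is not None and level > 5
                    else "if persistent, connection rate exceeds failover sync capacity")
            findings.append(f"{size}: failover/syslog blocks near 0 (LOW={p['low']}); {hint}")
    return findings
```

Run it against a 'show blocks' capture taken after 'clear blocks' and a stretch of peak traffic, so LOW reflects the busy period rather than the idle boot state.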
