[H/W] Cisco pfSense Replacement? in Cisco http://www.dslreports.com/forum/r20486491 en Sat, 06 Sep 2008 14:39:47 EDT Sat, 06 Sep 2008 14:39:47 EDT Re: [H/W] Cisco pfSense Replacement? http://www.dslreports.com/forum/remark,20512329 MattE :
said by sporkme See Profile :

said by MattE See Profile :

Nowhere near the 10000 limit. I've never seen it higher than 800 states, with 2-4% CPU usage and like 4% memory.
Something is amiss then if every client login causes 300 outbound connections and you don't peak over 800 states. Just a handful of logins should bring you near the 10K default max - the state entries linger a bit.

It certainly wouldn't hurt to bump that up to 50K or so to see what happens while you wait on the new hardware.
It actually happened again today. I'm talking with our developer now and it appears there is "retry logic" in the code that retries in a 5 batch loop, INDEFINITELY, if there is any sort of error. I think that is triggering the outbound issue.

I was on the FW when it happened today and the states were hovering around 450, then the firewall log went crazy blocking connections outbound to the same individual destination IP from 2 of our servers.]]> http://www.dslreports.com/forum/remark,20512329 Tue, 20 May 2008 14:15:36 EDT Re: [H/W] Cisco pfSense Replacement? http://www.dslreports.com/forum/remark,20512207 sporkme :
said by MattE See Profile :

Nowhere near the 10000 limit. I've never seen it higher than 800 states, with 2-4% CPU usage and like 4% memory.
Something is amiss then if every client login causes 300 outbound connections and you don't peak over 800 states. Just a handful of logins should bring you near the 10K default max - the state entries linger a bit.

It certainly wouldn't hurt to bump that up to 50K or so to see what happens while you wait on the new hardware.]]> http://www.dslreports.com/forum/remark,20512207 Tue, 20 May 2008 13:57:00 EDT Re: [H/W] Cisco pfSense Replacement? http://www.dslreports.com/forum/remark,20511348 MattE : I'm being told that the ASA doesn't support forwarding the correct protocols/ports to a MS RRAS server for IPSec/L2TP VPN capability. I am being told I HAVE to use the Cisco VPN client and the ASA as the client VPN endpoint.

Is this true?]]> http://www.dslreports.com/forum/remark,20511348 Tue, 20 May 2008 11:20:15 EDT Re: [H/W] Cisco pfSense Replacement? http://www.dslreports.com/forum/remark,20486743 MattE :
said by sporkme See Profile :

While you're waiting on the replacement, bump up the state table and make sure you're running the latest 1.2 release. (System->Advanced-Firewall Maximum States)

How many state entries are you peaking at now?
Nowhere near the 10000 limit. I've never seen it higher than 800 states, with 2-4% CPU usage and like 4% memory.

And yep, this is the latest 1.2 release. It was just installed 2 months ago or so.]]> http://www.dslreports.com/forum/remark,20486743 Thu, 15 May 2008 11:35:08 EDT Re: [H/W] Cisco pfSense Replacement? http://www.dslreports.com/forum/remark,20486675 sporkme : While you're waiting on the replacement, bump up the state table and make sure you're running the latest 1.2 release. (System->Advanced-Firewall Maximum States)

How many state entries are you peaking at now?]]> http://www.dslreports.com/forum/remark,20486675 Thu, 15 May 2008 11:22:56 EDT Re: [H/W] Cisco pfSense Replacement? http://www.dslreports.com/forum/remark,20486564 MattE :
said by aryoba See Profile :

ASA 5510 firewall or 2811 router comes to mind ... :)
I'm reading up on the ASA 5500 Series now actually. :)

Since we don't have any users behind the box and will use it as a firewall for our servers, do I need to worry about the number of users? What about the IPSec VPN peers?

»www.cisco.com/en/US/prod/collate···ba8.html

All of those seem to be in my price range. Do any of those include the AIP (»www.cisco.com/en/US/products/ps6···dex.html) module? I'm guessing no?]]> http://www.dslreports.com/forum/remark,20486564 Thu, 15 May 2008 10:57:13 EDT Re: [H/W] Cisco pfSense Replacement? http://www.dslreports.com/forum/remark,20486522 aryoba : ASA 5510 firewall or 2811 router comes to mind ... :)]]> http://www.dslreports.com/forum/remark,20486522 Thu, 15 May 2008 10:52:06 EDT [H/W] Cisco pfSense Replacement? http://www.dslreports.com/forum/remark,20486491 MattE : Hello all,

We're a growing ASP who hosts about 15 servers hanging off a 100Mbps connection in a data center. The servers range from Web Application Servers to an internal Exchange email server.

Right now, our main router/firewall/IDS is a dedicated IBM xSeries 306m running pfSense w/ Snort for IDS.

I'm am tired of "tweaking" this damn box and having to fix things that should Just Work™. Snort is the major PITA right now, but I'm also having trouble with the firewall blocking outbound connections because we apparently generate more connections than an internal threshold allows, but no one can tell me what that threshold is. (We do stock market transactions, so when a client logs into our app, we might generate anywhere from 100 to 300 outbound connection requests to our data provider, per login.)

We don't have a ton of money, but I'd like to move to a Cisco all-in-one box that will replace our pfSense box, be more reliable, and provide the following must-have features:


    • Transparent Firewalling
    • Intrusion Detection System w/ Automatic Blocking
    • IPSec VPN (Inbound to RRAS Server) Passthru Capability
    • Web-based configuration management and reporting of IDS, firewall logs


Does Cisco offer a product that can do this? Is the sticker shock going to make me spit my coffee on the screen? I could forgo the transparent firewall if 1:1 NAT is supported VERY well.

Thanks for any insight you can offer.]]> http://www.dslreports.com/forum/remark,20486491 Thu, 15 May 2008 10:46:01 EDT