
Re: [fhctech] A Curious Phenomenon

  • mkitchen@juno.com
    Message 1 of 11, Jun 6, 2006

      The PIX, as shipped is programed only for 10 licences, and my first suspicion would be that for some reason, you are running into that limit.

      If that is the problem, SLC can reprogram it to 50 licences easily.

      I also learned recently from talking to some support person that the PIX retains a history list of some nature, something like 2000 long.  That list can be cleared by de-powering and repowering the PIX, which he told me to do once in a while.

      Merlin Kitchen

       

    • Bob Hegerich
      Message 2 of 11, Jun 6, 2006
        Hi Merlin:
         
        I will add recycling the router power to my bi-weekly maintenance list.
         
        I did check with SLC, and they don't believe it is a license problem [at least at the moment], so are unwilling to up the license limit to 50, given that we only have nine devices attempting to access the Internet. I think they are probably right in that this problem has occurred when only six boxes were turned on.
         
        -----Bob H-----
         
         
        ----- Original Message -----
        Sent: Tuesday, June 06, 2006 4:33 PM
        Subject: Re: [fhctech] A Curious Phenomenon

        The PIX, as shipped is programed only for 10 licences, and my first suspicion would be that for some reason, you are running into that limit.

        If that is the problem, SLC can reprogram it to 50 licences easily.

        I also learned recently from talking to some support person that the PIX retains a history list of some nature, something like 2000 long.  That list can be cleared by de-powering and repowering the PIX, which he told me to do once in a while.

        Merlin Kitchen

         

      • Russell Hltn
        Message 3 of 11, Jun 6, 2006
          The question is how does the PIX determine what devices are trying to access the Internet?  And how long does it hold that license?  Since you've got 9 computers and quite possibly a printer and/or something else, then you are close to that limit.  Turning machines off may not clear that license count until you reboot the PIX and/or wait for a long time.
           
          For kicks and grins, keep track of the IP address assigned to the failing computer and see if it follows that IP address - or if the problem shows up after something has been rebooted (possibly increasing the number of users the PIX sees as accessing the Internet.)
           
          You said you checked with SLC, but did you check with Global Connect?  Those are the guys who have the smarts to fix this, not the staff at the FHD.

           
          On 6/6/06, Bob Hegerich <BobH36@...> wrote:

          Hi Merlin:
           
          I will add recycling the router power to my bi-weekly maintenance list.
           
          I did check with SLC, and they don't believe it is a license problem [at least at the moment], so are unwilling to up the license limit to 50, given that we only have nine devices attempting to access the Internet. I think they are probably right in that this problem has occurred when only six boxes were turned on.
           
          -----Bob H-----
           
           
          ----- Original Message -----
          Sent: Tuesday, June 06, 2006 4:33 PM
          Subject: Re: [fhctech] A Curious Phenomenon

           

          The PIX, as shipped is programed only for 10 licences, and my first suspicion would be that for some reason, you are running into that limit.

          If that is the problem, SLC can reprogram it to 50 licences easily.

          I also learned recently from talking to some support person that the PIX retains a history list of some nature, something like 2000 long.  That list can be cleared by de-powering and repowering the PIX, which he told me to do once in a while.

          Merlin Kitchen

           


        • Merlin R Kitchen
          Message 4 of 11, Jun 6, 2006
            The Global Connect gurus have a way to look into the PIX and see the list of IP addresses which are logged in (I guess it requires a special password that they don't give out).  That way, you could actually see if all the licences are used up at the moment.
            I vaguely remember that they had me hook up the blue serial cable to the PIX (that cable came with the PIX).  And it was hooked onto a computer at the serial port.  I ran a program on the computer which allowed my input to go thru the serial cable to the PIX and the PIX responses were put on my screen.
            Merlin Kitchen 
             
            On Tue, 6 Jun 2006 12:10:02 -1000 "Russell Hltn" <RussellHltn@...> writes:
            The question is how does the PIX determine what devices are trying to access the Internet?  And how long does it hold that license?  Since you've got 9 computers and quite possibly a printer and/or something else, then you are close to that limit.  Turning machines off may not clear that license count until you reboot the PIX and/or wait for a long time.
          • Bob Hegerich
            Message 5 of 11, Jun 6, 2006
              Yes, I did talk to the Global Connect people, but not at a time when the problem was actually occurring.  Next time it does, assuming I am in the center to see it, we plan to talk again.  :-)
               
              -----Bob H-----
               
              ----- Original Message -----
              Sent: Tuesday, June 06, 2006 6:10 PM
              Subject: Re: [fhctech] A Curious Phenomenon

              The question is how does the PIX determine what devices are trying to access the Internet?  And how long does it hold that license?  Since you've got 9 computers and quite possibly a printer and/or something else, then you are close to that limit.  Turning machines off may not clear that license count until you reboot the PIX and/or wait for a long time.
               
              For kicks and grins, keep track of the IP address assigned to the failing computer and see if it follows that IP address - or if the problem shows up after something has been rebooted (possibly increasing the number of users the PIX sees as accessing the Internet.)
               
              You said you checked with SLC, but did you check with Global Connect?  Those are the guys who have the smarts to fix this, not the staff at the FHD.

               
              On 6/6/06, Bob Hegerich <BobH36@...> wrote:

              Hi Merlin:
               
              I will add recycling the router power to my bi-weekly maintenance list.
               
              I did check with SLC, and they don't believe it is a license problem [at least at the moment], so are unwilling to up the license limit to 50, given that we only have nine devices attempting to access the Internet. I think they are probably right in that this problem has occurred when only six boxes were turned on.
               
              -----Bob H-----

               
               
              ----- Original Message -----
              Sent: Tuesday, June 06, 2006 4:33 PM
              Subject: Re: [fhctech] A Curious Phenomenon

               

              The PIX, as shipped is programed only for 10 licences, and my first suspicion would be that for some reason, you are running into that limit.

              If that is the problem, SLC can reprogram it to 50 licences easily.

              I also learned recently from talking to some support person that the PIX retains a history list of some nature, something like 2000 long.  That list can be cleared by de-powering and repowering the PIX, which he told me to do once in a while.

              Merlin Kitchen

               


            • Bill Henderson
              Message 6 of 11, Jun 7, 2006
                Serial cable?  I think you mean a "rollover" cable.  There are 3 types of cables that look like the standard ethernet, RJ45 cable. First is the standard ethernet twisted-pair, patch cable.  If you look at the ends, the orange wires are on the left (both ends), then the blue pair, then the green pair, and finally the brown pair.  This is normally used between a hub or switch and a PC (the rule is: use for unlike or dissimilar devices). 
                 
                The second cable is the cross-over cable. Here the transmit and receive lines are crossed, so that transmit goes to receive and vice versa.  If you look at the ends of this cable, one will have the color sequence stated above and the other will have the orange in the middle of the group. The rule for this cable is: use on like devices. This cable is used for computer to computer without the need for a hub or switch, or between two routers, or two switches (although nowadays most switches have a crossover built in to the port, so it may not matter).
                 
                The last cable is a rollover cable, used to connect a computer's serial port to the "console" port on the box (here the PIX).  It will say console on the PIX's port (from the sound of it, this is what you did).  Here the wire ends are mirror images of each other. On one end the orange will be on the left and on the other end orange will be on the right, each wire color moving thru blue, green, and brown toward the opposite end (I guess the newer cables have a serial connector molded into the end, so you may not be able to see the wire layout).  Rollover cables are almost exclusively for console connections.  Also, most console cables are flat instead of round, and mine (from Cisco) is light blue.  Your computer becomes the console for the PIX, kinda like the old days where we used dumb terminals to connect to a mainframe computer.
                 
                If you want to connect up to the PIX, there are two levels of access, User mode and Enable mode.  Equivalent to user and administrator logins.  Both have passwords, and you have to log in to one before you can log in to the other, so getting in is not too likely, without help from Global Services.  User mode is a look but don't touch mode.  They might let you get there.  Never hurts to ask?  Then if you know Cisco Internetwork Operating System (IOS) syntax you can look around a little. The show command is a good beginning.  The IOS doesn't have too much management stuff built in, just basic do's and undo's and commands that show the status of the unit's configuration (diagnostics for setting up and fixing the box).  To see how many people are connected, or manage them, I believe there is special management software bought separately for that.
                 
                To address Russell's questions: PIX knows who is going to the internet by means of port numbers (layer 4 protocols).  Keep in mind that the internet connection to your DSL is one or two IP addresses to service up to 4000 computers inside the firewall (most of us have less than 10, but the idea is the same).  If PIX has to keep track of port numbers it knows how many sessions are running.  Now I'll throw you a curve.  As one user on one computer, I can have a dozen or more internet links running simultaneously. If three or four of us are doing the same thing, we may have well over 50 links to the internet.  How does PIX deal with that?  The obvious answer is that the licenses have nothing to do with connecting to the internet.  Those licenses only say how many connections can be locally active at one time.
                 
                If anyone wants to see how long the leases are given out for, run ipconfig -all.  The lease times are at the bottom of the display.  I believe they last for an hour (I'm not close by to check).  Changes in DHCP lease addresses begin in the fourth octet (the D portion of IP address A.B.C.D) of the 10 network. They will start with either:  A.B.C.11, or A.B.C.75, or A.B.C.139, or A.B.C.203 and extend upward.  On a PIX with 10 licenses, it may seem like the next 9 addresses would be the remaining leases available.  Not quite true.  If Joe Patron brings his laptop in and connects to use the internet, he is taking an IP lease and thus a license.  Since other hardware has already taken some of the addresses, the next available address may be A.B.C.25.  DHCP remembers which device got what address, but also sees that there are only 6 IP devices active.  It hands out number 25 and allows that device to interact with your network and the world.  Now, if all ten licenses get busy and number 15 (well within the original 10 licenses) wants to play too, it can't, because all the available licenses are being used, no matter what addresses are being used.  When number 25 goes home, that license becomes available again and DHCP says to number 15, you can join my network now; kind of like a door guard at a swanky nightclub. Because of fire and occupancy laws, that guard can allow only so many in at a time.  PIX works largely the same way.
                 
                Managing the PIX to get control of the IP addresses and thus the licenses should be do-able, if the PIX is unplugged, AND the computers having DHCP leases are released while the PIX is down, but it shouldn't have to come to that.  When a host no longer needs a license (gone home), PIX can hand out that license to someone else.  The lease time determines which IP address you get, not the licenses. Conversely, licenses determine how many can get connected, not the IP addresses.
                 
                If you want to know which IP addresses are alive, you can run a batch file to ping each address in your DHCP's scope (or range).  Just a for loop driving ping (I'd set the pings to 2 instead of 4), and redirecting it to a text file, will tell you.  UNIX has the who command which will do the same thing.  I think one of the Windows resource kits (NT, 2000, and/or XP) also has a who or whoami, which can be run thru a similar batch file to get the same results.  Who/whoami should be a little faster, because it uses a different mechanism to identify active network members.
                 
                Bill H,

                Merlin R Kitchen <mkitchen@...> wrote:
                The Global Connect gurus have a way to look into the PIX and see the list of IP addresses which are logged in (I guess it requires a special password that they don't give out).  That way, you could actually see if all the licences are used up at the moment.
                I vaguely remember that they had me hook up the blue serial cable to the PIX (that cable came with the PIX).  And it was hooked onto a computer at the serial port.  I ran a program on the computer which allowed my input to go thru the serial cable to the PIX and the PIX responses were put on my screen.
                Merlin Kitchen 
                 
                On Tue, 6 Jun 2006 12:10:02 -1000 "Russell Hltn" <RussellHltn@...> writes:
                The question is how does the PIX determine what devices are trying to access the Internet?  And how long does it hold that license?  Since you've got 9 computers and quite possibly a printer and/or something else, then you are close to that limit.  Turning machines off may not clear that license count until you reboot the PIX and/or wait for a long time.
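
Added example, not part of the original thread: the ping sweep suggested in the message above leaves Windows `ping` output in a text file, and this sketch parses such a file, counting an address as alive only on a real echo reply from that address, because "Destination host unreachable" lines also begin with "Reply from". The sample output, the 10.0.0.x addresses and the function names are constructed for illustration; the limit of 10 is the figure quoted in the thread.

```python
import re

LICENSE_LIMIT = 10  # figure quoted in the thread; an assumption here

# Constructed sample of what a loop of `ping -n 2 <addr> >> sweep.txt`
# leaves in the text file on Windows. Addresses are made up.
SAMPLE_SWEEP = """\
Pinging 10.0.0.11 with 32 bytes of data:
Reply from 10.0.0.11: bytes=32 time<1ms TTL=128
Reply from 10.0.0.11: bytes=32 time=1ms TTL=128
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 10.0.0.12 with 32 bytes of data:
Request timed out.
Request timed out.
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Pinging 10.0.0.13 with 32 bytes of data:
Reply from 10.0.0.1: Destination host unreachable.
Reply from 10.0.0.1: Destination host unreachable.
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 10.0.0.14 with 32 bytes of data:
Request timed out.
Reply from 10.0.0.14: bytes=32 time=3ms TTL=64
    Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),
"""

# Header may carry a resolved name: "Pinging pc1 [10.0.0.20] with ..."
PING_HEADER = re.compile(r"^Pinging (\S+)(?: \[([\d.]+)\])? with \d+ bytes of data")
ECHO_REPLY = re.compile(r"^Reply from ([\d.]+): bytes=\d+ time[<=]\d+ms TTL=\d+")

def _ip_key(ip):
    return tuple(int(part) for part in ip.split("."))

def parse_sweep(text):
    """Return {target_ip: bool} for every 'Pinging ...' section in the file."""
    results, target = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = PING_HEADER.match(line)
        if header:
            target = header.group(2) or header.group(1)
            results[target] = False
            continue
        reply = ECHO_REPLY.match(line)
        # Alive only if the echo reply came from the address that was pinged.
        if reply and target is not None and reply.group(1) == target:
            results[target] = True
    return results

def live_hosts(text):
    # A host whose own firewall drops ICMP echo will still show as down.
    return sorted((ip for ip, up in parse_sweep(text).items() if up), key=_ip_key)

def naive_live_hosts(text):
    """What searching the file for 'Reply from' alone would report."""
    hits, target = set(), None
    for raw in text.splitlines():
        header = PING_HEADER.match(raw.strip())
        if header:
            target = header.group(2) or header.group(1)
        elif target and "Reply from" in raw:
            hits.add(target)
    return sorted(hits, key=_ip_key)

def headroom(text, limit=LICENSE_LIMIT):
    """Remaining count under the limit, based on live addresses seen."""
    return limit - len(live_hosts(text))
```
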


              • mkitchen@juno.com
                Message 7 of 11, Jun 7, 2006

                  My flat cable that came with my pix has an ethernet connector on one end and plugs into the console (blue marker) connection on the PIX.  The other end of the cable has a connector that connects to the serial port of the computer.  The cable is flat and  blue in color and came with the PIX.

                  Global connect had me use a console program on the computer to talk to the PIX.  They then took over control of my computer and updated files in it. 

                  Maybe everything has changed now with LANDESK.  But that is what I have and how I used it within the last few months.

                  Merlin Kitchen

                   

                • Bill Henderson
                  Message 8 of 11, Jun 7, 2006
                    I wasn't an FHC techie when our PIX was installed, so I don't know how it was shipped or set up.  But, yep, that's the cable and that's its sole purpose.  You can telnet into PIX too, if you know the secret handshake.  When they fouled up my FHC last Christmas they had me go in too.  Last week, I called Global Services on another matter, and thought to ask how the Christmas issue was going.  Apparently, open trouble tickets are still out there (after six months?!?!?!).  The answer I get seems to depend on who I talk to.  I dunno, I am getting the feeling they don't want to hold casual conversations with me anymore.  Do I have bad breath?
                     
                    You refer to them as Global Connect.  I thought I heard they were called Global Services.  Is one a subordinate of the other or just a different name for the same entity?  Whenever I call up for a "clarification" the guy manning the helpdesk phone refers to a group of propeller-heads called CCN.  CCN is/are the group wielding the power out there in LDS' WAN world.  The Global 'whatever' org is still pretty nebulous to me, but I'm persistent.  I'll ferret them out yet.
                     
                    Bill H.

                    "mkitchen@..." <mkitchen@...> wrote:
                    My flat cable that came with my pix has an ethernet connector on one end and plugs into the console (blue marker) connection on the PIX.  The other end of the cable has a connector that connects to the serial port of the computer.  The cable is flat and  blue in color and came with the PIX.
                    Global connect had me use a console program on the computer to talk to the PIX.  They then took over control of my computer and updated files in it. 
                    Maybe everything has changed now with LANDESK.  But that is what I have and how I used it within the last few months.
                    Merlin Kitchen
                     


                  • Merlin R Kitchen
                    Message 9 of 11, Jun 8, 2006
                      I'm not sure of their current official title.  But I got the impression when talking to them that the really capable ones I was talking to were situated on BYU campus.
                      M. Kitchen
                       
                      On Wed, 7 Jun 2006 16:20:27 -0700 (PDT) Bill Henderson <wch3120@...> writes:
                      You refer to them as Global Connect.  I thought I heard they were called Global Services.  Is one a subordinate of the other or just a different name for the same entity?  Whenever I call up for a "clarification" the guy manning the helpdesk phone refers to a group of propeller-heads called CCN.  CCN is/are the group wielding the power out there in LDS' WAN world.  The Global 'whatever' org is still pretty nebulous to me, but I'm persistent.  I'll ferret them out yet.
                    • Russell Hltn
                      Message 10 of 11, Jun 8, 2006
                        I have it written down as "Global Connect" but I could be wrong.
                         