Cisco firewall filling ip addresses & not releasing them

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
stephen500
Member
Posts: 105
Joined: Sun Feb 15, 2009 8:45 am
Location: Chester, England

Cisco firewall filling ip addresses & not releasing them

Postby stephen500 » Sun Oct 23, 2011 6:53 pm

At Chester Stake I have a particular problem.
We use a Cisco Pix 501, global services tell me this is the oldest firewall the church operates and have advised it's replacement.
So here is the problem and how I deal with it.
Am I doing any thing wrong and can you give some advice, thanks in advance.
Problem and context:
We have 3 family history, two Young single adult center and one MLS computer(s) in our stake centre.
We use cisco pix 501 firewall with Cisco wireless.
One family history computer is Lan connected, the rest of the computers are wireless.
It seems that as members visit the stake centre and use their blackberrys, i-pads etc using Ldsaccess, that the cisco pix 501 assigns them an IP address each.
The capacity, I am told by global services, is around 30 devices.
However when the members leave the cisco pix 501 appears to remember those ip addresses and not release them for use again.
This appears to result in wireless devices showing Ldsaccess connection, but in reality on some devices the taskbar shows a connection with a problem and the internet cannot be accessed.
I have tried to correct the problem by 1) rebooting the cisco pix 501, 2) If this does not work releasing the ip address (cmd ipconfig/release ipconfig/renew). This fixes the problem for lots of devices, but still some won't connect.
However this does not appear to be a long term solution as
1) I am having to do this more frequently.
2) I am told by global services that the more time I do this, the more I will degrade the cisco pix 501.
Can you suggest a more lasting fix to the temp one above, thanks.
Stephen Sinclair,
butt Stake clerk,
Stake tech Specialist.

jdlessley
Community Moderators
Posts: 6526
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Sun Oct 23, 2011 7:19 pm

What you report are indications of a failing device. There is nothing you can do to correct this other than to replace the device.
JD Lessley
Have you tried finding your answer on the LDS.org Help Center page or the LDSTech wiki?

stephen500
Member
Posts: 105
Joined: Sun Feb 15, 2009 8:45 am
Location: Chester, England

Postby stephen500 » Sun Oct 23, 2011 7:21 pm

Thank you.

russellhltn
Community Administrator
Posts: 20767
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Sun Oct 23, 2011 11:25 pm

stephen500 wrote:The capacity, I am told by global services, is around 30 devices.


IIRC, they shipped with 10 licenses but could be expanded to 50.

Even if it issues an IP address, it may not grant Internet access based on the licenses in use.

stephen500 wrote:However when the members leave the cisco pix 501 appears to remember those ip addresses and not release them for use again.


I'm not sure what the church has set for IP leasing. One day is not unusual. Unfortunately that means that the first ward could be tying up all the IP addresses even after they leave.

stephen500 wrote:I am told by global services that the more time I do this, the more I will degrade the cisco pix 501.


I call bogus.

It does however create another problem. When you reboot the PIX 501, you wipe it's memory of what IPs it has leased out. Devices that are still in the building already have a valid lease and I would not expect them to tell the rebooted PIX about it. This could result in the PIX issuing a lease for a IP that's already in use. I'm not sure how that plays out.

I think the long term solution is to get a firewall that can handle the needs of your unit. As more and more members bring in wireless devices, I suspect this will become a more common problem.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

User avatar
Biggles
Senior Member
Posts: 922
Joined: Tue May 27, 2008 4:14 am
Location: Watford, England

Postby Biggles » Mon Oct 24, 2011 3:21 am

We have been having very similar problems with our Cisco 501. As a temporary measure all our FHC & Stake Clerk computers are using a temporary router, installed after the Firewall. This means only one licence is used for all those computers. All our computers are wireless connected.

We also changed the LDSAccess password, as many unauthorized persons had access. GSD will do this, although reluctantly. We also introduced a Stake wide internet policy.

We are waiting for a new Cisco 881W to be supplied, but unfortunately will probably have to wait until after the internet roll out, in the UK has, happened.

If you would like to PM me, I will give you the details of what we did. also check this link: https://tech.lds.org/forum/showthread.php?2897-Wireless-Router-configured-as-WAP/page8 Just read on to the end of the posts.

User avatar
johnshaw
Senior Member
Posts: 1839
Joined: Fri Jan 19, 2007 1:55 pm
Location: Syracuse, UT

Postby johnshaw » Mon Oct 24, 2011 5:11 am

We had a similar issue in one of our buildings, and used an additional router as mentioned above.

russellhltn
Community Administrator
Posts: 20767
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Mon Oct 24, 2011 11:13 am

Can a 1040 work though a "consumer" router ok? Since those are where I'd expect the majority of IP requests to come from, that's one of the first things I'd put behind an added router.

Of course this brings up another reason why I think ordering the 881 with a internal WAP was/is a bad idea.
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

jdlessley
Community Moderators
Posts: 6526
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Mon Oct 24, 2011 1:49 pm

I am going to revise my assessment of stephen500's PIX problem. I only see one issue that could be attributed to PIX degradation and pending failure.

stephen500 wrote:It seems that as members visit the stake centre and use their blackberrys, i-pads etc using Ldsaccess, that the cisco pix 501 assigns them an IP address each.
This is as it should be. Otherwise there could be no network communication.

stephen500 wrote:The capacity, I am told by global services, is around 30 devices.
However when the members leave the cisco pix 501 appears to remember those ip addresses and not release them for use again.
How do you know they are not released? What software or method are you using to determine this?

If in fact the PIX is not releasing the IP addresses there are two possible explanations. The first is that the PIX is failing. That is why I made my original assessment in post #2. The second requires more explanation.

Properly functioning wireless client devices will release their IP address lease when disconnecting. A year and a half ago there were reported bugs with some mobile devices that did not release the lP address lease. This could contribute to the issue for those devices that have not upgraded their firmware. However, it is hard for me to believe that there are a large number of those faulty mobile devices that have not upgraded the firmware in one location a year and a half later.

But that brings me back to my question about how you know the IP addresses are not being released. It is more likely that all the IP address licenses are being used, whether that is 10 (the default for the PIX) or 30 that global services claims you have.

stephen500 wrote:This appears to result in wireless devices showing Ldsaccess connection, but in reality on some devices the taskbar shows a connection with a problem and the internet cannot be accessed.
A wireless client can establish a connection to the WAP, a part of the network. However if there are no available IP addresses the wireless client will not be able to connect to the Internet. The result is a displayed connection but no Internet. Internet access will only be available once an IP address is available. You can test this by using a mobile device, such as a laptop, that can report the IP address it has been assigned. If using a laptop, use ipconfig to display the IP address when no Internet connection is present. You will see an IP address of 0.0.0.0 but no lease.

stephen500 wrote:I have tried to correct the problem by 1) rebooting the cisco pix 501, 2) If this does not work releasing the ip address (cmd ipconfig/release ipconfig/renew). This fixes the problem for lots of devices, but still some won't connect.
By rebooting I am assuming you are powering down the PIX for at least 30 seconds. A shorter power down may cause anomalous behavior.

Rebooting the PIX will shut down the LAN and reset the IP leases. Each device previously connected will attempt to reconnect and attempt to renew its lease. When that fails it will assume it has gone to a new network and will attempt to obtain a new lease.

Releasing and renewing the IP leases using ipconfig only works for the network adapters on the computer the command is run on. That will only free up the IP addresses that computer was using. You would have to do a DHCP release and a DHCP renew for the router to reset the IP address leases for the LAN. This is not possible locally since the PIX is remotely managed.

The workaround that Biggles uses will provide relief for the limited number of licenses but with a reduction in available bandwidth to wireless clients as the number of connected clients increase. The router behind the PIX will provide stability in the DHCP IP lease requests and may reduce the connectivity failures. It will only mask the pending failure of the PIX for a period of time, if in fact it is failing.

I would continue to try and get a replacement for the PIX.
JD Lessley
Have you tried finding your answer on the LDS.org Help Center page or the LDSTech wiki?

russellhltn
Community Administrator
Posts: 20767
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Mon Oct 24, 2011 2:06 pm

jdlessley wrote:Properly functioning wireless client devices will release their IP address lease when disconnecting.


I wonder how many "improperly" functioning devices there may be? Considering that many portable devices are only put to sleep and not turned off. It would be interesting to monitor the network to see what is happening. In fact I may start a small project to build a monitor as I know I'll need the information.


jdlessley wrote:Rebooting the PIX will shut down the LAN and reset the IP leases. Each device previously connected will attempt to reconnect and attempt to renew its lease.


Only if the device has detected the loss of connection. If the devices are directly connected to the PIX, they'll know. If they're not, I'm not sure as they would notice. Hence the possibility of IP collisions.
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

jdlessley
Community Moderators
Posts: 6526
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Mon Oct 24, 2011 2:57 pm

RussellHltn wrote:I wonder how many "improperly" functioning devices there may be? Considering that many portable devices are only put to sleep and not turned off. It would be interesting to monitor the network to see what is happening. In fact I may start a small project to build a monitor as I know I'll need the information.
When a mobile device goes to sleep it does not send a release notice. The IP address lease is retained. However, it is not renewed. If the device is not awaken in time the lease can expire. When the mobile device is awake again it it enters the DHCP INIT-REBOOT state. If the lease is still valid it will renew that lease. If not it will request a new lease.

RussellHltn wrote:Only if the device has detected the loss of connection. If the devices are directly connected to the PIX, they'll know. If they're not, I'm not sure as they would notice. Hence the possibility of IP collisions.
The loss of connection would be detected on the first transmission of a packet request to the router. The router would compare the MAC address assigned to the IP address. The router would then respond to the wireless device and the wireless device would request a new IP address lease. IP collisions are possible for a few microseconds but would be quickly resolved.
JD Lessley
Have you tried finding your answer on the LDS.org Help Center page or the LDSTech wiki?


Return to “Meetinghouse Internet”

Who is online

Users browsing this forum: No registered users and 1 guest