D’oh!

So I’ve been trying to work out why network behaviour has been so erratic at work since I replaced our leased line with a 1Mb DSL line. Seemingly at random, machines would be unable to connect to the outside world. It was as if a machine was completely firewalled, but a few hours later it would be fine - and a different machine would be unable to connect. This was most obviously manifested by MSN Messenger failing to connect. (Note to any Sysadmins who allow MSN: this is a very quick way to piss off your entire staff!) It was only after staring at the PIX config for two straight hours that I finally noticed this line:

nat (inside) 1 0.0.0.0 0.0.0.0 10 10

For those of you not familiar with PIX IOS configuration, the "10 10" at the end of that line is the number of concurrent connections that the rule will allow. So basically, 10 machines could be NAT’d out of the network before it would stop processing them. Only when one machine stopped talking to the outside world would it let another take its place. D’oh! I changed it to:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

And of course it immediately started working properly! (0 means unlimited connections.)
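As an added example, not code from the original post: a small Python check that scans a PIX 6.x-style configuration for nat statements carrying the two trailing numbers discussed above and reports any that cap translations. In the PIX nat command those two fields are max_conns (maximum TCP connections through the translation) and emb_limit (maximum embryonic, i.e. half-open, connections), and 0 means unlimited for both. The sample config below is constructed; the regex assumes the address form of the nat command (the "nat (inside) 0 access-list NAME" form carries no limits and is skipped).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# PIX 6.x "nat" statement, address form:
#   nat (if_name) nat_id local_ip [netmask [max_conns [emb_limit [norandomseq]]]]
# The access-list form ("nat (inside) 0 access-list NAME") has no limit fields
# and deliberately does not match this pattern.
NAT_RE = re.compile(
    r"^\s*nat\s+\((?P<ifname>[^)]+)\)\s+(?P<nat_id>\d+)\s+"
    r"(?P<local_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+(?P<netmask>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s+(?P<max_conns>\d+))?"
    r"(?:\s+(?P<emb_limit>\d+))?"
    r"(?:\s+norandomseq)?\s*$"
)

# Constructed sample configuration (not a real device config).
SAMPLE_CONFIG = """\
! constructed sample, not a real config
nameif ethernet1 inside security100
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 10 10
nat (dmz) 2 192.168.50.0 255.255.255.0
global (outside) 1 interface
"""


@dataclass
class NatRule:
    line_no: int
    ifname: str
    nat_id: int
    local_ip: str
    netmask: Optional[str]
    max_conns: int  # 0 = unlimited
    emb_limit: int  # 0 = unlimited

    @property
    def is_catch_all(self) -> bool:
        # 0.0.0.0 0.0.0.0 translates every inside host, so a cap here
        # throttles the whole network, not one subnet.
        return self.local_ip == "0.0.0.0" and self.netmask == "0.0.0.0"


def parse_nat_rules(config_text: str) -> List[NatRule]:
    """Extract address-form nat rules; missing limit fields default to 0 (unlimited)."""
    rules = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = NAT_RE.match(line)
        if not m:
            continue
        rules.append(NatRule(
            line_no=n,
            ifname=m["ifname"],
            nat_id=int(m["nat_id"]),
            local_ip=m["local_ip"],
            netmask=m["netmask"],
            max_conns=int(m["max_conns"] or 0),
            emb_limit=int(m["emb_limit"] or 0),
        ))
    return rules


def find_limited_rules(config_text: str) -> List[str]:
    """Return one warning string per nat rule whose max_conns or emb_limit is non-zero."""
    warnings = []
    for r in parse_nat_rules(config_text):
        if r.max_conns or r.emb_limit:
            scope = " (catch-all rule, affects every inside host)" if r.is_catch_all else ""
            warnings.append(
                f"line {r.line_no}: nat ({r.ifname}) {r.nat_id} caps translations at "
                f"max_conns={r.max_conns}, emb_limit={r.emb_limit}{scope}"
            )
    return warnings


def suggest_fix(rule: NatRule) -> str:
    """Rebuild the nat line with both limits set to 0 (unlimited)."""
    if rule.netmask is None:
        # Limits only ever follow a netmask in the address form, so a limited
        # rule always has one; anything else is a parsing inconsistency.
        raise ValueError("rule has no netmask; nothing to rewrite")
    return f"nat ({rule.ifname}) {rule.nat_id} {rule.local_ip} {rule.netmask} 0 0"


if __name__ == "__main__":
    for warning in find_limited_rules(SAMPLE_CONFIG):
        print(warning)
    for rule in parse_nat_rules(SAMPLE_CONFIG):
        if rule.max_conns or rule.emb_limit:
            print("suggested:", suggest_fix(rule))
```

Run against a saved "show running-config" dump, the script flags the catch-all rule from the post and prints the corrected line with "0 0"; rules without limit fields, and the access-list form, produce no warning.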

Lesson learned! I’m just embarrassed it took me so long to spot!

1 Response to “D’oh!”


  1. Richard

    You really can’t get the staff these days…



