Interesting problem with pix 515 UR

Just an interesting problem with a PIX 515E-UR:

running 6.3(5)

This PIX has only 2 ethernet interfaces; I have connected ethernet0 (outside) via a crossover cable to the 1760 installed by my connectivity provider; this has public IP addresses. To compensate for the lack of other ethernet interfaces, I have configured ethernet1 to do 802.1Q encapsulation and connected it to the GE0/2 of a Catalyst 2950.

All the servers are directly connected to the Catalyst 2950 and I see the error counters on the physical interfaces involved all at 0; all are at a correct speed/duplex setting as reported at both ends.

My problem is related to basic connectivity. What I see is that connectivity is present both from the PIX itself (I can ping destinations from it) and through the PIX (I can use the connections), but every now and then I cannot reach destinations *through* the PIX and I *cannot ping the destinations from the PIX* itself.

A simple "clear arp" solves the problem for another quantum of time, which is longer the smaller the "arp timeout" programmed in the PIX is; with the default (14400 secs) I can see the problem in 10 minutes or so, with a much smaller value (150 seconds) I see the problem only when there is no traffic for a time (typically at night).

I have checked the arp cache and the mac-address-table on the switch and I can positively conclude that the addresses are correct and in the correct VLAN.

Because I can always connect to the PIX externally even during the problem, I sent the PIX log to a server and noted simply that there aren't abnormal messages. I see the connections built, and some time later the SYN timeout because evidently the PIX cannot send the traffic to the destination.

Any ideas? I've frankly run out of ideas (and am quite tempted to leave this *as is* and go to the beach for some days... :)

Following, I am sending the PIX config and the relevant part of the 2950 config (with any sensitive information purged).

*PLEASE DO NOT TELL ME TO REVISE THE SECURITY POLICY* I know that; this is a fresh install and I want to have stable connectivity before hardening IP security and opening the IPsec VPNs I need to. In fact, I have sensed this problem without access-lists or security at all, directly from the PIX console while installing the device.

bye Andrea

------------- Catalyst 2950 vlan config

Switch#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
2    server                           active    Fa0/21, Fa0/22, Fa0/23, Fa0/24
3    external                         active
4    extra                            active
999  NativeForTrunks                  active

Switch#sh run
Building configuration...

Current configuration : 2034 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
logging buffered 32768 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXX
!
username root privilege 15 password 0 XXXXXXXXXXX
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
[..]
!
interface FastEthernet0/21
 description server webvecchio
 switchport access vlan 2
 load-interval 30
 spanning-tree portfast
!
interface FastEthernet0/22
 description server readytec
 switchport access vlan 2
 load-interval 30
 spanning-tree portfast
!
interface FastEthernet0/23
 description www server
 switchport access vlan 2
 load-interval 30
 spanning-tree portfast
!
interface FastEthernet0/24
 description Mail Server
 switchport access vlan 2
 load-interval 30
 spanning-tree portfast
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
 description Link to firewall PIX515 mode .1Q eth1
 switchport trunk native vlan 999
 switchport mode trunk
 load-interval 30
 duplex full
 speed 100
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan2
 ip address 10.10.10.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.1
no ip http server
!
logging trap debugging
logging facility local3
logging source-interface Vlan2
logging 10.10.10.60
!
[..]
!
end

------------------------- Pix config:

pix# sh ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)

0: ethernet0: address is 0017.9514.6751, irq 10
1: ethernet1: address is 0017.9514.6752, irq 11

This PIX has an Unrestricted (UR) license.

pix# sh run
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan1 physical
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security90
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname pix
domain-name XXXXXXX.it
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.60 mail
name 10.10.10.50 www
name 10.10.10.70 www-vecchio
name X.Y.Z.0 my-net
name X.X.X.40 public-net
name 10.10.10.80 rtec
name 10.10.10.2 switch1
name 192.168.3.0 Vpn
name 10.10.10.0 dmz-net
name 192.168.1.0 inside-net
name X.X.X.41 fastweb-gw
object-group service public-services tcp
  description public services
  port-object eq www
  port-object eq smtp
  port-object eq 90
  port-object eq pop3
  port-object eq imap4
object-group service my-access-tcp tcp
  description Service access TCP Protocol
  port-object eq 24
  port-object eq telnet
  port-object eq 81
  port-object eq 3389
access-list outside_access_in permit tcp any interface outside object-group public-services
access-list outside_access_in permit tcp my-net 255.255.255.128 interface outside object-group my-access-tcp
access-list outside_access_in permit icmp any any
access-list outside_access_in permit ip Vpn 255.255.255.0 dmz-net 255.255.255.0
access-list inside_outbound_nat0_acl remark local traffic
access-list inside_outbound_nat0_acl permit ip inside-net 255.255.255.0 dmz-net 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip dmz-net 255.255.255.0 Vpn 255.255.255.0
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
logging trap debugging
logging facility 21
logging device-id string fw
logging host dmz mail
logging host outside X.Y.Z.66
icmp permit any outside
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.42 255.255.255.252
ip address inside 192.168.1.10 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpdn_pool 192.168.3.1-192.168.3.250
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location mail 255.255.255.255 dmz
pdm location www 255.255.255.255 dmz
pdm location www-vecchio 255.255.255.255 dmz
pdm location my-net 255.255.255.128 outside
pdm location rtec 255.255.255.255 dmz
pdm location switch1 255.255.255.255 dmz
pdm location Vpn 255.255.255.0 outside
pdm location dmz-net 255.255.255.0 dmz
pdm location inside-net 255.255.255.0 inside
pdm location fastweb-gw 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 150
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 inside-net 255.255.255.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 1 dmz-net 255.255.255.0 0 0
static (dmz,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface www www-vecchio www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 24 mail ssh netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 90 mail www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface pop3 mail pop3 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface imap4 mail imap4 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3389 www-vecchio 3389 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface telnet switch1 telnet netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 fastweb-gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 84.16.227.160 source outside
ntp server 194.100.206.70 source outside
ntp server 83.245.15.97 source outside
ntp server 85.214.43.186 source outside
ntp server 80.74.144.230 source outside
ntp server 192.36.143.150 source outside
ntp server 195.228.155.101 source outside
ntp server 80.203.145.142 source outside
http server enable
http my-net 255.255.255.128 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside-net 255.255.255.0 inside
telnet mail 255.255.255.255 dmz
telnet timeout 5
ssh my-net 255.255.255.128 outside
ssh timeout 60
console timeout 0
vpdn group pptp_vpn accept dialin pptp
vpdn group pptp_vpn ppp authentication chap
vpdn group pptp_vpn ppp authentication mschap
vpdn group pptp_vpn ppp encryption mppe 40 required
vpdn group pptp_vpn client configuration address local vpdn_pool
vpdn group pptp_vpn pptp echo 300
vpdn group pptp_vpn client authentication local
vpdn username XXXXXXXX password *********
vpdn enable outside
dhcpd address 192.168.1.200-192.168.1.254 inside
dhcpd dns mail
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXXXXXXX.it
dhcpd auto_config outside
dhcpd enable inside
username root password XXXXXXXXXXXXXX encrypted privilege 15
terminal width 80
Reply to
Andrea Borghi
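The "connections built, then SYN timeout" observation in the post can be turned into numbers rather than read by eye. The script below is an added example, not code from the original post: it pairs PIX 6.3 `%PIX-6-302013` (Built) messages with their `%PIX-6-302014` (Teardown) and reports, per destination, runs of new connections that all died with `SYN Timeout` and zero bytes, which is what a firewall that cannot deliver frames to the next hop looks like in its own log. The message IDs are the real PIX connection messages; the log lines themselves are constructed (203.0.113.42 stands in for the redacted X.X.X.42), and the regular expressions are tuned to that constructed layout.

```python
"""Pair PIX 6.3 Built/Teardown syslog messages and find, per destination,
runs of new connections that all died with 'SYN Timeout' and no data."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of %PIX-6-302013 (Built) / %PIX-6-302014 (Teardown)
# messages; hypothetical data, not taken from the post. 203.0.113.42 stands in for X.X.X.42.
SAMPLE_LOG = """\
Jul 12 01:58:02 fw %PIX-6-302013: Built inbound TCP connection 990 for outside:198.51.100.7/40001 (198.51.100.7/40001) to dmz:10.10.10.60/25 (203.0.113.42/25)
Jul 12 01:58:04 fw %PIX-6-302014: Teardown TCP connection 990 for outside:198.51.100.7/40001 to dmz:10.10.10.60/25 duration 0:00:02 bytes 1532 TCP FINs
Jul 12 02:10:01 fw %PIX-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51234 (198.51.100.7/51234) to dmz:10.10.10.60/25 (203.0.113.42/25)
Jul 12 02:10:31 fw %PIX-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51234 to dmz:10.10.10.60/25 duration 0:00:30 bytes 0 SYN Timeout
Jul 12 02:12:10 fw %PIX-6-302013: Built inbound TCP connection 1002 for outside:192.0.2.15/33000 (192.0.2.15/33000) to dmz:10.10.10.60/25 (203.0.113.42/25)
Jul 12 02:12:40 fw %PIX-6-302014: Teardown TCP connection 1002 for outside:192.0.2.15/33000 to dmz:10.10.10.60/25 duration 0:00:30 bytes 0 SYN Timeout
Jul 12 02:13:00 fw %PIX-6-302013: Built inbound TCP connection 1003 for outside:192.0.2.15/33001 (192.0.2.15/33001) to dmz:10.10.10.50/80 (203.0.113.42/80)
Jul 12 02:13:01 fw %PIX-6-302014: Teardown TCP connection 1003 for outside:192.0.2.15/33001 to dmz:10.10.10.50/80 duration 0:00:01 bytes 8192 TCP FINs
Jul 12 02:19:45 fw %PIX-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.7/51300 (198.51.100.7/51300) to dmz:10.10.10.60/25 (203.0.113.42/25)
Jul 12 02:20:15 fw %PIX-6-302014: Teardown TCP connection 1004 for outside:198.51.100.7/51300 to dmz:10.10.10.60/25 duration 0:00:30 bytes 0 SYN Timeout
Jul 12 02:31:00 fw %PIX-6-302013: Built inbound TCP connection 1005 for outside:198.51.100.7/51400 (198.51.100.7/51400) to dmz:10.10.10.60/25 (203.0.113.42/25)
Jul 12 02:31:02 fw %PIX-6-302014: Teardown TCP connection 1005 for outside:198.51.100.7/51400 to dmz:10.10.10.60/25 duration 0:00:02 bytes 2048 TCP FINs
"""

# syslog prefix: "Mon DD HH:MM:SS hostname "
TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
BUILT_RE = re.compile(TS + r"%PIX-6-302013: Built \w+ TCP connection (?P<id>\d+) "
                      r"for \S+(?: \(\S+\))? to (?P<dst>\w+:[\d.]+/\d+)")
TEARDOWN_RE = re.compile(TS + r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) "
                         r"for \S+ to (?P<dst>\w+:[\d.]+/\d+) duration \S+ "
                         r"bytes (?P<bytes>\d+) (?P<reason>.+)$")

def parse_ts(stamp, year=2000):
    """syslog stamps carry no year; any year works for ordering within one day."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def connection_outcomes(lines):
    """Match each Teardown to its Built by connection id and classify it.
    Returns {dst: [(built_time, 'syn_timeout' | 'ok'), ...]} sorted by time."""
    built = {}
    outcomes = defaultdict(list)
    for line in lines:
        m = BUILT_RE.match(line)
        if m:
            built[m["id"]] = parse_ts(m["ts"])
            continue
        m = TEARDOWN_RE.match(line)
        if not m or m["id"] not in built:
            continue  # teardown of a connection built before the capture started
        start = built.pop(m["id"])
        failed = m["reason"].strip() == "SYN Timeout" and int(m["bytes"]) == 0
        outcomes[m["dst"]].append((start, "syn_timeout" if failed else "ok"))
    for dst in outcomes:
        outcomes[dst].sort()
    return outcomes

def blackout_windows(lines, min_failures=2):
    """Per destination, runs of consecutive SYN-timeout connections with no
    successful connection in between. Returns {dst: [(first, last, count)]}."""
    windows = defaultdict(list)
    for dst, events in connection_outcomes(lines).items():
        run = []
        for ts, outcome in events + [(None, "ok")]:  # sentinel flushes the last run
            if outcome == "syn_timeout":
                run.append(ts)
            else:
                if len(run) >= min_failures:
                    windows[dst].append((run[0], run[-1], len(run)))
                run = []
    return dict(windows)

if __name__ == "__main__":
    for dst, runs in blackout_windows(SAMPLE_LOG.splitlines()).items():
        for first, last, count in runs:
            print(f"{dst}: {count} SYN timeouts between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Run it over the file the PIX is logging to and lay the reported windows next to the configured `arp timeout` and the times `clear arp` was issued; if the windows start a fixed interval after each ARP refresh and end at each clear, the log is describing the same thing the console shows.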

The only thing that jumps out at me is that this could be an IP conflict on the back side of the PIX. Frankly I don't know what a PIX would do if it encountered a conflicting IP. Would it only affect the one L3 interface or would it put the whole L2 interface in a state of limbo? You might try shutting down all the VLANs but one and see if it lasts. Then add them back one by one to see if the problem is tied to one VLAN.

J
Reply to
J

[..]

I have analyzed that scenario. I cannot do that because these days I am *not* on site, so I cannot translate the configurations to another VLAN and close it. The problem is that the client PCs are on VLAN 1 via another series of switches and I cannot reach these to change parameters yet.

I have analyzed the arp table on the PIX during the problem and the addresses are the same, so it seems to me that the PIX must be trying to send the traffic to the correct L2 address, so there is something we are not considering.

I have the 2950 doing buffered logging and the switch is silent of relevant messages; I remember that the 3548s I had would tell something like "mac address XXXX relearned on interface XY zz times", but there is *not* a message concerning mac addresses in the logs, and the arp and mac-address-tables are OK in the switch.

Andrea

Reply to
Andrea Borghi
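Both J's IP-conflict hypothesis and the ARP-table-versus-MAC-table comparison Andrea describes above can be scripted and repeated across the outage instead of being compared by eye. The following is an added example, not code from either poster. It parses a PIX `show arp` listing (assumed here to be `interface host mac` rows, with hosts shown as IPs) and a 2950 `show mac-address-table` listing, then checks every ARP entry on the `inside` and `dmz` sub-interfaces against the switch: the MAC must be present, must sit in the VLAN the posted config maps that sub-interface to (`vlan1 physical` = inside, `vlan2 logical` = dmz), and should have been learned on a server port rather than on Gi0/2, the trunk back to the firewall. A second check takes several ARP snapshots and reports any host that answered from more than one MAC, which is what an address conflict would leave behind. All listing data is constructed; 203.0.113.41 stands in for the redacted gateway address.

```python
"""Cross-check a PIX 'show arp' listing against a Catalyst 2950 'show mac-address-table'
and look for hosts whose MAC changes between ARP snapshots."""
import re
from collections import defaultdict

# PIX sub-interface -> 802.1Q VLAN on ethernet1, from the posted config
# ('interface ethernet1 vlan1 physical' = inside, 'interface ethernet1 vlan2 logical' = dmz).
IFACE_VLAN = {"inside": 1, "dmz": 2}
TRUNK_PORT = "Gi0/2"  # the 2950 port trunked to the firewall (GigabitEthernet0/2 in the post)

# Constructed 'show arp' rows in the shape '<interface> <host> <mac>' (hypothetical data).
ARP_SNAPSHOT_1 = """\
        outside 203.0.113.41 0000.0c00.0041
        inside 192.168.1.200 0011.2233.0200
        dmz 10.10.10.60 0011.2233.0060
        dmz 10.10.10.50 0011.2233.0050
        dmz 10.10.10.2 000a.b7cd.0002
        dmz 10.10.10.80 0011.2233.0080
        dmz 10.10.10.70 0011.2233.0070
"""
# The same listing a few minutes later, with 10.10.10.50 answering from a different MAC.
ARP_SNAPSHOT_2 = ARP_SNAPSHOT_1.replace("0011.2233.0050", "0011.2233.0051")

# Constructed 'show mac-address-table' output in the 2950 layout (hypothetical data).
SWITCH_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   1    0011.2233.0200    DYNAMIC     Fa0/5
   2    000a.b7cd.0002    STATIC      CPU
   2    0011.2233.0050    DYNAMIC     Fa0/23
   2    0011.2233.0060    DYNAMIC     Fa0/24
   2    0011.2233.0080    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 6
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(" + MAC + r")\s*$")
MAC_ROW = re.compile(r"^\s*(\d+)\s+(" + MAC + r")\s+\w+\s+(\S+)")

def parse_pix_arp(text):
    """Return {(interface, host): mac} from a 'show arp' listing."""
    entries = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            entries[(m.group(1), m.group(2))] = m.group(3).lower()
    return entries

def parse_mac_table(text):
    """Return {mac: (vlan, port)} for numbered-VLAN rows; the 'All' system rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            table[m.group(2).lower()] = (int(m.group(1)), m.group(3))
    return table

def cross_check(arp, mac_table, iface_vlan=IFACE_VLAN, trunk_port=TRUNK_PORT):
    """One finding per ARP entry whose MAC is missing from the switch, sits in the
    wrong VLAN, or was learned on the trunk back to the firewall."""
    findings = []
    for (iface, host), mac in sorted(arp.items()):
        if iface not in iface_vlan:
            continue  # e.g. outside: that segment is not behind this switch
        want = iface_vlan[iface]
        entry = mac_table.get(mac)
        if entry is None:
            findings.append(f"{iface} {host} {mac}: not in switch MAC table (aged out or never learned)")
        elif entry[0] != want:
            findings.append(f"{iface} {host} {mac}: switch has it in VLAN {entry[0]}, PIX sub-interface is VLAN {want}")
        elif entry[1] == trunk_port:
            findings.append(f"{iface} {host} {mac}: learned on {trunk_port}, the firewall trunk, not on a server port")
    return findings

def ip_conflicts(snapshots):
    """{(interface, host): {macs}} for hosts seen with more than one MAC across snapshots."""
    seen = defaultdict(set)
    for snap in snapshots:
        for key, mac in snap.items():
            seen[key].add(mac)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    arp1, arp2 = parse_pix_arp(ARP_SNAPSHOT_1), parse_pix_arp(ARP_SNAPSHOT_2)
    for f in cross_check(arp1, parse_mac_table(SWITCH_MAC_TABLE)):
        print("MISMATCH:", f)
    for (iface, host), macs in ip_conflicts([arp1, arp2]).items():
        print(f"CONFLICT: {iface} {host} seen as {', '.join(sorted(macs))}")
```

Capture `show arp` on the PIX and `show mac-address-table` on the 2950 a few times while the problem is present and once right after `clear arp`; a host that only shows up in the findings during the outage, or that changes MAC between snapshots, is the one to look at first.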

Reply to
saharan.jasbir

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.