PIX disallowing access to 1 web site?

We are having problems accessing one web site in particular and we have
isolated the problem to the PIX 515.  By taking the PIX out of the
picture we can access this site no problem.  Looking at the logs, I'm
unable to determine what the problem is.  Am I missing something?

Reading from the bottom up, as is the order of events:

06-07-2006    11:21:42    Local4.Info    172.20.1.70    Jun 07 2006 11:09:40 : %PIX-6-609002: Teardown local-host outside:216.64.54.26 duration 0:02:46
06-07-2006    11:21:42    Local4.Info    172.20.1.70    Jun 07 2006 11:09:40 : %PIX-6-302014: Teardown TCP connection 527517 for outside:216.64.54.26/80 to inside:jeff-mis/2942 duration 0:02:46 bytes 412 TCP Reset-O
06-07-2006    11:18:56    Local4.Notice    172.20.1.70    Jun 07 2006 11:06:54 : %PIX-5-304001: jeff-mis Accessed URL 216.64.54.26:/msaweb/store/home.aspx
06-07-2006    11:18:56    Local4.Info    172.20.1.70    Jun 07 2006 11:06:54 : %PIX-6-302013: Built outbound TCP connection 527517 for outside:216.64.54.26/80 (216.64.54.26/80) to inside:jeff-mis/2942 (64.194.142.178/2942)
06-07-2006    11:18:56    Local4.Info    172.20.1.70    Jun 07 2006 11:06:54 : %PIX-6-609001: Built local-host outside:216.64.54.26


Re: PIX disallowing access to 1 web site?

Check for MTU problems; check to see whether you permit incoming
ICMP Unreachable in order to support Path MTU Discovery (PMTUD).

Is there a VPN somewhere between you and them? (You wouldn't
necessarily know, if it is at their end.)

Re: PIX disallowing access to 1 web site?
jeffhoover70@gmail.com wrote:

Try setting tcpmss to 1380 or around there.  As mentioned in the
previous reply, there are probably some ICMP window messages getting
denied/dropped.  Usually having the PIX set the tcpmss max would help.
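
Added example, not part of any post in this thread: a Python sketch that pairs the %PIX-6-302013 and %PIX-6-302014 records from the log in the first post by connection id and flags outbound connections that moved very little data, lingered, and ended in a reset, which is the symptom the replies attribute to an MTU/MSS problem. The function names and the `max_bytes` and `min_seconds` thresholds are assumptions chosen for illustration; a match is a hint to check MTU, not proof.

```python
import re

# Log lines from the first post (syslog-server prefix dropped, wrapped lines joined).
PIX_LOG = """\
Jun 07 2006 11:09:40 : %PIX-6-609002: Teardown local-host outside:216.64.54.26 duration 0:02:46
Jun 07 2006 11:09:40 : %PIX-6-302014: Teardown TCP connection 527517 for outside:216.64.54.26/80 to inside:jeff-mis/2942 duration 0:02:46 bytes 412 TCP Reset-O
Jun 07 2006 11:06:54 : %PIX-5-304001: jeff-mis Accessed URL 216.64.54.26:/msaweb/store/home.aspx
Jun 07 2006 11:06:54 : %PIX-6-302013: Built outbound TCP connection 527517 for outside:216.64.54.26/80 (216.64.54.26/80) to inside:jeff-mis/2942 (64.194.142.178/2942)
Jun 07 2006 11:06:54 : %PIX-6-609001: Built local-host outside:216.64.54.26
"""

BUILT = re.compile(r"%PIX-6-302013: Built (\w+) TCP connection (\d+) for (\S+) ")
TEARDOWN = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (\d+) for (\S+) to (\S+) "
    r"duration (\d+):(\d+):(\d+) bytes (\d+)(?: (.+))?$")

def parse_connections(text):
    """Pair built/teardown records by connection id, in any line order."""
    conns = {}
    for line in text.splitlines():
        if m := BUILT.search(line):
            conns.setdefault(m.group(2), {})["direction"] = m.group(1)
        elif m := TEARDOWN.search(line):
            h, mi, s = (int(x) for x in m.group(4, 5, 6))
            conns.setdefault(m.group(1), {}).update(
                outside=m.group(2), inside=m.group(3),
                seconds=h * 3600 + mi * 60 + s,
                bytes=int(m.group(7)), reason=m.group(8) or "")
    return conns

def stalled(conns, max_bytes=1500, min_seconds=60):
    """Assumed heuristic: outbound, little data moved, long-lived, then reset."""
    return {cid: c for cid, c in conns.items()
            if c.get("direction") == "outbound"
            and "Reset" in c.get("reason", "")
            and c.get("bytes", max_bytes) < max_bytes
            and c.get("seconds", 0) >= min_seconds}

if __name__ == "__main__":
    for cid, c in stalled(parse_connections(PIX_LOG)).items():
        print(cid, c["outside"], c["bytes"], "bytes in", c["seconds"], "s,", c["reason"])
```
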
