question pix firewall

Hi,

I have a quick question in regards to some dropped packets.

I have a T1 from Bell, that goes into their "managed router" and then into my PIX Firewall. From time to time I have to call Bell to reset the router because the internet goes down, and they keep on telling me that the problem is not on their side, and that they see a lot of dropped packets in the router's log.

I've asked them several times now to send those logs, as I don't have access to the router, and I cannot see anything wrong in the PIX's log either (not that the PIX is very good at reporting)...

What/how can I see if there's something wrong with either of the setups/devices?

Any idea would be much appreciated!

Julian Dragut

Reply to
Julian Dragut

Hi Julian,

You may be experiencing the PIX's "shun" feature. When the PIX sees a large amount of traffic from a source it may "shun" the traffic for a period of time.

Sincerely,

Brad Reese
BradReese.Com Cisco Resource Center
Toll Free: 877-549-2680
International: 828-277-7272

Reply to
BradReeseCom

In article , BradReeseCom wrote:
:You may be experiencing the PIX's "shun" feature. When the PIX sees a
:large amount of traffic from a source it may "shun" the traffic for a
:period of time.

PIX 6.x does not have such a feature under that name. The PIX "shun" command has to be put in manually or sent to it by an IDS: the PIX never automatically does a "shun" by itself.

The PIX does have "floodguard" and does have mechanisms in the 'static' command to control connection rates and the number of pending "half-open" connections, but "shun" is completely different than either of those.

Reply to
Walter Roberson

Whatever your PIX drops, your ISP should not see. You may have a physical problem? How do you connect to your ISP router? Xover cable? Or a hub/switch? If your ISP router has FastEthernet, make sure to force your PIX outside interface to 100/Full. Next, I would try swapping out the cable between your ISP router and PIX.

Tom

Reply to
Dumbkid

Thanks Tom,

Reply to
Julian Dragut

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.