hi folks,
Desc... my webserver's login page keeps timing out when connecting to an Oracle DB behind a PIX 501 firewall.
This seems to happen in the morning and at lunch.
After the page times out it then connects on the second try, and works until lunch time when it will time out again.
The webserver has an ip of 192.168.10.23, the db has an ip of 192.168.0.30. The error on my syslog server is...
%PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33734 to 192.168.0.30/1521 flags PSH ACK on interface outside
I've read that this can be caused by no SYN flag being in the packet. This SYN flag only occurs when a new connection is being made; now that doesn't appear, so it looks like the web server still thinks it's connected to the database, and the database to the webserver. Now if that's correct it looks like the PIX is timing out the connection. Seems to make sense?
If this is the case, how do I get the connection to stay open without affecting timeout values? I've heard of conduits and established connections but I'm a bit of a newbie and don't want to jump in with both feet. I've changed "Connection" and "Translate" timeouts to 5 minutes and it does indeed time out now after 5 minutes, so it's definitely timing out.
Here's my running config... (I've left out access rules and groups so there's not so much stuff)
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name vianet.co.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
no fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
access-list inside_access_in permit ip Internal-Network 255.255.255.0 any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit ip host CASTOR object-group AD-Access-Inside
access-list outside_access_in permit ip VianetStaffPool 255.255.255.248 Internal-Network 255.255.255.0
access-list outside_access_in permit ip host Collaboration host EXTRANET
access-list outside_access_in permit ip host Collaboration host MAIL
access-list outside_access_in permit ip host db any
access-list outside_access_in permit tcp host T1Server2 host Alcanet-db eq 1533
access-list outside_access_in permit tcp host T1Server2 host QA eq sqlnet
access-list outside_access_in permit ip host T1Server1 host QA log 7
access-list inside_outbound_nat0_acl permit ip any VianetStaffPool 255.255.255.248
access-list inside_outbound_nat0_acl permit ip any host CASTOR
access-list inside_outbound_nat0_acl permit ip any host Collaboration
access-list inside_outbound_nat0_acl permit ip any Alcanet 255.255.0.0
access-list inside_outbound_nat0_acl permit ip any host ARENA
access-list inside_outbound_nat0_acl permit ip any host db
access-list inside_outbound_nat0_acl permit ip any host T1Server1
access-list inside_outbound_nat0_acl permit ip any host T1Server2
pager lines 24
logging on
logging timestamp
logging trap debugging
logging history debugging
logging facility 16
logging host inside 192.168.0.56
mtu outside 1500
mtu inside 1500
ip address outside 192.168.10.1 255.255.255.0
ip address inside 192.168.0.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
established udp 0 177 permitto tcp 6000 permitfrom tcp 1024-65535
route outside 0.0.0.0 0.0.0.0 192.168.10.2 1
route outside CASTOR 255.255.255.255 192.168.10.2 1
timeout xlate 1:00:00
timeout conn 0:05:00 half-closed 0:10:00 udp 0:05:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http Internal-Network 255.255.255.0 inside
snmp-server host inside 192.168.0.6
no snmp-server location
no snmp-server contact
snmp-server community vianetsnmp
snmp-server enable traps
tftp-server outside ARENA /pix1.vianet.co.uk
floodguard enable
sysopt connection tcpmss 0
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80

thanks Dave
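An added example (not part of Dave's post or any Cisco tooling) that pulls the %PIX-6-106015 message quoted above out of syslog lines and counts how often the same source/port/destination is denied without a SYN flag toward the SQL*Net port. Repeated non-SYN denies on one 4-tuple are the signature of a session the PIX has aged out while both endpoints still consider it open; the sample lines are constructed, and the 302013 "Built" line is included only to show that other message types are skipped.

```python
import re
from collections import Counter

# Shape of the PIX 106015 message as it appears in the post:
# %PIX-6-106015: Deny TCP (no connection) from A/p to B/q flags F on interface I
PIX_106015 = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)

def parse_106015(line):
    """Return the fields of a 106015 deny, or None if the line is another message."""
    m = PIX_106015.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["flags"] = d["flags"].split()
    return d

def stateless_midstream_denies(lines, dport):
    """Count 106015 denies toward dport whose flags lack SYN, keyed by
    (src, sport, dst). A non-SYN segment with no connection entry means the
    endpoint is sending into a session the PIX no longer tracks; several hits
    on the same key are retransmissions into an aged-out connection."""
    hits = Counter()
    for line in lines:
        d = parse_106015(line)
        if d and d["dport"] == dport and "SYN" not in d["flags"]:
            hits[(d["src"], d["sport"], d["dst"])] += 1
    return hits

# Constructed sample syslog lines (not captured from a real device).
SAMPLE = [
    "Jan 10 08:31:02 pix %PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33734 to 192.168.0.30/1521 flags PSH ACK on interface outside",
    "Jan 10 08:31:05 pix %PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33734 to 192.168.0.30/1521 flags PSH ACK on interface outside",
    "Jan 10 08:31:06 pix %PIX-6-302013: Built inbound TCP connection 4412 for outside:192.168.10.23/33800 (192.168.10.23/33800) to inside:192.168.0.30/1521 (192.168.0.30/1521)",
    "Jan 10 09:02:17 pix %PIX-6-106015: Deny TCP (no connection) from 192.168.10.40/51200 to 192.168.0.6/445 flags ACK on interface outside",
    "Jan 10 12:58:44 pix %PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33734 to 192.168.0.30/1521 flags PSH ACK on interface outside",
]

if __name__ == "__main__":
    for (src, sport, dst), n in stateless_midstream_denies(SAMPLE, 1521).items():
        print(f"{src}:{sport} -> {dst}:1521 denied {n}x without SYN (likely aged-out session)")
```

Run against the real syslog export and a key that recurs only around idle periods (morning, lunch) points at the conn timeout rather than at an access-list problem.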