URGENT! PIX 501, Timeout between outside server and inside server

hi folks,

Desc... my webserver's login page keeps timing out when connecting to an Oracle DB behind a PIX 501 firewall.

This seems to happen in the morning and at lunch.

After the page times out it then connects on the second try, and works until lunch time when it will time out again.

The webserver has an IP of 192.168.10.23, the db has an IP of 192.168.0.30. The error on my syslog server is:

%PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33734 to 192.168.0.30/1521 flags PSH ACK on interface outside

I've read that this can be caused by no SYN flag being in the packet. The SYN flag only occurs when a new connection is being made, and since that doesn't appear, it looks like the web server still thinks it's connected to the database, and the database to the webserver. Now if that's correct it looks like the PIX is timing out the connection. Seems to make sense?

If this is the case, how do I get the connection to stay open without affecting timeout values? I've heard of conduits and established connections, but I'm a bit of a newbie and don't want to jump in with both feet. I've changed the "Connection" and "Translate" timeouts to 5 minutes and it does indeed time out now after 5 minutes, so it's definitely timing out.

Here's my running config... (I've left out access rules and groups so there's not so much stuff)

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

domain-name vianet.co.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
no fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521

access-list inside_access_in permit ip Internal-Network 255.255.255.0 any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit ip host CASTOR object-group AD-Access-Inside
access-list outside_access_in permit ip VianetStaffPool 255.255.255.248 Internal-Network 255.255.255.0
access-list outside_access_in permit ip host Collaboration host EXTRANET
access-list outside_access_in permit ip host Collaboration host MAIL
access-list outside_access_in permit ip host db any
access-list outside_access_in permit tcp host T1Server2 host Alcanet-db eq 1533
access-list outside_access_in permit tcp host T1Server2 host QA eq sqlnet
access-list outside_access_in permit ip host T1Server1 host QA log 7
access-list inside_outbound_nat0_acl permit ip any VianetStaffPool 255.255.255.248
access-list inside_outbound_nat0_acl permit ip any host CASTOR
access-list inside_outbound_nat0_acl permit ip any host Collaboration
access-list inside_outbound_nat0_acl permit ip any Alcanet 255.255.0.0
access-list inside_outbound_nat0_acl permit ip any host ARENA
access-list inside_outbound_nat0_acl permit ip any host db
access-list inside_outbound_nat0_acl permit ip any host T1Server1
access-list inside_outbound_nat0_acl permit ip any host T1Server2
pager lines 24
logging on
logging timestamp
logging trap debugging
logging history debugging
logging facility 16
logging host inside 192.168.0.56
mtu outside 1500
mtu inside 1500
ip address outside 192.168.10.1 255.255.255.0
ip address inside 192.168.0.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm

arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
established udp 0 177 permitto tcp 6000 permitfrom tcp 1024-65535
route outside 0.0.0.0 0.0.0.0 192.168.10.2 1
route outside CASTOR 255.255.255.255 192.168.10.2 1
timeout xlate 1:00:00
timeout conn 0:05:00 half-closed 0:10:00 udp 0:05:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http Internal-Network 255.255.255.0 inside
snmp-server host inside 192.168.0.6
no snmp-server location
no snmp-server contact
snmp-server community vianetsnmp
snmp-server enable traps
tftp-server outside ARENA /pix1.vianet.co.uk
floodguard enable
sysopt connection tcpmss 0
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80

thanks Dave

Reply to
Dave
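The single syslog line above is the whole evidence Dave has, so here is an added triage helper (not part of the original post or of any Cisco tool) that takes a syslog dump, pulls out every %PIX-6-106015 message, groups the drops per TCP 4-tuple and says which pattern each flow shows. It goes a step beyond the thread: the classification distinguishes data/ACK segments on a session the PIX has forgotten (the stale-session case Dave describes) from a later RST, and the hour histogram makes the "morning and lunch" clustering visible. The sample lines are constructed for this example; the hostname "pix1" and the syslog date prefix are assumptions about what the logging host writes in front of the PIX message.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample syslog lines (not taken from the thread). The message body
# follows the %PIX-6-106015 format quoted in the original post; the
# "Mar 15 09:31:40 pix1" prefix is an assumed syslog-server header.
SAMPLE_LOG = """\
Mar 15 09:31:40 pix1 %PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33734 to 192.168.0.30/1521 flags PSH ACK on interface outside
Mar 15 09:31:41 pix1 %PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33734 to 192.168.0.30/1521 flags PSH ACK on interface outside
Mar 15 09:31:44 pix1 %PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33734 to 192.168.0.30/1521 flags PSH ACK on interface outside
Mar 15 13:02:07 pix1 %PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33902 to 192.168.0.30/1521 flags PSH ACK on interface outside
Mar 15 13:02:08 pix1 %PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33902 to 192.168.0.30/1521 flags PSH ACK on interface outside
Mar 15 13:02:19 pix1 %PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33902 to 192.168.0.30/1521 flags RST ACK on interface outside
Mar 15 16:45:55 pix1 %PIX-6-106015: Deny TCP (no connection) from 203.0.113.9/4142 to 192.168.10.1/80 flags ACK on interface outside
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"%PIX-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)$"
)


def parse_106015(text):
    """Return one dict per 106015 line: timestamp, TCP 4-tuple, flag set, interface."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other message IDs are not relevant to this check
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "flow": (m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
            "flags": frozenset(m["flags"].split()),
            "ifc": m["ifc"],
        })
    return events


def classify(flag_sets):
    """Say what a run of 106015 drops on one flow most likely means.

    106015 is logged for a non-SYN segment that matches no entry in the PIX
    connection table, so the question is which end still believes the
    session exists.
    """
    sets = list(flag_sets)
    # Data or bare ACKs with no SYN/RST/FIN: an endpoint is still using a
    # session the PIX has already timed out (the pattern in the thread).
    if any("ACK" in f and not f & {"SYN", "RST", "FIN"} for f in sets):
        return "stale-session"
    if any("RST" in f for f in sets):
        return "reset-only"
    return "other"


def summarize(events):
    """Group 106015 events per 4-tuple and attach count, timing and verdict."""
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[ev["flow"]].append(ev)
    summary = {}
    for flow, evs in by_flow.items():
        evs.sort(key=lambda e: e["ts"])
        summary[flow] = {
            "count": len(evs),
            "first": evs[0]["ts"],
            "last": evs[-1]["ts"],
            "interfaces": sorted({e["ifc"] for e in evs}),
            "reset_seen": any("RST" in e["flags"] for e in evs),
            "verdict": classify(e["flags"] for e in evs),
        }
    return summary


def drops_per_hour(summary):
    """Hour-of-day histogram of affected flows (first drop per flow)."""
    return Counter(info["first"].hour for info in summary.values())


if __name__ == "__main__":
    report = summarize(parse_106015(SAMPLE_LOG))
    for (src, sport, dst, dport), info in sorted(report.items(), key=lambda kv: kv[1]["first"]):
        print(f"{src}:{sport} -> {dst}:{dport}  x{info['count']}  "
              f"{info['first']:%H:%M:%S}..{info['last']:%H:%M:%S}  "
              f"{info['verdict']}  reset_seen={info['reset_seen']}")
    print("affected flows per hour:", dict(drops_per_hour(report)))
```

Run it over the real syslog file instead of SAMPLE_LOG; if the flows from 192.168.10.23 to 192.168.0.30/1521 come back as "stale-session" and their first-drop hours line up with the quiet periods, the idle-timeout explanation holds. A run of 106015 for the same flow over several seconds is the client retransmitting the same segment, which is why a page hangs until the browser or the pool gives up and a fresh connection (with a SYN) succeeds.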

In article , Dave wrote:
:Desc... my webserver's login page keeps timing out when connecting to an
:Oracle DB behind a PIX 501 firewall.

:timeout xlate 1:00:00
:timeout conn 0:05:00 half-closed 0:10:00 udp 0:05:00 rpc 0:10:00 h225 1:00:00
:timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
:timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity

Those are the lines you have to look at. Those are in hours:minutes:seconds so your connection timeout is 5 minutes. That means that if 5 minutes goes by on a tcp connection with no data going over the connection, then the PIX will destroy the connection.

With your mention of this happening over lunch, it sounds like your database is kept active through the day, but then when people go for lunch there -happens- to be a pause in activity that lasts more than 5 minutes.

The easiest solution is to push the conn timeout to be longer than the lunch break... e.g., timeout conn 1:00:00 for one hour.

Reply to
Walter Roberson

Hi Walter,

I thought the timeouts caused these issues. But the webserver doesn't get many hits and so doesn't generate that much traffic, so setting it to 1 hour would still cause timeouts, albeit maybe not as many or as often.

So that in mind I was thinking about setting it to 24 hours, but that means all other connections will be kept open for 24 hours!

Can I set it up so only the connection from 192.168.10.23 has a timeout of 24 hours when connecting to 192.168.0.30?

Are these timeouts for security or to help the performance of the PIX?

thanks Walter, Dave

Reply to
Dave

Sorry Walter, I meant to say also that the timeout values were changed back to their defaults, but I did that after I did the sh ru.

Since I wrote the last reply I've also come across an article about the same config as mine. It stated that the webserver (SuSE Linux 9) has a standard TCP timeout of 2 hours; this could explain what we're seeing, as the PIX is set to 1 hour. I'll change the Linux box and see if that does anything. If it does I'll write back for the sake of anyone else reading this.

cheers Dave

Reply to
Dave
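The 2-hour figure Dave mentions is the Linux kernel's default TCP keepalive idle time (net.ipv4.tcp_keepalive_time = 7200 s). For the firewall to keep its connection entry, some segment has to cross it before "timeout conn" expires, and a keepalive probe counts, so the keepalive idle time on the client has to be shorter than the PIX timeout, not longer. The example below is added here and is not code from the thread: it picks keepalive parameters from a given firewall idle timeout, enables them per socket with the standard socket options (so the system-wide sysctl can stay at its default), and reads the idle value back to confirm it took. PIX_CONN_TIMEOUT_S is taken from the 0:05:00 in Dave's posted config; the 0.8 margin, the 15-second probe interval and 4 probes are this example's own choices.

```python
import socket

# Values assumed by this example. PIX_CONN_TIMEOUT_S is the "timeout conn 0:05:00"
# from the posted config; LINUX_DEFAULT_KEEPALIVE_S is the kernel's default
# net.ipv4.tcp_keepalive_time.
PIX_CONN_TIMEOUT_S = 5 * 60
LINUX_DEFAULT_KEEPALIVE_S = 7200


def keepalive_plan(firewall_idle_s, margin=0.8, interval_s=15, probes=4):
    """Choose per-socket keepalive parameters for a given firewall idle timeout.

    The idle time is a fraction of the firewall timeout so that a probe (and
    its ACK) crosses the firewall well before the conn entry would expire.
    Also reports how long a dead peer goes unnoticed: idle + interval * probes.
    """
    if firewall_idle_s <= 0:
        raise ValueError("firewall idle timeout must be positive")
    idle_s = max(1, int(firewall_idle_s * margin))
    return {
        "idle_s": idle_s,
        "interval_s": interval_s,
        "probes": probes,
        "dead_peer_detect_s": idle_s + interval_s * probes,
    }


def keepalive_fits(idle_s, firewall_idle_s):
    """True if the first probe goes out before the firewall would time the conn out."""
    return idle_s < firewall_idle_s


def apply_keepalive(sock, idle_s, interval_s, probes):
    """Enable TCP keepalive on an existing socket and return the idle value read back.

    Linux exposes the idle knob as TCP_KEEPIDLE; macOS calls the same knob
    TCP_KEEPALIVE, hence the getattr fallback. Interval and probe count are
    set where the platform offers them.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is None:
        raise OSError("no per-socket keepalive idle option on this platform")
    sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle_s)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return sock.getsockopt(socket.IPPROTO_TCP, idle_opt)


def demo(firewall_idle_s=PIX_CONN_TIMEOUT_S):
    """Plan keepalive for the given firewall timeout and apply it to a fresh socket."""
    plan = keepalive_plan(firewall_idle_s)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        applied_idle = apply_keepalive(s, plan["idle_s"], plan["interval_s"], plan["probes"])
    return plan, applied_idle


if __name__ == "__main__":
    plan, applied = demo()
    print("plan:", plan, "applied idle:", applied)
    print("kernel default fits a 1h conn timeout?",
          keepalive_fits(LINUX_DEFAULT_KEEPALIVE_S, 3600))
```

The same arithmetic explains the earlier attempts in the thread: a 2-hour (or 45-minute) client keepalive against a 1-hour (or 5-minute) PIX conn timeout never sends a probe in time, so the entry still expires and the next real request lands as a "PSH ACK" with no connection. In practice the option has to be set on the socket the application actually holds open (the connection pool to the database), because the kernel default only applies to sockets that do not override it.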

Looks like it still happens, even though I've changed the TCP timeout value on the webservers to 45 minutes. It also appears as if it's the xlate timeout; this is why the webserver doesn't know it's been timed out. Is there any way to make the xlate timeout different for specific traffic, i.e. traffic from 192.168.10.23 to 192.168.0.30 has a 24 hour xlate timeout?

cheers Dave

Reply to
Dave

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.