Weird traffic problem - might be PIX 520 related.

Hi, I've got the weirdest problem that I've come across in quite a while. I have a rack of Dell PowerEdge servers. These are connected to a Dell PowerConnect 5224 switch, which is in turn connected to a PIX 520. There is a mix of Windows 2000 Server, Win2003 Server and Fedora Linux servers.

Everything is set up and working (sort of), in that I have all the servers I need mapped to external IPs via the firewall and everything appears to work fine. Servers reply to pings on their external IPs, websites work, etc.

BUT... for some reason, traffic on the internal network does not always work. It appears to be random from what I can see.

e.g. Internal IPs are

192.168.7.10, 192.168.7.20 ... 192.168.7.100 etc.

These are mapped on the firewall to:

8x.xxx.xxx.178, 8x.xxx.xxx.179 etc.

If I ssh into a Linux server and ping a local IP from it, sometimes I get a reply and sometimes not. If I leave it pinging, it will eventually reply at some point and continue to reply forever. If it does not reply on the local IP, I then try pinging from my remote client on the same server's external IP and it will reply almost always.

This seems to happen for all the servers in my rack when pinging on local IPs; it doesn't seem to matter if you're pinging Windows to Windows or Linux to Windows or vice versa. Sometimes they reply first time, sometimes they reply to the first ping and then don't reply again. But they almost always (failed once) reply on their external IPs.

This problem is driving me nuts. I've replaced the Dell switch as I had an unused spare and it made no difference. I've replaced all network cables and I even swapped the PIX 520. I'm aware that it's most likely not PIX related but find it weird that servers seem to respond on external IPs via the PIX.

I have various things like e-mail servers and SQL servers that need to communicate with each other on the internal network and traffic is failing and I can't find out why.

Any advice would be very much appreciated.

Thanks for reading this far.

bye.

Reply to
ho

Could you post your PIX config (at least the NAT/static-related commands)?

If you inadvertently create bad static entries in the PIX (outside-inside instead of inside-outside) it would result in IP duplications on your network, giving a hard time to ARP to get the correct MAC address for each IP.

Anyway, I would investigate by looking at the ARP tables in your switch and servers. When a server can't ping a specific IP, do an "arp -a" and verify that the MAC corresponds to the server it tries to reach. If not, try to find which interface in your network has this MAC address.

Reply to
mcaissie
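mcaissie's "arp -a" check, worked through as an added example (this is not code from the thread; the two ARP listings and all MAC addresses are constructed, and REAL_MACS stands for what each server's own NIC reports, gathered separately with "ip link" or "ipconfig /all"): parse the ARP cache of two observers, one Fedora box and one Windows box, flag every cached entry whose MAC is not the one the target host actually carries, and list any MAC that is answering for more than one IP, which is the signature of a second device (a firewall proxy-ARPing, a duplicate address) competing for the same IP on the inside segment.

```python
import re
from collections import defaultdict

# Constructed sample output in the two formats seen on the hosts in the thread:
# Linux `arp -a` (Fedora) and Windows `arp -a`. The MACs are made up.
LINUX_ARP_FROM_7_50 = """\
? (192.168.7.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.7.20) at 00:11:22:33:44:20 [ether] on eth0
? (192.168.7.10) at <incomplete> on eth0
"""

WINDOWS_ARP_FROM_7_20 = """\
Interface: 192.168.7.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.7.1           00-11-22-33-44-01     dynamic
  192.168.7.10          00-11-22-33-44-01     dynamic
  192.168.7.50          00-11-22-33-44-50     dynamic
"""

# Constructed reference table: the MAC each device's own NIC reports. This is what
# every cached entry is compared against; 192.168.7.1 is the PIX inside interface.
REAL_MACS = {
    "192.168.7.1": "00:11:22:33:44:01",
    "192.168.7.10": "00:11:22:33:44:10",
    "192.168.7.20": "00:11:22:33:44:20",
    "192.168.7.50": "00:11:22:33:44:50",
}

# Linux line: "? (ip) at mac [ether] on dev"; Windows line: "  ip   mac   dynamic|static"
LINUX_RE = re.compile(r"^\S+ \((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17}) ")
WINDOWS_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+\S+")


def normalise_mac(mac):
    """Bring both OS notations to lower-case colon form so they compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Return {ip: mac} from `arp -a` output (Linux or Windows).
    Incomplete (unresolved) entries carry no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINUX_RE.match(line) or WINDOWS_RE.match(line)
        if m:
            table[m.group(1)] = normalise_mac(m.group(2))
    return table


def find_mismatches(tables, real_macs):
    """tables: {observer_host: {ip: mac}}. Return (observer, ip, cached_mac, real_mac)
    for every cached entry whose MAC is not the one the target's NIC actually has."""
    problems = []
    for observer, table in tables.items():
        for ip, cached in sorted(table.items()):
            real = real_macs.get(ip)
            if real and cached != real:
                problems.append((observer, ip, cached, real))
    return problems


def macs_claiming_multiple_ips(tables):
    """Return {mac: sorted ips} for every MAC that is cached for more than one IP
    across all observers. One MAC answering for several inside addresses means
    one device is replying to ARP requests for addresses that are not its own."""
    owners = defaultdict(set)
    for table in tables.values():
        for ip, mac in table.items():
            owners[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


if __name__ == "__main__":
    tables = {
        "192.168.7.50": parse_arp(LINUX_ARP_FROM_7_50),
        "192.168.7.20": parse_arp(WINDOWS_ARP_FROM_7_20),
    }
    for obs, ip, cached, real in find_mismatches(tables, REAL_MACS):
        print(f"{obs}: cache says {ip} is {cached}, but that host's NIC is {real}")
    for mac, ips in macs_claiming_multiple_ips(tables).items():
        print(f"{mac} is answering ARP for {ips}")
```

Run it on real listings by pasting each server's "arp -a" output into the constants (or reading it from files) and filling REAL_MACS from the servers themselves, not from any ARP cache. In the constructed data the Windows box has cached the PIX's MAC for 192.168.7.10, which is exactly the "wrong MAC for a server" case mcaissie describes: the next step is to find the switch port that learned that MAC.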

Here's some of the PIX config:

ip address outside 87.xxx.xx.176 255.255.255.224
ip address inside 192.168.7.1 255.255.255.0

static (inside,outside) 87.xxx.xx.178 192.168.7.20 netmask 255.255.255.255 0 0
static (inside,outside) 87.xxx.xx.180 192.168.7.50 netmask 255.255.255.255 0 0
static (inside,outside) 87.xxx.xx.179 192.168.7.60 netmask 255.255.255.255 0 0
static (inside,outside) 87.xxx.xx.186 192.168.7.61 netmask 255.255.255.255 0 0
static (inside,outside) 87.xxx.xx.182 192.168.7.70 netmask 255.255.255.255 0 0
static (inside,outside) 87.xxx.xx.181 192.168.7.90 netmask 255.255.255.255 0 0
static (inside,outside) 87.xxx.xx.185 192.168.7.45 netmask 255.255.255.255 0 0
static (inside,outside) 87.xxx.xx.183 192.168.7.40 netmask 255.255.255.255 0 0
static (inside,outside) 87.xxx.xx.184 192.168.7.10 netmask 255.255.255.255 0 0

I've checked out the MAC addresses and everything looks fine. I should point out that I had all my servers in a rack at a different location and it's only since I moved them and set them all up again that I am having the problem.

The only real pattern I've noticed is when pinging, sometimes the first will reply then the next 3 fail, or the first fails and the next 3 will reply.

mcaissie wrote:

Reply to
ho

That seems to be OK.

This is weird.

Do you have failover NICs on your servers? I had some cases where a server was constantly switching from one NIC to the other. Everything was working but was very slow. Ping was giving 3 replies for 3 timeouts.

Other than that I don't see...

This is normal, and is caused by the time it takes for ARP to resolve the MAC address.

Reply to
mcaissie
