https://community.cisco.com/t5/network-security/pix-domain-controller-conflict/m-p/237759#M593539 <P>Help! We have a PIX firewall, an HP server running Windows 2000 Terminal server &amp; several PCs connected to a 3Com switch. A router is connected on the PIX¡¯s outside interface.</P><P></P><P>Problem: When users log in from their PCs (Windows XP Service Pack 1) to the domain, the first time each day, the login is extremely slow &amp; their error logs all show they could not find the DC. Checking the the PC's ARP cache now you find there are two entries: 192.168.100.1 (PIX gateway) &amp; 192.168.100.2 (Server)</P><P>Both these IPs are resolved to the PIX¡¯s MAC address If you now open a webpage &amp; check the ARP cache again the PIX &amp; server now are resolved to their respective MAC addresses. Logging out now (not rebooting) &amp; logging back in is error-free.</P><P></P><P>Removing the NAT entry for the server &amp; reloading the PIX stops the problem. Restoring the NAT entry again to allow external access brings the problem back again.</P><P></P><P>Any suggestions where the problem lies? The firewall configuration is attached.</P><P></P><P></P><P> </P><P></P> Fri, 21 Feb 2020 07:19:49 GMT peterlebaige 2020-02-21T07:19:49Z https://community.cisco.com/t5/network-security/pix-domain-controller-conflict/m-p/237759#M593539 <P>Help! We have a PIX firewall, an HP server running Windows 2000 Terminal server &amp; several PCs connected to a 3Com switch. A router is connected on the PIX¡¯s outside interface.</P><P></P><P>Problem: When users log in from their PCs (Windows XP Service Pack 1) to the domain, the first time each day, the login is extremely slow &amp; their error logs all show they could not find the DC. Checking the the PC's ARP cache now you find there are two entries: 192.168.100.1 (PIX gateway) &amp; 192.168.100.2 (Server)</P><P>Both these IPs are resolved to the PIX¡¯s MAC address If you now open a webpage &amp; check the ARP cache again the PIX &amp; server now are resolved to their respective MAC addresses. Logging out now (not rebooting) &amp; logging back in is error-free.</P><P></P><P>Removing the NAT entry for the server &amp; reloading the PIX stops the problem. Restoring the NAT entry again to allow external access brings the problem back again.</P><P></P><P>Any suggestions where the problem lies? The firewall configuration is attached.</P><P></P><P></P><P> </P><P></P> Fri, 21 Feb 2020 07:19:49 GMT https://community.cisco.com/t5/network-security/pix-domain-controller-conflict/m-p/237759#M593539 peterlebaige 2020-02-21T07:19:49Z https://community.cisco.com/t5/network-security/pix-domain-controller-conflict/m-p/237760#M593541 <HTML><HEAD></HEAD><BODY><P>static (outside,inside) 192.168.100.2 219.235.192.10</P><P>netmask 255.255.255.255 0 0 </P><P></P><P></P><P>do you need this command? I don't think it can possibly help matters. It would probably force the pix to expect 192.168.100.2 to be on the outside interface of the pix, and the pix might proxy arp for it, creating the problematic arp entries. </P><P></P><P>it appears that you otherwise have a fairly simply network with nat. </P><P></P><P>trying removing that command, clear xlate, and see if the problem persists</P></BODY></HTML> Tue, 06 Apr 2004 10:36:21 GMT https://community.cisco.com/t5/network-security/pix-domain-controller-conflict/m-p/237760#M593541 mostiguy 2004-04-06T10:36:21Z https://community.cisco.com/t5/network-security/pix-domain-controller-conflict/m-p/237761#M593543 <HTML><HEAD></HEAD><BODY><P>Thanks. We haven't had a chance to try the fix yet, but it seems from looking at some other PIX configs we've found that the entry you mentioned is superfluous, &amp; may be causing the problem. </P><P>Will let you know the result.</P></BODY></HTML> Fri, 09 Apr 2004 03:07:16 GMT https://community.cisco.com/t5/network-security/pix-domain-controller-conflict/m-p/237761#M593543 peterlebaige 2004-04-09T03:07:16Z https://community.cisco.com/t5/network-security/pix-domain-controller-conflict/m-p/237762#M593545 <HTML><HEAD></HEAD><BODY><P>Thanks very much for your help, the command you identified was indeed the one causing the problem. As soon as it was erased, logging in was normal for the PCs again.</P></BODY></HTML> Fri, 16 Apr 2004 01:48:56 GMT https://community.cisco.com/t5/network-security/pix-domain-controller-conflict/m-p/237762#M593545 peterlebaige 2004-04-16T01:48:56Z