Pix 501 dropping devices from network

cwcadmin1
Level 1

Hi All.

I'm having a quirky problem with a PIX 501 and was wondering if anyone had any ideas.

Recently I've pulled a PIX 501 out of a closet (having never been used) and configured it for a VPN with my PIX 506e at an offsite location. This offsite location has a PC, Printer, Access Point, and remote VOIP phone. The VPN itself works great, but periodically the PIX just drops some network devices, specifically the Access Point and the Firewall. Both devices stay off until I reboot it (through an SSH connection); they then spring back to life.

Before I go buy another firewall only to have the same thing happen, I was wondering if it could be a config issue. Or is this most likely a hardware problem?

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password W.42MAXXZHhUnW7N encrypted
passwd tVCAzWYvj2lO5MWD encrypted
hostname Firewall1
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.111.0 255.255.255.0 192.168.112.0 255.255.255.0
access-list nonat permit ip 192.168.111.0 255.255.255.0 192.168.114.0 255.255.255.0
access-list RemoteVPN permit ip 192.168.111.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging on
logging console debugging
logging buffered debugging
logging trap debugging
logging host inside 192.168.112.95
mtu outside 1500
mtu inside 1500
ip address outside 111.111.111.111 255.255.255.248
ip address inside 192.168.111.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 111.111.111.111 255
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP_3DES esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address RemoteVPN
crypto map newmap 10 set peer 113.111.111.11
crypto map newmap 10 set transform-set ESP_3DES
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 113.111.111.11 netmask 255.255.255.248
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
management-access inside
console timeout 0
dhcpd address 192.168.111.10-192.168.111.40 inside
dhcpd dns 192.168.112.5 8.8.8.8
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username cwcchicago password NcrNMAXXMuaQjZ.I encrypted privilege 15
username CWCChicago password WZyMAXXX9wrptdcx encrypted privilege 2
terminal width 80


2 Replies

lcambron
Level 3

Hello Jim,

Have you tried other troubleshooting, like 'clear arp', pinging the AP, taking captures, checking logs, etc.?

The PIX firewall is getting to end of support, but further troubleshooting needs to be performed at the moment you have the issue to confirm if this is hardware or software.

Regards,

Felipe.

Hi Felipe,

Thanks for responding.

I've tried the following things to no avail:

  • Clearing ARP - ARP doesn't have a listing for the disconnected devices once they're dropped.
  • Set up a Syslog server in debug mode and looked for some sort of indication as to why these were dropping.
  • Looked at a licensing issue with show local-host, but it did not report any denied traffic.

When the devices drop neither VPN traffic nor local LAN traffic can ping them.

I don't have a good means of capturing traffic, nothing I have in this location has a monitor port.

The timing of the dropping of these devices is inconsistent as well. It can be anywhere from 30 minutes to 3 days. Lately it seems less than 24 hours passes by before they're dropped.

Thanks,

- Jim
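One way to get more out of the debug-level syslog Jim describes collecting, as an added example that is not from the thread: a Python script that reads lines a syslog host (192.168.112.95 in the config above) would receive from the PIX, records when each inside host last built a connection through the firewall, lists hosts that have gone silent for longer than a chosen gap, and pulls out line-protocol state changes to correlate with the moment the devices drop. The log lines are constructed, and the message text is modelled on the PIX 302013/302015 (connection built) and 411002 (line protocol down) formats as assumed here, so verify the exact wording against the 6.3 syslog message guide before relying on the regexes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of what the syslog host would collect at 'logging trap debugging'.
# Message bodies follow the assumed PIX 6.3 302013/302015/411002 formats.
SAMPLE_LOG = """\
Mar 01 08:00:01 192.168.111.1 %PIX-6-302013: Built outbound TCP connection 1001 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.111.20/1100 (111.111.111.111/1024)
Mar 01 08:00:05 192.168.111.1 %PIX-6-302015: Built inbound UDP connection 1002 for outside:192.168.100.10/5060 (192.168.100.10/5060) to inside:192.168.111.30/5060 (192.168.111.30/5060)
Mar 01 08:10:00 192.168.111.1 %PIX-6-302013: Built outbound TCP connection 1003 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.111.20/1101 (111.111.111.111/1025)
Mar 01 08:12:30 192.168.111.1 %PIX-4-411002: Line protocol on Interface ethernet1, changed state to down
Mar 01 09:30:00 192.168.111.1 %PIX-6-302013: Built outbound TCP connection 1004 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.111.20/1102 (111.111.111.111/1026)
"""

LINE_RE = re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d) \S+ %PIX-(\d)-(\d{6}): (.*)$")
INSIDE_RE = re.compile(r"\binside:(\d+\.\d+\.\d+\.\d+)/")
INTERFACE_IDS = {"411001", "411002"}  # line protocol up / down (assumed IDs)
TS_FMT = "%b %d %H:%M:%S"  # syslog carries no year; strptime fills in 1900, fine for deltas


def parse(log):
    """Yield (timestamp, severity, msg_id, text) for each well-formed PIX line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), int(m.group(2)), m.group(3), m.group(4)


def last_seen(log):
    """Map each inside host named in a connection message to its latest timestamp."""
    seen = {}
    for ts, _sev, _mid, text in parse(log):
        h = INSIDE_RE.search(text)
        if h:
            seen[h.group(1)] = max(ts, seen.get(h.group(1), ts))
    return seen


def silent_hosts(log, now, gap_minutes=30):
    """Inside hosts with no connection activity in the gap_minutes before `now`
    (a syslog-style timestamp such as 'Mar 01 10:00:00')."""
    cutoff = datetime.strptime(now, TS_FMT) - timedelta(minutes=gap_minutes)
    return sorted(h for h, ts in last_seen(log).items() if ts < cutoff)


def interface_events(log):
    """(timestamp, msg_id, text) for line-protocol state changes to line up with the drop."""
    return [(ts, mid, text) for ts, _s, mid, text in parse(log) if mid in INTERFACE_IDS]


if __name__ == "__main__":
    print("hosts silent >30 min:", silent_hosts(SAMPLE_LOG, "Mar 01 10:00:00"))
    print("distinct inside hosts seen:", len(last_seen(SAMPLE_LOG)))
    for ev in interface_events(SAMPLE_LOG):
        print(*ev)
```

Feed it the real log file from the syslog host and run it with `now` set to the time a device was noticed missing; the distinct-host count also gives a quick sanity check against the 501's licensed inside-host limit that show local-host reports on.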
