PIX 501 freeze

pelz
Level 1

Hi all. I am having major trouble with my PIX 501. It hangs or freezes rather often. When it happens I can't reach the internet, but I can use telnet to reach the PIX, and after a reload it works fine again. I have tried to reconfigure the PIX several times and I am using 6.3(4) and PDM 3.0(1). My connection to the internet is through a DSL line with a DHCP address from the ISP.

Here is my config, please give me some advice on what could be wrong (I can't figure it out myself).

/Pelz


rpathani
Level 1

Hi,

I checked the config you attached. The config looks good and healthy. I have a few questions for you:

1) How often does the PIX 501 freeze?

2) Can you forward the output of:

show conn

and

show local

3) Does the PIX have a 10- or 50-user license?

4) Have you scanned the internal n/w (192.168.1.0/24) for any possible worm (Sasser and Blaster being widely common, which affect TCP ports 445 and 135 respectively)?

You may e-mail me directly at: rpathani@cisco.com

Rahul Pathania.

Hi.

My PIX freezes 2 or 3 times a day, sometimes more often. I am using a 10-user license and I only have 2 PCs on my internal net. I scanned my network for infected files but there were none at all. I will add an attachment with the outputs you've asked for; it was taken from the PIX today when it was completely frozen.

Hi,

I checked the file you uploaded. It seems that there is no DoS attack and both internal hosts look clean. However, just need to check: the "sh run" shows the outside interface running on 100 full duplex, whereas the "sh interface" shows the outside interface running on half duplex.

Also note the following on the outside interface:

330 collisions

26 late collisions

2606 deferred

Please make sure that you have the outside interface set to either 100full or auto.

Try:

interface e0 100full

OR

interface e0 auto

Apart from that, try implementing the following commands on the PIX:

no logging buffered errors

no fixup protocol dns

timeout conn 0:20:00

clear log

clear interface

clear xlate

clear arp

clear local

write mem

Let me know how it goes.

Regards,

Rahul Pathania.
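The check made in the reply above (configured duplex versus operational duplex, plus late collisions) can be automated. The following is an added example, not part of the original posts; the sample text is constructed in the style of PIX 6.x output, with only the half-duplex state and the three counters taken from the thread, and the function names are hypothetical.

```python
import re

# Constructed sample; only "half duplex" and 330 / 26 / 2606 come from the thread.
SAMPLE_RUN = "interface ethernet0 100full\ninterface ethernet1 100full\n"
SAMPLE_INT = """\
interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit half duplex
        0 output errors, 330 collisions, 0 interface resets
        0 babbles, 26 late collisions, 2606 deferred
interface ethernet1 "inside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit full duplex
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
"""

def configured_duplex(run_cfg):
    """Map interface -> 'full', 'half' or 'auto' from 'interface <hw> <speed>' lines."""
    out = {}
    for m in re.finditer(r"^interface (ethernet\d+) (\S+)", run_cfg, re.M):
        speed = m.group(2).lower()
        out[m.group(1)] = ("auto" if "auto" in speed
                           else "full" if speed.endswith("full") else "half")
    return out

def operational_state(show_int):
    """Return interface -> (running duplex, collision counters) from 'show interface'."""
    state = {}
    for block in re.split(r"(?m)^(?=interface )", show_int):
        name = re.match(r"interface (ethernet\d+)", block)
        if not name:
            continue
        duplex = re.search(r"(half|full) duplex", block)
        counters = {k: int(v) for v, k in
                    re.findall(r"(\d+) (late collisions|collisions|deferred)", block)}
        state[name.group(1)] = (duplex.group(1) if duplex else None, counters)
    return state

def find_mismatches(run_cfg, show_int):
    """Flag interfaces whose running duplex differs from config or shows late collisions."""
    findings = []
    cfg = configured_duplex(run_cfg)
    for name, (duplex, c) in operational_state(show_int).items():
        want = cfg.get(name)
        if want in ("full", "half") and duplex and duplex != want:
            findings.append((name, f"configured {want}, running {duplex}"))
        # Late collisions on a half-duplex port usually mean the peer is full duplex.
        if duplex == "half" and c.get("late collisions", 0) > 0:
            findings.append((name, f"{c['late collisions']} late collisions on half duplex"))
    return findings
```
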

OK, thanks for a very fast response to my question. I will try the changes that you suggested and post a reply here on how it goes.

best regards

J Pelz

robertcrabbe
Level 1

You're not alone. The problem is not with your ISP. The problem is not the cable. The problem is not with the hosts on your network. The problem is with a bug in the code on the PIX.

Specifically, the problem is with the lease renewal. The PIX does not have the ability to *renew* DHCP leases. It can get a lease, but not renew it. When it asks for a new lease from the ISP, the ISP says that the PIX already has one and won't give the client another one until the lease is expired.

Here is the bug ID:

CSCdw11539

Complain to Cisco and tell them to fix this. I'm sure a gifted high school student could write the code to fix this in an hour. Cisco should be able to do it in less.

I've had the same problem with my 501 for the last 2 years. In fact, I don't even use my PIX 501 any more because of this. I've been using the hardware client and don't have many issues with it. Today I tried upgrading the code on my 501 and thought I would try it again at my parents' house, but I still find the bug hasn't been fixed.

Please note that client is running 6.3(4) code and the bug (CSCdw11539) you are talking about is associated with 6.1 code and was first fixed with 6.1(4). Let me know if that isn't clear.

Rahul.

Hello again.

Today I thought the PIX was doing fine, but suddenly it was stopping my traffic again. I think I must get something else instead of this firewall if there's no solution to my problem (such a shame, I really like Cisco products a lot, as I work as an IT consultant and only recommend Cisco to my customers).

Hi,

Did you try changing the outside interface speed to auto or 100full ?

Hi

Yes, I have changed it to auto speed, and the command sh int shows that it is now running at 100 full duplex. I have monitored the DHCP client in the PDM, and it really looks like it has something to do with when the PIX is trying to renew the address; I've noticed that it couldn't get a lease from the ISP when it had frozen.

Nevertheless, folks mysteriously continue to experience problems with their DHCP client on the PIX 501. I find it interesting that so many have found the PIX 501 unreliable when interfacing with their ISP, usually as a DHCP client, yet all have the latest code.

Mine loses its IP address on the outside interface (assigned by DHCP). The ip add out dhcp setroute command has no effect unless I reboot.

The exact same DSL modem does not experience similar issues with the VPN 3000 client.

Maybe you guys could help me, I have the same problem with a 501 not passing traffic unless I add a static address to pass-thru traffic. I have a fixed class c address on the outside interface so I don't have that DHCP problem. I am running 6.2(2) code. I have my config. attached including the static line that gets it working any at all.

I changed the DHCP lease time on the DSL modem to 100 days. I haven't had the problem since. We will see how long this lasts.
