12-26-2004 01:27 PM - edited 02-20-2020 11:49 PM
Hi all. I am having major trouble with my PIX 501. It hangs or freezes rather often. When it happens, I can't reach the internet, but I can use telnet to reach the PIX, and after a reload it works fine again. I have tried to reconfigure the PIX several times, and I am using 6.3(4) and PDM 3.0(1). My connection to the internet is through a DSL line with a DHCP address from the ISP.
Here is my config. Please give me some advice on what could be wrong (I can't figure it out myself).
/Pelz
12-26-2004 10:14 PM
Hi,
I checked with the config you attached. The config looks good and healthy. I have a few questions for you:
1) How often does the PIX 501 freeze?
2) Can you forward the output of:
show conn
and
show local
3) Does the PIX have a 10- or 50-user license?
4) Have you scanned the internal n/w (192.168.1.0/24) for any possible worm... (Sasser and Blaster being widely common, which affect TCP ports 445 and 135 resp.)
You may e-mail me directly at: rpathani@cisco.com
Rahul Pathania.
12-27-2004 09:41 AM
Hi.
My PIX freezes 2 or 3 times a day, sometimes more often. I am using a 10-user license and I only have 2 PCs on my internal net. I scanned my network for infected files but there were none at all. I will add an attachment with the outputs you've asked for; it was taken from the PIX today when it was completely frozen.
12-27-2004 10:09 AM
Hi,
I checked with the uploaded file you attached. It seems that there is no DoS attack and both the internal hosts look clean. However, I just need to check that the "sh run" shows the outside interface running on 100 Full Duplex whereas the "sh interface" shows the outside interface running on half duplex.
Also note the following on the outside interface:
330 collisions
26 late collisions
2606 deferred
Please make sure that you have the outside interface set to either 100full or auto.
Try:
interface e0 100full
OR
interface e0 auto
Apart from that, try implementing the following commands on the PIX:
no logging buffered errors
no fixup protocol dns
timeout conn 0:20:00
clear log
clear interface
clear xlate
clear arp
clear local
write mem
Let me know how it goes.
Regards,
Rahul Pathania.
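The duplex comparison described in the reply above, as an added example that is not part of the original thread: it compares the configured setting from "sh run" with the operational duplex and collision counters from "sh interface". The sample text is constructed around the counters quoted in the reply, its exact layout is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the counters quoted in the reply above.
# The exact layout of PIX "show interface" output is assumed here.
SH_RUN = "interface ethernet0 100full\ninterface ethernet1 100full\n"
SH_INTERFACE = '''interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit half duplex
        0 output errors, 330 collisions, 0 interface resets
        0 babbles, 26 late collisions, 2606 deferred
interface ethernet1 "inside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit full duplex
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
'''

def configured_duplex(sh_run):
    """Map interface name -> configured setting ('100full', 'auto', ...)."""
    return dict(re.findall(r"^interface (\S+) (\S+)\s*$", sh_run, re.M))

def operational_state(sh_interface):
    """Per interface: operational duplex and collision-related counters."""
    state, current = {}, None
    for line in sh_interface.splitlines():
        head = re.match(r'interface (\S+) "([^"]*)"', line)
        if head:
            current = state.setdefault(head.group(1), {"nameif": head.group(2)})
            continue
        if current is None:
            continue
        duplex = re.search(r"\b(half|full) duplex", line)
        if duplex:
            current["duplex"] = duplex.group(1)
        counters = re.findall(r"(\d+) (late collisions|collisions|deferred)", line)
        for count, name in counters:
            current[name] = int(count)
    return state

def duplex_findings(sh_run, sh_interface):
    """Flag config/operational duplex disagreement and late collisions."""
    findings = []
    configured = configured_duplex(sh_run)
    for name, st in operational_state(sh_interface).items():
        setting = configured.get(name, "unknown")
        if setting.endswith("full") and st.get("duplex") == "half":
            findings.append((name, f"configured {setting}, running half duplex"))
        late = st.get("late collisions", 0)
        if late > 0:
            findings.append((name, f"{late} late collisions, check peer duplex"))
    return findings

if __name__ == "__main__":
    for name, message in duplex_findings(SH_RUN, SH_INTERFACE):
        print(name, "-", message)
```

Late collisions on a link that is configured for full duplex usually mean the device at the other end negotiated or was set differently, which is why the reply asks for both sides to agree on 100full or auto.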
12-27-2004 11:03 AM
OK, thanks for a very fast response to my question. I will try the changes that you suggested and post a reply here on how it goes.
best regards
J Pelz
12-27-2004 12:20 PM
You're not alone. The problem is not with your ISP. The problem is not the cable. The problem is not with the hosts on your network. The problem is with a bug in the code on the PIX.
Specifically, the problem is with the lease renewal. The PIX does not have the ability to *renew* DHCP leases. It can get a lease, but not renew it. When it asks for a new lease from the ISP, the ISP says that the PIX already has one and won't give the client another one until the lease is expired.
Here is the bug ID:
CSCdw11539
Complain to Cisco and tell them to fix this. I'm sure a gifted high school student could write the code to fix this in an hour. Cisco should be able to do it in less.
I've had the same problem with my 501 for the last 2 years. In fact, I don't even use my PIX 501 any more because of this. I've been using the hardware client and don't have many issues with it. Today I tried upgrading the code on my 501 and thought I would try it again at my parents' house, but I still find the bug hasn't been fixed.
12-27-2004 01:37 PM
Please note that client is running 6.3(4) code and the bug (CSCdw11539) you are talking about is associated with 6.1 code and was first fixed with 6.1(4). Let me know if that isn't clear.
Rahul.
12-28-2004 09:57 AM
Hello again.
Today I thought the PIX was doing fine, but suddenly it was stopping my traffic again. I think I must get something else instead of this firewall if there's no solution to my problem (such a shame, I really like Cisco products a lot, as I work as an IT consultant and only recommend Cisco to my customers).
12-28-2004 11:30 AM
Hi,
Did you try changing the outside interface speed to auto or 100full?
12-28-2004 11:57 AM
Hi
Yes, I have changed it to auto speed, and the command sh int reflects that it is now running on 100 full duplex. I have monitored the DHCP client in the PDM, and it really looks like it has something to do with when the PIX is trying to renew the address. I've noticed that it couldn't get a lease from the ISP when it has frozen.
12-28-2004 10:43 AM
Nevertheless, folks mysteriously continue to experience problems with their DHCP client on the PIX 501. I find it interesting that so many have found the PIX 501 unreliable when interfacing with their ISP, usually as a DHCP client, yet all have the latest code.
Mine loses its IP address on the outside interface (assigned by DHCP). The ip add out dhcp setroute command has no effect unless I reboot.
The exact same DSL modem does not experience similar issues with the VPN 3000 client.
12-28-2004 02:31 PM
Maybe you guys could help me, I have the same problem with a 501 not passing traffic unless I add a static address to pass-thru traffic. I have a fixed class c address on the outside interface so I don't have that DHCP problem. I am running 6.2(2) code. I have my config. attached including the static line that gets it working any at all.
12-29-2004 10:18 AM
I changed the DHCP lease time on the DSL modem to 100 days. I haven't had the problem since. We will see how long this lasts.