Solved: Re: PIX 506 - can't connect to PDM any more

davea · ‎07-10-2003

We have a PIX 506 in a test environment that has been configured in the past using Netscape. Now when we try to connect via https, Netscape says "unable to connect to server (TCP error: I/O error)". The PIX is version 6.1(1) and PDM is 1.0(2). I can connect via telnet and change the configuration but I have not been able to get the web connection working any more.

I captured the connection with ethereal and I see the 3 packets establishing the connection, then the client sends an SSLv2 Client Hello, then the PIX closes the connection. When I dump the configuration from telnet, I get:

<snip>

http server enable

http clientname 255.255.255.255 inside

<snip>

where clientname is defined earlier in name and "pdm location" entries.

The PDM Install guide has a Troubleshooting section and it says to make sure the clock is set to UTC. "show clock" shows the time and date, but no zone is listed.

gfullage · ‎07-10-2003

Have you changed the IP address on the PIX interface at some point? If so, try regenerating the public/private key pairs. Do:

> ca zeroize rsa

> ca gen rsa key 512

> ca save all

or you can just run the "setup" command from within config mode and it'll do all that for you. Then try reconnecting.

View solution in original post

gfullage · ‎07-10-2003

Have you changed the IP address on the PIX interface at some point? If so, try regenerating the public/private key pairs. Do:

> ca zeroize rsa

> ca gen rsa key 512

> ca save all

or you can just run the "setup" command from within config mode and it'll do all that for you. Then try reconnecting.

davea · ‎07-11-2003

I don't think the IP has changed on either PIX interface. I did do a setup in config mode yesterday to set the clock - it was set to the year 2088. I didnt change any other values with setup. It didnt seem to help any.

I will give those commands a try when I get to the office.

davea · ‎07-11-2003

That fixed it!

Thanks!