Re: PIX 515 problem

slasher UG · ‎07-22-2010

Recently some of our users complained not reaching some sites. So I did some steps to isolate the problem.

1. ISP port -> Single workstation (I was able to reach any site without any problem).

2. ISP port -> Router -> Single workstation ( Like the first setup, no problem encountered).

3. ISP port -> Router -> PIX 515 - > Single workstation (This is where the problem showed. Some sites returned an error: The connection was reset. The connection to the server was reset while the page was loading.)

What could be the problem with our PIX 515? Please note that this issue showed only recently. I already rebooted the PIX but did not help.

PIX version:

Cisco PIX Firewall Version 6.1(2)
Cisco PIX Device Manager Version 1.1(2)

Thanks

Manny

Jennifer Halim · ‎07-22-2010

The version of PIX that you are currently running is very very old to start with.

However, a few questions to ask is:

1) Can the user access any other websites, or only this particular website is not working?

2) Can any other user behind the PIX access the same website?

3) You mention that the connection is resetting while the page is trying to load, does it mean it's partly loaded, and it's just a little bit slow to load the entire page, and the TCP connection gets reset after that? In this case, you might want to check the embryonic timeout setting for TCP connection on your firewall.

slasher UG · ‎07-23-2010

1) Can the user access any other websites, or only this particular website is not working?

Users can access other sites. Here are just some of the known sites that we cannot access; subnames of debian.org and all subnames of comodo.com. These sites previously were accessible from our network.

2) Can any other user behind the PIX access the same website?

The problem looks pretty consistent. All user can access the same website and are having problem with the same unreachable sites.

3) You mention that the connection is resetting while the page is trying to load, does it mean it's partly loaded, and it's just a little bit slow to load the entire page, and the TCP connection gets reset after that? In this case, you might want to check the embryonic timeout setting for TCP connection on your firewall.

Totally nothing until we get a timed out error.

Jennifer Halim · ‎07-23-2010

Base on the description, I wouldn't think that it's a PIX issue. Normally if it's a PIX issue, browsing the internet will either work and doesn't work. Do you happen to have any web filtering software that might be blocking the access?

August Ritchie · ‎07-23-2010

Hello,

I notice that you are running pix 6.1(2)

Have you considered trying to update to 6.3(5)? It would be nice to eliminate any possible software issues.

slasher UG · ‎07-23-2010

We do not have any web filtering service installed on our network. Kindly read back my first post, the single workstation I used was a newly installed Windows XP workstation starting from the ISP's port down to the PIX.

Jennifer Halim · ‎07-23-2010

As advised earlier, version 6.1 is really old, and is already EOL:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/prod_end-of-life_notice0900aecd800f8954.html

The last software maintenance release on this version is back in November 2005.

As August suggested, maybe you should upgrade it to at least version 6.3.5 to start with, bearing in mind that PIX firewall is also coming EOL depending on which model you have.

Here is the EOL list for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notices_list.html