Hi all, we have noticed a strange issue lately with users on our inside network. When they copy files to or from a number of servers in our DMZ, they do not have any issues until another user connects via CIFS/Windows SMB to the same server. When the new user connects, the existing user's transfer fails, and they get an error message that the network name is no longer available. I am not seeing this issue with a separate DMZ server that we have off of an ASA firewall.
I have done a bit of searching and found people mentioning that the problem is due to NAT, and if you try to connect to a CIFS share over NAT, then there is only one connection that will work at any one time.
Does anyone have any input on what could be done on the PIX to make this work? Turning off NAT for this connection is not a possibility.
Thanks in advance.
From the description you have mentioned, I think the server accepts only one connection per IP address, and you have PAT users to the DMZ interface IP. Thus all connections appear to be coming from the same IP address.
[This is generally done, if the server accepts connections only from its own subnet.]
If this is the case, then you could try NAT to a pool of IP addresses, so that two people don't appear to be using the same IP. The pool of IPs should be large enough to accommodate the number of simultaneous users at peak times.
Alternately, I think there might be some setting on the server, which would allow multiple connections from the same IP.
Hope this helps.
P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.
Thanks for the reply. One question: do you have any idea why a server (same hardware, same OS) sitting behind an ASA firewall in the DMZ does not experience the same issues? I was hoping that it was a line of config that needed to be added to the PIX to make this work.
Could you check if the buffer size is 65535 on the server which is affected? Here is a link on how to do this:
Let me know.
P.S. Please mark this question as answered if it is resolved. Do rate helpful posts.
Thanks for the reply, Anu. I checked the server in question; there is no key named 'SizReqBuf' as described in the KB article, my server has a 'Size' key. I checked the parameters that can be entered there: it can be either 1, 2, or 3, with 3 being the largest buffer, and we're already set to 3.
Thanks for your help anyways.
Not sure if you found a solution to your problem. Can you attach sanitized versions of the configuration from the ASA and the PIX? Also, please do attach a topology mentioning where the server and the clients are located with respect to the ASA and the PIX.