Re: PIX 520 dropping packets to two remote networks

jjrreid · ‎01-07-2003

Our PIX 520 running 5.1(2) -- it is scheduled for upgrade in two weeks -- has "suddenly" begun dropping all packets to two remote networks. There are no ACL entries preventing access to these two networks and there are no indications in the syslog (set to 'debugging' level) that these packets are even being dropped. Has anyone ever seen this type of behavior before? Any suggestions are appreciated. Thanks.

Jon Dudding

gfullage · ‎01-07-2003

What do you mean "dropping all packets to two remote networks"? Do you mean packets from the outside interface, going to these two networks on the inside aren't getting through?

Are you sure there isn't an ACL or something similar on another device in between these two networks and the PIX? Can you ping anything on these networks from the PIX itself? Does the PIX have valid route statements pointing to a valid next hop in it's configuration? Do the two remote networks have routes back to wherever you're trying to connect from?

If nothing appears in the syslog then there's a good chance the packets aren't even reaching the PIX, or they're passing through the PIX as you would expect.

jjrreid · ‎01-08-2003

The packets are in fact passing through the PIX and it turns out that that is not the source of the problem. We have a VPN device that is fouling up packets destined for certain networks outside of our own. My sniffer was mirroring a port that passes packets after they pass through the VPN. When I changed the mirrored port to one that passes packets to the VPN, I began to see packets as I right where they should be. So, the PIX is doing it's job. Thanks for the response.

Jon Dudding