07-01-2004 07:11 AM - edited 02-20-2020 11:29 PM
I have a PIX 515e with UR licence. When I enabled OSPF on the PIX, the PIX suddenly hangs intermittently. As soon as I disable OSPF, it returns back to normal. Any ideas on how to fix this? The PIX has 64 Mb of RAM. Do I need more?
07-01-2004 09:11 AM
Please post the pix config, scrubbing any sensitive data.
With OSPF you need to ensure that the hello and dead timers match between peers. Is OSPF running over IPSEC?
When you state that the "pix suddenly hangs intermittently" do you mean that it becomes unresponsive for a while, then responsive, and then unresponsive, etc.?
07-01-2004 09:20 AM
Here is the config:
: Saved
: Written by enable_15 at 18:13:38.982 UTC Thu Jul 1 2004
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_int permit ip 10.100.50.0 255.255.255.0 any
access-list acl_int permit ip 10.0.0.0 255.0.0.0 any
access-list acl_ext deny ip any any
pager lines 20
logging on
logging timestamp
logging monitor debugging
logging buffered debugging
logging history errors
logging host inside 10.100.50.38
icmp permit 10.100.50.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address inside 10.100.50.254 255.255.255.0
no ip address intf2
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm location 10.100.50.38 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xxxxxxxx
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_ext in interface outside
access-group acl_int in interface inside
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxxxxxx 1
route inside 10.0.0.0 255.0.0.0 10.100.50.253 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.100.50.0 255.255.255.0 inside
snmp-server host inside 10.100.50.38
snmp-server enable traps
floodguard enable
telnet 10.100.50.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
terminal width 500
: end
I will look into the hello and dead timers as you suggested. However, when I was configuring OSPF, I didn't come across these commands.
07-02-2004 07:37 AM
I don't see the OSPF config. Can you post that too?
What do you mean by "suddenly hanging intermittently"? That the PIX becomes unresponsive for a while, and then responds, and then becomes unresponsive again, etc.?
07-02-2004 08:18 AM
I do apologise for sending an incomplete config. However, I seem to have solved the problem. I simply added a new VLAN to the layer 3 switch and added the port connecting the firewall to this new VLAN. I changed the firewall IP address and then reconfigured it with OSPF (basic configs without changing any timers from the default). This worked first time. I am still observing to make sure that it is OK. So far so good.
07-02-2004 08:21 AM
The hanging intermittently is just as you described. Running a continuous ping, it will time out about 6 - 8 times and then reply 5 times continuously. However, at the moment it is running smoothly.