04-08-2005 01:36 PM - edited 02-21-2020 12:04 AM
I can ping with -l 992, but fail with -l 993.
Pinging 172.16.17.1 with 992 bytes of data:
Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
Ping statistics for 172.16.17.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
Pinging 172.16.17.1 with 993 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.17.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
I am also seeing that attaching to devices in the DMZ is taking excessively long.
The MTU size on all interfaces is still on the default of 1500.
04-10-2005 07:51 AM
Hi Jimmysturn:
What's likely happened here is that you have an IDS attack policy bound to your outside interface with the action to 'drop' or 'reset' any packets that match the signatures in the Attack category.
Signature 2151 (Large ICMP) will drop the packets hitting the PIX outside interface or those that go through the PIX outside interface when you ping with large packet size (993+ bytes):
From your post, you must have had the following IDS policy on your PIX:
ip audit name attackpolicy attack action drop
(or
ip audit name attackpolicy attack action drop alarm
or
ip audit name attackpolicy attack action reset alarm
or both)
If you want to ping with large packet, there are several things that you can do:
1) Remove the 'attackpolicy' policy completely from your outside interface. This will turn off all IDS signatures in the Attack category.
Carefully examine this and see if that's what you want to do.
To achieve the above, issue the following command:
'no ip audit interface outside attackpolicy'
2) Disable signature 2151 by issuing the command:
'ip audit signature 2151 disable'
That would disable only the large ICMP attack signature while leaving other attack signatures in the Attack sig category ON.
3) Set signature action to log (to a syslog server or internal buffer) the large ICMP packets instead of dropping them. Again, this needs to be carefully determined just as the 1st option.
Issue the following command to achieve the above goal:
ip audit name attackpolicy attack action alarm
Hope it helps.
Please rate the post accordingly if you find it helpful.
Sincerely,
Binh
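The diagnostic reasoning in the thread is: replies stop at a sharp cutoff (992 bytes work, 993 do not) while every interface still has a 1500-byte MTU, so the cutoff cannot be a fragmentation problem and must be a device filtering ICMP by size, which turned out to be the PIX attack signature 2151. The script below is an added example written for this page, not code from the thread or from Cisco: it binary-searches for the exact payload size at which echo replies stop, compares that cutoff against the largest payload that fits in one MTU-sized datagram (1472 bytes for a 1500-byte MTU), and reports whether the symptom looks like an MTU/fragmentation issue or a size-based filter. The probe is any callable that takes a payload length and returns True when a reply came back; `ping_probe` wraps the system ping (the `-W` timeout flag is assumed to be the Linux iputils form), and the stand-in probe used when no host is given is constructed to reproduce the thread's 992/993 behaviour. The ICMP builder and checksum are included so the IP total length of each probe can be stated precisely; the threshold of 2151 itself is not given on this page and is not assumed here.

```python
"""Locate the ICMP payload size at which echo replies stop and decide whether the
cutoff is explained by the path MTU or by a device filtering ICMP on size.

Added example for this page; not code from the thread. The probe is any callable
probe(payload_len) -> bool; ping_probe() wraps the system ping, and the stand-in
probe in __main__ is constructed to mimic the thread (replies up to 992 bytes).
"""
import struct
import subprocess
import sys
from typing import Callable

IP_HEADER_LEN = 20    # IPv4 header without options
ICMP_HEADER_LEN = 8   # type, code, checksum, identifier, sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload_len: int, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Echo request (type 8, code 0) carrying payload_len bytes, checksum filled in."""
    payload = (bytes(range(256)) * (payload_len // 256 + 1))[:payload_len]
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)      # checksum field zero for the sum
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def ip_total_length(payload_len: int) -> int:
    """Total length of the IPv4 datagram that carries an echo with this payload."""
    return IP_HEADER_LEN + ICMP_HEADER_LEN + payload_len


def max_unfragmented_payload(mtu: int = 1500) -> int:
    """Largest echo payload that fits in a single datagram at this link MTU (1472 at 1500)."""
    return mtu - IP_HEADER_LEN - ICMP_HEADER_LEN


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 65500) -> int:
    """Binary-search the largest payload size for which probe() still gets a reply.

    Assumes one monotonic cutoff (works up to some size, fails above it), which is
    what both an MTU limit and a size-based filter produce. Returns -1 if even `lo` fails.
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def classify_cutoff(max_payload: int, mtu: int = 1500) -> str:
    """Interpret the cutoff relative to the largest single-datagram payload at `mtu`."""
    one_datagram = max_unfragmented_payload(mtu)
    if max_payload < 0:
        return "all-blocked"          # no size works at all: ICMP echo itself is filtered
    if max_payload == one_datagram:
        return "mtu"                  # fails exactly when fragmentation would start
    if max_payload < one_datagram:
        return "size-filter"          # cutoff below one MTU: a device drops ICMP above a set size
    return "unlimited"                # fragmented echoes pass; no size limit found in range


def ping_probe(host: str, timeout_s: int = 1) -> Callable[[int], bool]:
    """Wrap the system ping as a probe. Windows uses -l for size; Linux iputils uses -s
    and -W in seconds (assumption: adjust -W for BSD/macOS, where it is milliseconds)."""
    def probe(payload_len: int) -> bool:
        if sys.platform.startswith("win"):
            cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-l", str(payload_len), host]
        else:
            cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-s", str(payload_len), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


if __name__ == "__main__":
    if len(sys.argv) > 1:
        probe = ping_probe(sys.argv[1])
    else:
        probe = lambda n: n <= 992    # constructed stand-in reproducing the thread's symptom
    best = find_max_payload(probe)
    if best >= 0:
        print("largest payload answered: %d (IP total length %d); first failure at %d (IP total length %d)"
              % (best, ip_total_length(best), best + 1, ip_total_length(best + 1)))
    print("verdict:", classify_cutoff(best))
```

Run as `python3 probe_icmp_cutoff.py 172.16.17.1` against a real host (ping must be permitted for the user), or with no argument to see the verdict on the constructed stand-in, which reports `size-filter`: the cutoff at 992 is nowhere near the 1472-byte single-datagram limit, so the MTU of 1500 on every interface is consistent with the observation and the drop is being done by a device on the path, as the accepted answer identifies.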
04-08-2005 05:18 PM
What device is between you and the pix? The ttl is showing as 254 - if you were on the same subnet as the pix, it would be 255
04-08-2005 06:04 PM
cisco 3550 is acting as a router between the segments. It too has all ports configured with an MTU of 1500.
I'm not ruling it out as a culprit here. However, my pings to my Cisco Avvid servers (172.16.16.2 & .3) that traverse the same cisco 3550 have no problems with pings greater than 992.
04-10-2005 05:52 AM
From the Routing/Switching forum somebody posted about removing the following statement from the PIX:
ip audit interface outside attackpolicy
What does this command do, and should it be removed?
04-11-2005 07:03 AM
Well, that fixed the pings, but I think I still have a problem.
I thought by fixing the pings, it would fix what I think is a packet size problem to my VPN concentrator. If I connect it to the inside of my network, it responds just fine. But when I move it outside the PIX (to a DMZ) I get sporadic response at best. It is acting like I never get the last packet of a new screen. If I wait long enough it will finally get there, or sometimes I can click on the [Stop-button] and it will finish. I guess it's time to get the Sniffer out and see what's happening.
Any thoughts are appreciated.