06-19-2007 11:00 AM - edited 03-11-2019 03:32 AM
Dear All,
I am facing a strange issue with a Tomcat application. But before everyone jumps to the conclusion that the application could be the culprit, let me explain the situation.
The application runs on Tomcat, which has SSL running on it. The server running this application is also open on ports 25 and 80, and through the PIX we are able to reach 25 and 80 without any issue. But when the application listens on 443, the PIX behaves in a weird way.
I have debugged it with sh conn; the connection is getting in, but I don't know why there is no response from the application.
Then the application team changed the port to 8443 and it started working fine.
To test whether it is a problem with Tomcat running the application, we bypassed the firewall and directly assigned a public IP; it was working without any issue on port 443.
Then we reverted back to the PIX and the issue still persisted. When the application was changed to any of the other ports it works fine, but with 443, HUH!!!, it does not. For your information, we are using certificates also.
Now, since the customer wants this on 443 at any cost, we have removed the PIX from NATing and dedicated the PIX only to the site-to-site VPN; NATing and all those features are done by an ISA server,
and currently it is working fine. Does anyone have any idea why Tomcat and the PIX are behaving in this cruel way :-)
I need to provide a solution or a reason, and nothing comes to mind. Helping hands please; techies, I am waiting for you.
06-19-2007 03:42 PM
Can you post a scrubbed config? Any possible conflicts in the config?
06-19-2007 08:40 PM
Dear,
c.c.c.c is the DMZ IP address where the server resides, and a.a.a.a is the outside IP address to which it is NATed.
06-19-2007 08:48 PM
Here is the config:
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address a.a.a.a 255.255.255.0
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address b.b.b.b 255.255.255.0
interface Ethernet2
speed 100
duplex full
nameif dmz
security-level 50
ip address c.c.c.c 255.255.255.0
access-list acl-nat0 extended permit ip b.b.b.b 255.255.255.0 c.c.c.c 255.255.255.0
access-list acl-nat0 extended permit ip b.b.b.b 255.255.255.0 x.x.x.x 255.255.255.0
access-list acl-nat0 extended permit ip b.b.b.b 255.255.255.0 y.y.y.y 255.255.255.0
access-list acl-nat0 extended permit ip 192.168.1.0 255.255.255.0 b.b.b.b 255.255.255.0
access-list acl-nat0 extended permit ip b.b.b.b 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl-dmz-nat0 extended permit ip c.c.c.c 255.255.255.0 x.x.x.x 255.255.255.0
access-list acl-dmz-nat0 extended permit ip c.c.c.c 255.255.255.0 y.y.y.y 255.255.255.0
access-list acl-dmz-nat0 extended permit ip c.c.c.c 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl-dmz extended permit tcp host c.c.c10 y.y.y.y 255.255.255.0 eq smtp
access-list acl-dmz extended permit ip host c.c.c100 any
access-list acl-dmz extended permit ip c.c.c.c 255.255.255.0 x.x.x.x 255.255.255.0
access-list acl-dmz extended permit ip c.c.c.c 255.255.255.0 y.y.y.y 255.255.255.0
access-list acl-dmz extended permit ip c.c.c.c 255.255.255.0 b.b.b.b 255.255.255.0
access-list acl-dmz extended permit ip c.c.c.c 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl-dmz extended permit tcp host c.c.c10 any eq smtp
access-list acl-dmz extended permit icmp any any
access-list acl-dmz extended permit tcp host c.c.c10 any eq 8443
access-list acl-dmz extended permit ip any any
access-list acl-outside extended permit tcp any host a.a.a.195 eq https
access-list acl-outside extended permit tcp any host a.a.a.195 eq www
access-list acl-outside extended permit tcp any host a.a.a.195 eq 8080
access-list acl-outside extended permit tcp any host a.a.a.195 eq smtp
access-list acl-outside extended permit tcp any host a.a.a.195 eq 8443
access-list acl-outside extended permit icmp any host a.a.a.195
access-list acl-outside extended permit tcp host a.a.a.195 any eq 8443
access-list acl-outside extended permit icmp any any
access-list acl-outside extended permit tcp host a.b.c.d host a.a.a.195 eq 9090
access-list acl-outside extended permit tcp host a.b.c.d host a.a.a.195 eq 3389
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl-nat0
nat (dmz) 0 access-list acl-dmz-nat0
nat (dmz) 1 c.c.c.c 255.255.255.0
static (inside,dmz) b.b.b.b b.b.b.b netmask 255.255.255.0
static (dmz,outside) a.a.a.195 c.c.c10 netmask 255.255.255.255 tcp 1000 1000
access-group acl-outside in interface outside
access-group acl-dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 a.a.a.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
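To check what the posted config actually permits toward the NATed host, here is an added Python example (not from this thread) that parses the tcp entries of the ACL bound inbound on the outside interface together with the static translation, and reports which sources may reach a given port on a.a.a.195 and which DMZ host that address translates to. The config excerpt is constructed from the lines posted above; the service-name table and the assumption that only the access-group on "outside" governs inbound traffic are mine.

```python
import re
from typing import Dict, List, Tuple

# Excerpt constructed from the posted PIX config (scrubbed IPs kept as-is).
PIX_CONFIG = """\
access-list acl-outside extended permit tcp any host a.a.a.195 eq https
access-list acl-outside extended permit tcp any host a.a.a.195 eq www
access-list acl-outside extended permit tcp any host a.a.a.195 eq 8080
access-list acl-outside extended permit tcp any host a.a.a.195 eq smtp
access-list acl-outside extended permit tcp any host a.a.a.195 eq 8443
access-list acl-outside extended permit tcp host a.b.c.d host a.a.a.195 eq 3389
static (dmz,outside) a.a.a.195 c.c.c10 netmask 255.255.255.255 tcp 1000 1000
access-group acl-outside in interface outside
"""

# Service keywords used in the posted config, mapped to TCP port numbers (assumed table).
PORT_NAMES = {"https": 443, "www": 80, "smtp": 25}

ACL_RE = re.compile(
    r"^access-list (\S+) extended permit tcp (any|host \S+) host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_config(text: str):
    """Collect tcp ACEs with a host destination, static (mapped -> real) translations
    and inbound ACL bindings; lines in any other form are ignored."""
    aces: List[Tuple[str, str, str, int]] = []   # (acl name, source, dest ip, port)
    statics: Dict[str, str] = {}                  # mapped (outside) ip -> real (dmz) ip
    bindings: Dict[str, str] = {}                 # interface -> inbound acl name
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acl, src, dst, port = m.groups()
            aces.append((acl, src, dst, PORT_NAMES[port] if port in PORT_NAMES else int(port)))
        elif m := STATIC_RE.match(line):
            _real_if, _mapped_if, mapped_ip, real_ip = m.groups()
            statics[mapped_ip] = real_ip
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)
    return aces, statics, bindings


def inbound_permitted(text: str, public_ip: str, port: int):
    """Return (sources allowed to reach public_ip:port from outside, translated DMZ host)."""
    aces, statics, bindings = parse_config(text)
    outside_acl = bindings.get("outside")
    sources = [src for acl, src, dst, p in aces
               if acl == outside_acl and dst == public_ip and p == port]
    return sources, statics.get(public_ip)


if __name__ == "__main__":
    for p in (443, 8443, 3389, 22):
        print(p, inbound_permitted(PIX_CONFIG, "a.a.a.195", p))
```

For the posted config this reports that tcp/443 to a.a.a.195 is permitted from any source and translated to c.c.c10, the same result the ACL gives for 8443, so the access-list itself does not distinguish the working port from the failing one.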
06-22-2007 11:13 PM
Why no reply to my request? Is no one there?
06-23-2007 05:26 AM
Swap here...
I have thought of a few more enhancements on the PIX... we'll apply a TCP map for this server and fine-tune the MSS options and TCP option 19, checksum etc.
We'll debug more on this...
06-23-2007 07:35 AM
I think the best action at this point would be to do a packet capture on the egress interface to determine if the packets are flowing in both directions.
access-list cap_https permit tcp host c.c.c10 eq 443 any
access-list cap_https permit tcp any host c.c.c10 eq 443
cap cap_https access-list cap_https interface dmz
Generate the 443 traffic.
Do a "sh cap cap_https".
You should see the request going to the server. Also do the following to see if any logs are being generated.
logging on
logging buffered 6
Then do a "sh log" and see if the PIX is logging any info in regards to the traffic. Also do a "sh conn local c.c.c10" and post the results here.