08-12-2010 12:03 AM - edited 03-11-2019 11:24 AM
Hi All,
We have one HTTPS URL of one of our customers which is not opening from the office. This URL is hosted over the Internet.
Normally we open the URL in two ways: via enabling the proxy, and the other is disabling the proxy (just to follow different paths).
Access using either of the above methods does the PATing over the PIX 535 firewall (different PAT).
This HTTPS URL is not opening from Windows 7 machines without the proxy, but using the proxy it opens.
However, without the proxy we are able to telnet to the destination over port 443. That confirms we have the necessary access from our source (PIX) to the destination.
But still the web page is not opening.
Yes, from Win XP, using either method this URL opens.
From Win 7 outside the office net / at another office where we have an ASA firewall, it opens.
Is there anything to do with the PIX / any method to drill down into this issue?
Please guide.
08-16-2010 05:58 AM
https://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml
Follow this link and add the fix to allow mss-exceed.
No need to change the MTU on the firewall.
-KS
08-12-2010 12:57 AM
Reading the problem description, if you are able to telnet on port 443 without the proxy from windows 7 PC outbound via the PIX firewall, that proves that there is nothing within the PIX firewall that is causing the issue that you are experiencing.
I would suggest that you try a different browser in your testing if you were using IE (e.g. Opera, Mozilla, Google Chrome).
08-12-2010 01:24 AM
Hi,
Thanks for the reply. We tried with many other browsers too,
but still the issue is the same.
This is only happening with Win 7 in our office, but in our other office this is not an issue.
The only difference is they have an ASA instead of a PIX.
Please guide.
08-12-2010 01:33 AM
You might want to try disabling the http inspection on the PIX and see if you still have the issue. What version of PIX are you running?
08-12-2010 01:47 AM
Hi,
PIX version is 6.3(5).
The destination site is HTTPS.
Will it still help? Can you provide a URL which will help to understand it?
Also in our PIX I don't see a fixup for HTTPS. Will fixup protocol https 443 help?
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
Please advise.
08-12-2010 01:55 AM
It sounds strange that it works through the proxy, but it doesn't work through the browser directly.
No, there is no inspection for HTTPS, only for HTTP, so it doesn't apply in your case.
What did you get when you tried to browse the website directly (which error code)? And if you bring this very same Windows 7 host outside the network, does it work fine?
Is the Windows 7 host in the same subnet/directly connected to the PIX interface?
08-12-2010 02:28 AM
Hi,
We tried connecting the same Win 7 system outside of the firewall and it worked very well.
Please find the attached screen when it fails to open the web page.
Error 1. Internet connection has been lost (it cannot be, because at the same time telnet to the destination keeps on)
2. The website is temporarily unavailable (at the same time from another Win 7 system with proxy it is working)
3. DNS not reachable (but we are able to resolve the name)
The last option of TLS & SSL has already been tried.
Please advise how we can isolate this issue.
08-12-2010 05:03 AM
You might want to take a packet capture on the PIX inside and outside interfaces when you are trying to browse that website, and download the packet capture in pcap format to further review where it's failing.
PIX version 6.3.5 is a pretty old version of code and it's already EOL, so potentially there might be a bug that causes that issue. Here is the EOL notification for your reference:
You might want to upgrade the PIX to the latest interim of 6.3.5 or even upgrade to higher version. Please also be advised that PIX hardware itself has also reached EOL, and the replacement is ASA firewall. Here is the list of all PIX related EOL notifications for your reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notices_list.html
08-12-2010 06:06 AM
Thanks halijenn,
You are right, it's an older IOS; Win7 being the new OS, the issue could not be seen anywhere, and it could be a bug with this IOS.
One more thing we are trying to isolate this issue with is DNS: in all tests inside our network w/o proxy we were using internal DNS.
While using the same machine from outside, the DNS settings were outside DNS. It could be the possibility that 1st level resolution is happening but somewhere it is not responding, because the TCP session is OK all the time. Will keep you posted on this test.
Anyway, can you please guide me through packet capture in the PIX and its downloading method?
Regards
Yogesh
08-12-2010 06:20 AM
Here we go:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/c.html#wp1053548
If you are going to configure an ACL, then for the capture on the inside interface the ACL should match the inside host IP address and the web server IP address, while the capture on the outside interface would then match the PATed IP address towards the web server IP address.
08-13-2010 01:45 AM
Hi,
One more observation for this issue which is isolating the Internet PIX.
We have one more site from where this link is working w/o proxy, and it uses the same Internet PIX to throw traffic to the Internet.
The topology we have for both sites is
Inside LAN --> Corp ASA 5510 ---> Internet PIX ---> Internet Routers ---> Internet.
From Site W the URL is working (ASA 5510 ver 8.2(1))
From Site K the URL is not working (ASA version 7.2(3))
We tried to reach Microsoft, and as per Microsoft the Corp ASA is blocking some TLS packets due to which it is not opening.
Please advise how we can go ahead with this.
08-14-2010 04:53 PM
I would suggest that you try lowering the MSS value to 1300.
Command: sysopt connection tcpmss 1300
08-15-2010 12:53 AM
Tried, but still it is not working.
Following is the output taken from the system command prompt.
C:\Users\194645>ping -f -l 1300 medimmune.mdsol.com
Pinging medimmune.mdsol.com [70.42.4.189] with 1300 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Ping statistics for 70.42.4.189:
Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
C:\Users\194645>ping -f -l 1260 medimmune.mdsol.com
Pinging medimmune.mdsol.com [70.42.4.189] with 1260 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 70.42.4.189:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Tried with setting up 1260, still it did not work.
Where could the issue be and how can we isolate the same?
Regards
Yogesh
08-15-2010 06:42 AM
1260 seems OK. Maybe 70.42.4.189 doesn't respond to ICMP.
Please try to see if you can load the page with the MSS set to 1260.
If you are unable to load, then post the syslogs for that connection.
-KS
08-16-2010 01:02 AM
Tried MSS 1260 but still unable to load the page.
But I see the following MTU on the interfaces.
Do I need to change the interface MTU?
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
Regards
Yogesh
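The thread keeps circling around two related things: the `sysopt connection tcpmss` clamp and the "MSS exceeded" drop that the accepted solution's link addresses. The following is an added example, not code from the original thread or from Cisco, that models that interaction on constructed TCP segments: it parses the MSS option from a SYN, rewrites it down to a clamp value the way a firewall MSS clamp does, and then flags data segments whose payload exceeds the clamped value (the condition behind an "MSS exceeded" drop). The MTU and clamp values (1500 and 1300) are the ones quoted in the thread; the port numbers, sequence numbers and the simplified firewall model are assumptions made for the example, and checksums are left at zero because nothing here goes on the wire.

```python
"""Added example (not from the thread): TCP MSS clamping and "MSS exceeded" checks
on constructed segments. Assumptions: header layouts from RFC 793, no IP layer,
checksums left at zero, a deliberately simplified firewall model."""
import struct

IFACE_MTU = 1500                 # "mtu inside 1500" as shown in the thread
IP_HDR_LEN = 20                  # IPv4 header without options
TCP_HDR_LEN = 20                 # TCP header without options
DEFAULT_MSS = IFACE_MTU - IP_HDR_LEN - TCP_HDR_LEN   # 1460 for a 1500-byte MTU
CLAMP_MSS = 1300                 # value from "sysopt connection tcpmss 1300"

SYN = 0x02
ACK = 0x10


def build_tcp_segment(sport, dport, flags, mss=None, payload=b""):
    """Build a TCP header (+ optional MSS option, kind 2 / length 4) and payload."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    data_offset_words = (TCP_HDR_LEN + len(opts)) // 4
    offset_flags = (data_offset_words << 12) | flags
    # seq=1, ack=0, window=65535, checksum=0 (constructed), urgent=0
    hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0, offset_flags, 65535, 0, 0)
    return hdr + opts + payload


def parse_tcp(segment):
    """Return ports, flags, advertised MSS (or None) and payload of a TCP segment."""
    sport, dport, _seq, _ack, offset_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:TCP_HDR_LEN])
    data_offset = (offset_flags >> 12) * 4
    opts = segment[TCP_HDR_LEN:data_offset]
    mss = None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {"sport": sport, "dport": dport, "flags": offset_flags & 0x1FF,
            "mss": mss, "payload": segment[data_offset:]}


def clamp_mss_option(segment, max_mss):
    """Return a copy of a SYN/SYN-ACK with its MSS option lowered to max_mss if larger.
    This is what an MSS clamp does to the handshake; the checksum is not recomputed here."""
    seg = bytearray(segment)
    data_offset = (seg[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < data_offset:
        kind = seg[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = seg[i + 1]
        if kind == 2 and length == 4:
            current = struct.unpack("!H", seg[i + 2:i + 4])[0]
            if current > max_mss:
                seg[i + 2:i + 4] = struct.pack("!H", max_mss)
        i += length
    return bytes(seg)


class MssClampFirewall:
    """Simplified model (assumption, not the PIX implementation) of an MSS clamp:
    lower the MSS in SYN/SYN-ACK, then treat data segments larger than the
    clamped MSS as "MSS exceeded"."""

    def __init__(self, max_mss):
        self.max_mss = max_mss
        self.allowed = {}        # (sport, dport) of the sender -> largest payload it may send

    def process(self, segment):
        info = parse_tcp(segment)
        if info["flags"] & SYN and info["mss"] is not None:
            # The peer that receives this SYN is bound by the (clamped) MSS it carries,
            # so record the limit under that peer's sending direction.
            self.allowed[(info["dport"], info["sport"])] = min(info["mss"], self.max_mss)
            return "forward", clamp_mss_option(segment, self.max_mss)
        limit = self.allowed.get((info["sport"], info["dport"]))
        if limit is not None and len(info["payload"]) > limit:
            return "drop-mss-exceeded", segment
        return "forward", segment


def run_demo():
    """Handshake through the clamp, then one oversized and one conforming data segment."""
    fw = MssClampFirewall(CLAMP_MSS)
    results = []
    client_syn = build_tcp_segment(40000, 443, SYN, mss=DEFAULT_MSS)
    action, out = fw.process(client_syn)
    results.append((action, parse_tcp(out)["mss"]))          # ("forward", 1300)
    server_synack = build_tcp_segment(443, 40000, SYN | ACK, mss=DEFAULT_MSS)
    action, out = fw.process(server_synack)
    results.append((action, parse_tcp(out)["mss"]))          # ("forward", 1300)
    # Server ignores the clamp and sends a full 1460-byte TLS record segment (constructed).
    big = build_tcp_segment(443, 40000, ACK, payload=b"\x17\x03\x01" + b"A" * 1457)
    results.append((fw.process(big)[0], None))               # ("drop-mss-exceeded", None)
    ok = build_tcp_segment(443, 40000, ACK, payload=b"B" * CLAMP_MSS)
    results.append((fw.process(ok)[0], None))                # ("forward", None)
    return results


if __name__ == "__main__":
    for action, mss in run_demo():
        print(action, mss)
```

The point the demo makes is the one the thread's accepted answer relies on: lowering the MSS only helps if both ends honour the rewritten option. A server that still emits segments larger than the clamped MSS trips the "MSS exceeded" condition, which is why allowing exceeded-MSS segments (rather than lowering the interface MTU) is the fix in the linked note. In a real capture, check the MSS in the SYN on both interfaces and compare it against the payload size of the server's data segments; the interface MTU of 1500 does not need to change.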