Weird PIX Problem

darkbeatzz · ‎10-08-2007

Hi All,

I have 2 pix firewalls in failover mode. All of a sudden the primary started dropping all traffic on the inside interface.

when doing a sh log I was seeing litterally hundreds of Deny UDP reverse path check errors on the inside interface. the log counter was going up hundreds in seconds with these messages.

so I turned off the primary firewall and the standby kicked in and there are no issues at all. as soon as you turn the primary back on same problem, all traffic on inside is dropped.

I have the

ip verify reverse-path interface inside

command turned on so its doing its job if its spoofing but why am I not seeing the same problem on the secondry firewall once that has become active?

Im stumped with this

thanks

oh yeah and the ip address source in the log message is a 169.254.127.47 so 169.254.255.255 which the last two octets in the source address changing all the time.

vkapoor5 · ‎10-12-2007

The use of a pair of identical PIX devices (model, memory, network interface cards (NICs), operating system versions), high availability can be provided with no operator intervention.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

autobot130 · ‎10-14-2007

Sounds like it might be dropping packets due to CPU overutilization due a DoS attack from someone inside spoofing those IP address of 169.254.x.x. Have you checked the CPU when that occurs?

if you had that command in there working before, then something other than configuration or hardware is triggering the packets on the inside interface to be dropped. My guess is someone is causing trouble perhaps.