08-26-2003 10:06 AM - edited 03-02-2019 09:54 AM
I have this on-going issue where some of my users are unable to access external resources one day, then the next day they are able to.
I have tried the normal troubleshooting techniques to eliminate any PC side variables that I could think of.
These users can access 100% of the internal network resources but they can not access any ports external to the network, ie: (dns, ftp, www) - I have plugged them into different ports, switches, manually assigned IPs, checked routing tables, etc.
Currently my network has a 2500 (2514?) router and a pix520 series firewall both connected to a 5 port 10/100 hub. The firewall passes from the hub to one of the main switches on the LAN.
I thought perhaps I am out of connection licenses on the firewall but I can not find any such information on the 520. It is running an old software rev 4.2.2
I can take one of the 'afflicted' PCs and plug it into the hub and assign it an external address and it works. Internal address, doesn't work.
If I do a traceroute from the problem PC to an outside source, initially (before route is populated with outside host's route) the first hop will be my router, then the second hop will be the router also. Then it times out. Subsequent traceroutes from this PC will time out on ALL hops. I can clear the route and then we get 2 hops again. All other PCs on the network can traceroute outside.
Can anyone give me a tip or a decent way to troubleshoot this? I don't have any high-end sniffing equipment, just normal tools.
08-27-2003 05:02 AM
Could you be running out of addresses in your NAT pool?
08-26-2003 10:12 AM
Also some of the users are Macintosh and the others are Windows 2000/XP
08-26-2003 10:33 AM
Once you find that a PC is having a problem, log on to the PIX and clear the translation entries (clear xlate). Note that this would clear all active translations, I would recommend using this not during peak hours.
See if the problem clears up after you clear the translation entries.
You could also download some free sniffer tools such as Ethereal and see what's happening.
08-26-2003 10:41 AM
Hi and thanks for the reply. I have cleared the translation tables with no apparent results on the problem PCs.
08-27-2003 08:32 AM
This very well could be happening but I am not really familiar with this unit. Can you suggest a way to figure this?
I did put both a syslog server and a sniffer software package on a SPAN'd port that connects to the problem PC (today it's a Dell)
What I am seeing is that when a 'working' user accesses the internet I get Syslog records of it. But I have no Syslog records of the users that can not get to the internet. This leads me to believe that they are having connection issues to the firewall. But they can ping the inside firewall interface.
The port sniff shows that there is a DNS resolution for the HTTP pages that they are trying to access, and it shows a HTTP /SYN type of packet to the external site. But it does not show anything about the firewall.
I would think that if I am running out of POOLed IPs that I would see a Syslog message about it. Or not?
08-27-2003 10:17 AM
I went ahead and enabled PAT for the time being. I hope this clears up my particular issue.
I just wish that there was a quick way to tell or that Syslog would indicate this type of error.
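The thread's diagnosis is that a dynamic NAT pool with N global addresses can only carry N inside hosts at once; the (N+1)th host gets no translation and, on this firewall, no syslog line either, which is exactly the "no syslog records for the broken users" symptom above. The script below is an added example, not code from the original posts or from Cisco: it replays the firewall's translation build/teardown syslog messages, reports pool utilisation, and lists which inside hosts seen by the sniffer currently hold no translation. The message wording is assumed from the 305009/305010 dynamic-translation messages of later PIX/ASA releases (PIX 4.2.2 may log differently), the pool addresses and log lines are constructed, and the host list is what a SPAN-port capture would supply.

```python
import re

# Assumed message shapes, modelled on the dynamic-translation messages of
# later PIX/ASA releases (IDs 305009/305010). PIX 4.2.2 wording may differ;
# adjust the two patterns to match the firewall's actual syslog output.
BUILT = re.compile(
    r"Built dynamic translation from (\w+):([\d.]+) to (\w+):([\d.]+)")
TEARDOWN = re.compile(
    r"Teardown dynamic translation from (\w+):([\d.]+) to (\w+):([\d.]+)")

# Constructed three-address global pool (RFC 5737 documentation range).
POOL = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]

# Constructed syslog excerpt: three hosts fill the pool, one leaves,
# a fourth host takes the freed address, so the pool is full again.
SAMPLE_LOG = """\
%PIX-6-305009: Built dynamic translation from inside:10.1.1.10 to outside:203.0.113.1
%PIX-6-305009: Built dynamic translation from inside:10.1.1.11 to outside:203.0.113.2
%PIX-6-305009: Built dynamic translation from inside:10.1.1.12 to outside:203.0.113.3
%PIX-6-305010: Teardown dynamic translation from inside:10.1.1.11 to outside:203.0.113.2 duration 0:03:00
%PIX-6-305009: Built dynamic translation from inside:10.1.1.13 to outside:203.0.113.2
"""


def replay(lines):
    """Replay build/teardown messages; return {inside_ip: global_ip} still active."""
    active = {}
    for line in lines:
        m = BUILT.search(line)
        if m:
            active[m.group(2)] = m.group(4)
            continue
        m = TEARDOWN.search(line)
        if m:
            active.pop(m.group(2), None)
    return active


def pool_status(active, pool):
    """Summarise how many pool addresses are held by live translations."""
    used = set(active.values()) & set(pool)
    free = [g for g in pool if g not in used]
    return {"in_use": len(used), "size": len(pool),
            "free": free, "exhausted": not free}


def first_exhaustion(lines, pool):
    """1-based line number at which the pool first became fully used, or None."""
    active = {}
    for n, line in enumerate(lines, 1):
        active = replay([line]) if False else _apply(active, line)
        if pool_status(active, pool)["exhausted"]:
            return n
    return None


def _apply(active, line):
    """Apply one message to a copy of the active table (helper for first_exhaustion)."""
    active = dict(active)
    m = BUILT.search(line)
    if m:
        active[m.group(2)] = m.group(4)
        return active
    m = TEARDOWN.search(line)
    if m:
        active.pop(m.group(2), None)
    return active


def hosts_without_xlate(seen_hosts, active):
    """Inside hosts the sniffer saw sending traffic that hold no translation."""
    return [h for h in seen_hosts if h not in active]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    active = replay(lines)
    status = pool_status(active, POOL)
    print(f"pool {status['in_use']}/{status['size']} in use, free={status['free']}")
    print("first exhausted at log line", first_exhaustion(lines, POOL))
    # Constructed: hosts observed on the SPAN port sending outbound SYNs.
    print("hosts with no xlate:", hosts_without_xlate(["10.1.1.10", "10.1.1.40"], active))
```

Run it against the firewall's real syslog export and the SPAN capture's source addresses: a host that appears in the capture but not in the active translation table while the pool shows no free address is the one silently dropped for want of a global IP, which is the condition PAT (many hosts behind one address) removes.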