Re: Cannot reach a certain website until I do a clear xlate

spfeffer · ‎03-02-2005

I have the weirdest thing going on. Some of our workstations CAN reach the website http://www.capwiz.com/nach and some cannot. I go to our pix and do a clear xlate and some machines are magically fixed, yet others are not able to reach the website. I have a global nat pool of about 100 addresses and one global PAT address beyond that. Any ideas would be greatly appreciated as this is a real problem for us. I don't know of any other websites that we have ever had this problem with. Thanks.

Sonny Pfeffer

Network Support Specialist I

Driscoll Children's Hospital

jcalvert · ‎03-02-2005

You need to find out if the connections are being established, and if so, why they are being torn down.

Check the logs and see:

1. Is the connection is built. (Built outbound TCP connection ...)

2. Is the URL being accesses ( Accessed URL ...)

3. Why is the connection torn down? (Teardown TCP connection ... )

The reason will tell you the direction and why it was torn down.

Jeff

spfeffer · ‎03-03-2005

It looks like the connection is being built and then immediately torn down with a result of "Reset-O". If after trying to access the website from a certain pc and don't reach the website, I immediately go to our pix and do a "clear xlate" on it, all of a sudden that machine (10.200.152.57) can reach the website. Others may still not be able to reach it. This is the strangest thing I've ever dealt with.

<190>Mar 03 2005 10:28:05: %PIX-6-302013: Built outbound TCP connection 274634 for outside:64.14.114.203/80 (64.14.114.203/80) to inside:10.200.152.57/2074 (67.67.242.253/26303)

<190>Mar 03 2005 10:28:08: %PIX-6-302014: Teardown TCP connection 274634 for outside:64.14.114.203/80 to inside:10.200.152.57/2074 duration 0:00:03 bytes 724 TCP Reset-O

spfeffer · ‎03-03-2005

Also...it seems real intermittent. Some machines CAN get to the website at one point, then can't later. I understand the "Reset-O" means the connection was reset from the outside, but I'm not sure what that means. Is it our internet router maybe? Should I be looking there? I almost think it has to do with our PIX, because the "clear xlate" seems to take care of the problem at least some of the time for some of the workstations. It's all very strange to me.

Sonny

jmia · ‎03-03-2005

Sonny,

Just as a test, can you add the following to your pix config: (in config mode)

> sysopt noproxyarp inside

Save with wr m and issue clear xlate.

And also clear the ARP table on your internet router and pix. If you have a internal LAN router that is acting as a gateway, clear the ARP on this router too.

Let me know your results.

Jay

cpnewton · ‎03-03-2005

I am having the same problem as the starter of this thread. It seems very random and almost such that is a DDoS situtation. it lasts for about an hour or so and then it "magically" stops. i have checked my connections and it only runs around 400 or so active connections throughout the day. I can't do a clear xlate during the day due to come VoIP phones that freak out if you kill their connection.

jcalvert · ‎03-03-2005

The reset-O means the tcp reset packet came from the far end connection. I do not think it's the firewall.

Are you running ip inspection on the internet router?

Can you run "show conn foreign "? Check and see if you're PATing most of the connections.

Jeff

kingnascar · ‎03-04-2005

I have also seen this type of behavior from web sites doing reverse lookup and not all ports had ptr records in dns.

spfeffer · ‎03-05-2005

Here's what I did to remedy the situation...I originally had a NAT pool of 100 IP addresses and a single overflow address for PAT. I eliminated the NAT pool for outgoing TCP connections, so now everyone going out is using the single IP address in a PAT configuration. This seems to have resolved the issue. I'm not sure what the root cause of the problem is except maybe the TCP connection that was being built outbound when trying to reach the website was being torn down too quickly by other outbound connections needing to get out and the return address the outside web server was trying to reach was no longer available. I guess....it was a real frustrating issue, but seems to be resolved.

Sonny