A strange PIX problem

tonyxie76
Level 1

We have a site-to-site VPN connection (PIX501-VPN3005).

Our PIX501 often has a problem like the one below:

Every 3~5 days, I can't ping the inside interface of it, but at the same time I can ping the outside interface; then the VPN tunnel breaks and we have to restart it manually. Why does it have this symptom? Is it because the PIX has a quality problem? Thanks

6 Replies

sachinraja
Level 9

Hello tony,

Is browsing happening during this time? Are the NAT translations happening?

Is the PIX not responding during this time? Any error messages on the console?

Have you enabled logging? Please disable logging and see if this is still happening. The command to do this is "no logging on".

Do let us know...

Hi, please see my configuration:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname fcngu001
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list toIPSEC permit ip 10.xx.x.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list toIPSEC permit ip 10.xx.x.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list toIPSEC permit ip 10.xx.x.0 255.255.255.0 xxx.73.0.0 255.255.0.0
access-list doNotNAT permit ip 10.xx.x.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list doNotNAT permit ip 10.xx.x.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list doNotNAT permit ip 10.xx.x.0 255.255.255.0 xxx.73.0.0 255.255.0.0
access-list toOutside permit icmp any any unreachable
access-list toOutside permit icmp any any echo-reply
access-list toOutside permit icmp any any time-exceeded
pager lines 24
logging on
logging buffered errors
logging trap informational
logging history informational
logging host inside xxx.xx.254.243
mtu outside 1500
mtu inside 1500
ip address outside 210.xx.xxx.220 255.255.255.248
ip address inside 10.xx.x.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list doNotNAT
nat (inside) 1 10.xx.x.0 255.255.255.0 0 0
access-group toOutside in interface outside
route outside 0.0.0.0 0.0.0.0 210.xx.xxx.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set novo esp-aes esp-md5-hmac
crypto map cngu 10 ipsec-isakmp
crypto map cngu 10 match address toIPSEC
crypto map cngu 10 set peer xxx.155.xxx.180
crypto map cngu 10 set transform-set novo
crypto map cngu interface outside
isakmp enable outside
isakmp key ******** address xxx.155.xxx.180 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet xxx.73.0.0 255.255.0.0 inside
telnet timeout 5
ssh 217.xx.xx.129 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:xxxx
: end
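The two things the replies in this thread keep coming back to are the logging statements (which the poster is asked to remove) and the site-to-site tunnel itself. The script below is an added example, not code from the original post or from Cisco: it parses a PIX 6.3-style configuration, lists every logging statement with the "no ..." command that would remove it, and checks that every entry in the crypto map's match-address ACL (toIPSEC) is also present in the nat 0 exemption ACL (doNotNAT). Interesting traffic that is not exempted from NAT gets translated to the outside interface address before the crypto map sees it and so never enters the tunnel; the config in this thread passes that check, and the constructed sample below deliberately omits one doNotNAT line so the check fires. The "no logging" syntax it emits is an assumption to verify on your own unit, and all addresses are made up.

```python
"""Audit a PIX 6.x style configuration for the two points discussed in
this thread: the logging statements a reply asks to remove, and whether
the crypto map ACL lines up with the nat 0 (NAT exemption) ACL.

Added example, not code from the original post. All sample values are
constructed; the xx octets of the thread are replaced with made-up ones.
"""
import re
from collections import defaultdict

# Constructed sample config, trimmed to the statements the audit inspects.
# doNotNAT is deliberately missing the 172.16.0.0/12 entry so the check fires.
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list toIPSEC permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list toIPSEC permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list doNotNAT permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.0.0.0
logging on
logging buffered errors
logging trap informational
logging history informational
logging host inside 10.1.254.243
global (outside) 1 interface
nat (inside) 0 access-list doNotNAT
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
crypto map cngu 10 ipsec-isakmp
crypto map cngu 10 match address toIPSEC
crypto map cngu interface outside
: end
"""


def parse_config(text):
    """Collect ACL entries, logging statements, the nat 0 ACL and crypto ACLs."""
    cfg = {"acls": defaultdict(list), "logging": [],
           "nat0_acl": None, "crypto_acls": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((":", "!")):
            continue  # blank lines, ': end', comments
        m = re.match(r"access-list (\S+) (.+)", line)
        if m:
            cfg["acls"][m.group(1)].append(m.group(2))
        elif line.startswith("logging "):
            cfg["logging"].append(line)
        else:
            m = re.match(r"nat \(\S+\) 0 access-list (\S+)", line)
            if m:
                cfg["nat0_acl"] = m.group(1)
            m = re.match(r"crypto map \S+ \d+ match address (\S+)", line)
            if m:
                cfg["crypto_acls"].append(m.group(1))
    return cfg


def logging_removal_commands(cfg):
    """Negation commands for each logging statement found (assumed syntax:
    'no logging <keyword>' drops the level; 'no logging host ...' repeats
    the whole line). Verify against your own PIX before applying."""
    cmds = []
    for cmd in cfg["logging"]:
        words = cmd.split()
        if words[1] == "host":
            cmds.append("no " + cmd)
        else:
            cmds.append("no " + " ".join(words[:2]))
    return cmds


def check_nat_exemption(cfg):
    """Crypto map ACL entries that the nat 0 ACL does not also exempt.

    Such traffic is translated (here PAT to the outside interface) before
    the crypto map is consulted, so it never matches the tunnel.
    """
    findings = []
    nat0 = set(cfg["acls"].get(cfg["nat0_acl"], [])) if cfg["nat0_acl"] else set()
    for acl in cfg["crypto_acls"]:
        for entry in cfg["acls"].get(acl, []):
            if entry not in nat0:
                findings.append(f"{acl}: '{entry}' is not in nat 0 ACL "
                                f"{cfg['nat0_acl'] or '(none)'}")
    return findings


def audit(text):
    cfg = parse_config(text)
    return {"logging_count": len(cfg["logging"]),
            "remove_logging": logging_removal_commands(cfg),
            "nat_exemption_gaps": check_nat_exemption(cfg)}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print(f"{report['logging_count']} logging statement(s) found; to disable:")
    for c in report["remove_logging"]:
        print("  " + c)
    print("crypto ACL entries missing from the nat 0 exemption:")
    for f in report["nat_exemption_gaps"] or ["none"]:
        print("  " + f)
```

Run it as-is to see the report for the constructed sample, or replace SAMPLE_CONFIG with a `show running-config` capture. The exemption check compares ACL entries textually, so equivalent entries written differently (for example a host keyword versus a /32 mask) will show up as gaps and need a manual look.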

Hi tony,

When the problem happens, what's the response on the console? Are you able to see the ARP? Are you able to ping the local PCs from the console? Is browsing happening at that time? The config seems OK. You can, though, try removing logging by doing the "no logging on" command and removing all other commands with respect to logging. Try this and see if your problem is solved.

All the best!

Hi,

Thanks, I have removed all the logging commands and I will wait for at least one week to see if this problem still exists.

Sorry, I can't see the information from the console because this PIX is in our remote office.

Regarding ARP, I can show ARP when it's normal, but when it times out, I can't log in and see ARP.

The last thing: I don't understand 'browsing'. Could you please give me a detailed explanation of what 'browsing' is? Thanks a lot!

BR

Hi tony,

By browsing, I meant "internet surfing", i.e. the HTTP access from the PC.

Hope your problems get solved. Message us if your problem still exists. Rate all replies if found useful.

Hi, thanks, I will continue to monitor it.

I have some other questions that need your help:

1. If a PIX501 has a 50-user license, does it mean that it can support up to 50 internal IP addresses accessing the outside simultaneously? Or does it mean that up to 50 bidirectional sessions can pass through this PIX simultaneously? Which one is right?

2. If a PIX501 is a 50-user license device, how can I know the number of licenses actively used (or the available licenses remaining) on this PIX?