UK - Webpages fail to personal banking on HSBC and FirstDirect Thru PIX

Mar 15th, 2007

Hi all,

I have an odd problem on two PIX515 on two separate customer sites.

The customers are able to access all web sites OK through the PIX (http and https) with the exception of the personal banking pages of HSBC and FirstDirect.

Does anyone have an idea of how to resolve this issue?

Thanks,

Chris

hoogen_82 Thu, 03/15/2007 - 07:30

When they are accessing the pages can you try checking the logging in debug mode. Check the real time logging and see what is getting blocked.

Hoogen

greivin.viquez Thu, 03/15/2007 - 07:52

I gave it a try with a "test user" and I had the following message:

"Your username has not been recognised. Please try again"

I can imagine 3 possible features the PIX might use to filter the access to such page:

1. FILTER URL

2. ACL

3. IP AUDIT

My recommendation is to see if you have enabled any of those commands and focus on them and use the "DEBUG PACKET" tool to troubleshoot.

- Viquez -

greivin.viquez Thu, 03/15/2007 - 07:54

One more thing... You did not mention the OS you are using. It is important to know.

greivin.viquez Thu, 03/15/2007 - 07:31

It seems those pages have something in them that the PIX is filtering. My recommendation is to resolve the name of the site to obtain the real IP address, then read the logs from the PIX. Temporarily filter out several unimportant log messages to get focus. To do this, use the following commands:

    conf term
    no logging message 109001
    no logging message 109023
    no logging message 113004
    no logging message 210007
    no logging message 302013
    no logging message 302014
    no logging message 302015
    no logging message 302016
    no logging message 302020
    no logging message 302021
    no logging message 304001
    no logging message 305011
    no logging message 305012
    no logging message 609001
    no logging message 609002
    no logging message 710005
    logg on
    logg console 7
    logg monitor 7
    exit

On the other hand you could use the command "debug packet inside src a.b.c.d" and "debug packet outside dst x.y.z.n" to monitor the traffic flowing thru the PIX.

These tips will give at least some idea of what is going on and whether the traffic is being filtered by the PIX.

Hope it helps....!

suschoud Thu, 03/15/2007 - 13:24

Here's what I recommend:

    fixup protocol dns maximum-length 1024
    no fixup protocol http 80
    cl xlate

hth

Sushil

Cisco TAC.

ccpagel Fri, 03/16/2007 - 09:49

Hi Sushil,

Thanks for your posting; however, it didn't help.

In the end I resolved the problem by upgrading from 7.0 to 7.2.(2). After I did this I still had the same problem; however, the logs showed dropped packets on the outside interface from the web server. They were dropped due to MSS Exceeded.

I implemented the suggested workaround in the Cisco document "PIX/ASA 7.0 Issue: MSS Exceeded - HTTP Clients Cannot Browse to Some Web Sites"

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

Regards,

Chris
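
The log check that identified the cause in the last post, as an added example that is not part of the original thread: it scans PIX syslog text for "MSS exceeded" drops and groups them by the sending server, so the affected sites stand out from ACL denies and connection builds. The sample lines are constructed, and the message ID 419001 and its field layout are assumptions about the 7.x log format.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the PIX/ASA 7.x "MSS exceeded" drop
# message (assumed syslog ID 419001); addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 16 2007 09:12:01: %PIX-6-302013: Built outbound TCP connection 4411 for outside:192.0.2.10/443 (192.0.2.10/443) to inside:10.1.1.20/1025 (198.51.100.5/1025)
Mar 16 2007 09:12:02: %PIX-4-419001: Dropping TCP packet from outside:192.0.2.10/443 to inside:10.1.1.20/1025, reason: MSS exceeded, MSS 1380, data 1460
Mar 16 2007 09:12:03: %PIX-4-419001: Dropping TCP packet from outside:192.0.2.10/443 to inside:10.1.1.20/1025, reason: MSS exceeded, MSS 1380, data 1460
Mar 16 2007 09:12:09: %PIX-4-419001: Dropping TCP packet from outside:192.0.2.77/80 to inside:10.1.1.31/2210, reason: MSS exceeded, MSS 1380, data 1400
Mar 16 2007 09:12:10: %PIX-4-106023: Deny tcp src outside:203.0.113.9/4000 dst inside:10.1.1.20/25 by access-group "outside_in"
"""

DROP_RE = re.compile(
    r"%(?:PIX|ASA)-\d-419001: Dropping TCP packet from "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

def mss_exceeded_by_server(log_text):
    """Group MSS-exceeded drops by the sending host and port.

    Returns {(src_ip, src_port): {"drops", "mss", "max_data", "clients"}}.
    """
    servers = defaultdict(
        lambda: {"drops": 0, "mss": 0, "max_data": 0, "clients": set()})
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue  # builds, ACL denies and other IDs are not MSS drops
        entry = servers[(m["src_ip"], int(m["src_port"]))]
        entry["drops"] += 1
        entry["mss"] = int(m["mss"])  # MSS value reported in the drop message
        entry["max_data"] = max(entry["max_data"], int(m["data"]))
        entry["clients"].add(m["dst_ip"])
    return dict(servers)

def report(log_text):
    """One summary line per server whose segments exceeded the MSS."""
    lines = []
    for (ip, port), e in sorted(mss_exceeded_by_server(log_text).items()):
        over = e["max_data"] - e["mss"]
        lines.append(f"{ip}:{port} drops={e['drops']} mss={e['mss']} "
                     f"max_data={e['max_data']} (+{over} bytes) "
                     f"clients={sorted(e['clients'])}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```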
