UK - Webpages fail to personal banking on HSBC and FirstDirect Thru PIX

Mar 15th, 2007

Hi all,


I have an odd problem on two PIX515 on two separate customer sites.


The customers are able to access all web sites OK through the PIX (http and https) with the exception of the personal banking pages of HSBC and FirstDirect.


Does anyone have an idea of how to resolve this issue?


Thanks,

Chris

hoogen_82 Thu, 03/15/2007 - 07:30

When they are accessing the pages can you try checking the logging in debug mode. Check the real time logging and see what is getting blocked.


Hoogen

greivin.viquez Thu, 03/15/2007 - 07:52

I gave it a try with a "test user" and I had the following message:


"Your username has not been recognised. Please try again"


I can imagine 3 possible features the PIX might use to filter access to such a page:


1. FILTER URL

2. ACL

3. IP AUDIT


My recommendation is to see if you have enabled any of those commands, focus on them, and use the "DEBUG PACKET" tool to troubleshoot.


- Viquez -

greivin.viquez Thu, 03/15/2007 - 07:54

One more thing... You did not mention the OS you are using. It is important to know.

greivin.viquez Thu, 03/15/2007 - 07:31

It seems those pages have something in them that the PIX is filtering. My recommendation is to resolve the name of the site to obtain the real IP address, then read the logs from the PIX. Temporarily filter out several unimportant log messages to get focus. To do this, use the following commands:


conf term

no logging message 109001

no logging message 109023

no logging message 113004

no logging message 210007

no logging message 302013

no logging message 302014

no logging message 302015

no logging message 302016

no logging message 302020

no logging message 302021

no logging message 304001

no logging message 305011

no logging message 305012

no logging message 609001

no logging message 609002

no logging message 710005

logg on

logg console 7

logg monitor 7

exit


On the other hand, you could use the commands "debug packet inside src a.b.c.d" and "debug packet outside dst x.y.z.n" to monitor the traffic flowing through the PIX.


These tips will give at least some idea of what is going on and whether the traffic is being filtered by the PIX.


Hope it helps....!

suschoud Thu, 03/15/2007 - 13:24

Here's what I recommend:


fixup protocol dns maximum-length 1024

no fixup protocol http 80

cl xlate


hth

Sushil

cisco tac.

ccpagel Fri, 03/16/2007 - 09:49

Hi Sushil,


Thanks for your posting, however it didn't help.


In the end I resolved the problem by upgrading from 7.0 to 7.2.(2). After I did this I still had the same problem, however the logs showed dropped packets on the outside interface from the web server. They were dropped due to MSS Exceeded.


I implemented the suggested workaround in the Cisco document "PIX/ASA 7.0 Issue: MSS Exceeded - HTTP Clients Cannot Browse to Some Web Sites"


http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml


Regards,

Chris
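
An added example, not part of the thread: a small Python triage script that picks the "MSS exceeded" drops Chris describes out of PIX syslog output and groups them by web server, so the affected sites stand out. The 419001 message layout is assumed from Cisco's syslog format, and the sample log lines and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout of PIX/ASA syslog 419001 (the thread does not quote the log line).
MSS_DROP = re.compile(
    r"%(?:PIX|ASA)-4-419001: Dropping TCP packet from "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
Mar 16 2007 09:12:01: %PIX-6-302013: Built outbound TCP connection 1042 for outside:192.0.2.10/443 (192.0.2.10/443) to inside:10.1.1.25/3120 (198.51.100.5/3120)
Mar 16 2007 09:12:02: %PIX-4-419001: Dropping TCP packet from outside:192.0.2.10/443 to inside:10.1.1.25/3120, reason: MSS exceeded, MSS 1380, data 1460
Mar 16 2007 09:12:05: %PIX-4-419001: Dropping TCP packet from outside:192.0.2.10/443 to inside:10.1.1.25/3120, reason: MSS exceeded, MSS 1380, data 1460
Mar 16 2007 09:13:40: %PIX-4-419001: Dropping TCP packet from outside:192.0.2.10/443 to inside:10.1.1.31/4410, reason: MSS exceeded, MSS 1380, data 1452
Mar 16 2007 09:14:02: %PIX-4-106023: Deny tcp src outside:198.51.100.77/4000 dst inside:10.1.1.25/135 by access-group "outside_in"
Mar 16 2007 09:15:11: %PIX-4-419001: Dropping TCP packet from outside:203.0.113.7/80 to inside:10.1.1.25/3125, reason: MSS exceeded, MSS 536, data 1460
"""


def summarize_mss_drops(log_text):
    """Group MSS-exceeded drops by (ingress interface, server IP, server port)."""
    summary = defaultdict(
        lambda: {"drops": 0, "clients": set(), "max_overshoot": 0}
    )
    for line in log_text.splitlines():
        m = MSS_DROP.search(line)
        if not m:
            continue  # unrelated syslog message
        entry = summary[(m["src_if"], m["src_ip"], int(m["src_port"]))]
        entry["drops"] += 1
        entry["clients"].add(m["dst_ip"])
        # How far the segment exceeded the MSS seen during the handshake.
        overshoot = int(m["data"]) - int(m["mss"])
        entry["max_overshoot"] = max(entry["max_overshoot"], overshoot)
    return dict(summary)


if __name__ == "__main__":
    for (ifc, ip, port), e in sorted(summarize_mss_drops(SAMPLE_LOG).items()):
        print(f"{ifc}:{ip}/{port} drops={e['drops']} "
              f"clients={sorted(e['clients'])} max_overshoot={e['max_overshoot']}B")
```

A short list of servers with repeated drops and a consistent overshoot matches the symptom in this thread, where most sites load and only a few fail.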
