03-15-2007 05:42 AM - edited 02-21-2020 01:26 AM
Hi all,
I have an odd problem on two PIX515 on two separate customer sites.
The customers are able to access all web sites OK through the PIX (http and https) with the exception of the personal banking pages of HSBC and FirstDirect.
Does anyone have an idea of how to resolve this issue?
Thanks,
Chris
03-15-2007 07:30 AM
When they are accessing the pages can you try checking the logging in debug mode. Check the real time logging and see what is getting blocked.
Hoogen
03-15-2007 07:41 AM
There are no messages showing any blocked traffic on the PIX.
The web page just shows as loading "waiting for http://www.banking.first-direct.com/1/2/logon/.."
Chris
03-15-2007 07:52 AM
I gave it a try with a "test user" and I had the following message:
"Your username has not been recognised. Please try again"
I can imagine 3 possible features the PIX might use to filter the access to such a page:
1. FILTER URL
2. ACL
3. IP AUDIT
My recommendation is to see if you have enabled any of those commands and focus on them and use the "DEBUG PACKET" tool to troubleshoot.
- Viquez -
03-15-2007 07:54 AM
One more thing... You did not mention the OS you are using. It is important to know.
03-15-2007 07:31 AM
It seems those pages have something in them that the PIX is filtering. My recommendation is to resolve the name of the site to obtain the real IP address, then read the logs from the PIX. Temporarily filter out several unimportant log messages to get focus. To do this, use the following commands:
conf term
no logging message 109001
no logging message 109023
no logging message 113004
no logging message 210007
no logging message 302013
no logging message 302014
no logging message 302015
no logging message 302016
no logging message 302020
no logging message 302021
no logging message 304001
no logging message 305011
no logging message 305012
no logging message 609001
no logging message 609002
no logging message 710005
logg on
logg console 7
logg monitor 7
exit
On the other hand you could use the command "debug packet inside src a.b.c.d" and "debug packet outside dst x.y.z.n" to monitor the traffic flowing thru the PIX.
These tips will give at least some idea of what is going on and whether the traffic is being filtered by the PIX.
Hope it helps....!
03-15-2007 01:24 PM
Here's what I recommend:
fixup protocol dns maximum-length 1024
no fixup protocol http 80
cl xlate
hth
Sushil
cisco tac.
03-16-2007 09:49 AM
Hi Sushil,
Thanks for your posting, however it didn't help.
In the end I resolved the problem by upgrading from 7.0 to 7.2.(2). After I did this I still had the same problem, however the logs showed dropped packets on the outside interface from the web server. They were dropped due to MSS Exceeded.
I implemented the suggested workaround in the Cisco document "PIX/ASA 7.0 Issue: MSS Exceeded - HTTP Clients Cannot Browse to Some Web Sites"
Regards,
Chris
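Added example, not part of the original thread: a small Python script that picks the "MSS exceeded" drops described in the post above out of a firewall log and lists which web servers sent oversized segments, so any workaround can be scoped to those hosts only. The log layout for syslog message 419001 is an assumption, and the sample lines and addresses are constructed for illustration.

```python
import re

# Assumed layout of PIX/ASA syslog 419001 (TCP segment larger than advertised MSS).
MSS_DROP = re.compile(
    r"%(?:PIX|ASA)-\d-419001: Dropping TCP packet from "
    r"(?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# Constructed sample log (documentation address ranges), not taken from the thread.
SAMPLE_LOG = """\
Mar 16 2007 09:12:01: %PIX-6-302013: Built outbound TCP connection 1201 for outside:192.0.2.10/443 (192.0.2.10/443) to inside:10.1.1.25/1025 (198.51.100.5/1025)
Mar 16 2007 09:12:02: %PIX-4-419001: Dropping TCP packet from outside:192.0.2.10/443 to inside:10.1.1.25/1025, reason: MSS exceeded, MSS 1380, data 1460
Mar 16 2007 09:12:05: %PIX-4-419001: Dropping TCP packet from outside:192.0.2.10/443 to inside:10.1.1.25/1025, reason: MSS exceeded, MSS 1380, data 1460
Mar 16 2007 09:13:40: %PIX-4-419001: Dropping TCP packet from outside:203.0.113.7/80 to inside:10.1.1.31/1040, reason: MSS exceeded, MSS 1380, data 1400
Mar 16 2007 09:14:00: %PIX-6-302014: Teardown TCP connection 1201 for outside:192.0.2.10/443 to inside:10.1.1.25/1025 duration 0:02:00 bytes 512 TCP FINs
"""

def mss_exceeded_servers(log_text):
    """Map (sender_ip, sender_port) -> (drops, smallest MSS seen, largest segment seen)."""
    result = {}
    for line in log_text.splitlines():
        m = MSS_DROP.search(line)
        if not m:
            continue  # unrelated message: connection build/teardown, etc.
        key = (m["src_ip"], int(m["src_port"]))
        mss, data = int(m["mss"]), int(m["data"])
        count, low_mss, big_seg = result.get(key, (0, mss, 0))
        result[key] = (count + 1, min(low_mss, mss), max(big_seg, data))
    return result

if __name__ == "__main__":
    for (ip, port), (drops, mss, seg) in sorted(mss_exceeded_servers(SAMPLE_LOG).items()):
        print(f"{ip}:{port} drops={drops} advertised_mss={mss} "
              f"largest_segment={seg} overshoot={seg - mss}")
```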
10-15-2007 12:48 AM
Hi Chris,
That's great, but can you let me know whether you are able to access the below link now after applying the tcp mss commands? The below link is the driver site of HP.
regards...Jkannan