
UK - Webpages fail to personal banking on HSBC and FirstDirect Thru PIX

ccpagel
Level 1

Hi all,

I have an odd problem on two PIX515 on two separate customer sites.

The customers are able to access all web sites OK through the PIX (http and https) with the exception of the personal banking pages of HSBC and FirstDirect.

Does anyone have an idea of how to resolve this issue?

Thanks,

Chris

8 Replies

hoogen_82
Level 4

When they are accessing the pages can you try checking the logging in debug mode. Check the real time logging and see what is getting blocked.

Hoogen

There are no messages showing any blocked traffic on the PIX.

The web page just shows as loading "waiting for http://www.banking.first-direct.com/1/2/logon/.."

Chris

I gave it a try with a "test user" and I had the following message:

"Your username has not been recognised. Please try again"

I can imagine 3 possible features the PIX might use to filter access to such a page:

1. FILTER URL

2. ACL

3. IP AUDIT

My recommendation is to see if you have enabled any of those commands, focus on them, and use the "DEBUG PACKET" tool to troubleshoot.

- Viquez -

One more thing... You did not mention the OS you are using. It is important to know.

greivin.viquez
Level 1

It seems those pages have something in them that the PIX is filtering. My recommendation is to resolve the name of the site to obtain the real IP address, then read the logs from the PIX. Temporarily filter out several unimportant log messages to get focus. To do this, use the following commands:

conf term

no logging message 109001

no logging message 109023

no logging message 113004

no logging message 210007

no logging message 302013

no logging message 302014

no logging message 302015

no logging message 302016

no logging message 302020

no logging message 302021

no logging message 304001

no logging message 305011

no logging message 305012

no logging message 609001

no logging message 609002

no logging message 710005

logg on

logg console 7

logg monitor 7

exit

On the other hand, you could use the commands "debug packet inside src a.b.c.d" and "debug packet outside dst x.y.z.n" to monitor the traffic flowing thru the PIX.

These tips will give at least some idea of what is going on and whether the traffic is being filtered by the PIX.

Hope it helps....!

Here's what I recommend:

fixup protocol dns maximum-length 1024

no fixup protocol http 80

cl xlate

hth

Sushil

cisco tac.

Hi Sushil,

Thanks for your posting, however it didn't help.

In the end I resolved the problem by upgrading from 7.0 to 7.2.(2). After I did this I still had the same problem, however the logs showed dropped packets on the outside interface from the web server. They were dropped due to MSS Exceeded.

I implemented the suggested workaround in the Cisco document "PIX/ASA 7.0 Issue: MSS Exceeded - HTTP Clients Cannot Browse to Some Web Sites"

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

Regards,

Chris

Hi Chris,

That's great, but can you let me know whether you are able to access the link below now, after applying the tcp mss commands? The link below is the HP driver site.

http://h20180.www2.hp.com/apps/Lookup?h_lang=en&h_cc=us&cc=us&h_page=hpcom&lang=en&h_client=S-A-R163-1&h_query=Pavilion+7955&submit.x=5&submit.y=9

regards...Jkannan
