Problem With Pix 515e. A strange connectivity problem

Apr 24th, 2007

Hello..

I have been facing a problem for 2 weeks with a brand new PIX 515e. I cannot ping from or to the PIX, even from or to an inside host !! I tried every configuration I've managed to find on the Internet with no success.. Also, I am not able to telnet to the unit.. I enabled the debugging for ICMP and for packets, and when I ping the inside interface from an inside host, I get debugging messages for the packets but not for ICMP.. All the needed information is in the attached file.

I am connecting to the firewall by console only, and I tried all the ICMP permit commands, access-lists, static and dynamic NATting, and everything else with no success. Any idea about fixing the problem? I am really out of ideas.

Thanks

ajupanicker Tue, 04/24/2007 - 03:15

Hi there,

I am also facing a similar problem with the PIX515E with 7.2(2). I am not able to assign an IP address for the inside interface; it shows the ip address in the running config, but in the show interface output it shows "ip address unassigned".

Linking my query at netpro to this post.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dde402f

hanankz07 Tue, 04/24/2007 - 04:59

It is not the same.. I am able to assign the IP addresses, and they show up through the debug command.. The interfaces receive the packets, but it stops there !!

gwong@atpco.net Tue, 04/24/2007 - 09:02

Is your host machine connected directly to the PIX interface ethernet1 via straight-thru cat5? If you are, then it's not possible and you would need a crossover cable in order to be able to connect directly to the PIX interface.

Your test config looks fine to me. It's probably a layer 1 issue. Also try using access-list capture to debug the situation; it would help to focus on the main issue, which is the traversing packets, not the packet details themselves.

If you like the review please provide some level of rating.

hanankz07 Tue, 04/24/2007 - 12:48

I used a cross cable for the direct connection.. Then I connected them through straight cables and a switch.. Do you have any suggestions to check the root of the problem?

hanankz07 Tue, 04/24/2007 - 23:48

The below is the output of the sh ver command:

Cisco PIX Firewall Version 6.3(5)
Compiled on Thu 04-Aug-05 21:40 by morlee
pix up 1 hour 23 mins
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 1100.1cbb.48d4, irq 10
1: ethernet1: address is 1100.1cbb.49d4, irq 11
2: ethernet2: address is 0090.2774.d98d, irq 5
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces: 5
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted ? license.
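As an added example (not posted by anyone in this thread), here is a small Python parser for the `show version` output quoted above. It extracts the software version, RAM, interfaces and licensed features, then runs two checks that the later replies revolve around: whether the box has enough memory for a 7.x image (the 128 MB minimum is Cisco's documented requirement for 7.x on a 515/515E, a figure from outside this thread), and whether each burned-in MAC address is a legal unicast address. The MAC check is an addition here: a first octet with the low bit set marks a multicast/group address, which a NIC cannot use as a unicast source, and that bit is set on the ethernet0 and ethernet1 addresses in the quoted output. The thread itself does not draw that conclusion, so treat it as a thing to verify on the hardware, not as a diagnosis.

```python
import re

# Constructed copy of the "show version" output quoted in the thread above.
SHOW_VERSION = """Cisco PIX Firewall Version 6.3(5)
Compiled on Thu 04-Aug-05 21:40 by morlee
pix up 1 hour 23 mins
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 1100.1cbb.48d4, irq 10
1: ethernet1: address is 1100.1cbb.49d4, irq 11
2: ethernet2: address is 0090.2774.d98d, irq 5
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces: 5
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted ? license.
"""

# Minimum RAM Cisco documented for running PIX 7.x software on a 515/515E
# (a figure from Cisco's release notes, not from the thread).
MIN_RAM_MB_FOR_7X = 128


def mac_is_group_address(mac):
    """True when the I/G bit (least significant bit of the first octet) is set.

    Such an address is a multicast/group address and is not valid as a
    unicast interface address.  Accepts Cisco dotted form, e.g. 1100.1cbb.48d4.
    """
    first_octet = int(mac.replace(".", "")[:2], 16)
    return bool(first_octet & 0x01)


def parse_show_version(text):
    """Parse the fields of a PIX 6.x 'show version' dump into a dict."""
    info = {"interfaces": [], "features": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Cisco PIX Firewall Version (\S+)$", line)
        if m:
            info["version"] = m.group(1)
            continue
        m = re.match(r"Hardware: (\S+), (\d+) MB RAM", line)
        if m:
            info["model"] = m.group(1)
            info["ram_mb"] = int(m.group(2))
            continue
        m = re.match(
            r"(\d+): (\w+): address is ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}), irq (\d+)$",
            line,
        )
        if m:
            info["interfaces"].append({
                "index": int(m.group(1)),
                "name": m.group(2),
                "mac": m.group(3),
                "irq": int(m.group(4)),
                "group_bit_set": mac_is_group_address(m.group(3)),
            })
            continue
        # Licensed-feature lines: "Name: Enabled|Disabled|Unlimited|<number>"
        m = re.match(r"([A-Za-z0-9 \-]+): (Enabled|Disabled|Unlimited|\d+)$", line)
        if m:
            info["features"][m.group(1)] = m.group(2)
    return info


def assess(info):
    """Summarise the parsed output into the checks discussed in the thread."""
    suspect = [i["name"] for i in info["interfaces"] if i["group_bit_set"]]
    return {
        "version": info.get("version"),
        "ram_mb": info.get("ram_mb"),
        "ram_ok_for_7x": info.get("ram_mb", 0) >= MIN_RAM_MB_FOR_7X,
        "failover_licensed": info["features"].get("Failover") == "Enabled",
        "interfaces_with_group_mac": suspect,
    }


if __name__ == "__main__":
    for key, value in assess(parse_show_version(SHOW_VERSION)).items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary; the feature regex is deliberately anchored to the whole line so that the hardware, interface and banner lines cannot be mistaken for licensed-feature entries.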

acharyr123 Tue, 04/24/2007 - 22:32

Hi,

Almost the same incident happened to me as well, but it was related to a static NATting issue. I upgraded the IOS to 7.1(2) and changed nothing. It started working fine and is still going on in good shape. I would suggest you try it once.

Another point: create 1 access list "access-list 10 permit ip any any" and bind this to the inside interface by "ip access-group 10 in interface inside", and try to ping the inside interface.

If both of the 2 points don't make any sense, then there must be a problem with the ethernet port (h/w related issue).

I faced the booting problem consecutive times with a brand new IPS. In transit it may have got faulty.

zubairjalal Wed, 04/25/2007 - 00:38

Hi.

Since you don't have any ACLs on the inside, I would suggest you try putting a conduit for ICMP, just for testing purposes, and see if it works..

conduit permit icmp any any

mark.j.hodge Wed, 04/25/2007 - 01:55

From the PIX, clear down the ARP cache, ping a known good address and see if the cache gets populated.

If it does, then it is a layer 3 issue; if not, layer 1 or 2.

hanankz07 Wed, 04/25/2007 - 02:01

Thanks for all the suggestions, but I tried them all with no success :-(

mark.j.hodge Wed, 04/25/2007 - 02:27

Is it possible to log into the switch where the inside interface is connected?

Check to see if the switch interface becomes active.

If so try a ping from the switch to the PIX and see if the PIX MAC address shows up in the interface MAC address table.

hanankz07 Wed, 04/25/2007 - 02:43

The addresses are there in the debug messages.. Also, the firewall is able to get even the ip addresses of the connected hosts which I used to ping to it from..

zubairjalal Wed, 04/25/2007 - 02:28

I hope that you have NOT been doing the testing using just one laptop. I hope that it is not a personal firewall issue with the laptop. Have you tried using some other machine?

rajbhatt Wed, 04/25/2007 - 04:05

Hi,

You can try this:

Restore the box to the factory default config (do a wr erase) and reload, then try and put the config back in before changing to another version of software.

Raj

mark.j.hodge Wed, 04/25/2007 - 06:16

OK, just to summarise:

Layer 1 and 2 seem to be operating correctly, as you get the MAC address to populate the ARP cache.

You have tried multiple target devices, so the Layer 3 issue has to be with the PIX itself.

This suggests some sort of hardware issue, has the device ever worked?

Do you have access to another PIX image to reload, either at the same version or upgrade, assuming you have sufficient memory?

Clutching at straws here, but have you tried fixing the Speed/Duplex on both the PIX and the Switch?

Have you tried connecting the device via a hub or other non-intelligent device? Just in case the switch has ARP issues.

hanankz07 Wed, 04/25/2007 - 10:24

The device is brand new; it has never worked since we took it out of the box !

I don't have another image, and the memory is 64 MB, so it is not too much for an upgrade.

And, yes; I tried fixing Speed/Duplex settings.. Also, I used a switch when the PIX didn't work with the cross cables.. Nothing worked..

gwong@atpco.net Wed, 04/25/2007 - 11:23

My advice is to open a Cisco TAC case and have it RMAed asap, because you have 90 days of warranty from the day you purchased it.

rajbhatt Mon, 05/07/2007 - 01:35

Hi,

Before you go in for an RMA, just check if you have the sh crash info. It may point to some bug.

I had a similar problem with a PIX 515E with 6.3.5, but with a failover license.

It did not ping the tftp server except from monitor mode.

So I ran failover, and once the config sync happened everything worked like magic.

But in stand alone mode I tried everything but could not get the box to ping the tftp server.

Raj
