cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
645
Views
0
Helpful
8
Replies

WAN side of PIX 501 not responding after 10 minutes of idle time.

ctijoshtatton
Level 1
Level 1

I have a pix 501 which has a public outside address, and a private inside address. Everything works perfectly until there is 10 minutes of idle time...after that I can't even ping the public side of the pix. If I log into the PDM and ping a different public address from within that utility, everything starts working again. I have played with the timeout commands to no avail. Please help.

Josh

8 Replies 8

Jon Marshall
Hall of Fame
Hall of Fame

Hi Josh

When you can't ping the public IP address of the pix have you looked at the arp table of the pix ? It does sound like some issue with arp tables and once you ping out from the pix then the arp tables get updated.

When you say you can't ping the public IP where are you pinging from ?

Also when it stops responding what happens if you try to initiate a connection from the inside of the pix to the internet.

If possible could you post a sanitised version of the pix config.

HTH

Jon

Jon,

Thanks for responding.

I don't have any static arp entries.

When I show arp, I just get the ip and mac of my outside default route, and the ip and mac of the only pc on the inside network of the pix.

When I can't ping the public IP, I mean, I try to ping it from other networks, from home, from a hotel, etc. Or I try to connect to the vpn from these places. Both the vpn and ping work beautifully until 10 minutes of idle time passes.

If I try to initiate a connection from the inside of the pix to the internet, everything works perfectly again. I can ping the public, I can connect to the vpn...all is well until 10 minutes of idle time passes at which point it stops responding again.

Here is some information that may be helpful including a cleaned up version of my config.

You will see that I have some access-lists entries and some static entries. These are an attempt to make an inside pc an ftp and web server, these don't seem to work either, but that is not the primary issue.

The config will follow in the next post.

Josh

Legend:

public ip: xxx.xxx.xxx.22

private ip of the pix: 10.111.0.1

-------------------------------------------------------

(this doesn't change whether it's responding or not)

Result of show arp

outside xxx.xxx.xxx.1 (mac shows here)

inside 10.111.0.2 (mac shows here)

-------------------------------------------------------

(this doesn't change whether it's responding or not)

Result of show arp timeout

arp timeout 14400 seconds

-------------------------------------------------------

(this doesn't change whether it's responding or not)

Result of show arp statistics

Dropped blocks in ARP: 0

Maximum Queued blocks: 1

Queued blocks: 0

Interface collision ARPs Received: 0

ARP-defense Gratuitous ARPS sent: 0

Total ARP retries: 0

Unresolved hosts: 0

Maximum Unresolved hosts: 1

-------------------------------------------------------

Config

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password

passwd

hostname pixfirewall

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inside_outbound_nat0_acl permit ip any 10.111.0.48 255.255.255.240

access-list outside_cryptomap_dyn_20 permit ip any 10.111.0.48 255.255.255.240

access-list acl_out permit tcp any host xxx.xxx.xxx.22 eq ftp

access-list acl_out permit tcp any host xxx.xxx.xxx.22 eq www

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside xxx.xxx.xxx.22 255.255.255.0

ip address inside 10.111.0.1 255.0.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool 10.111.0.50-10.111.0.60

pdm location 10.111.0.2 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface ftp 10.111.0.2 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www 10.111.0.2 www netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup blablavpn address-pool vpnpool

vpngroup blablavpn dns-server yyy.yyy.yyy.3 yyy.yyy.yyy.6

vpngroup blablavpn idle-time 1800

vpngroup blablavpn password ********

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.111.0.2-10.111.0.33 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:

: end

Hi Josh

There is nothing obviously wrong with the conig in terms of this timing out. Couple of futher things

1) What device is upstream of the pix - presumably a router, is this controlled by you ?

2) When it stops responding, when you do a traceroute to pix external interface from the internet does it get to upstream router before timing out ie. does it still know how to route to this address.

3) Are there any other devices on the subnet that the pix and the upstream router share ?

Jon

The device upstream of the pix is a dsl router/modem provided by my ISP. When the tech installed it, he said it was a "bridge"...He told me it did not have an IP in it. He gave me the public IP for me to enter into the PIX. I am not in control of the dsl modem.

When it stops responding, and I do a traceroute to the public ip, it does not get to the final address. It hits several ip's within the ISP, but never gets to my final ip.

There are no other devices. The entire network consists of: dslrouter>pix 501>pc

Total of 3 boxes.

The pc at the end of the stream has a second nic which connects to a different intranet network entirely. (192.168 address instead of 10.111 address)

Josh

Josh

When is working and you do a traceroute do you get a response from the pix or not ?

When it is not working does it stop "one short" of where it gets to when it is working.

It doesn't sound like an issue with pix, it sounds more like an issue with either the ISP routing to your pix or a mac-address issue in the sense that the ISP upstream device does not have the correct mac-address for the pix.

Have you checked with the ISP if they are seeing any issues on your connection ?

Jon

Jon,

When it is working tracert does get a response from the pix...and when it is not, it does fall 1 short of finding the pix.

I will call my ISP and see what they say.

Thank you for all of your help Jon. I'll follow up after I talk to them.

Josh

Jon,

I called my ISP. They told me the upstream device is not capable of having a mac-address in it. They said it just acts like a switch. They say traffic is routed just fine to my pix but after a while the pix stops responding, so to them it is like it just drops off the dsl network.

Any other thoughts?

Josh

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: