strange issue with PIX and TomCat - very very strange

Jun 19th, 2007

Dear All,

I am facing a strange issue with a TomCat application. But before everyone jumps to the conclusion that the application could be the culprit, let me explain the situation.

The application runs on Tomcat, which has SSL running on it. The server running this application is also open on ports 25 and 80, and through the PIX we are able to reach 25 and 80 without any issue. But when the application listens on 443, the PIX behaves in a weird way.

I have debugged it with sh conn; the connection is getting in, but I don't know why it is not responding for the application.

Then the application team changed the port to 8443 and it started working fine.


To test whether it's a problem with Tomcat running over the application, we bypassed the firewall, directly assigned a public IP and checked it; it was working without any issue on port 443.

Again we reverted back to the PIX, and the issue still persists. When the application was changed to all the other ports it was working fine, but with 443, HUH!!! it's not. For your information, we are using certificates also.


Now since the customer wants this at any cost on 443, we have removed the PIX from NATting and dedicated the PIX only for the site-to-site VPN; NATting and all those features are done by an ISA server.

And currently it is working fine. Does anyone have any idea about why Tomcat and the PIX are behaving in this cruel WAY :-)


I need to provide a solution or reason, and nothing is blinking. Helping hands please, techies, I am waiting for you.

JBDanford2002 Tue, 06/19/2007 - 15:42

Can you post a scrubbed config? Any possible conflicts in the config?

parveesm123 Tue, 06/19/2007 - 20:40

Dear,

c.c.c.c is the DMZ IP address where the server resides, and a.a.a.a is the outside IP address where it is NATted.

parveesm123 Tue, 06/19/2007 - 20:48

Here is the config:

interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address a.a.a.a 255.255.255.0
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address b.b.b.b 255.255.255.0
interface Ethernet2
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address c.c.c.c 255.255.255.0
access-list acl-nat0 extended permit ip b.b.b.b 255.255.255.0 c.c.c.c 255.255.255.0
access-list acl-nat0 extended permit ip b.b.b.b 255.255.255.0 x.x.x.x 255.255.255.0
access-list acl-nat0 extended permit ip b.b.b.b 255.255.255.0 y.y.y.y 255.255.255.0
access-list acl-nat0 extended permit ip 192.168.1.0 255.255.255.0 b.b.b.b 255.255.255.0
access-list acl-nat0 extended permit ip b.b.b.b 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl-dmz-nat0 extended permit ip c.c.c.c 255.255.255.0 x.x.x.x 255.255.255.0
access-list acl-dmz-nat0 extended permit ip c.c.c.c 255.255.255.0 y.y.y.y 255.255.255.0
access-list acl-dmz-nat0 extended permit ip c.c.c.c 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl-dmz extended permit tcp host c.c.c10 y.y.y.y 255.255.255.0 eq smtp
access-list acl-dmz extended permit ip host c.c.c100 any
access-list acl-dmz extended permit ip c.c.c.c 255.255.255.0 x.x.x.x 255.255.255.0
access-list acl-dmz extended permit ip c.c.c.c 255.255.255.0 y.y.y.y 255.255.255.0
access-list acl-dmz extended permit ip c.c.c.c 255.255.255.0 b.b.b.b 255.255.255.0
access-list acl-dmz extended permit ip c.c.c.c 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl-dmz extended permit tcp host c.c.c10 any eq smtp
access-list acl-dmz extended permit icmp any any
access-list acl-dmz extended permit tcp host c.c.c10 any eq 8443
access-list acl-dmz extended permit ip any any
access-list acl-outside extended permit tcp any host a.a.a.195 eq https
access-list acl-outside extended permit tcp any host a.a.a.195 eq www
access-list acl-outside extended permit tcp any host a.a.a.195 eq 8080
access-list acl-outside extended permit tcp any host a.a.a.195 eq smtp
access-list acl-outside extended permit tcp any host a.a.a.195 eq 8443
access-list acl-outside extended permit icmp any host a.a.a.195
access-list acl-outside extended permit tcp host a.a.a.195 any eq 8443
access-list acl-outside extended permit icmp any any
access-list acl-outside extended permit tcp host a.b.c.d host a.a.a.195 eq 9090
access-list acl-outside extended permit tcp host a.b.c.d host a.a.a.195 eq 3389
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl-nat0
nat (dmz) 0 access-list acl-dmz-nat0
nat (dmz) 1 c.c.c.c 255.255.255.0
static (inside,dmz) b.b.b.b b.b.b.b netmask 255.255.255.0
static (dmz,outside) a.a.a.195 c.c.c10 netmask 255.255.255.255 tcp 1000 1000
access-group acl-outside in interface outside
access-group acl-dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 a.a.a.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
service-policy global_policy global

swapnendum Sat, 06/23/2007 - 05:26

Swap here...


I have thought of a few more enhancements on the PIX... we'll apply a TCP map for this server and fine-tune the MSS options and TCP option 19... checksum etc.

We'll debug more on this...

JBDanford2002 Sat, 06/23/2007 - 07:35

I think the best action at this point would be to do a packet capture on the egress interface to determine if the packets are flowing in both directions.


access-list cap_https permit tcp host c.c.c10 eq 443 any
access-list cap_https permit tcp any host c.c.c10 eq 443
cap cap_https access-list cap_https interface dmz

Generate the 443 traffic.


Do a "sh cap cap_https"


You should see the request going to the server. Also do the following to see if any logs are being generated.


logging on
logging buffered 6


Then do a "sh log" and see if the PIX is logging any info in regards to the traffic. Also do a "sh conn local c.c.c10" and post the results here.
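To make the "both directions" check above repeatable, here is an added helper (not from the thread) that reads "sh cap" output and reports whether SYNs to the server on 443 were answered with SYN-ACKs. It assumes the PIX prints packet lines in the tcpdump-like "src.port > dst.port: flags" form; the capture text below is constructed, with c.c.c10 as the DMZ server and 198.51.100.7 as a made-up client.

```python
import re

# Constructed sample of "sh cap cap_https" output (tcpdump-like format assumed).
SAMPLE_CAPTURE = """\
4 packets captured
   1: 10:01:02.100000 198.51.100.7.51234 > c.c.c10.443: S 1000:1000(0) win 65535 <mss 1460>
   2: 10:01:02.100500 c.c.c10.443 > 198.51.100.7.51234: S 2000:2000(0) ack 1001 win 5840 <mss 1380>
   3: 10:01:02.101000 198.51.100.7.51234 > c.c.c10.443: . ack 2001 win 65535
   4: 10:01:05.100000 198.51.100.7.51235 > c.c.c10.443: S 3000:3000(0) win 65535 <mss 1460>
4 packets shown
"""

# One packet line: "<n>: <time> src.sport > dst.dport: <flags> <rest>"
PKT_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)(?P<rest>.*)$"
)

def parse_capture(text):
    """Yield (src, sport, dst, dport, flags, acked) for every packet line."""
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                   m["flags"], " ack " in m["rest"])

def check_port(text, server, port):
    """Count traffic to/from server:port and flag SYNs that never got a SYN-ACK."""
    to_server = from_server = syn = syn_ack = 0
    pending = {}  # (client, client_port) -> True until the SYN-ACK shows up
    for src, sport, dst, dport, flags, acked in parse_capture(text):
        if dst == server and dport == port:
            to_server += 1
            if "S" in flags and not acked:
                syn += 1
                pending[(src, sport)] = True
        elif src == server and sport == port:
            from_server += 1
            if "S" in flags and acked:
                syn_ack += 1
                pending.pop((dst, dport), None)
    if to_server and not from_server:
        verdict = "requests reach the server but nothing comes back: check the listener on the host"
    elif pending:
        verdict = "some SYNs were never answered"
    elif to_server:
        verdict = "both directions present on the dmz interface"
    else:
        verdict = "no traffic to the server seen: check the outside ACL and static NAT"
    return {"to_server": to_server, "from_server": from_server, "syn": syn, "syn_ack": syn_ack,
            "unanswered": sorted(f"{c}:{p}" for c, p in pending), "verdict": verdict}

if __name__ == "__main__":
    print(check_port(SAMPLE_CAPTURE, "c.c.c10", 443))
```

Paste the real "sh cap cap_https" text in place of the sample; the "unanswered" list then names the client flows whose SYN the capture saw but whose SYN-ACK it did not.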
