cant ping within the DMZ

Unanswered Question
Jan 15th, 2008

I have a DMZ with a www server and an FTP server, and I can't ping between the two. If I issue a ping I get one reply then 3 failures; if I wait about three minutes I can issue the ping again, get one reply, then the rest fail. I can ping the switch from the servers and I can ping from the switch to the servers. I have also tried to browse from one server to the other by \\10.10.5.x\c$ and I get "no network provider accepted the given network path".

I can access the inside network and outside network no problem. I have connected the two servers via a crossover and the ping worked great.

I'm stumped.

Thanks.

pjhenriqs Wed, 01/16/2008 - 02:41

Hi Jerry,

I can't tell you what the problem is because I'm not seeing it but... if you ping from one server to the other, do you see the traffic going through the firewall? You shouldn't be seeing this because both servers are on the same network.

So if you are not seeing this, it means that the problem is not the firewall. If you are seeing the traffic then I would advise you to review your subnets because this should not be happening.

Please post here when you find a solution to your problem. I'm curious :).

Thanks,

Paulo

pjhenriqs Wed, 01/16/2008 - 08:48

Hi,

There are two ways. Either you check the logs or you configure a packet capture on the firewall.

To check the logs, go into ASDM, under the Monitoring tab and click on Logging. Choose Debugging just to make sure you see everything. You should be able to filter the output by IP address/string.

To configure a capture, in the CLI do:

capture interface

And then do show capture

There are more twists to this, but that should be enough for you to see if the traffic is going to the firewall.

Regards,

Paulo

jerry.mcrae Thu, 01/17/2008 - 18:39

I ran a logging buffered debug on the PIX. I am pinging from 10.10.5.7 to 10.10.5.6.

Jan 17 2008 19:22:05 : %PIX-6-609001: Built local-host inside:10.10.5.6
Jan 17 2008 19:22:05 : %PIX-6-302020: Built ICMP connection for faddr 10.10.5.7/512 gaddr 10.10.5.6/0 laddr 10.10.5.6/0
Jan 17 2008 19:22:05 : %PIX-6-110001: No route to 10.10.5.6 from 10.10.5.7
Jan 17 2008 19:22:08 : %PIX-6-302021: Teardown ICMP connection for faddr 10.10.5.7/512 gaddr 10.10.5.6/0 laddr 10.10.5.6/0
Jan 17 2008 19:22:08 : %PIX-6-609002: Teardown local-host inside:10.10.5.6 duration 0:00:02

From a debug icmp trace I get this, on the same PIX. I didn't get the replies on the 10.10.5.7 server, but this says I did.

ICMP echo reply (len 32 id 512 seq 22785) 10.10.5.6 > 10.10.5.7
ICMP echo reply (len 32 id 512 seq 23041) 10.10.5.6 > 10.10.5.7
ICMP echo reply (len 32 id 512 seq 23297) 10.10.5.6 > 10.10.5.7

Could this be related to NAT?

jerry.mcrae Thu, 01/17/2008 - 20:08

Hopefully this will help. I did a debug arp on the PIX.

arp-in: request at DMZ1 from 10.10.5.7 0006.5b3c.8901 for 10.10.5.6 0000.0000.0000
arp-in: rqst for me from 10.10.5.7 for 10.10.5.6, on DMZ1
arp-set: added arp DMZ1 10.10.5.7 0006.5b3c.8901 and updating NPs at -772732892
arp-in: generating reply from 10.10.5.6 0005.5d18.fffb to 10.10.5.7 0006.5b3c.8901

pjhenriqs Fri, 01/18/2008 - 01:11

Hi Jerry,

This is definitely not a problem with the firewall. These two IP addresses are both on the same subnet so the traffic should not be going through the firewall!

Check your switch/VLAN configuration and review why the traffic is going to the firewall and not directly to the host.

HTH,

Paulo
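Paulo's diagnostic point above, that traffic between two hosts on the same subnet should never show up on the firewall, can be turned into a check over the PIX syslog. The following is an added example, not part of the thread or of any Cisco tool: it parses %PIX-6-302020 and %PIX-6-110001 lines and flags any flow whose two endpoints fall inside the same interface subnet. The sample log is constructed after the lines Jerry posted; the DMZ prefix 10.10.5.0/24 is the one in the thread, while the inside prefix 172.16.1.0/24 is an assumption.

```python
import ipaddress
import re

# Constructed sample modelled on the PIX messages quoted earlier in the thread;
# not captured from a real device. The last line is a normal inside->DMZ flow
# added so the check has something it must NOT flag.
SAMPLE_LOG = """\
Jan 17 2008 19:22:05 : %PIX-6-609001: Built local-host inside:10.10.5.6
Jan 17 2008 19:22:05 : %PIX-6-302020: Built ICMP connection for faddr 10.10.5.7/512 gaddr 10.10.5.6/0 laddr 10.10.5.6/0
Jan 17 2008 19:22:05 : %PIX-6-110001: No route to 10.10.5.6 from 10.10.5.7
Jan 17 2008 19:22:08 : %PIX-6-302021: Teardown ICMP connection for faddr 10.10.5.7/512 gaddr 10.10.5.6/0 laddr 10.10.5.6/0
Jan 17 2008 19:23:10 : %PIX-6-302020: Built ICMP connection for faddr 172.16.1.64/512 gaddr 10.10.5.6/0 laddr 10.10.5.6/0
"""

# Interface subnets as the firewall knows them. DMZ1 is from the thread;
# the inside prefix is an assumed placeholder.
INTERFACE_SUBNETS = {
    "DMZ1": ipaddress.ip_network("10.10.5.0/24"),
    "inside": ipaddress.ip_network("172.16.1.0/24"),  # assumed
}

# 302020: connection built, faddr ... laddr ... ; 110001: no route to X from Y
CONN_RE = re.compile(
    r"%PIX-6-302020: .* faddr ([\d.]+)/\d+ gaddr ([\d.]+)/\d+ laddr ([\d.]+)/\d+"
)
NOROUTE_RE = re.compile(r"%PIX-6-110001: No route to ([\d.]+) from ([\d.]+)")


def interface_of(ip):
    """Name of the interface whose subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in INTERFACE_SUBNETS.items():
        if addr in net:
            return name
    return None


def find_hairpin_flows(log_text):
    """Return (src, dst, interface, message_id) for every flow the firewall
    handled whose endpoints sit on the same interface subnet. Such flows
    should have gone host-to-host via the switch and never reached the PIX."""
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            src, dst = m.group(1), m.group(3)  # faddr -> laddr
            msg_id = "302020"
        else:
            m = NOROUTE_RE.search(line)
            if not m:
                continue
            dst, src = m.group(1), m.group(2)
            msg_id = "110001"
        src_if, dst_if = interface_of(src), interface_of(dst)
        if src_if is not None and src_if == dst_if:
            findings.append((src, dst, src_if, msg_id))
    return findings


if __name__ == "__main__":
    for src, dst, ifname, msg_id in find_hairpin_flows(SAMPLE_LOG):
        print(f"intra-subnet flow on {ifname} reached the firewall: "
              f"{src} -> {dst} (msg {msg_id})")
```

Run against a real `show logging` dump, any hit means hosts on that interface are handing same-subnet traffic to the firewall instead of to each other, which is exactly the symptom of a wrong ARP answer or a VLAN problem rather than of an access rule.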

jerry.mcrae Fri, 01/18/2008 - 08:48

I plan to do a write erase on that switch Monday night. I attached the switch config.

I just ran this on the DMZ switch.

The first ping is my laptop to the DMZ switch; the second is one of the servers in the DMZ to the switch.

NOC-DMZ1-2950# debug ip icmp
ICMP packet debugging is on
NOC-DMZ1-2950#term mon
NOC-DMZ1-2950#undebug all
000302: *May 31 00:15:38.966: ICMP: echo reply sent, src 10.10.5.5, dst 172.16.1.64
000303: *May 31 00:15:39.966: ICMP: echo reply sent, src 10.10.5.5, dst 172.16.1.64
000304: *May 31 00:15:40.966: ICMP: echo reply sent, src 10.10.5.5, dst 172.16.1.64
000305: *May 31 00:15:41.966: ICMP: echo reply sent, src 10.10.5.5, dst 172.16.1.64
All possible debugging has been turned off
NOC-DMZ1-2950#term mon
NOC-DMZ1-2950# debug ip icmp
ICMP packet debugging is on
NOC-DMZ1-2950#
000306: *May 31 00:17:28.494: ICMP: echo reply sent, src 10.10.5.5, dst 10.10.5.7
000307: *May 31 00:17:29.494: ICMP: echo reply sent, src 10.10.5.5, dst 10.10.5.7
000308: *May 31 00:17:30.494: ICMP: echo reply sent, src 10.10.5.5, dst 10.10.5.7
NOC-DMZ1-2950#undebug all
All possible debugging has been turned off
NOC-DMZ1-2950#

Thanks.

jerry.mcrae Mon, 01/21/2008 - 16:01

I got the two servers to ping each other by entering static ARP entries in each of the DMZ servers.

Does this mean the switch isn't processing the ARP request properly?

jerry.mcrae Mon, 01/21/2008 - 17:29

If I look at the ARP table on one of the servers, it shows all other servers have the DMZ interface MAC as their MAC also.
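The symptom in the post above (every neighbour in the DMZ resolving to the firewall's DMZ interface MAC) is easy to spot from a host's ARP cache. The following is an added example, not from the thread: it parses Windows `arp -a` output, reports any MAC claimed by more than one IP, and specifically lists hosts that share the gateway's MAC. The table is constructed; 10.10.5.1 as the PIX DMZ address is an assumption, and the MAC 00-05-5d-18-ff-fb is the one the PIX answered from in the debug arp output earlier in the thread.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output as a Windows DMZ host would print it; not taken
# from the thread. 10.10.5.1 as the firewall's DMZ address is an assumption.
# 10.10.5.5 is the switch (it answers with its own MAC); .6 and .8 wrongly
# carry the firewall's MAC, which is the proxy-ARP symptom.
SAMPLE_ARP = """\
Interface: 10.10.5.7 --- 0x2
  Internet Address      Physical Address      Type
  10.10.5.1             00-05-5d-18-ff-fb     dynamic
  10.10.5.5             00-0a-b7-12-34-56     dynamic
  10.10.5.6             00-05-5d-18-ff-fb     dynamic
  10.10.5.8             00-05-5d-18-ff-fb     dynamic
  10.10.5.255           ff-ff-ff-ff-ff-ff     static
"""

# One ARP entry: IPv4, then a MAC in aa-bb-cc-dd-ee-ff, aa:bb:... or
# Cisco aaaa.bbbb.cccc form, then the entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4})"
    r"\s+(\w+)"
)

BROADCAST = "ffffffffffff"


def normalize_mac(mac):
    """Lower-case 12 hex digits, whatever separator the OS printed."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_arp_table(text):
    """Return {ip: normalised_mac} for every entry line in the arp -a text."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def shared_macs(table):
    """MACs that more than one IP resolves to, broadcast excluded. On a clean
    LAN this is empty; duplicates point at proxy ARP or at a host answering
    for addresses that are not its own."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if mac != BROADCAST:
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def proxied_hosts(text, gateway_ip):
    """IPs, other than the gateway itself, that resolve to the gateway's MAC.
    Any host listed here will have its same-subnet traffic sent to the firewall."""
    table = parse_arp_table(text)
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted(ip for ip, mac in table.items()
                  if mac == gw_mac and ip != gateway_ip)


if __name__ == "__main__":
    for mac, ips in shared_macs(parse_arp_table(SAMPLE_ARP)).items():
        print(f"MAC {mac} claimed by {', '.join(ips)}")
    print("hosts behind the gateway MAC:", proxied_hosts(SAMPLE_ARP, "10.10.5.1"))
```

Clearing the cache (`arp -d *`) and re-running the check after a config change confirms whether hosts now learn each other's real MACs; if the list is still non-empty the firewall (or whatever owns that MAC) is still answering ARP for addresses on its own interface subnet.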

jerry.mcrae Mon, 01/21/2008 - 17:43

I had to disable proxy ARP on the DMZ interface to make it work.

PIX(config)# sysopt noproxyarp DMZ1

Thanks for everyone's input to help resolve this issue!
