Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
744
Views
0
Helpful
12
Replies

PIX Hanging Problem

Lavanholy
Level 1
Level 1

‎12-31-2008 06:28 AM - edited ‎03-11-2019 07:31 AM

Hi,

I have a PIX 515 E,it is working fine all the ways,but suddenly the entire LAN users ar enot able to access the INTERNET,but the same time mails are going and coming without any problem.VPN tunnels are established but throgh the tunnels applications are not accessible.

That time if we switch OFF and ON the PIX 515E then everything is working fine,again after say 1 or 2 hours the same problem is repeating.

Please help me to resolve theissue.

Thanks and Regards,

Lavanholy

Labels:
0 Helpful
12 Replies 12

sachinraja
Level 9
Level 9

‎01-02-2009 11:59 AM

Hello Lavanholy

Did ya see CPU spiking up ? Was the PIX hung ? Were you able to telnet to the appliance ? Also, did you notice the Xlate and the Connection table ?

Raj

0 Helpful

Lavanholy
Level 1
Level 1

‎01-05-2009 04:50 AM

Dear Mr.Raj,

I will get you th complete details tomorrow.

Actually when the problem occurs,I am able to telent to it,CPU utilizasion is 0% or 2 %,no input errors,no output errors,no collision,memory utilizasion is not at all much,sh XLATE commands shows only two entry,previously when it was working that time it used to display many XLATE entries,sh traffi display not much of traffic,

Tomorrow I will capture again and send it to you.

Thanks for your support.

Best Regards,

S.Venkatarman

0 Helpful

sachinraja
Level 9
Level 9
In response to Lavanholy

‎01-05-2009 07:47 AM

Hello Venkat

which software are you using in PIX ? I hope there are no bugs or open caveats.. have a look at the release notes of that software to be sure.. If there is no CPU util, no errors, no problem with xlate or conn table, then it could be a problem with the hardware.. do you have smartnet for the product ?

Raj

0 Helpful

Lavanholy
Level 1
Level 1
In response to sachinraja

‎01-05-2009 07:22 PM

Hello Mr.Raj,

Good morning.

IOS Version is 6.3(5)

Thanks for the help.

Best Regards,

S.Venkataraman

0 Helpful

sachinraja
Level 9
Level 9
In response to Lavanholy

‎01-05-2009 07:25 PM

did ya check for bugs in 6.3(5) ?

venkat.. have u opened a tac case for the same ? is your box in cisco smartnet ?

0 Helpful

Lavanholy
Level 1
Level 1
In response to sachinraja

‎01-07-2009 10:30 AM

Dear Mr.Sachinraja,

Thank you very much for extending your support.

No these boxes are not covered under the samrtnet support.

The peculiar problem is,if I switch OFF and ON then sometimes it works for 3 to 4 days or sometims 2 to 3 hours.

Some times browsing and VPN are working but mails are not going and coming.

One more thing there are 2 PIX 515e are connected in Cable based Failover with the appropriate licenses.

Failover is not functioning.

It is necessary to have the PUBLIC IP Address for both the active and standby firewalls then only the VPN clients can communicate with the LAN servers,but I do not know how to configure the FailOver with the same Public IP address for both the firewall's OUTSIDE IP address.

The scenario is as follows.

1. Router is connected to Internet through Serial Intrface .

2. Routers Fast ethernet interface is connected to a Switch with the IP Address 202.202.202.1/29

3.Active firwall's OUTSIDE Interface is connected to the same switch with the PUBLIC IP Address 202.202.202.2/29 with the default route pointing to 202.202.202.1

4.Standby firewall's OUTSIDE interface is configured with the PUBLIC IP Address 202.202.202.3/29 with the default route pointing to 202.202.202.1

5. 48 branches are communicating to my SAP servers through IPSec VPN tunnels.

6.IPSec Tunnels are created to 202.202.202.2.

7.If suppose the active firewall is down,the Standby firewall will become active but the OUTIDE IP Address is 202.202.202.3 in this case teh VPN client can not establish a VPN tunnel.

Please help me to achieve this failovr with VPN .

Thanks and Regards,

S.Venkataraman.

0 Helpful

Lavanholy
Level 1
Level 1
In response to Lavanholy

‎01-07-2009 10:52 AM

Hi,

Wen I see the " crashinfo"

it says "crashinfo file is corrupt"

What is the meaning?

Best Regards,

S.Venkataraman.

0 Helpful

Lavanholy
Level 1
Level 1
In response to Lavanholy

‎01-10-2009 09:55 AM

Hi Raj,

Thank you for your support.

FYI.

I am having UR license as a Primary PIX and Secondary is having teh FO license.

secondly this is not covered under cisco support,customer is not willing to go for SMARTNET now.

Now I have removed all teh FAILOVER configuration and removed the Failover cable also,now converted the primary as a Stand alone unrestriiced license.And it is working,but say after 2 or 3 hours,the LAN users are not able to access the net,mail and VPN clinets are not able to access teh SAP application.

Once I power OFF and ON then it works,sometime it works for 2 to 3 days then again the same problem comes.

Please guide me to resolve the issue.

Mean time how to convert teh FO license fire to a Stand alon UR license.Please send me the procedure.

Thanks and Regards,

Lavanholy

0 Helpful

john_peter
Level 1
Level 1
In response to Lavanholy

‎01-10-2009 10:48 AM

1.Try disabling turbo ACL in pix.

2.Ensure that no High CPU in f/w

3.Check no multiple connections in "show conn"

4.Ensure that half open sessions are getting timedout..."show timeout" & "show conn | i ssA".

5. In serial Cable based f/o, failover will not happen pri f/w reboots.

0 Helpful

john_peter
Level 1
Level 1
In response to Lavanholy

‎01-10-2009 10:49 AM

Try clearing the arp entires in switch, f/w, internet router etc..

0 Helpful

sachinraja
Level 9
Level 9
In response to Lavanholy

‎01-07-2009 11:02 AM

Venkat

When the primary firewall goes down, the standby firewall's outside IP will be swapped with the primary IP address 202.202.202.2.. It will not shift to 202.202.202.3. Thats how a PIX failover works.. When failover happens:

the units swap the IP address and MAC addresses they use in order to replace each other's presence on the network. This action is invisible to the network. The IP to MAC address relationships remain exactly the same. Therefore, no ARP tables in the network need to time out or be changed. No other piece of network equipment needs to know about the redundancy or that a switchover occurred.

Hence the VPN sessions will not reset, and remain to the same IP address 202.202.202.2, which was defined on the primary servers outside interface.. Got it ?

refer to the following document for failover configurations:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1055062

One question - do you have the failover licenses properly installed on the PIX firewall ? Can you post the show version and show run of the firewalls you have ? I hope you dont have a RESTRICTED license for PIX , since Failover does not work with REstricted license. You need a UR - Unrestricted license for the same..

Let me know

Raj

0 Helpful

Pravin Phadte
Level 5
Level 5
In response to sachinraja

‎01-12-2009 06:38 AM

Best would be replace the pix and buy a cisco ASA.

Most of the pix are facing this problem and if you try to find information from traceback there is little you can do.

best regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card