02-13-2002 04:29 PM - edited 02-20-2020 09:58 PM
Feb 13, 2002, 2:40pm Pacific
I have a PIX 520 version 6.1.2 outside interface that is getting packet loss. I was wondering if that is by design or not. Is there a way for me to specify how the PIX responds to ping requests other than of course allowing it or not?
I have ICMP on and can ping to the inside and outside and from the outside in. I am just wondering if there is a problem with the pix.
To test the situation I put a laptop in place of the pix and there was no packet loss. Once I put the pix back I got packet loss.
I have a cabinet at XO and they did exhaustive tests to see if the packet loss is their problem and it really seems that it is not.
CPU usage is at 3% so it does seem overloaded.
Traffic is as follows:
outside:
received (in 8946.060 secs):
5000655 packets 582517334 bytes
78 pkts/sec 65114 bytes/sec
transmitted (in 8946.060 secs):
5450081 packets 4280507727 bytes
129 pkts/sec 478479 bytes/sec
inside:
received (in 8946.060 secs):
5476316 packets 4917120 bytes
132 pkts/sec 69 bytes/sec
transmitted (in 8946.060 secs):
4546533 packets 555782637 bytes
28 pkts/sec 62125 bytes/sec
Thanks in advance,
Bryan Reynolds
02-14-2002 03:25 AM
Does the pix have a conduit or ACL to permit the icmp echo traffic back? The pix treats the icmp protocol differently from the rest of the ip stack.
Even if there is a permission saying permit ip any any, it still won't let icmp back in.
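An added illustration of the point in this reply (not part of the original thread, and not a config the poster ran): on PIX 6.x there is no stateful tracking of ICMP, so replies to pings originated on the inside have to be let back in by the ACL applied to the outside interface. The posted config does that with a blanket `access-list acl_out permit icmp any any`, which also accepts every ICMP type from the Internet toward the published addresses. The narrower set below admits only the reply and diagnostic types an inside-originated ping or traceroute needs, plus an explicit echo entry for one published host; the host address 216.74.21.65 is taken from the posted static, and whether that server should answer pings at all is an assumption for the example.

```text
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any host 216.74.21.65 echo
access-group acl_out in interface outside
```

These `access-list` lines only govern ICMP passing through the box to hosts behind it; pings aimed at the outside interface address itself are controlled separately by the PIX `icmp permit|deny` interface command. A useful check after narrowing the list is to ping out from an inside host and run `show access-list acl_out` to confirm the hit count on the echo-reply entry increments while the broader entries stay idle.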
02-14-2002 09:51 AM
Here is the config.
Could it be that the pix is busted?
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 DMZ2 security20
nameif ethernet4 DMZ3 security30
nameif ethernet5 DMZ4 security40
hostname pix1
domain-name obsidian-tech.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 216.74.21.65 eq www
access-list acl_out permit tcp any host 216.74.21.66 eq www
access-list acl_out permit tcp any host 216.74.21.67 eq www
access-list acl_out permit tcp any host 216.74.21.68 eq www
access-list acl_out permit tcp any host 216.74.21.69 eq www
access-list acl_out permit tcp any host 216.74.21.70 eq www
access-list acl_out permit tcp any host 216.74.21.71 eq www
access-list acl_out permit tcp any host 216.74.21.72 eq www
access-list acl_out permit tcp any host 216.74.21.73 eq www
access-list acl_out permit tcp any host 216.74.21.100 eq ftp
access-list acl_out permit tcp any host 216.74.21.100 eq ftp-data
access-list acl_out permit tcp any host 216.74.21.100 eq 443
access-list acl_out permit tcp any host 216.74.21.101 eq www
access-list acl_out permit tcp any host 216.74.21.102 eq www
access-list acl_out permit tcp any host 216.74.21.101 eq 443
access-list acl_out permit tcp any host 216.74.21.102 eq 443
access-list acl_out permit tcp any host 216.74.21.100 eq www
access-list acl_out permit tcp any host 216.74.21.93 eq www
access-list acl_out permit tcp any host 216.74.21.100 eq 8080
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu DMZ3 1500
mtu DMZ4 1500
ip address outside 209.164.24.36 255.255.255.0
ip address inside 10.0.0.254 255.255.0.0
ip address DMZ1 10.1.0.254 255.255.0.0
ip address DMZ2 10.2.0.254 255.255.0.0
ip address DMZ3 10.3.0.254 255.255.0.0
ip address DMZ4 10.4.0.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address DMZ2 0.0.0.0
failover ip address DMZ3 0.0.0.0
failover ip address DMZ4 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 216.74.21.120-216.74.21.125 netmask 255.255.255.0
global (outside) 1 216.74.21.126 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
static (inside,outside) 216.74.21.65 10.0.1.65 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.66 10.0.1.66 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.67 10.0.1.67 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.68 10.0.1.68 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.69 10.0.1.69 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.70 10.0.1.70 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.71 10.0.1.71 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.72 10.0.1.72 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.73 10.0.1.73 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.74 10.0.1.74 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.75 10.0.1.75 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.76 10.0.1.76 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.77 10.0.1.77 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.78 10.0.1.78 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.79 10.0.1.79 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.80 10.0.1.80 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.81 10.0.1.81 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.82 10.0.1.82 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.83 10.0.1.83 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.84 10.0.1.84 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.85 10.0.1.85 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.86 10.0.1.86 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.87 10.0.1.87 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.88 10.0.1.88 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.89 10.0.1.89 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.90 10.0.1.90 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.91 10.0.1.91 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.92 10.0.1.92 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.93 10.0.1.93 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.94 10.0.1.94 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.95 10.0.1.95 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.96 10.0.1.96 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.97 10.0.1.97 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.98 10.0.1.98 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.99 10.0.1.99 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.100 10.0.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.101 10.0.1.101 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.102 10.0.1.102 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.103 10.0.1.103 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.104 10.0.1.104 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.105 10.0.1.105 netmask 255.255.255.255 0 0
static (inside,outside) 216.74.21.106 10.0.1.106 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 209.164.24.1 1
timeout xlate 3:00:00
timeout conn 1:00:10 half-closed 0:10:00 udp 0:02:00 rpc 0:08:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 60
ssh timeout 60
terminal width 120
Cryptochecksum:825e91a90713a61bea73904e1a894291
02-14-2002 01:30 PM
There might be a duplex mode mismatch. Try to set the interface to either full or half duplex instead of auto.
02-14-2002 02:27 PM
Well I think I have the answer.
You will like this one.
I opened a trouble ticket with my ISP where all of this is collocated (XO), and they finally said the problem was the pix.
That's when I started asking you guys. Well, it turns out that they put a 5 megabyte cap on all lines. I am doing at least 10 megs at peak hours, which caused the problem.
So they are removing the cap. I will see if that solves the ping issue.
Again thanks for your help. Wish me luck with the removal of the cap. If that isn't it I might have to replace the cards on the pix.
Also, I did adjust the duplex to 100full and the problem was still there. Thanks for the suggestion there. I also verified that the ISP's switch was outputting at 100full, and it was.
Bryan
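An added worked example (not from the thread, and not a tool the poster used) tying the interface counters quoted in the first post to the bandwidth cap reported in the last one. It parses the `show interface` traffic summary as posted, converts the byte totals over the sampling interval into an average bit rate, reports each counter as a fraction of an assumed 5 Mbps cap, and flags counters whose byte total is impossibly small for their packet count, which is what a wrapped 32-bit byte counter or a bad sample looks like. The sample text is a constructed copy of the numbers on this page; the 5 Mbps figure is taken from the poster's description of the cap and is an assumption about its units.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "show interface" traffic summary quoted in the first post.
SAMPLE = """\
outside:
received (in 8946.060 secs):
5000655 packets 582517334 bytes
78 pkts/sec 65114 bytes/sec
transmitted (in 8946.060 secs):
5450081 packets 4280507727 bytes
129 pkts/sec 478479 bytes/sec
inside:
received (in 8946.060 secs):
5476316 packets 4917120 bytes
132 pkts/sec 69 bytes/sec
transmitted (in 8946.060 secs):
4546533 packets 555782637 bytes
28 pkts/sec 62125 bytes/sec
"""


@dataclass
class Counter:
    iface: str
    direction: str          # "received" or "transmitted"
    secs: float             # sampling interval reported by the PIX
    packets: int
    octets: int

    @property
    def avg_bps(self) -> float:
        """Average bit rate over the whole interval (hides peaks)."""
        return self.octets * 8 / self.secs

    @property
    def avg_packet_bytes(self) -> float:
        return self.octets / self.packets if self.packets else 0.0


IFACE_RE = re.compile(r"^(\S+):$")
DIR_RE = re.compile(r"^(received|transmitted) \(in ([\d.]+) secs\):$")
TOTAL_RE = re.compile(r"^(\d+) packets (\d+) bytes$")


def parse_show_interface(text: str) -> list[Counter]:
    """Walk the summary line by line; the per-second lines are ignored because
    the byte totals and the interval are enough to recompute the average."""
    counters: list[Counter] = []
    iface = None
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            iface = m.group(1)
        elif (m := DIR_RE.match(line)) and iface:
            pending = (m.group(1), float(m.group(2)))
        elif (m := TOTAL_RE.match(line)) and pending:
            direction, secs = pending
            counters.append(Counter(iface, direction, secs, int(m.group(1)), int(m.group(2))))
            pending = None
    return counters


def utilisation(counters: list[Counter], cap_mbps: float) -> dict[tuple[str, str], float]:
    """Fraction of the cap consumed by each counter's average rate."""
    return {(c.iface, c.direction): c.avg_bps / (cap_mbps * 1_000_000) for c in counters}


def suspicious_counters(counters: list[Counter], min_ip_bytes: int = 20) -> list[tuple[str, str]]:
    """Counters averaging less than a minimal IP header per packet cannot be right:
    treat them as a wrapped 32-bit byte counter or a corrupt sample, not as traffic data."""
    return [(c.iface, c.direction) for c in counters if c.avg_packet_bytes < min_ip_bytes]


if __name__ == "__main__":
    cs = parse_show_interface(SAMPLE)
    for key, frac in utilisation(cs, cap_mbps=5.0).items():  # assumed 5 Mbps cap
        print(f"{key[0]:8} {key[1]:11} {frac:6.1%} of cap (average)")
    print("suspicious:", suspicious_counters(cs))
```

The outside transmitted counter alone averages about 3.8 Mbps over the two and a half hour sample, roughly three quarters of a 5 Mbps cap; since an average that high leaves plenty of room for the peaks the poster mentions to exceed the cap, loss showing up as dropped pings is consistent with a policed link rather than a bad interface card. The inside received counter is flagged because under one byte per packet is not a traffic reading, so it should not be used to argue either way.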