Last month, when our PIX 515E was running into the memory leak problem (CSCsi53936) with PIX code 7.2(1), we were told to upgrade to the Cisco interim code 7.2(2)22. So slowly we have been migrating our PIX 515E boxes to that code release in order to prevent the memory leak problem.
However, yesterday, after we had successfully upgraded the code from 7.2(1) to the 7.2(2)22 interim release, we ran into this strange phenomenon. The ACLs between different interfaces on the same firewall suddenly stopped working. For instance, the hosts behind E2 (security level 10) suddenly failed to communicate with the hosts behind E1 (security level 100). However, the hosts behind E3 (security level 10) have no problems reaching the hosts behind E1. All the ACLs have been working and in place for years. I wonder if anyone has encountered this issue after upgrading to the interim code and how they went about fixing it. Or should I upgrade the code to the latest release, 8.0(2)?
Remove the access-list (after business hours) and start putting them back in one by one (from the management interface).
Look at the packet count (sh access-list) and that will tell you where your problem lies. Sometimes the device just needs to reboot with a clean config. Without seeing your list, I cannot tell you where the problem lies. IOS versions do not change the way access-lists are checked. Hosts behind a lower-security interface will not be able to reach a higher one unless you allow it with an access list.
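The hit-count check suggested above, as an added example that is not part of this thread: a small script that parses PIX/ASA `show access-list` output and flags ACLs where the permit entries are collecting no hits while a deny entry is absorbing traffic, which is the pattern that points at the ACL (or interface) where packets are being dropped. The sample output, ACL names and addresses are constructed for illustration.

```python
import re

# Constructed sample of `show access-list` output (hypothetical ACL names and addresses).
SAMPLE_SHOW_ACCESS_LIST = """\
access-list E2_in; 3 elements
access-list E2_in line 1 extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 22 (hitcnt=0) 0x1a2b3c4d
access-list E2_in line 2 extended permit udp 10.2.0.0 255.255.0.0 host 10.1.0.53 eq domain (hitcnt=0) 0x2b3c4d5e
access-list E2_in line 3 extended deny ip any any (hitcnt=4821) 0x3c4d5e6f
access-list E3_in; 2 elements
access-list E3_in line 1 extended permit tcp 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 22 (hitcnt=917) 0x4d5e6f70
access-list E3_in line 2 extended deny ip any any (hitcnt=3) 0x5e6f7081
"""

# One ACE per line: "access-list NAME line N extended permit|deny RULE (hitcnt=N) 0xHASH"
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


def parse_aces(output):
    """Return one dict per ACE with its ACL name, line number, action, rule text and hit count.
    Summary lines ("access-list NAME; N elements") do not match and are skipped."""
    aces = []
    for text in output.splitlines():
        m = ACE_RE.match(text)
        if m:
            d = m.groupdict()
            d["line"] = int(d["line"])
            d["hits"] = int(d["hits"])
            aces.append(d)
    return aces


def suspicious_acls(aces):
    """Per ACL, report permit lines with zero hits when a deny line in the same ACL has hits.
    Traffic is reaching the interface but no permit entry matches it, so that ACL is where to look."""
    by_acl = {}
    for a in aces:
        by_acl.setdefault(a["name"], []).append(a)
    report = {}
    for name, entries in by_acl.items():
        zero_permits = [e["line"] for e in entries if e["action"] == "permit" and e["hits"] == 0]
        deny_hits = sum(e["hits"] for e in entries if e["action"] == "deny")
        if zero_permits and deny_hits > 0:
            report[name] = {"unmatched_permits": zero_permits, "deny_hits": deny_hits}
    return report
```

Running it on the sample flags only `E2_in`; taking the same snapshot before and after a code upgrade and comparing the two gives a quick way to confirm whether the upgrade changed which entries match.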
Thanks for the suggestion, but at this point the solution that we have put in place is to change the security level of all the interfaces except for E0 to 10 and use the same-security-traffic inter-interface command. I share your thought on cleaning up the config and putting it back in after a wr e, but if this is a bug with the interim OS the problem is bound to happen again.
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...