Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Packet sniffing with PIX 515E

Hi. I am having an issue.

I have a PIX 515E w/FO. We run an ERP that has a VPN directing all ERP traffic to our hosted site. We have used this for over 5 years and the ERP vendor is upgrading the systems we use. TO do this, we are running Production and Test in parallel.

The sequence as I understand it is:

User connects to URL using http. This sends a request to the servers to present a page. The page contains a logon page for the client to access.

Simple. Right?

The problem is with the new Test system. We see the behavior normally upon the first boot of the day or shutting down and rebooting the system. The first time you click enter the URL and try to pull up the logon interface (basically the first page), it gives an error that the Page Cannot Be Displayed. After subsequent attempts of 2-3 three times it works and continues to work until shutdown. The ERP provider says the issue is on our end because when they ping our interface we drop about 4-5 packets per 1000 from their VPN. I say they are absurd for two reasons:

1. The Production sessions never have this issue and they are passing traffic through the same firewall to the same VPN.

2. There is no way that 4-5 packets being lost per 1000 should keep this negotition from happening. If so, it is news to me but I guess it's possible.

What I would need to do to solve this is perform some packet sniffing. To do so, I THINK I need to first, identify all Oracle traffic and sniff the "good" packet behavior and then isolate the new TEST traffic and catch it during the times it fails.

Can anyone shine the light on this for me? I am fairly able to issue commands on the device - just do not know what commands are needed and how to completely interpret the traffic.

Forgive me if I left anything out. THe Version of software is 6.3 and we have the memory in place to upgrade to 7.22 this week once I get this resolved.


Community Member

Re: Packet sniffing with PIX 515E

Below is a link for the capture command. You would be looking for TCP port 1521.

Do they see packet loss to the productions boc? Do you see packet loss if you send pings to the server? You said the server typically fails to serve a page until after 3 to 4 attempts.

Try this the next time you have to boot. Instead of opening a web browser, ping the server by name (If using DNS) also on the PIX after you open the web browser perform the following command:

"sh local ipaddressofserver"

Post the results of the capture, the ping and the sh local command

Another link to help troubleshoot connections:

Community Member

Re: Packet sniffing with PIX 515E

Ok. I will try this and get back to you.


Community Member

Re: Packet sniffing with PIX 515E

Please close this request. I just hired a Cisco Engineer to take care of this for us.

CreatePlease to create content