Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
387
Views
0
Helpful
3
Replies

Packet sniffing with PIX 515E

iwadm
Level 1
Level 1

‎06-25-2007 02:37 PM - edited ‎03-11-2019 03:35 AM

Hi. I am having an issue.

I have a PIX 515E w/FO. We run an ERP that has a VPN directing all ERP traffic to our hosted site. We have used this for over 5 years and the ERP vendor is upgrading the systems we use. TO do this, we are running Production and Test in parallel.

The sequence as I understand it is:

User connects to URL using http. This sends a request to the servers to present a page. The page contains a logon page for the client to access.

Simple. Right?

The problem is with the new Test system. We see the behavior normally upon the first boot of the day or shutting down and rebooting the system. The first time you click enter the URL and try to pull up the logon interface (basically the first page), it gives an error that the Page Cannot Be Displayed. After subsequent attempts of 2-3 three times it works and continues to work until shutdown. The ERP provider says the issue is on our end because when they ping our interface we drop about 4-5 packets per 1000 from their VPN. I say they are absurd for two reasons:

1. The Production sessions never have this issue and they are passing traffic through the same firewall to the same VPN.

2. There is no way that 4-5 packets being lost per 1000 should keep this negotition from happening. If so, it is news to me but I guess it's possible.

What I would need to do to solve this is perform some packet sniffing. To do so, I THINK I need to first, identify all Oracle traffic and sniff the "good" packet behavior and then isolate the new TEST traffic and catch it during the times it fails.

Can anyone shine the light on this for me? I am fairly able to issue commands on the device - just do not know what commands are needed and how to completely interpret the traffic.

Forgive me if I left anything out. THe Version of software is 6.3 and we have the memory in place to upgrade to 7.22 this week once I get this resolved.

Thanks!!

Labels:
0 Helpful
3 Replies 3

JBDanford2002
Level 1
Level 1

‎06-25-2007 03:55 PM

Below is a link for the capture command. You would be looking for TCP port 1521.

http://firewalls.ath.cx/viewtopic.php?t=13

Do they see packet loss to the productions boc? Do you see packet loss if you send pings to the server? You said the server typically fails to serve a page until after 3 to 4 attempts.

Try this the next time you have to boot. Instead of opening a web browser, ping the server by name (If using DNS) also on the PIX after you open the web browser perform the following command:

"sh local ipaddressofserver"

Post the results of the capture, the ping and the sh local command

Another link to help troubleshoot connections:

http://firewalls.ath.cx/viewtopic.php?t=21

0 Helpful

iwadm
Level 1
Level 1
In response to JBDanford2002

‎06-26-2007 01:16 PM

Ok. I will try this and get back to you.

Thanks.

0 Helpful

iwadm
Level 1
Level 1
In response to iwadm

‎07-09-2007 07:53 AM

Please close this request. I just hired a Cisco Engineer to take care of this for us.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card