Solved: Re: Pix 506E - clients http dont see some websites

hk47jr · ‎02-28-2012

Hello everyone,

I have a problem with PIX 506E that meets the version 6.1, and in an simple computer network equipment seems to behave in strange ways because some web sites do not open or very open slow thereby its operation impracticable. On the other hand other web sites open normally.

Querying the web site of the Cisco, I found several documents discussing the same problem but in a later version ( 7.0 ), not in this version 6.1.

I've tried removing the pix from the network , not the error occurred, again insert pix however tested only with a machine, without the rest of the network and the problem persists.

Can anyone help me find and solve this problem?

david.tran · ‎03-06-2012

Here is my 2c. on this:

Even if you confirm that this is a Pix issue, you don't have much of a choice because your next option is ASA.

Why not just bite the bullet now and get an ASA5505 and give it another try. If it does not work, you can open a case with TAC and get a fix.

There is no point of playing with a code that is no longer supported.

View solution in original post

Kimberly Adams · ‎02-28-2012

Can you please post your configuration, it may help us to see it and then be better armed to help you.

Thanks,

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.

hk47jr · ‎02-28-2012

Ok, follows the attached file for your review.

Thank You.

Jose

De: kadams@gbrx.com supportforums-donotreply@supportforums.cisco.com

Enviada em: terça-feira, 28 de fevereiro de 2012 15:32

Assunto: Re: Pix 506E - clients http dont see some websites - Re: Pix 506E - clients http dont see some websites Re: Pix 506E - clients http dont see some websites

Home<https://supportforums.cisco.com/index.jspa>

Re: Pix 506E - clients http dont see some websites

created by Kimberly Adams<https://supportforums.cisco.com/people/kadams%40gbrx.com> in Firewalling - View the full discussion<https://supportforums.cisco.com/message/3574389#3574389

hk47jr · ‎03-05-2012

Mr. Kimberly,

You have news about this issue ?

Thank You

Jose

Kimberly Adams · ‎03-05-2012

Jose,

I couldn't find your attached configuration. Can you just paste into the forum?

Thanks,

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.

hk47jr · ‎03-06-2012

OK I Attached configuration again.

Thanks a lot.

Jose

De: kadams@gbrx.com supportforums-donotreply@supportforums.cisco.com

Enviada em: segunda-feira, 5 de março de 2012 17:46

Assunto: Re: Pix 506E - clients http dont see some websites - Re: Pix 506E - clients http dont see some websites Re: Pix 506E - clients http dont see some websites

Home<https://supportforums.cisco.com/index.jspa>

Re: Pix 506E - clients http dont see some websites

created by Kimberly Adams<https://supportforums.cisco.com/people/kadams%40gbrx.com> in Firewalling - View the full discussion<https://supportforums.cisco.com/message/3579291#3579291

david.tran · ‎03-06-2012

Please set the mtu on both inside and outside to 1500. I think that will solve your problem:

mtu outside 1500

mtu inside 1500

are there any reasons why you need it to be at 2000?

hk47jr · ‎03-06-2012

Hi David, thank for your help.

Interfaces in the value it was this, and had the same problem I changed the value to 2000, as a test, the chance to solve the problem. But unfortunately it still fails, and let the current value.

Regards,

Jose

De: david.tran@finra.org supportforums-donotreply@supportforums.cisco.com

Enviada em: terça-feira, 6 de março de 2012 09:07

Assunto: Re: Pix 506E - clients http dont see some websites - Re: Pix 506E - clients http dont see some websites Re: Pix 506E - clients http dont see some websites

Home<https://supportforums.cisco.com/index.jspa>

Re: Pix 506E - clients http dont see some websites

created by david.tran@finra.org<https://supportforums.cisco.com/people/david.tran%40finra.org> in Firewalling - View the full discussion<https://supportforums.cisco.com/message/3579789#3579789

david.tran · ‎03-06-2012

try this, remove "fixup protocol http 80", it is nothing but trouble:

no fixup protocol http 80

hk47jr · ‎03-06-2012

Hi David,

In another test before I realized, I had taken this command no fixup protocol http 80 ,but the problem persist. It is somenthing really unusual, never seen such a problem.

Jose

david.tran · ‎03-06-2012

then I am out of idea, unless you want to give it another try, I don't think it will work, but what the hell:

access-list external permit icmp any any log

access-list external permit ip any any log

access-group external in interface outside

access-list capture permit ip any any

capture external access-list capture interface outside

capture internal access-list capture interface inside

Not sure if version 6.1.(4) support capture. Then use wireshark to see why it fails for some sites

hk47jr · ‎03-06-2012

Well I think we have no chance, I will schedule and I will capture the packets from network to see what really happens, I respond with the results.

Thank you all up to date.

david.tran · ‎03-06-2012

Here is my 2c. on this:

Even if you confirm that this is a Pix issue, you don't have much of a choice because your next option is ASA.

Why not just bite the bullet now and get an ASA5505 and give it another try. If it does not work, you can open a case with TAC and get a fix.

There is no point of playing with a code that is no longer supported.

hk47jr · ‎04-26-2012

Anybody, the solutions is change PIX. thank you for all