I have a PIX 515 E,it is working fine all the ways,but suddenly the entire LAN users ar enot able to access the INTERNET,but the same time mails are going and coming without any problem.VPN tunnels are established but throgh the tunnels applications are not accessible.
That time if we switch OFF and ON the PIX 515E then everything is working fine,again after say 1 or 2 hours the same problem is repeating.
Please help me to resolve theissue.
Thanks and Regards,
Did ya see CPU spiking up ? Was the PIX hung ? Were you able to telnet to the appliance ? Also, did you notice the Xlate and the Connection table ?
I will get you th complete details tomorrow.
Actually when the problem occurs,I am able to telent to it,CPU utilizasion is 0% or 2 %,no input errors,no output errors,no collision,memory utilizasion is not at all much,sh XLATE commands shows only two entry,previously when it was working that time it used to display many XLATE entries,sh traffi display not much of traffic,
Tomorrow I will capture again and send it to you.
Thanks for your support.
which software are you using in PIX ? I hope there are no bugs or open caveats.. have a look at the release notes of that software to be sure.. If there is no CPU util, no errors, no problem with xlate or conn table, then it could be a problem with the hardware.. do you have smartnet for the product ?
Thank you very much for extending your support.
No these boxes are not covered under the samrtnet support.
The peculiar problem is,if I switch OFF and ON then sometimes it works for 3 to 4 days or sometims 2 to 3 hours.
Some times browsing and VPN are working but mails are not going and coming.
One more thing there are 2 PIX 515e are connected in Cable based Failover with the appropriate licenses.
Failover is not functioning.
It is necessary to have the PUBLIC IP Address for both the active and standby firewalls then only the VPN clients can communicate with the LAN servers,but I do not know how to configure the FailOver with the same Public IP address for both the firewall's OUTSIDE IP address.
The scenario is as follows.
1. Router is connected to Internet through Serial Intrface .
2. Routers Fast ethernet interface is connected to a Switch with the IP Address 22.214.171.124/29
3.Active firwall's OUTSIDE Interface is connected to the same switch with the PUBLIC IP Address 126.96.36.199/29 with the default route pointing to 188.8.131.52
4.Standby firewall's OUTSIDE interface is configured with the PUBLIC IP Address 184.108.40.206/29 with the default route pointing to 220.127.116.11
5. 48 branches are communicating to my SAP servers through IPSec VPN tunnels.
6.IPSec Tunnels are created to 18.104.22.168.
7.If suppose the active firewall is down,the Standby firewall will become active but the OUTIDE IP Address is 22.214.171.124 in this case teh VPN client can not establish a VPN tunnel.
Please help me to achieve this failovr with VPN .
Thanks and Regards,
Thank you for your support.
I am having UR license as a Primary PIX and Secondary is having teh FO license.
secondly this is not covered under cisco support,customer is not willing to go for SMARTNET now.
Now I have removed all teh FAILOVER configuration and removed the Failover cable also,now converted the primary as a Stand alone unrestriiced license.And it is working,but say after 2 or 3 hours,the LAN users are not able to access the net,mail and VPN clinets are not able to access teh SAP application.
Once I power OFF and ON then it works,sometime it works for 2 to 3 days then again the same problem comes.
Please guide me to resolve the issue.
Mean time how to convert teh FO license fire to a Stand alon UR license.Please send me the procedure.
Thanks and Regards,
1.Try disabling turbo ACL in pix.
2.Ensure that no High CPU in f/w
3.Check no multiple connections in "show conn"
4.Ensure that half open sessions are getting timedout..."show timeout" & "show conn | i ssA".
5. In serial Cable based f/o, failover will not happen pri f/w reboots.
When the primary firewall goes down, the standby firewall's outside IP will be swapped with the primary IP address 126.96.36.199.. It will not shift to 188.8.131.52. Thats how a PIX failover works.. When failover happens:
the units swap the IP address and MAC addresses they use in order to replace each other's presence on the network. This action is invisible to the network. The IP to MAC address relationships remain exactly the same. Therefore, no ARP tables in the network need to time out or be changed. No other piece of network equipment needs to know about the redundancy or that a switchover occurred.
Hence the VPN sessions will not reset, and remain to the same IP address 184.108.40.206, which was defined on the primary servers outside interface.. Got it ?
refer to the following document for failover configurations:
One question - do you have the failover licenses properly installed on the PIX firewall ? Can you post the show version and show run of the firewalls you have ? I hope you dont have a RESTRICTED license for PIX , since Failover does not work with REstricted license. You need a UR - Unrestricted license for the same..
Let me know
Best would be replace the pix and buy a cisco ASA.
Most of the pix are facing this problem and if you try to find information from traceback there is little you can do.