Cisco Support Community
Community Member

PIX losing responses from one particular DMZ website

We have a PIX 525 running 7.2(2). Recently, without any network changes, one particular webserver in the DMZ network became unreachable. Other webservers in that same network can be reached as normal. In doing packet captures both inside and in the dmz, it looks like the page request goes out and the page comes back and gets as far as the dmz interface. In packet captures on the inside network, an ACK is received from the server for the page request, and that's the last thing received on that session. Subsequent attempts seem normal until that point, too.

We have a standby PIX and we've tried doing a failover to that, and that device is showing the same behavior.


Re: PIX losing responses from one particular DMZ website

From your description, this sounds more like an issue with the webserver than a firewall issue, given your indication that other webservers in the same DMZ network have no problems. Have you looked at the app event logs etc. from the server itself to rule out any issues with it before moving on to looking at other possibilities?


Community Member

Re: PIX losing responses from one particular DMZ website

That's what I thought at first, but packet captures show a normal response up until the dmz interface of the PIX. The inside interface captures (and I'm assuming the outside interface, too) show no response after the ACK to the page request.

Re: PIX losing responses from one particular DMZ website

When you say the server is unreachable, what is the server supposed to be responding on, port 80? And what sources are connecting to it: inside, outside?

Can you post a packet trace accessing the DMZ server from inside?

packet-tracer input inside tcp <source-ip> <source-port> <destination-ip> <destination-port> detailed


Also, please be sure to rule out any physical issues: look at transmission on all physical interfaces, from the server side and the DMZ interface as well, to make sure there are no packet drops.

