Repost: PIX 515E Connection Timeout Problem

edockweb1
Level 1

I think I posted this in the wrong section earlier and wanted to move it here:

Hi Everyone,

I've been having a problem since I installed the PIX at my office. Our Internet is through AT&T Uverse, which is VDSL. I read in a few posts that the MTU for DSL connections needs to be set to 1492, as this can cause a problem with the outside connection. I have done this and still no luck. I will post my config file in the hope that someone has an answer to why this might be happening to me. Also, this happens every night after the office sits idle for, I'd say, around 3 to 5 hours. The only fix so far is to manually power off the PIX and power it back on. I'm out of options here and would really appreciate any help. Thanks in advance.

PIX Version 8.0(3)
!
hostname XXXXXXXX
enable password XXXXXXXXXXXXXX encrypted
names
!
interface Ethernet0
description outside interface
speed 100
duplex full
nameif outside
security-level 100
ip address dhcp setroute
!
interface Ethernet1
description inside interface
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.254.254 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd XXXXXXXXXXXX.XXXXXXXXX encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service RDP tcp
port-object eq 3389
object-group protocol PPTPgre
protocol-object gre
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list 110 extended permit gre any interface outside
access-list 110 extended permit tcp any interface outside eq 3389
access-list 110 extended permit tcp any interface outside eq pptp
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1492
mtu inside 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pptp 192.168.254.5 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.254.252 3389 netmask 255.255.255.255
access-group 110 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
group-policy DfltGrpPolicy attributes
dns-server value 192.168.254.5
!
class-map inspection_default
match default-inspection-traffic
class-map pptp-port
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect pptp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2444b141647324ab91eb08bb962caedf
: end
asdm image flash:/asdm-603.bin
no asdm history enable

8 Replies

Maykol Rojas
Cisco Employee

Hello,

What kind of connections are having the timeout?

Mike


The outside connection seems to be timing out. The internal network functions normally; it just loses Internet connectivity. Also, once the connection times out I can no longer RDP through the firewall or connect to the internal VPN server. I'm puzzled, since the syslog doesn't show any abnormal messages other than the ACL blocking access, such as this:

3|Nov 02 2010|16:43:24|710003|222.154.149.84|99.175.222.171|TCP access denied by ACL from 222.154.149.84/2173 to outside:99.175.222.171/23

Does my config look like it has anything out of the ordinary that could cause this?

Thanks for any help,

Andrew

Hi Andrew...

Sorry for the first post, I was leaving the office. Good, so your Internet connection is going down, is that it? I understand that when you lose connectivity you can no longer RDP to the servers on the inside.

When the problem is happening, can you ping anything on the Internet from the PIX firewall? I see that you have an IP address assigned by DHCP; have you verified that you still have an IP address when the problem happens?

Let me know.

Mike


Hi Mike,

The outside connection is set to DHCP because the router assigns a "static" public IP to the firewall by binding it to the MAC address of the PIX. When the outside connection drops, no one behind the firewall can ping outside the firewall, but the Internet connection is alive and working because the servers in the router's DMZ still have connectivity. It's a funny setup, but given the service that is how it has to be. Basically, Uverse gives you a gateway. The PIX is designated in bridge mode and assigned a public IP. Servers in the router DMZ are assigned public IPs from the block by being statically assigned through DHCP on the router. So I am able to verify that the Internet connection is active, since I can still access the web servers. I did, however, notice that when the connection on the PIX was down there was an "N/A ?" on the status of the outside link. Is there a keepalive setting or anything like that on the PIX I would need to set?

Andrew

Hello Andrew,

Well, the fact that the server in the router's DMZ still works does not guarantee that the IP assigned to the firewall is alive. The most important test that you can do is to get into the firewall via the command line and try to ping 4.2.2.2. So far, this is what I think:

1. Since the interface is shown as N/A (on the ASDM, I assume), it means that the interface is down.

2. Once this problem happens, here is what you need to do:

  Check the IP address that you have assigned via DHCP

  Try to ping 4.2.2.2

  Check the router for the binding regarding the ASA.

Please let me know how the test goes.

Cheers

Mike

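
The checklist above, written out as an added example in PIX 8.0 command syntax (it is not part of Mike's reply): the commands to run on the PIX itself while the outage is in progress, so that a dead DHCP lease, a missing default route and a dead link can be told apart. The ping target 4.2.2.2 is the one Mike names; the interface and hostname are those from the posted config. The last step, re-entering `ip address dhcp setroute` to restart the DHCP client without a power cycle, is an assumption to verify on 8.0(3), not something the thread confirms.

```cisco
! Added example: run from the PIX console or SSH while outside is down.
! Commands are PIX/ASA 7.x-8.0 syntax; no sample output is shown.

enable

! 1. Link state and whether the interface still carries an address.
show interface outside

! 2. What the Uverse gateway leased to Ethernet0 and when the lease expires.
show ip address outside dhcp lease

! 3. The default route installed by 'setroute' should still be present.
show route

! 4. Does the PIX itself still see the gateway's MAC, and can it reach the Internet?
show arp
ping outside 4.2.2.2

! 5. Interface up/down messages (severity 4) land in the buffer, because the
!    posted config has 'logging buffered warnings'.
show logging | include outside

! 6. Assumption: re-entering the DHCP address command restarts the DHCP client,
!    which is cheaper than the power cycle the original post relies on.
configure terminal
interface Ethernet0
 ip address dhcp setroute
end
```

If step 2 shows no lease and step 1 shows the line protocol down, the problem is below the PIX (cable, gateway port or the gateway's MAC binding); if the lease is present but step 3 shows no default route, it is the `setroute` path that has failed.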

Hi Mike,

Sorry for the late response. I had to wait for the problem to occur again. Here's the result of the ping when the interface was down:

XXXXXXXXX> ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

I saw it wasn't able to complete the ping, so I checked the router to see if the device was still active, and it did not show up as being online anymore. Hence the connection between the router and the PIX was broken. I would assume the problem to be with the router, but I have ruled this out, since before I installed the PIX I was using a SonicWall in the same configuration and did not have this problem. Although I believe I remember I told it to keep the connection active and not to time out. This is where I am led to believe the problem is. I think that the PIX hits its 3 hour timeout and shuts the port down, but never restarts it, leaving the connection dead. I'm not sure if this is exactly how it works, but from reading a few other forums it seems that would be possible. Is there any way to stop it from timing out? Or to set the timeout to 24 hours or something like that?

Andrew

Andrew, I'm having a similar problem with a UVerse and Cisco PIX setup. Please let me know if you found a resolution to this issue, as it's very frustrating. Thanks.

Andrew, I may have figured out a workaround for this issue. I added the DHCP/DMZ zone IP address as a static IP on the PIX outside interface. It has been 4 days since making this change and I haven't experienced the issue. Keeping my fingers crossed. Thanks.
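
The workaround in the reply above, written out as an added example (it is not the poster's own configuration): the DHCP-addressed outside interface from the original config beside a statically addressed one. The addresses 203.0.113.10/29 and gateway 203.0.113.9 are placeholders from the documentation range, not anyone's real block; substitute the public address the Uverse gateway has reserved for the PIX's MAC and the gateway's own address. The static version also shows `security-level 0` for outside, the conventional value for an Internet-facing interface (the posted config has it at 100, the same as inside); that change is independent of the DHCP question and is marked in the block.

```cisco
! --- As posted: address and default route both come from the gateway's DHCP ---
interface Ethernet0
 description outside interface
 speed 100
 duplex full
 nameif outside
 security-level 100
 ip address dhcp setroute
!
! --- Workaround: pin the same reserved address statically ---
! Placeholder addresses (documentation range); replace with the real ones.
interface Ethernet0
 description outside interface
 speed 100
 duplex full
 nameif outside
 ! 0 is the usual setting for an Internet-facing interface; the posted
 ! config uses 100. Independent of the DHCP change.
 security-level 0
 ! Entering a static address replaces the 'ip address dhcp setroute' line.
 ip address 203.0.113.10 255.255.255.248
!
! Without 'setroute' nothing installs a default route, so add it by hand.
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
```

Two things still have to hold on the Uverse gateway side: its MAC-based reservation must keep pointing the same address at the PIX, and its DMZ/passthrough setting for that address must stay in place, otherwise the static address will conflict with whatever the gateway hands out next. Save with `write memory` after confirming `ping outside 4.2.2.2` succeeds.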
