Windows 7 cannot browse internet from inside network when Cisco 506e Pix is gateway

Charles.Reese (Level 1)

We have a network set up as:

Internet ---> Cisco Router 2600 ---> Cisco Pix 506e ---> Cisco 3550 ---> Windows Clients

Currently all PCs are either Windows XP 32 bit or Windows 2003 Server 32 bit on an IPv4 network. We are migrating to Windows 7 32 bit on the clients. For some reason Windows 7 refuses to connect to the internet. Windows XP can browse the internet, so connectivity is working fine. Windows 7 is a default install, no special settings, no firewall (Disabled), no antimalware/antivirus software.

IPv4 addresses are assigned from a Windows 2003 DHCP server, which provides a 10.x.x.x/24 address, gateway, mask and DNS server settings.

Windows 7 can see all internal devices and can browse local inside web sites.

I cannot see any issues. Any ideas?

15 Replies

lcaruso (Level 6)

Maybe Win7's protocol stack has IPv6 bound ahead of IPv4.

ipconfig /all shows the addresses assigned to a workstation. If the IPv6 address shows up higher in the list, it is bound first. Try disabling IPv6.

Actually, IPv6 is disabled.

All other adapters are disabled too. No WiFi, no virtual adapters (Bonjour, etc.).

Compare the default gateway setting and default routes on Win7 to those on XP.

Log on to the PIX and see if this command works:

show asp drops

Windows XP Route Print

-------------------------------------------------------------------------------------------
H:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1a a0 6e 7f 14 ...... Intel(R) 82566DM-2 Gigabit Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.0.0.253       10.0.0.98        20
        10.0.0.0     255.255.255.0       10.0.0.98       10.0.0.98        20
       10.0.0.98   255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255       10.0.0.98       10.0.0.98        20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0       10.0.0.98       10.0.0.98        20
  255.255.255.255  255.255.255.255       10.0.0.98       10.0.0.98        1
Default Gateway:       10.0.0.253
===========================================================================
Persistent Routes:
  None
-------------------------------------------------------------------------------------------

Windows 7 Route Print

-------------------------------------------------------------------------------------------
===========================================================================
Interface List
17...08 11 96 37 ef 5c ......Intel(R) Centrino(R) Advanced-N 6205
14...5c 26 0a 80 3e 4a ......Intel(R) 82579LM Gigabit Network Connection
  1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.0.253       10.0.0.55     276
        10.0.0.0     255.255.255.0         On-link        10.0.0.55     276
       10.0.0.55   255.255.255.255         On-link        10.0.0.55     276
      10.0.0.255   255.255.255.255         On-link        10.0.0.55     276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.0.0.55     276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.0.0.55     276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      10.0.0.253   Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
-------------------------------------------------------------------------------------------

Also "show asp drops" does not work. The PIX is:

Firewall

-------------------------------------------------------------------------------------------
pixf# sh ver
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
pixf up 2 days 21 hours
Hardware:   PIX-506, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 8MB
BIOS Flash AT29C257 @ 0xhhhhhhhh, 32KB
0: ethernet0: address is xxxx.xxxx.xxxx, irq 11
1: ethernet1: address is xxxx.xxxx.xxxx, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          4
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Limited
IKE peers:                   Unlimited
This PIX has a Restricted (R) license.
Serial Number: nnnnnnnnn (0xhhhhhhhh)
Running Activation Key: 0xhhhhhhhh 0xhhhhhhhh 0xhhhhhhhh 0xhhhhhhhh
Configuration has not been modified since last system restart.
-------------------------------------------------------------------------------------------

These are all the same: originating inside networks, default route/gateway, DNS server, IP protocol.

So there's no difference between Win7 clients and XP clients, but the problem states there is a difference. Hmm.

Can you ping 8.8.8.8 from XP? Win7?

Windows XP

ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
-------------------------------------------------------------------------------------------
tracert 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.
Trace complete.
-------------------------------------------------------------------------------------------

Windows 7

ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 10.0.0.55: Destination host unreachable.
Reply from 10.0.0.55: Destination host unreachable.
Reply from 10.0.0.55: Destination host unreachable.
Reply from 10.0.0.55: Destination host unreachable.
Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
-------------------------------------------------------------------------------------------
tracert 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
  1  testlaptop.contoso.com [10.0.0.55]  reports: Destination host unreachable.
Trace complete.
-------------------------------------------------------------------------------------------

From Windows 2003 Server

-------------------------------------------------------------------------------------------
ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=219ms TTL=45
Reply from 8.8.8.8: bytes=32 time=228ms TTL=45
Reply from 8.8.8.8: bytes=32 time=250ms TTL=45
Reply from 8.8.8.8: bytes=32 time=184ms TTL=45
Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 184ms, Maximum = 250ms, Average = 220ms
tracert 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
  1     2 ms     1 ms     3 ms  xxx.xxx.xxx.xxx
  2   216 ms   215 ms    72 ms  yyy.yyy.yyy.yyy
  3   174 ms   176 ms   167 ms  12.81.40.48
  4   163 ms   160 ms   168 ms  axr01clt-so-1-0-0.bellsouth.net [65.83.239.62]
  5   126 ms   128 ms   136 ms  12.81.104.173
  6   158 ms   176 ms   184 ms  12.81.46.5
  7    16 ms    15 ms   198 ms  12.81.56.8
  8    14 ms    14 ms    14 ms  12.81.56.11
  9   186 ms   200 ms   191 ms  65.83.238.190
 10    43 ms    44 ms    43 ms  cr2.rlgnc.ip.att.net [12.123.152.110]
 11   185 ms   112 ms   175 ms  cr1.wswdc.ip.att.net [12.122.3.170]
 12   229 ms   223 ms   157 ms  12.122.113.49
 13    61 ms    54 ms    38 ms  12.94.87.18
 14   227 ms   224 ms   148 ms  216.239.46.250
 15    40 ms    40 ms    40 ms  64.233.175.219
 16   203 ms    85 ms    48 ms  72.14.232.25
 17    40 ms    40 ms    39 ms  google-public-dns-a.google.com [8.8.8.8]
Trace complete.
-------------------------------------------------------------------------------------------

Strange, XP can't get there, Win7 can't get there, but Win2K3 can.
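The three ping results in the post above are three different failure modes, and telling them apart is the first triage step: "Request timed out." means the packets left the host and nothing came back (typically dropped or filtered upstream, for example ICMP not permitted at the firewall); "Reply from 10.0.0.55: Destination host unreachable." carries the host's own address, so the Windows stack itself gave up before anything reached the wire (it could not resolve the next hop, which is why an ARP check is the natural follow-up); and the Windows 2003 output is a genuine reply. The Python below is an added example, not code from the thread, from Cisco, or from any poster: it parses `route print` (both the XP format, where on-link routes show the interface address as gateway, and the Windows 7 `On-link` format), checks that the default gateway lies on a directly connected network, and classifies `ping` output into those outcomes. All sample text is constructed to mirror the output quoted above; `local_ip` is assumed to be the address the host itself reports in the ping.

```python
"""Triage helper for the symptoms posted above (added example, not from the thread).

Reads Windows `route print` and `ping` output, checks that the default gateway
sits on a directly connected network, and tells apart the three ping outcomes
seen here. All sample text is constructed to mirror the thread's output.
"""
import ipaddress
import re

# Constructed sample in Windows 7 format ("On-link" in the Gateway column).
ROUTE_PRINT_WIN7 = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.0.253       10.0.0.55     276
         10.0.0.0     255.255.255.0         On-link        10.0.0.55     276
        10.0.0.55   255.255.255.255         On-link        10.0.0.55     276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.0.0.55     276
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      10.0.0.253   Default
"""
# Constructed sample in Windows XP format (gateway equals the interface address).
ROUTE_PRINT_XP = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.0.0.253       10.0.0.98        20
        10.0.0.0     255.255.255.0       10.0.0.98       10.0.0.98        20
Default Gateway:       10.0.0.253
"""
# Constructed ping transcripts, one per outcome seen in the thread.
PING_WIN7 = "Pinging 8.8.8.8 with 32 bytes of data:\nReply from 10.0.0.55: Destination host unreachable.\n"
PING_XP = "Pinging 8.8.8.8 with 32 bytes of data:\nRequest timed out.\nRequest timed out.\n"
PING_2K3 = "Pinging 8.8.8.8 with 32 bytes of data:\nReply from 8.8.8.8: bytes=32 time=219ms TTL=45\n"

# One route row: destination, netmask, gateway (IP or "On-link"), interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)
REPLY_RE = re.compile(r"^Reply from (\d+\.\d+\.\d+\.\d+): (.*)$")


def parse_ipv4_routes(text):
    """Return the Active Routes rows of `route print` as dicts; other lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def check_default_gateway(routes):
    """Return (gateway, reachable). reachable is True when a directly connected
    route (On-link, or gateway == interface on XP) covers the gateway address;
    if it is False the host cannot ARP for its gateway and every packet bound
    for the internet is dropped by the host itself."""
    defaults = [r for r in routes if r["network"].prefixlen == 0]
    if not defaults:
        return None, False
    gateway = min(defaults, key=lambda r: r["metric"])["gateway"]
    gw = ipaddress.IPv4Address(gateway)
    connected = [r for r in routes
                 if r["gateway"] in ("On-link", r["interface"]) and r["network"].prefixlen > 0]
    return gateway, any(gw in r["network"] for r in connected)


def classify_ping(text, local_ip):
    """Classify Windows `ping` output as one of:
    reply              - echo replies came back from the target
    timeout            - packets left the host and nothing returned (dropped or
                         filtered upstream, e.g. ICMP not permitted at the firewall)
    local_unreachable  - the unreachable carries our own address: the next hop
                         could not be resolved, so nothing reached the wire
    remote_unreachable - a router on the path sent the unreachable
    """
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if line == "Request timed out.":
            seen.add("timeout")
            continue
        m = REPLY_RE.match(line)
        if not m:
            continue
        src, rest = m.groups()
        if rest.startswith("bytes="):
            seen.add("reply")
        elif "unreachable" in rest.lower():
            seen.add("local_unreachable" if src == local_ip else "remote_unreachable")
    for label in ("reply", "local_unreachable", "remote_unreachable", "timeout"):
        if label in seen:
            return label
    return "no_data"


if __name__ == "__main__":
    print(check_default_gateway(parse_ipv4_routes(ROUTE_PRINT_WIN7)))  # ('10.0.0.253', True)
    print(classify_ping(PING_WIN7, "10.0.0.55"))  # local_unreachable
    print(classify_ping(PING_XP, "10.0.0.98"))  # timeout
```

Run against the tables posted above, the route check passes on both hosts (10.0.0.253 is inside the on-link 10.0.0.0/24 on XP and Win7 alike), which narrows the Win7 case to layer 2: the route is fine, yet the host cannot deliver to the gateway, so the ARP cache and what the switch port sees are the next things to look at. The XP case is a different problem (the packets leave the host), and that is where the PIX xlate/conn tables and its logs are the right place to look.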

Hi,

When you do the pings and traceroute, can you also post sh xlate and sh conn from the PIX, as well as sh route.

What is puzzling is the persistent route on Win7. Can you also do a route delete * on the Windows 7 machine, then ipconfig /release and ipconfig /renew, and test again to see if there is a difference.

Regards.

Alain.

Don't forget to rate helpful posts.

Well, the XP machine and W2K3 server did add an entry to the xlate table as they should.

     sh xlate
     Global xxx.xxx.xxx.xxx Local 10.0.0.98

But sh conn did not show any entries for any machine.

I executed a "clear" on the PIX before running the commands.

The route delete * is a no go. I am diagnosing this remotely and that will sever my access to that machine.

Hi,

Could you try clearing the ARP cache on Windows 7 with arp -d * and try a ping again.

If it doesn't work, then verify the ARP cache with arp -a.

Regards.

Alain.

Don't forget to rate helpful posts.

brian.jones (Level 1)

Did anyone ever find an answer to this?

I guess the way to go would be to take packet captures on the PIX itself and on the host testing the connection to confirm what is happening.

Also, monitoring the logs of the PIX firewall should tell something if connections are not getting through the firewall completely.

We only have a few customers that still use this PIX model, but we haven't run into any such problem.

- Jouni

Thanks for the response.  I don't have the exact same model.  Running PIX-535 with 6.2(2) code.

Cisco PIX Firewall Version 6.2(2)

Compiled on Fri 07-Jun-02 17:49 by morlee

FW-O1 up 5 days 15 hours

Hardware:   PIX-535, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash DA28F320J5 @ 0xfffd8000, 128KB

0: gb-ethernet0: address is 0003.470d.6376, irq 255
1: gb-ethernet1: address is 0003.470d.635e, irq 255
2: gb-ethernet2: address is 0003.470d.6360, irq 255
3: gb-ethernet3: address is 0003.470d.6347, irq 12
4: gb-ethernet4: address is 0003.470d.637a, irq 12
5: gb-ethernet5: address is 0003.470d.636f, irq 255
6: gb-ethernet6: address is 0003.47de.6f5e, irq 255
7: gb-ethernet7: address is 0003.47de.7182, irq 12
8: ethernet0: address is 0002.b31b.908f, irq 12
Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES:           Disabled
Maximum Interfaces: 10
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

I don't think I have enough flash to upgrade to 7.0. We are in the process of migrating the PIX to another new firewall, but it may be a bit before we do so, so I was looking for options.

The funny thing is, it is only for certain sites. facebook.com and firefox.com are two that everyone complains about. I went to another site today and ran into the same issue. But others such as yahoo.com, cnn.com, etc. work perfectly fine. ICMP works for all sites (unless the site blocks it).

Hello Brian,

As Jouni said, the way to go is with captures and logs.

My advice: open a new thread explaining your issue in detail so we can focus on a clean discussion.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

No answer was ever found for the PIX 506e. We just determined it was time to upgrade the firewall anyway. Went with an ASA 5505. As soon as we changed that, the systems worked as we expected. I believe it was related to IPv6, but we did have that turned off for the clients.

Basically, the time to troubleshoot was going to exceed the price of the ASA. Sometimes a problem is not worth finding a solution for if the solution cannot be afforded by the client.
