Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
446
Views
5
Helpful
6
Replies

PIX 515 web traffic problem

prafuljaded
Level 3
Level 3

‎07-19-2005 02:44 PM - edited ‎02-21-2020 12:16 AM

Hi All,

My proxy setup is as below.

Proxy-->L3 switch GW-->PIX inside

Sometimes suddenly the web internet access stops from inside. I have PAT configured on the PIX for outbound.I am able to ping/resolve internet addresses from inside routers/PCs with no problem when this is happening.The web traffic stops working with or without proxy server settings in the Internet Explorer.Sometimes 'clear xlate' fixes the problem.I am running 6.3(4)

Thanx,

Praful

0 Helpful
6 Replies 6

vasthorvak
Level 1
Level 1

‎07-20-2005 05:32 AM

check dns requests in your translation table when this is occuring and now that are initiated from your proxy. If you see alot of embryonic connections from this host for dns request then you will need to increase your dns fixup max size to something like 1024 from the default 512.

0 Helpful

prafuljaded
Level 3
Level 3
In response to vasthorvak

‎07-20-2005 10:54 AM

Hi Kevin,

I have changed the command to 'fixup protocol dns maximum-length 1024'. Is that what you meant ? But that allows DNS packets more than default 512 bytes

Thanx,

Praful

0 Helpful

vasthorvak
Level 1
Level 1
In response to prafuljaded

‎07-20-2005 01:22 PM

Yes that is correct. You want to do this if you are seeing in your syslogs (if you are logging to at least level 5 notifications) dropped dns packets due to the packet size being to large. You will also see alot of half open connections because the dns query went out and the packet was dropped by the pix but it did not tear down the session until it times out. Then the server will send out another request and the same thing happens so over time the connections will get eaten up and then the pix chokes. You might want to temporarily change it back and take a close look at your connection table and syslogs for any suspicious traffic. Once you find the culprit then you can clear the xlate or conn for just that IP and then reset the fixup back to 1024 or more. Even if you do keep the fixup at a higher level I would still recommend that you watch it closely for any suspicious traffic. Also watch the cpu and memory usage.

jackko
Level 7
Level 7

‎07-20-2005 10:33 PM

please advise the pix model

0 Helpful

prafuljaded
Level 3
Level 3
In response to jackko

‎07-21-2005 05:33 AM

Its PIX 515 as mentioned in the subject field.

Thanx Kevin..I was seeing some DNS reply reject messages on the PIX when the default of 512 Bytes was configured. Now its 1024 and CPU and memory usages are looking OK.I will keep a closer look on them.

Praful

0 Helpful

prafuljaded
Level 3
Level 3
In response to prafuljaded

‎07-21-2005 08:12 AM

Hi All,

I guess I figured out the problem. We have an internet router infront of the PIX and we have denied some TCP ports in the range (for reverse tenet) 2001 to 7099 as below.

deny tcp any any range 2001 2999

deny tcp any any range 3001 3099

deny tcp any any range 6001 6999

deny tcp any any range 7001 7099

This router was blocking ports in these range and we had intermittent problems.So PIX is not the culprit.

All http requests back which fell in this port range were getting dropped.

Thanx All,

Praful

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card