
New Member

Random users can not access external hosts. Changes Daily.

I have this ongoing issue where some of my users are unable to access external resources one day, then the next day they are able to.

I have tried the normal troubleshooting techniques to eliminate any PC side variables that I could think of.

These users can access 100% of the internal network resources but they cannot access any ports external to the network, i.e. (dns, ftp, www). I have plugged them into different ports, switches, manually assigned IPs, checked routing tables, etc.

Currently my network has a 2500 (2514?) router and a pix520 series firewall both connected to a 5 port 10/100 hub. The firewall passes from the hub to one of the main switches on the LAN.

I thought perhaps I am out of connection licenses on the firewall but I cannot find any such information on the 520. It is running an old software rev 4.2.2.

I can take one of the 'afflicted' PCs and plug it into the hub and assign it an external address and it works. Internal address, doesn't work.

If I do a traceroute from the problem PC to an outside source, initially (before route is populated with outside host's route) the first hop will be my router, then the second hop will be the router also. Then it times out. Subsequent traceroutes from this PC will time out on ALL hops. I can clear the route and then we get 2 hops again. All other PCs on the network can traceroute outside.

Can anyone give me a tip or a decent way to troubleshoot this? I don't have any high-end sniffing equipment, just normal tools.

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Random users can not access external hosts. Changes Daily.

Could you be running out of addresses in your NAT pool?

6 REPLIES
New Member

Re: Random users can not access external hosts. Changes Daily.

Also, some of the users are Macintosh and the others are Windows 2000/XP.

Re: Random users can not access external hosts. Changes Daily.

Once you find that a PC is having a problem, log on to the PIX and clear the translation entries (`clear xlate`). Note that this would clear all active translations; I would recommend using this not during peak hours.

See if the problem clears up after you clear the translation entries.

You could also download some free sniffer tools such as Ethereal and see what's happening.

New Member

Re: Random users can not access external hosts. Changes Daily.

Hi and thanks for the reply. I have cleared the translation tables with no apparent results on the problem PCs.

Silver

Re: Random users can not access external hosts. Changes Daily.

Could you be running out of addresses in your NAT pool?

New Member

Re: Random users can not access external hosts. Changes Daily.

This very well could be happening but I am not really familiar with this unit. Can you suggest a way to figure this?

I did put both a syslog server and a sniffer software package on a SPAN'd port that connects to the problem PC (today it's a Dell).

What I am seeing is that when a 'working' user accesses the internet I get Syslog records of it. But I have no Syslog records of the users that cannot get to the internet. This leads me to believe that they are having connection issues to the firewall. But they can ping the inside firewall interface.

The port sniff shows that there is a DNS resolution for the HTTP pages that they are trying to access, and it shows an HTTP/SYN type of packet to the external site. But it does not show anything about the firewall.

I would think that if I am running out of POOLed IPs that I would see a Syslog message about it. Or not?

New Member

Re: Random users can not access external hosts. Changes Daily.

I went ahead and enabled PAT for the time being. I hope this clears up my particular issue.

I just wish that there was a quick way to tell or that Syslog would indicate this type of error.
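One way to check the NAT-pool theory raised in this thread, as an added example that is not part of any poster's reply: save the firewall's translation table (`show xlate`) to text and compare the global addresses in use against the configured pool. The `Global ... Local ...` line shape, the pool range and all addresses below are assumptions constructed for illustration; adjust the regex to what your software revision prints.

```python
import ipaddress
import re

# Assumed shape of a one-to-one translation line; not taken from the thread.
XLATE_RE = re.compile(
    r"Global\s+(\d+\.\d+\.\d+\.\d+)\s+Local\s+(\d+\.\d+\.\d+\.\d+)")

def pool_addresses(first, last):
    """Return the set of addresses in an inclusive global pool range."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return {ipaddress.IPv4Address(n) for n in range(lo, hi + 1)}

def pool_report(xlate_text, first, last, inside_hosts=()):
    """Summarise pool usage and list inside hosts holding no translation."""
    pool = pool_addresses(first, last)
    used_globals = set()   # pool addresses currently handed out
    translated = set()     # every inside host that has any translation
    for g, l in XLATE_RE.findall(xlate_text):
        translated.add(ipaddress.IPv4Address(l))
        g_addr = ipaddress.IPv4Address(g)
        if g_addr in pool:  # entries outside the dynamic pool are not counted
            used_globals.add(g_addr)
    missing = [h for h in inside_hosts
               if ipaddress.IPv4Address(h) not in translated]
    return {
        "pool_size": len(pool),
        "in_use": len(used_globals),
        "free": len(pool) - len(used_globals),
        "exhausted": len(used_globals) >= len(pool),
        "untranslated": missing,
    }

# Constructed sample table: a four-address pool, fully allocated, plus one
# entry that maps to an address outside the pool.
SAMPLE = """\
Global 192.0.2.10 Local 10.1.1.21 nconns 3 econns 0
Global 192.0.2.11 Local 10.1.1.34 nconns 1 econns 0
Global 192.0.2.12 Local 10.1.1.8 nconns 0 econns 0
Global 192.0.2.13 Local 10.1.1.50 nconns 2 econns 0
Global 192.0.2.200 Local 10.1.1.5 nconns 0 econns 0
"""

if __name__ == "__main__":
    print(pool_report(SAMPLE, "192.0.2.10", "192.0.2.13",
                      ["10.1.1.21", "10.1.1.77"]))
```

A full pool combined with an affected PC that appears under `untranslated` matches the symptom described here: the hosts that obtained a translation first get out, and the rest do not until entries time out.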
