I have a web server in a DMZ and sometimes (once a week) the web server stops responding; all the services through the PIX are working except access to this web server. I have to reload the PIX to have access again. I have tried with a clear xlate or clear host-pc, but it's not enough, I need to reload the PIX to recover the connection.
When your web server stops responding, is it for the www services or no network connectivity at all to the server? Can you ping the gateway (either router or PIX DMZ interface as your GW), and can other servers in the DMZ ping the web server?
Maybe you need to disable proxy ARP on your firewall's DMZ interface:
sysopt noproxyarp dmz
Before you do this, check your proxy ARP status (sh sysopt) and verify whether it was already disabled. Proxy ARP is on if you don't see the above status (sysopt noproxyarp dmz).
Hi ... if you configured the static NAT for this box WITHOUT the optional parameters [max_conns [emb_limit]], then it could be that there are too many simultaneous connections to the web server, which could be overloading its response. Similarly, if you are not using emb_limit, your web server could be experiencing a SYN flood type of attack, resulting in DoS for your web server. I suggest you configure these optional options on the static NAT.
The proxy ARP function in PIX is more or less similar to router proxy ARP: in this case, the firewall "impersonates" an IP address and returns its own MAC address to answer an ARP request for another device.
Since you have a static mapping in the DMZ for your web server, as mentioned by Fernando, you should enforce the max conn and embryonic limits. When you clear xlate, all those active sessions and embryonics will be cleared, and subsequently fresh connections to the server are re-opened/allowed. This does not necessarily require you to reboot the PIX.
Anyway, before/when the problem occurs again, try to monitor/check the current connections to the web server (if any) using 'sh conn | i ', and see how many active connections it has.
You can also use 'sh access-list ', which refers to the outside interface ACL, and check the hit count on the ACL line permitting external/outside access to your web server.
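The static NAT with the max_conns and emb_limit parameters that the replies above recommend, as an added PIX 6.x configuration example (not from any poster in this thread); the interface names, addresses and limit values are constructed for illustration and would be adjusted to the real environment:

```text
! Original form: static translation for the DMZ web server with no limits.
! Every connection and every half-open (embryonic) TCP session counts
! against the box until it times out, so a SYN flood or a connection
! burst can exhaust the server's capacity behind the firewall.
static (dmz,outside) 203.0.113.80 192.168.10.80 netmask 255.255.255.255

! Hardened form: cap total connections at 1000 and half-open
! connections at 200. Once the embryonic limit is reached the PIX
! starts proxying the TCP handshake for the server, so a SYN flood is
! absorbed at the firewall instead of filling the server's backlog.
! (Constructed values: size them from the server's real capacity.)
static (dmz,outside) 203.0.113.80 192.168.10.80 netmask 255.255.255.255 1000 200

! Optional, only if 'sh sysopt' shows proxy ARP is still enabled on the
! DMZ interface and ARP impersonation is suspected (see the reply above).
sysopt noproxyarp dmz

! Checks to run while the problem is happening, before reloading:
! per-host connection and embryonic counts for the web server
show local-host 192.168.10.80
! active connections involving the web server
show conn | include 192.168.10.80
! hit counts on the outside ACL entry that permits the web traffic
show access-list
! clearing the per-host state is the non-disruptive alternative to a reload
clear local-host 192.168.10.80
```

Because the conn and embryonic counts are per translation, reaching either limit blocks new sessions only for this server, which matches the symptom in the question (everything else through the PIX keeps working).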