Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX problem with web server

I have a web server in a DMZ and sometimes (once a week), the web server stops responding, all the services through the pix are working except access to this web server. I have to reload the pix to have access again. I have tried with a clear xlate or clear host-pc, but it’s not enough, I need to reload the pix to recover the connexion.

Does anybody know what can be happening?

6 REPLIES

Re: PIX problem with web server

Hi,

When your web server stop responding, is it for the www services or no network connectivity at all to the server? Can you ping the gateway (either router or PIX DMZ interface as your GW), and can other servers in DMZ ping the web server?

Maybe you need to disable the proxyarp in your Firewall-DMZ interface:

sysopt noproxyarp dmz

Before you do this, check your proxyarp status (sh sysopt) and verify if it was already disabled. Proxyaro is on of you don't see the above status (sysopt noproxyarp dmz).

Try this and see whether it helps you.

Rgds,

AK

New Member

Re: PIX problem with web server

Hi,

I know i can access other servers in the dmz, but i don't have tried in the web server (I try the next time it happens)

I have NAT in the DMZ, so i think it could be very dangerous disabling proxy arp, or not?

Re: PIX problem with web server

Hi ... if you configured the static NAT for this box WITHOUT the optional paramenters [max_conns [emb_limit]] then it could be that there are too many simultaneous connections to the web server which could be overloading its response. Similar thing if you are not using emb_limit your Web server could be experincing a syn flood type of attack resulting on DoS for your web server. I suggest you to configure these optional options on the static NAT .

static (DMZ1,outside) x.x.x.x y.y.y.y.y netmask 255.255.255.255

I hope it helps ... please rate it if it does.

New Member

Re: PIX problem with web server

OK, thanks i will try it

I have seen there is another setting that can be affecting that: timeout connection and timeout half-connection.

Do you thnik can be good modify these parameters?

Re: PIX problem with web server

Hi,

Proxyarp function in PIX more or less similar to router proxyarp - in this case, the firewall "impersonating" an IP address and returning its own MAC address to answer an ARP request for another device.

Since you have static mapping in DMZ for your web server, and as mentioned by Fernando, you should enforce max conn and embryonic limit. When you clear xlate, all those active sessions and embryonics will be cleared, and subsequently re-open/allows fresh connection to the server. This does not necessarily requires you to reboot the PIX.

Anyway, before/when the problem occured again, try to monitor/check the current connections to the web server (if any) using 'sh conn | i ', as see how many active connections it has.

You can also use 'sh access-list ', which refers to outside interface ACL, and check the hitcount to the ACL line permitting external/outside access to your web server.

Rgds,

AK

Rgds,

AK

Re: PIX problem with web server

Hi,

Do you managed to solve the problem? Hopefully it does.

Rgds,

AK

114
Views
8
Helpful
6
Replies
CreatePlease login to create content