PIX problem with web server

jmprats
Level 4

I have a web server in a DMZ and sometimes (once a week), the web server stops responding; all the services through the PIX are working except access to this web server. I have to reload the PIX to have access again. I have tried with a clear xlate or clear host-pc, but it's not enough, I need to reload the PIX to recover the connection.

Does anybody know what can be happening?

6 Replies

a.kiprawih
Level 7

Hi,

When your web server stops responding, is it for the www services only, or is there no network connectivity at all to the server? Can you ping the gateway (either the router or the PIX DMZ interface as your GW), and can other servers in the DMZ ping the web server?

Maybe you need to disable the proxyarp in your Firewall-DMZ interface:

sysopt noproxyarp dmz

Before you do this, check your proxyarp status (sh sysopt) and verify whether it is already disabled. Proxyarp is on if you don't see the above status (sysopt noproxyarp dmz).

Try this and see whether it helps you.

Rgds,

AK

Hi,

I know I can access other servers in the DMZ, but I haven't tried the web server (I'll try the next time it happens).

I have NAT in the DMZ, so I think it could be very dangerous to disable proxy arp, or not?

Fernando_Meza
Level 7

Hi ... if you configured the static NAT for this box WITHOUT the optional parameters [max_conns [emb_limit]], then it could be that there are too many simultaneous connections to the web server, which could be overloading its response. Similarly, if you are not using emb_limit, your web server could be experiencing a SYN flood type of attack resulting in DoS for your web server. I suggest you configure these optional options on the static NAT.

static (DMZ1,outside) x.x.x.x y.y.y.y netmask 255.255.255.255

I hope it helps ... please rate it if it does.

OK, thanks, I will try it.

I have seen there is another setting that can be affecting that: timeout connection and timeout half-connection.

Do you think it can be good to modify these parameters?

a.kiprawih
Level 7

Hi,

The proxyarp function in PIX is more or less similar to router proxyarp - in this case, the firewall "impersonates" an IP address and returns its own MAC address to answer an ARP request for another device.

Since you have a static mapping in the DMZ for your web server, and as mentioned by Fernando, you should enforce max conn and embryonic limits. When you clear xlate, all those active sessions and embryonics will be cleared, and subsequently fresh connections to the server are re-opened/allowed. This does not necessarily require you to reboot the PIX.

Anyway, before/when the problem occurs again, try to monitor/check the current connections to the web server (if any) using 'sh conn | i ', and see how many active connections it has.

You can also use 'sh access-list ', which refers to outside interface ACL, and check the hitcount to the ACL line permitting external/outside access to your web server.

Rgds,

AK
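Fernando's static NAT advice and AK's suggestion to watch 'sh conn' go together: the max_conns and emb_limit values only help if you know how close the server is to them before it stops answering. The script below is an added example, not code from this thread or from Cisco. It parses a constructed sample of PIX "show conn" output (the line layout and the reading of the flags field are assumptions: a TCP entry without the U flag is treated as embryonic, i.e. its handshake has not completed), counts established and embryonic connections to one DMZ server, lists which outside sources hold the embryonic ones, and warns when the counts approach the limits configured on the static command. The server address 10.1.1.10 and the limits are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of "show conn" output (not captured from any real PIX).
# 10.1.1.10:80 is the assumed DMZ address of the web server.
SAMPLE_SHOW_CONN = """\
TCP out 203.0.113.5:40112 in 10.1.1.10:80 idle 0:00:03 Bytes 1532 flags UIO
TCP out 203.0.113.7:40113 in 10.1.1.10:80 idle 0:00:01 Bytes 0 flags saA
TCP out 198.51.100.9:51000 in 10.1.1.10:80 idle 0:00:02 Bytes 0 flags saA
TCP out 198.51.100.9:51001 in 10.1.1.10:80 idle 0:00:02 Bytes 0 flags saA
TCP out 203.0.113.9:40200 in 10.1.1.20:25 idle 0:00:10 Bytes 880 flags UIO
UDP out 203.0.113.2:53 in 10.1.1.30:1024 idle 0:00:05 flags -
"""

# Assumed line format: "<proto> out <ip>:<port> in <ip>:<port> ... flags <flags>"
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) .*?flags (?P<flags>\S+)$"
)


def parse_show_conn(text):
    """Return one dict per connection line that matches the assumed format."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(m.groupdict())
    return conns


def is_embryonic(flags):
    # Assumption: U marks a fully established ("up") TCP connection; anything
    # still waiting on SYN/ACK flags (s, a, S, A) is a half-open connection.
    return "U" not in flags


def summarize(conns, server_ip, server_port):
    """Count established vs embryonic TCP connections to one server."""
    established = 0
    embryonic = 0
    embryonic_by_source = defaultdict(int)
    for c in conns:
        if c["proto"] != "TCP":
            continue
        if c["in_ip"] != server_ip or int(c["in_port"]) != server_port:
            continue
        if is_embryonic(c["flags"]):
            embryonic += 1
            embryonic_by_source[c["out_ip"]] += 1
        else:
            established += 1
    return {
        "established": established,
        "embryonic": embryonic,
        "embryonic_by_source": dict(embryonic_by_source),
    }


def check_limits(summary, max_conns, emb_limit, warn_ratio=0.8):
    """Warn when counts reach warn_ratio of the configured static limits.

    A limit of 0 on the static command means unlimited, so it is skipped.
    """
    alerts = []
    total = summary["established"] + summary["embryonic"]
    if max_conns and total >= warn_ratio * max_conns:
        alerts.append(f"total connections {total} near max_conns {max_conns}")
    if emb_limit and summary["embryonic"] >= warn_ratio * emb_limit:
        alerts.append(
            f"embryonic connections {summary['embryonic']} near emb_limit {emb_limit}"
        )
    return alerts


if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_SHOW_CONN)
    summary = summarize(conns, "10.1.1.10", 80)
    print(summary)
    for alert in check_limits(summary, max_conns=4, emb_limit=3):
        print("WARNING:", alert)
```

Run it against a saved copy of 'sh conn' taken while the server is still reachable and again when it stops answering; a jump in the embryonic count, especially from a handful of outside addresses, is the pattern the emb_limit on the static command is meant to cap, while a high established count with low embryonics points at max_conns or the server itself.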


Hi,

Did you manage to solve the problem? Hopefully so.

Rgds,

AK
