05-14-2006 11:26 PM - edited 02-21-2020 12:53 AM
I have a web server in a DMZ and sometimes (once a week) the web server stops responding. All the services through the PIX are working except access to this web server. I have to reload the PIX to have access again. I have tried with a clear xlate or clear host-pc, but it's not enough; I need to reload the PIX to recover the connection.
Does anybody know what can be happening?
05-14-2006 11:43 PM
Hi,
When your web server stops responding, is it only the www service, or is there no network connectivity at all to the server? Can you ping the gateway (either the router or the PIX DMZ interface as your GW), and can other servers in the DMZ ping the web server?
Maybe you need to disable the proxyarp in your Firewall-DMZ interface:
sysopt noproxyarp dmz
Before you do this, check your proxy ARP status (sh sysopt) and verify whether it was already disabled. Proxy ARP is on if you don't see the above line (sysopt noproxyarp dmz) in the output.
Try this and see whether it helps you.
Rgds,
AK
05-14-2006 11:58 PM
Hi,
I know I can access other servers in the DMZ, but I haven't tried with the web server (I will try the next time it happens).
I have NAT in the DMZ, so I think it could be very dangerous to disable proxy ARP, or not?
05-14-2006 11:57 PM
Hi ... if you configured the static NAT for this box WITHOUT the optional parameters [max_conns [emb_limit]], then it could be that there are too many simultaneous connections to the web server, which could be overloading its response. Similarly, if you are not using emb_limit, your web server could be experiencing a SYN flood type of attack, resulting in a DoS for your web server. I suggest you configure these optional parameters on the static NAT.
static (DMZ1,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 [max_conns [emb_limit]]
I hope it helps ... please rate it if it does.
05-16-2006 12:48 AM
OK, thanks, I will try it.
I have seen there are other settings that could be affecting this: timeout connection and timeout half-connection.
Do you think it would be good to modify these parameters?
05-15-2006 12:39 AM
Hi,
The proxy ARP function in the PIX is more or less similar to router proxy ARP: in this case, the firewall "impersonates" an IP address and returns its own MAC address to answer an ARP request for another device.
Since you have a static mapping in the DMZ for your web server, and as mentioned by Fernando, you should enforce max conn and embryonic limits. When you clear xlate, all those active sessions and embryonic connections will be cleared, and subsequently fresh connections to the server are re-opened/allowed. This does not necessarily require you to reboot the PIX.
Anyway, before/when the problem occurs again, try to monitor/check the current connections to the web server (if any) using 'sh conn | i
You can also use 'sh access-list
Rgds,
AK
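The check AK recommends above, counting the current connections to the web server and how many of them are still embryonic (half-open), as an added worked example that is not part of the original thread or any Cisco tool. It assumes a PIX 6.x 'show conn' line layout of the form "TCP out <outside ip:port> in <dmz ip:port> idle h:mm:ss Bytes n flags XYZ" and treats a TCP connection whose flags lack 'U' (up) as embryonic; the sample output and the web server address 192.168.10.5 are constructed, and the max_conns/emb_limit values are the ones you would have put on the static command, not anything read from the firewall.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of 'show conn' output (not captured from the poster's PIX).
# 192.168.10.5 is the web server's DMZ address; 198.51.100.7 is a single source
# holding three half-open connections to port 80.
SAMPLE_SHOW_CONN = """\
6 in use, 11 most used
TCP out 203.0.113.10:51234 in 192.168.10.5:80 idle 0:00:03 Bytes 18340 flags UIO
TCP out 203.0.113.11:43210 in 192.168.10.5:80 idle 0:00:07 Bytes 912 flags UIO
TCP out 198.51.100.7:6000 in 192.168.10.5:80 idle 0:00:29 Bytes 0 flags saA
TCP out 198.51.100.7:6001 in 192.168.10.5:80 idle 0:00:28 Bytes 0 flags saA
TCP out 198.51.100.7:6002 in 192.168.10.5:80 idle 0:00:27 Bytes 0 flags saA
TCP out 203.0.113.12:40001 in 192.168.10.9:25 idle 0:01:10 Bytes 4096 flags UIO
"""

# Assumed line layout; adjust the pattern if your PIX version prints differently.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>\S+):(?P<out_port>\d+) "
    r"in (?P<in_ip>\S+):(?P<in_port>\d+) idle (?P<idle>\S+) "
    r"Bytes (?P<nbytes>\d+)(?: flags (?P<flags>\S+))?$"
)


@dataclass
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    idle: str
    nbytes: int
    flags: str

    @property
    def embryonic(self) -> bool:
        # Assumption: no 'U' (up) flag means the three-way handshake never
        # completed, so the connection counts against emb_limit.
        return self.proto == "TCP" and "U" not in self.flags


def parse_show_conn(text: str) -> list:
    """Turn raw 'show conn' text into Conn records, skipping header lines."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # e.g. "6 in use, 11 most used"
        conns.append(Conn(m["proto"], m["out_ip"], int(m["out_port"]),
                          m["in_ip"], int(m["in_port"]), m["idle"],
                          int(m["nbytes"]), m["flags"] or ""))
    return conns


def summarize_host(conns: list, host: str, port: int = None) -> dict:
    """Count total and embryonic connections to one DMZ host (optionally one port)."""
    mine = [c for c in conns if c.in_ip == host and (port is None or c.in_port == port)]
    emb = [c for c in mine if c.embryonic]
    return {
        "total": len(mine),
        "embryonic": len(emb),
        "top_sources": Counter(c.out_ip for c in mine).most_common(3),
        "top_embryonic_sources": Counter(c.out_ip for c in emb).most_common(3),
    }


def check_limits(summary: dict, max_conns: int, emb_limit: int) -> list:
    """Compare the observed counts with the limits set on the static command.

    A value of 0 for either limit means 'unlimited', as on the PIX, so it is
    never reported as reached. The half-open ratio is a heuristic for a SYN
    flood: a healthy web server rarely has most of its table in SYN state.
    """
    findings = []
    if max_conns and summary["total"] >= max_conns:
        findings.append("max_conns reached")
    if emb_limit and summary["embryonic"] >= emb_limit:
        findings.append("emb_limit reached")
    if summary["total"] and summary["embryonic"] / summary["total"] >= 0.5:
        findings.append("mostly half-open")
    return findings


if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_SHOW_CONN)
    summary = summarize_host(conns, "192.168.10.5", port=80)
    print(summary)
    # Limits as they would appear on: static (DMZ1,outside) ... 100 3
    print(check_limits(summary, max_conns=100, emb_limit=3))
```

On a live box, paste the output of 'sh conn' into parse_show_conn() each time the server stops answering; if 'emb_limit reached' or 'mostly half-open' shows up with one source at the top of top_embryonic_sources, the static limits (and a shorter timeout for half-open connections) are the right place to look before reloading the PIX.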
05-16-2006 07:26 AM
Hi,
Did you manage to solve the problem? Hopefully it does.
Rgds,
AK