06-10-2006 03:29 PM - edited 03-09-2019 03:12 PM
Hello!
I have a PIX 515 (ver 6.3) that seems to be dropping packets that it should not, and I am not sure how to figure out why.
Specifically, when I use a client on the private side of the PIX to connect to a server on the public side (FTP, SMTP, etc.) I start seeing retransmissions/duplicate acks after the connection is successfully established. Using Ethereal, I see everything hitting the public side of the PIX, but for some reason it does not get through.
I have checked the usual things: WAN link congestion, LAN interface errors, CPU utilization, ACL violations, etc. I have not been able to determine the reason.
Does anyone have some advice on other things to check?
I am only running 32MB of RAM (and I think the recommended for 6.3 is 64MB)... could this be a possible cause?
Thanks for your help!
-->Chris
06-11-2006 07:24 AM
Hi Chris,
I don't think that memory is the problem.
You need to do many tests like...
- Check from the private subnet from a PC connecting to an FTP, SMTP server at the interface other than public, i.e. try to configure an FTP server and place it in that new subnet (DMZ), and start testing from a private PC.
- OR place that PC in this new subnet (DMZ) and start connecting to the public FTP, SMTP server that you mention above.
I think these tests will help you troubleshoot your case.
Please update me about your results.
Thank you
Abd Alqader
06-12-2006 03:16 AM
Abd -
Thanks for your input. Here is basically what I have done:
- I placed a test PC on the outside of the PIX, and ran FTP/SMTP to multiple hosts through my Internet link with no issues.
- When I use the same PC (on the private side of the PIX) to perform large FTP/SMTP transfers, I start getting drops and retransmissions.
I don't have any additional interfaces to use for creating a new DMZ for testing on my PIX... I suppose I could make the private interface a trunk and try to build a DMZ that way. Will that help narrow down the problem?
It seems by using the Test PC to remove the PIX from the scenario (and testing successfully), it is safe to say the PIX is the problem. I just don't know why it is the problem....
I have attached a diagram to help make the explanation of what I have done to troubleshoot so far a little clearer.
--->Chris
06-12-2006 04:08 AM
Chris
Your issues might be related to IDENT on the public side servers, take a look here to see if this helps:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094317.shtml
Let me know how you get on.
Jay
06-14-2006 09:24 AM
Thanks to everyone for your responses to my problem!
I installed additional memory to bring the firewall up to 128MB and my problem seems to have disappeared.
-->Chris