I have a PIX 515 (ver 6.3) that seems to be dropping packets that it should not, and I am not sure how to figure out why.
Specifically, when I use a client on the private side of the PIX to connect to a server on the public side (FTP, SMTP, etc.) I start seeing retransmissions/duplicate ACKs after the connection is successfully established. Using Ethereal, I see everything hitting the public side of the PIX, but for some reason it does not get through.
I have checked the usual things: WAN link congestion, LAN interface errors, CPU utilization, ACL violations, etc. I have not been able to determine the reason.
Does anyone have some advice on other things to check?
I am only running 32 MB of RAM (and I think the recommended for 6.3 is 64 MB)... could this be a possible cause?
- Check from the private subnet from a PC connecting to an FTP/SMTP server at an interface other than public, i.e. try to configure an FTP server and place it in that new subnet (DMZ), and start testing from a private PC.
- OR place that PC in this new subnet (DMZ) and start connecting to the public FTP/SMTP server that you mention above.
I think these tests will help you troubleshoot your case.
Thanks for your input. Here is basically what I have done:
- I placed a test PC on the outside of the PIX, and ran FTP/SMTP to multiple hosts through my Internet link with no issues.
- When I use the same PC (on the private side of the PIX) to perform large FTP/SMTP transfers, I start getting drops and retransmissions.
I don't have any additional interfaces to use for creating a new DMZ for testing on my PIX... I suppose I could make the private interface a trunk and try to build a DMZ that way. Will that help narrow down the problem?
It seems by using the Test PC to remove the PIX from the scenario (and testing successfully), it is safe to say the PIX is the problem. I just don't know why it is the problem....
I have attached a diagram to help make the explanation of what I have done to troubleshoot so far a little clearer.
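One way to turn the two-sided capture described in this thread into a concrete answer is to match segments seen on the public interface against those seen on the private interface and report the copies that never made it across, plus the retransmissions and byte-stream gaps that result. The script below is an added example, not from the thread or from Cisco; the captures are constructed (one FTP data stream from 203.0.113.10:20 to 192.168.1.50:3001), the records are assumed to already be normalised to one address space (the PIX translates the client's address, so a real outside capture needs the translated address mapped back first), and only a single flow is assumed.

```python
from collections import Counter

# Constructed sample captures (not from the original thread), simplified to
# (src_ip, src_port, dst_ip, dst_port, seq, payload_len) per TCP segment.
OUTSIDE = [  # what Ethereal saw on the public side of the PIX
    ("203.0.113.10", 20, "192.168.1.50", 3001, 1000, 1460),
    ("203.0.113.10", 20, "192.168.1.50", 3001, 2460, 1460),
    ("203.0.113.10", 20, "192.168.1.50", 3001, 3920, 1460),
    ("203.0.113.10", 20, "192.168.1.50", 3001, 5380, 1460),
    ("203.0.113.10", 20, "192.168.1.50", 3001, 2460, 1460),  # server retransmits seq 2460
]
INSIDE = [  # what the private side saw
    ("203.0.113.10", 20, "192.168.1.50", 3001, 1000, 1460),
    ("203.0.113.10", 20, "192.168.1.50", 3001, 3920, 1460),
    ("203.0.113.10", 20, "192.168.1.50", 3001, 5380, 1460),
    ("203.0.113.10", 20, "192.168.1.50", 3001, 2460, 1460),  # only the retransmitted copy arrives
]

def segment_key(rec):
    """Identity used to match a segment across captures: endpoints plus sequence number."""
    return rec[:5]

def find_dropped(outside, inside):
    """Per segment, how many copies were seen on the public side but never reached the private side."""
    out_counts = Counter(segment_key(r) for r in outside)
    in_counts = Counter(segment_key(r) for r in inside)
    return {k: n - in_counts[k] for k, n in out_counts.items() if n > in_counts[k]}

def find_retransmissions(capture):
    """Segments that appear more than once in one capture: the retransmissions the sender had to make."""
    counts = Counter(segment_key(r) for r in capture)
    return sorted(k for k, n in counts.items() if n > 1)

def sequence_gaps(capture):
    """Holes in the byte stream, in capture order, before any retransmission filled them (single flow assumed)."""
    expected = None
    gaps = []
    for _, _, _, _, seq, length in capture:
        if expected is not None and seq > expected:
            gaps.append((expected, seq))
        expected = max(expected or 0, seq + length)
    return gaps

if __name__ == "__main__":
    print("dropped between interfaces:", find_dropped(OUTSIDE, INSIDE))
    print("retransmissions on public side:", find_retransmissions(OUTSIDE))
    print("byte gaps seen on private side:", sequence_gaps(INSIDE))
```

A non-empty result from find_dropped for segments the firewall should have forwarded points at the PIX itself (or its interface towards the client), which is the kind of evidence the "test PC outside the PIX" step above cannot give on its own.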