New Member

some connectivity issues after upgrading a PIX-515 from 7.0.4 to 7.1.2

I just upgraded my PIX-515 from 7.0.4 to 7.1.2 (with ASDM 5.0.4 to 5.1.2) and WITHOUT making any changes to my current basic working configuration I began noticing ...

• that MSN Messenger 7.5 stopped working completely (error 80048820, We were unable to sign you in),

• that I cannot access some sites which I use often such as the hotmail.com login page or www.cqcounter.com/whois/ (for example)

• that I cannot start Outlook Express (same issue as MSN Messenger)

• that I cannot even post a message on this forum !

I repeat, I did not make any changes to the running config from which I accessed these sites without any trouble an hour before.

MSN Messenger was up and running all day long but all of a sudden stopped working after the update

and when I checked the troubleshoot dialog it showed all net-related issues are green and there are no connectivity problems at all.

Upon accessing the sites or starting MSN, ASDM showed the following:

• 106001:Inbound TCP connection denied from <source-address>/80 to <my-address>/1350 flags RST on interface outside

• 106001:Inbound TCP connection denied from <source-address>/80 to <my-address>/1350 flags FIN ACK on interface outside

• the reference guide lists 106001 event as an informational message only

and thus Firefox (or, by the way, IE, which I do not use) showed the following:

The connection to the server was reset while the page was loading.

blah blah blah ...

After a while I noted that after the upgrade was made two lines were added to the POLICY-MAP GLOBAL_POLICY entry in my configuration:

• INSPECT HTTP

• INSPECT ILS

When I removed these two lines all started working again without a hitch - by the way, the 7.1 reference says they are disabled by default and I never enabled them.

Well, now that I know what caused the problem and after reading what the INSPECT HTTP command is supposed to do, the question is:

Does it work ?

Does it work and many many sites (including MS Passport / Hotmail and related) are using malformed/wrong HTTP parameters in the protocol or something like that ?

(and I don't want to tell you that I believe this last one is a very improbable one)

Has anyone who moved from 7.0.4 to 7.1.2 been experiencing something similar?

an excerpt from my config:

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  INSPECT HTTP
  INSPECT ILS
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
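
An added example (not part of the original post and not Cisco tooling): a pre/post-upgrade check that reports which inspection engines appeared or disappeared in each policy-map class, which would have surfaced the two lines the poster found by hand. The sample configs are constructed from the excerpt above, and the parser assumes a policy-map block ends at a `!` line, as it does in that excerpt.

```python
# Added example: report inspect lines gained or lost across a PIX upgrade.
# Both configs are constructed samples modelled on the excerpt in the post.
PRE_UPGRADE = """\
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect esmtp
!
service-policy global_policy global
"""
POST_UPGRADE = PRE_UPGRADE.replace("  inspect ftp\n",
                                   "  inspect ftp\n  INSPECT HTTP\n  INSPECT ILS\n")


def inspections(config):
    """Map (policy-map, class) -> set of lower-cased inspect arguments."""
    found, pmap, cls = {}, None, None
    for raw in config.splitlines():
        words = raw.lower().split()
        if not words:
            continue                      # pasted configs are often double-spaced
        if words[0] == "!":               # assumption: "!" closes the block
            pmap = cls = None
        elif words[0] == "policy-map" and len(words) > 1:
            pmap, cls = words[1], None
        elif words[0] == "class" and pmap and len(words) > 1:
            cls = words[1]
        elif words[0] == "inspect" and cls and len(words) > 1:
            found.setdefault((pmap, cls), set()).add(" ".join(words[1:]))
    return found


def inspection_drift(before, after):
    """Return {(policy-map, class): {"added": [...], "removed": [...]}}."""
    old, new = inspections(before), inspections(after)
    drift = {}
    for key in sorted(set(old) | set(new)):
        added = sorted(new.get(key, set()) - old.get(key, set()))
        removed = sorted(old.get(key, set()) - new.get(key, set()))
        if added or removed:
            drift[key] = {"added": added, "removed": removed}
    return drift


if __name__ == "__main__":
    for (pmap, cls), change in inspection_drift(PRE_UPGRADE, POST_UPGRADE).items():
        for name in change["added"]:
            print(f"{pmap}/{cls}: inspection added by upgrade: {name}")
        for name in change["removed"]:
            print(f"{pmap}/{cls}: inspection removed by upgrade: {name}")
```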

4 REPLIES
New Member

Re: some connectivity issues after upgrading a PIX-515 from 7.0.

This is a known bug in 7.1.2. It is the http policy inspection. I posted the same question a week or so ago, and there are plenty of other posts referencing the same issue.

no inspect http will fix everything. Also, you probably want to do an inspect dns maximum-length 2048 if you have Windows 2003 DNS servers. I also disabled the inspect esmtp as well b/c I was seeing some weird stuff going on with my exchange server mail delivery.

New Member

Re: some connectivity issues after upgrading a PIX-515 from 7.0.

We had some of the same issues, after about a day and a half HTTP browsing completely went down the toilet and we couldn't browse the web. We disabled the HTTP inspect however we are STILL seeing intermittent problems with internet browsing, there will be times browsing just stops working for about 5 minutes, then comes back... at the same time I can't telnet/ssh to my pix, it allows me to type in my username but it fails (we use aaa) this has happened about 4 times now.

New Member

Re: some connectivity issues after upgrading a PIX-515 from 7.0.

I've had the same problems after my upgrade to 7.1.2. Frustrating that a new feature like http inspection is enabled by default! Anyways, disabling helped me with http.

Now I have a strange problem with ftp. Doesn't seem to matter if I set the pix to force passive mode or not, I still get the same error. My clients get a generic error "425 Unable to build data connection: Connection refused". These clients worked fine before the upgrade. Anyone else see FTP problems with 7.1.2.? Waiting on a call-back from TAC on the issue.

New Member

Re: some connectivity issues after upgrading a PIX-515 from 7.0.

I had to downgrade to 7.1.1 because I wasn't able to fix the "traffic inspection" issue - bug or not, it does not seem to work and the feature is crucial to my installation.
