I have an odd problem on two PIX515 on two separate customer sites.
The customers are able to access all web sites OK through the PIX (http and https) with the exception of the personal banking pages of HSBC and FirstDirect.
Does anyone have an idea of how to resolve this issue?
When they are accessing the pages can you try checking the logging in debug mode. Check the real time logging and see what is getting blocked.
There are no messages showing any blocked traffic on the PIX.
The web page just shows as loading "waiting for http://www.banking.first-direct.com/1/2/logon/.."
I gave it a try with a "test user" and I had the following message:
"Your username has not been recognised. Please try again"
I can imagine 3 possible features the PIX might use to filter the access to such a page:
1. FILTER URL
3. IP AUDIT
My recommendation is to see if you have enabled any of those commands and focus on them, and use the "DEBUG PACKET" tool to troubleshoot.
- Viquez -
It seems those pages have something that the PIX is filtering. My recommendation is to resolve the name of the site to obtain the real IP address, then read the LOGs from the PIX. Filter out temporarily several unimportant LOG messages to get focus. To do this use the following commands:
no logging message 109001
no logging message 109023
no logging message 113004
no logging message 210007
no logging message 302013
no logging message 302014
no logging message 302015
no logging message 302016
no logging message 302020
no logging message 302021
no logging message 304001
no logging message 305011
no logging message 305012
no logging message 609001
no logging message 609002
no logging message 710005
logging console 7
logging monitor 7
On the other hand you could use the commands "debug packet inside src a.b.c.d" and "debug packet outside dst x.y.z.n" to monitor the traffic flowing through the PIX.
These tips will give you at least some idea of what is going on and whether the traffic is being filtered by the PIX.
Hope it helps!
Here's what I recommend:
fixup protocol dns maximum-length 1024
no fixup protocol http 80
Thanks for your posting, however it didn't help.
In the end I resolved the problem by upgrading from 7.0 to 7.2(2). After I did this I still had the same problem, however the logs showed dropped packets on the outside interface from the web server. They were dropped due to MSS Exceeded.
I implemented the suggested workaround in the Cisco document "PIX/ASA 7.0 Issue: MSS Exceeded - HTTP Clients Cannot Browse to Some Web Sites"
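For reference, the Modular Policy Framework workaround from that Cisco document, written out here as an added example rather than the poster's own configuration: a tcp-map with `exceed-mss allow` lets the normalizer pass the oversized segments that otherwise log as 419001 "MSS exceeded" drops. The ACL, class-map, tcp-map and policy-map names and the server address are assumptions, and the ACL is deliberately limited to the affected banking server (resolve its name first, as suggested above) so MSS enforcement stays in place for everything else.

```cisco
! Added example of the PIX/ASA 7.x MSS-exceeded workaround (not the poster's config).
! Names mss-servers, mss-class, mss-map, mss-policy are assumed; 203.0.113.10 is a
! placeholder for the real IP of the banking server resolved from its hostname.
!
! Match only the server(s) that send segments larger than the negotiated MSS,
! not "any any", so the TCP normalizer keeps enforcing MSS for all other flows.
access-list mss-servers extended permit tcp any host 203.0.113.10 eq 443
!
class-map mss-class
 match access-list mss-servers
!
! Allow segments that exceed the MSS instead of dropping them (419001).
tcp-map mss-map
 exceed-mss allow
!
policy-map mss-policy
 class mss-class
  set connection advanced-options mss-map
!
! Apply on the interface where the drops were logged (outside in this thread).
! Only one policy can be bound per interface: if one already exists there,
! add the class to that policy instead of creating a second one.
service-policy mss-policy interface outside
```

After applying it, `show service-policy interface outside` confirms the class is hit, and the 419001 drops for that server should stop appearing in the log.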
That's great, but can you let me know whether you are able to access the below link now after applying the tcp mss commands. The below link is the driver site of HP.