Upgrade to FOS 6.3 killed Internet connection

bfl1
Level 1

I upgraded from 6.2 to 6.3 - went without any problems. After rebooting the firewall, all internet connectivity is gone. I cannot connect from inside out, but can connect from DMZ to the inside. I cleared the xl table, rebooted the servers, rebooted the firewall again... no luck. Any ideas on what could cause this? How to back rev and get out of this mess?

4 Replies

shannong
Level 4

What hardware platform is the Pix?

Can you ping the external default gateway from the Pix?

Are there entries in the xlate table for traffic attempting to go out? [show xlate]

What do the logs say? Any errors or denies?

You can downgrade the firewall the same way you upgraded it. It's best if you backed up your config and restore it, but unless you're using some odd feature that was deprecated there shouldn't be any issue to just continue with the existing config that's on there.

Rather than downgrading, I suggest we just fix the problem with 6.3.

sh xl and sh connect show many connections.

From the firewall, I cannot ping the public switch, the perimeter router (default gateway), or anything "outside".

I can VPN from home... the public VPN connection comes in on a different network (different default gateway) and lands outside the firewall... the inside interface of the VPN resides in the DMZ... once I have the VPN connection, I can establish VNC connections to machines "inside" the firewall...

It is a PIX 525... I can't reach the logs from home... I am going in shortly and will check the logs...

I was able to access the logs... I have logging trap and logging history set to info...

I open a browser on IP address 10.10.10.1 and attempt to access msn.com... below is the only clip from the logs... the 12.12.12.12 address is the primary DNS server

<190>Jan 04 2004 11:15:07: %PIX-6-302015: Built outbound UDP connection 199588 for outside:222.222.222.222/53 (222.222.222.222/53) to inside:10.10.10.1/2145 (139.161.180.27/2145)

<190>Jan 04 2004 11:15:12: %PIX-6-302015: Built outbound UDP connection 199605 for outside:12.12.12.12/53 (12.12.12.12/53) to inside:10.10.10.1/2145 (10.10.10.1/2145)
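An added log check, not part of the thread: it parses the two %PIX-6-302015 lines quoted above and flags outbound DNS connections whose inside host shows the same private address as both real and mapped address (the first line shows a translation to 139.161.180.27, the second does not). Treating that as "the packet left the outside interface without NAT" is my diagnostic assumption, not something the poster states.

```python
import ipaddress
import re

# Field layout of a %PIX-6-302015 "Built ... connection" message, as in the two
# lines quoted above: for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)
BUILT_RE = re.compile(
    r"%PIX-6-302015: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection "
    r"(?P<id>\d+) for (?P<if1>\w+):(?P<real1>[\d.]+)/(?P<rport1>\d+) \((?P<map1>[\d.]+)/\d+\) "
    r"to (?P<if2>\w+):(?P<real2>[\d.]+)/(?P<rport2>\d+) \((?P<map2>[\d.]+)/\d+\)"
)

def parse_built(line):
    """Return the connection fields as a dict, or None if the line is not a 302015."""
    m = BUILT_RE.search(line)
    return m.groupdict() if m else None

def inside_endpoint(conn):
    """Return (real, mapped) of the endpoint on the 'inside' interface, or None."""
    n = "1" if conn["if1"] == "inside" else "2" if conn["if2"] == "inside" else None
    return (conn["real" + n], conn["map" + n]) if n else None

def untranslated_inside_dns(conn):
    """Heuristic (my assumption, not the thread's): an outbound UDP/53 connection whose
    inside host keeps its private real address as the mapped address went out without NAT."""
    if conn["dir"] != "outbound" or conn["proto"] != "UDP" or "53" not in (conn["rport1"], conn["rport2"]):
        return False
    ep = inside_endpoint(conn)
    if ep is None:
        return False
    real, mapped = ep
    return ipaddress.ip_address(real).is_private and mapped == real

def audit(lines):
    """Return (connection id, inside real address) for each flagged log line."""
    found = []
    for line in lines:
        conn = parse_built(line)
        if conn and untranslated_inside_dns(conn):
            found.append((conn["id"], inside_endpoint(conn)[0]))
    return found

# The two log lines quoted in the post above.
SAMPLE = [
    "<190>Jan 04 2004 11:15:07: %PIX-6-302015: Built outbound UDP connection 199588 for outside:222.222.222.222/53 (222.222.222.222/53) to inside:10.10.10.1/2145 (139.161.180.27/2145)",
    "<190>Jan 04 2004 11:15:12: %PIX-6-302015: Built outbound UDP connection 199605 for outside:12.12.12.12/53 (12.12.12.12/53) to inside:10.10.10.1/2145 (10.10.10.1/2145)",
]

if __name__ == "__main__":
    for cid, addr in audit(SAMPLE):
        print(f"connection {cid}: inside host {addr} left without translation")
```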

bfl1
Level 1

Was able to restore... I was upgrading to 6.3(3)109. I finally back rev'd to 6.3(1). It removed the fixup dns command and fixup tftp command... after I did a wr mem and reloaded... it worked... Odd, when I was going through the config when it was at 6.3(3)109, I saw the fixup dns maximum-length 512 command and removed it... it still didn't fix it... when I originally reloaded after back rev'ing to 6.3(1), this is the error that appeared....

Configuration Compatibility Warning:

The version 6.3(3)109 configuration may contain syntax that is

not backward compatible with the 6.3(1) image that is loaded.

bad protocol dns

Config Error -- fixup protocol dns maximum-length 512

bad protocol tftp

Config Error -- fixup protocol tftp 69

..................Warning : IP and subnetmask form invalid pair indicating broadcast address

......

Config Failed

It stripped the commands out, I saved it, reloaded and all is well...
