
2600 Routing Delay

dpandshe
Level 1

I'm running a 2600 router that works great. Recently our Pix 501 firewall bought the farm and I purchased a new Pix 506 to replace it. In the interim, I built a Linux firewall using iptables that also is working fine.

Now the problem... When I go to install my new Pix 506 firewall, the router initially doesn't route any packets to/from external addresses. Once I unsuccessfully try to telnet to the router, it magically starts routing the packets, but only to/from the internal address that I am initiating the telnet connection from. Subsequent telnets to the router work fine.

I have a number of NAT'd servers that reside behind the PIX, so I don't really want to log in to each of those and try to telnet to the router to open up the packet routing. I haven't actually tried to do this to make sure it even would work.

Does anyone have any ideas of what I could try? I haven't tried rebooting the router, but I could as a last resort.

Thanks in advance!


jstoecker
Level 1

David,

Just thinking out loud... try this on for size.

Do you have a static default route pointed at the firewall? Or was the old firewall running a routing protocol that the new one isn't? Or do the servers have manually added routes?

You may have to take a look at these things, and make sure there isn't a problem, e.g. the new firewall is a different IP than the old one so the static route is broken, or not NATted/PATted the same, etc.

It kinda sounds like you're getting an ICMP redirect from the PIX inside or the router when you telnet, which then causes the server(s) to work, but for whatever reason when you aren't going right to that device you don't get the redirect.

John
