Lost Ping Packets and VPN connection goes down after a short while through a PIX 501 Firewall.

I have a PIX 501 Firewall with 8MB flash and 16MB RAM. I'm losing about 20% of ping packets and the VPN is working very poorly. Any clue what the problem is? This is a 5-computer network.

I've replaced a few things with -------- for security purposes.

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ------------- encrypted
passwd ---------------- encrypted
hostname pix
domain-name --------------------
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list blablabla permit icmp any any
access-list blablabla permit tcp any host ----------out ip----------- eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside ----------out ip----------- 255.255.255.224
ip address inside 192.168.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.100.1-192.168.100.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 ---------out ip-----------
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ----------out ip------------ 192.168.0.1 netmask 255.255.255.255 0 0
access-group blablabla in interface outside
route outside 0.0.0.0 0.0.0.0 --------out ip------------- 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console -------
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local bigpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool bigpool
vpngroup vpn3000 dns-server 192.168.0.1
vpngroup vpn3000 wins-server 192.168.0.1
vpngroup vpn3000 default-domain ----------------
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password --------------
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
vpdn username susumu password susumu
vpdn enable outside
terminal width 80

Thanks!
markps_1 asked:
markps_1 (Author) commented:
"--------out ip-------------" is the outside IP address that I've removed.
0
Keith Alabaster (Enterprise Architect) commented:
What are the interface settings on your Pix? Do they match the connected devices in respect to speed and duplex setting?

If you have a support/service agreement, it could be well worth upgrading to 6.3(5) for your IOS. There are a lot of improvements, especially in the area of interface settings and VPN connectivity.

0
markps_1 (Author) commented:
Everything is running at 100 Mbps full duplex.  Do you know if the PIX 501 supports that?
0

Keith Alabaster (Enterprise Architect) commented:
Certainly does on 6.3(5). Didn't see the config lines in your post above; some of the earlier versions didn't support 100full on the outside. Does a sh int confirm those settings (100full or auto)?
0
markps_1 (Author) commented:
oops, auto.
0
Keith Alabaster (Enterprise Architect) commented:
I think you may find that 100full is only an option on one of the interfaces (inside). Check the settings on the device that the outside PIX interface connects to. :)
0

markps_1 (Author) commented:
I've run the sh int... and it shows interface ethernet0 (outside) is in half duplex, and interface ethernet1 (inside) is in full duplex. Could that be the source of the problem?


interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is ---------------------------
  MTU 1500 bytes, BW 10000 Kbit half duplex
        976758 packets input, 381010658 bytes, 0 no buffer
        Received 498091 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        409459 packets output, 124329630 bytes, 0 underruns
        0 output errors, 583 collisions, 0 interface resets
        0 babbles, 0 late collisions, 2770 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/5)
        output queue (curr/max blocks): hardware (0/10) software (0/7)

interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is -----------------
  MTU 1500 bytes, BW 10000 Kbit full duplex
        416263 packets input, 115683764 bytes, 0 no buffer
        Received 8399 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        469278 packets output, 262596716 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/9)
        output queue (curr/max blocks): hardware (1/8) software (0/1)
0
markps_1 (Author) commented:
If it is... how do I fix it?
0
Keith Alabaster (Enterprise Architect) commented:
0 output errors, 583 collisions, 0 interface resets on the outside interface.

What is the outside interface of the PIX connected to? As mentioned above 6.3(5) allows full duplex 100Mb on both interfaces (yours are both at 10Mb).
0
lrmoore commented:
Outside interface does show a small number of collisions, but the ratio of collisions to total packets is so minor that it should not be a factor at all. It does depend on what you are connecting the outside interface to. Hub= half duplex, switch=full duplex, x-over to cable modem=auto
Can you explain exactly how the outside interface connects to the world? DSL? Cable? Other?
 
If the VPN connection works at all it is typically not a configuration problem.
What version Cisco VPN client are you using? 4.6 has issues, latest is 4.8
What OS on the client? XP/SP2 has issues with many earlier versions of VPN client.

>access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
>nat (inside) 0 access-list 101
>vpngroup vpn3000 split-tunnel 101

You can see above that you have the same acl applied to two very distinct processes. We highly encourage using separate acls for separate processes. The acls can be identical, just with different names, numbers to make it more efficient.

access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 101
vpngroup vpn3000 split-tunnel 102

>ip address inside 192.168.0.2 255.255.255.0
Your local LAN subnet is 192.168.0.0/24
What is the local LAN subnet of the client that is having problems? If it is also 192.168.0.0 then you have known issues and nothing you can do except change one subnet. Theirs might be easier unless they are using Microsoft ICS and then they are stuck with 192.168.0.0 and cannot change it. I strongly discourage anyone from using 192.168.0.0 or 192.168.1.0 for subnets inside any firewall or other device if they ever hope to have users connecting via VPN.

0
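To put numbers on the two points raised above (the half-duplex outside interface in the sh int output, and lrmoore's remark that 583 collisions against 409459 packets sent is a negligible ratio), here is an added Python example that is not part of this thread: it parses PIX 6.x `show interface` output and flags the usual duplex-mismatch symptoms. The sample text is a trimmed copy of the counters posted above, and the 1% collision threshold is an assumption of mine, not a Cisco figure.

```python
import re

# Constructed sample: the "show interface" counters posted above, trimmed.
SAMPLE = """interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 10000 Kbit half duplex
        409459 packets output, 124329630 bytes, 0 underruns
        0 output errors, 583 collisions, 0 interface resets
        0 babbles, 0 late collisions, 2770 deferred
interface ethernet1 "inside" is up, line protocol is up
  MTU 1500 bytes, BW 10000 Kbit full duplex
        469278 packets output, 262596716 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
"""

# Counters that matter for duplex problems (PIX 6.x wording).
COUNTERS = {
    "packets_output": r"(\d+) packets output",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collisions",
    "deferred": r"(\d+) deferred",
}

def parse_show_interface(text):
    """Return {name: fields} parsed from PIX 6.x 'show interface' output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r'interface \S+ "(\w+)"', line)
        if head:
            cur = ifaces[head.group(1)] = dict.fromkeys(COUNTERS, 0)
        elif cur and (link := re.search(r"BW (\d+) Kbit (half|full) duplex", line)):
            cur["bw_mbit"], cur["duplex"] = int(link.group(1)) // 1000, link.group(2)
        elif cur:
            for key, pat in COUNTERS.items():
                m = re.search(pat, line)
                if m:
                    cur[key] = int(m.group(1))
    return ifaces

def diagnose(ifaces, warn_ratio=0.01):
    """Collisions per packet sent plus duplex-mismatch symptoms; 1% is an assumed threshold."""
    report = {}
    for name, i in ifaces.items():
        ratio = i["collisions"] / max(i["packets_output"], 1)
        notes = []
        if i.get("duplex") == "half":
            notes.append(f"{i['bw_mbit']} Mb half duplex: check the peer port's setting")
        if ratio >= warn_ratio or i["late_collisions"]:
            notes.append("collisions out of proportion to traffic: duplex mismatch or bad cable")
        report[name] = {"ratio": ratio, "notes": notes}
    return report
```

On the posted counters this reports the outside interface only for being half duplex; its collision ratio (about 0.14%) stays well under the threshold, which matches lrmoore's reading.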
markps_1 (Author) commented:
I'm using Client 4.7 on XP/SP2...
What intrigues me is the number of ICMP packets getting lost, about 20% total. My client computer uses 192.168.1.0/24 so, no conflicts here.

I don't have access to what the firewall is connected to. I simply get a cable to the office and that's where I've connected the firewall. I know that this cable is connected to a port on an internet router (probably one of those home routers, or maybe a Cisco).

So since I've discovered that I'm only running at 10MB half duplex out and full duplex in... Could that explain the lost ICMP packets and unstable VPN? Would you really recommend going through the trouble of upgrading the firmware?
0
markps_1 (Author) commented:
I'm connected using a Verizon DSL.
0
Keith Alabaster (Enterprise Architect) commented:
lrmoore is likely the authority on Cisco in most of our eyes so I would definitely check out his suggestions first. The fact the configuration works means you might want to check the cables (including the link cable provided to your wall socket). You could also ask the people who control the Verizon to see if they are seeing issues at their end as well.

The upgrade is certainly worthwhile to get the 100Mb full-duplex if nothing else but I would be hard-pressed to guarantee it will fix the packet-loss you are seeing.
0
lrmoore commented:
>PIX Version 6.1(2)
This is very old code and you could indeed see many improvements if you upgrade. 6.3(5) is the latest/greatest. The PDM GUI is definitely worth the upgrade by itself.
You have a very recent VPN client with 4.7 with very old PIX OS. It might be worth it to upgrade both the pix and the client.
Since you are connected DSL you may have a MTU issue. Use the SetMTU utility that loads with the Cisco VPN client and set the MTU to 1300 if it isn't already.

Is there anything else on the network like another router or anything? I've seen proxyarp do some weird stuff....
0
markps_1 (Author) commented:
Hi lrmoore,
Yes there is a shared router for the building connected to the DSL line.. I think it was installed by Verizon. We have no access to it.
0
lrmoore commented:
So what is the default gateway for the LAN inside the PIX? Is it the PIX or is it this shared router, or is the PIX behind the router?
Could be a MTU thing on the "shared router" if it is in front of the PIX
Could be proxyarp if it is on the same LAN as the pix inside.

0
markps_1 (Author) commented:
The pix is behind this router... The router is for the building and the pix is in my office. I'll try to tweak the MTU and get back to you.. wow thanks a bunch!
0
markps_1 (Author) commented:
If the router is running at, let's say, MTU = 1300 bytes... since the pix is set to MTU 1500 bytes, would lowering the MTU at the pix be the correct approach?
0
Keith Alabaster (Enterprise Architect) commented:
The mtu can be set on each individual interface so you would have an mtu setting for inside and another for outside. As the attached devices on the outside interface will both sync to the lower value, setting it on the PIX is sufficient as the Verizon router should take on this value also.
0
markps_1 (Author) commented:
I don't have access to the router to test all those possibilities.. so I can't really confirm if it does work but it certainly makes sense that it should be the right answer.
0
Keith Alabaster (Enterprise Architect) commented:
Thanks Mark.
0