Solved

Lost Ping Packets and VPN connection goes down after a short while through a PIX 501 Firewall.

Posted on 2006-04-14
Last Modified: 2013-11-16
I have a PIX 501 Firewall, 8MB flash and 16MB RAM. I'm losing about 20% of ping packets and the VPN is working very poorly. Any clue what the problem is? This is a 5-computer network.

I've replaced a few things with -------- for security purposes.

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ------------- encrypted
passwd ---------------- encrypted
hostname pix
domain-name --------------------
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list blablabla permit icmp any any
access-list blablabla permit tcp any host ----------out ip----------- eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside ----------out ip----------- 255.255.255.224
ip address inside 192.168.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.100.1-192.168.100.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 ---------out ip-----------
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ----------out ip------------ 192.168.0.1 netmask 255.255.255.255 0 0
access-group blablabla in interface outside
route outside 0.0.0.0 0.0.0.0 --------out ip------------- 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console -------
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local bigpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool bigpool
vpngroup vpn3000 dns-server 192.168.0.1
vpngroup vpn3000 wins-server 192.168.0.1
vpngroup vpn3000 default-domain ----------------
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password --------------
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
vpdn username susumu password susumu
vpdn enable outside
terminal width 80



Thanks!
Question by:markps_1
21 Comments
 
LVL 8

Author Comment

by:markps_1
ID: 16459074
"--------out ip-------------" is the outside IP address that I've removed..
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16459154
What are the interface settings on your Pix? Do they match the connected devices in respect to speed and duplex setting?

If you have a support/service agreement, it could be well worth upgrading to 6.3(5) for your IOS. there are a lot of improvements especially in the area of interface settings and VPN connectivity.

0
 
LVL 8

Author Comment

by:markps_1
ID: 16459164
Everything is running at 100 Mbps full duplex.  Do you know if the PIX 501 supports that?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16459246
Certainly does on 6.3(5). Didn't see the config lines in your post above; some of the earlier versions didn't support 100full on the outside. Does doing a sh int confirm those settings (100full or auto)?
0
 
LVL 8

Author Comment

by:markps_1
ID: 16459290
oops, auto.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1200 total points
ID: 16459297
I think you may find that 100full is only an option on one of the interfaces (inside). Check the settings on the device that the outside PIX interface connects to. :)
0
 
LVL 8

Author Comment

by:markps_1
ID: 16459324
I've run the SH Int... and it shows... interface ethernet0 (outside) is in Half Duplex, and interface ethernet1 (inside) is in Full Duplex. Could that be the source of the problem?


interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is ---------------------------
  MTU 1500 bytes, BW 10000 Kbit half duplex
        976758 packets input, 381010658 bytes, 0 no buffer
        Received 498091 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        409459 packets output, 124329630 bytes, 0 underruns
        0 output errors, 583 collisions, 0 interface resets
        0 babbles, 0 late collisions, 2770 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/5)
        output queue (curr/max blocks): hardware (0/10) software (0/7)

interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is -----------------
  MTU 1500 bytes, BW 10000 Kbit full duplex
        416263 packets input, 115683764 bytes, 0 no buffer
        Received 8399 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        469278 packets output, 262596716 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/9)
        output queue (curr/max blocks): hardware (1/8) software (0/1)
0
 
LVL 8

Author Comment

by:markps_1
ID: 16459327
If it is... how do I fix it?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16459836
0 output errors, 583 collisions, 0 interface resets on the outside interface.

What is the outside interface of the PIX connected to? As mentioned above 6.3(5) allows full duplex 100Mb on both interfaces (yours are both at 10Mb).
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 800 total points
ID: 16460601
Outside interface does show a small number of collisions, but the ratio of collisions to total packets is so minor that it should not be a factor at all. It does depend on what you are connecting the outside interface to. Hub= half duplex, switch=full duplex, x-over to cable modem=auto
Can you explain exactly how the outside interface connects to the world? DSL? Cable? Other?
 
If the VPN connection works at all it is typically not a configuration problem.
What version Cisco VPN client are you using? 4.6 has issues, latest is 4.8
What OS on the client? XP/SP2 has issues with many earlier versions of VPN client.

>access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
>nat (inside) 0 access-list 101
>vpngroup vpn3000 split-tunnel 101

You can see above that you have the same acl applied to two very distinct processes. We highly encourage using separate acls for separate processes. The acls can be identical, just with different names, numbers to make it more efficient.

access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 101
vpngroup vpn3000 split-tunnel 102

>ip address inside 192.168.0.2 255.255.255.0
Your local LAN subnet is 192.168.0.0/24
What is the local LAN subnet of the client that is having problems? If it is also 192.168.0.0 then you have known issues and nothing you can do except change one subnet. Theirs might be easier unless they are using Microsoft ICS and then they are stuck with 192.168.0.0 and cannot change it. I strongly discourage anyone from using 192.168.0.0 or 192.168.1.0 for subnets inside any firewall or other device if they ever hope to have users connecting via VPN.

0
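An added example (not from this thread or from Cisco) that parses PIX 6.x "show interface" output and applies the reasoning lrmoore uses above: half duplex is worth noting, late collisions would point at a duplex mismatch, and collisions are judged as a ratio of packets output. The sample text is the two blocks markps_1 posted, trimmed to the counters the parser reads; the 1% collision-ratio threshold is an assumption.

```python
import re

# Constructed sample: the two "sh int" blocks posted in this thread, trimmed
# to the counters this parser reads (the real output has more lines each).
SAMPLE_SHOW_INT = """\
interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 10000 Kbit half duplex
        409459 packets output, 124329630 bytes, 0 underruns
        0 output errors, 583 collisions, 0 interface resets
        0 babbles, 0 late collisions, 2770 deferred

interface ethernet1 "inside" is up, line protocol is up
  MTU 1500 bytes, BW 10000 Kbit full duplex
        469278 packets output, 262596716 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
"""

COUNTERS = ('packets output', 'collisions', 'late collisions', 'deferred')

def parse_show_interface(text):
    """One dict per interface: name, speed, duplex and the COUNTERS above."""
    ifaces = []
    for block in re.split(r'\n(?=interface )', text.strip()):
        head = re.match(r'interface \S+ "(\w+)" is', block)
        bw = re.search(r'BW (\d+) Kbit (half|full) duplex', block)
        if not head or not bw:
            continue  # not an interface block in the PIX 6.x layout
        entry = {'name': head.group(1), 'bw_kbit': int(bw.group(1)), 'duplex': bw.group(2)}
        for label in COUNTERS:  # counters appear as '<n> <label>'; absent reads as 0
            m = re.search(r'(\d+) ' + label + r'\b', block)
            entry[label.replace(' ', '_')] = int(m.group(1)) if m else 0
        ifaces.append(entry)
    return ifaces

def collision_ratio(iface):
    """Collisions per transmitted packet, the yardstick lrmoore applies above."""
    return iface['collisions'] / iface['packets_output'] if iface['packets_output'] else 0.0

def assess(iface, ratio_limit=0.01):
    """Findings for one interface; the 1% collision limit is an assumed threshold."""
    findings = []
    if iface['duplex'] == 'half':
        findings.append('half duplex')
    if iface['late_collisions']:
        findings.append('late collisions (classic duplex-mismatch symptom)')
    if collision_ratio(iface) > ratio_limit:
        findings.append(f'collision ratio {collision_ratio(iface):.2%} above {ratio_limit:.0%}')
    return findings
```

Run against the sample, the outside interface is flagged only for half duplex: 583 collisions over 409459 packets is about 0.14%, which is why lrmoore does not treat the collisions themselves as the cause.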
 
LVL 8

Author Comment

by:markps_1
ID: 16461369
I'm using Client 4.7 on XP/ SP2...
 what intrigues me is the number of ICMP packets getting lost, about 20% total. My client computer uses 192.168.1.0/24 so, no conflicts here.

I don't have access to what the firewall is connected to. I simply get a cable to the office and that's where I've connected the firewall. I know that this cable is connected to a port on an Internet router (probably one of those home routers, or maybe a Cisco).

So since I've discovered that I'm only running at 10MB half duplex out and full duplex in... Could that explain the lost ICMP packets and unstable VPN? Would you really recommend going through the trouble of upgrading the firmware?
0
 
LVL 8

Author Comment

by:markps_1
ID: 16461381
I'm connected using a verizon DSL.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16461404
lrmoore is likely the authority on Cisco in most of our eyes so I would definitely check out his suggestions first. The fact the configuration works means you might want to check the cables (including the link cable provided to your wall socket). You could also ask the people who control the verizon to see if they are seeing issues at their end as well.

The upgrade is certainly worthwhile to get the 100Mb full-duplex if nothing else, but I would be hard-pressed to guarantee it will fix the packet loss you are seeing.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16461500
>PIX Version 6.1(2)
This is very old code and you could indeed see many improvements if you upgrade. 6.3(5) is the latest/greatest. The PDM GUI is definitely worth the upgrade by itself.
You have a very recent VPN client with 4.7 with very old PIX OS. It might be worth it to upgrade both the pix and the client.
Since you are connected DSL you may have a MTU issue. Use the SetMTU utility that loads with the Cisco VPN client and set the MTU to 1300 if it isn't already.

Is there anything else on the network like another router or anything? I've seen proxyarp do some weird stuff....
0
 
LVL 8

Author Comment

by:markps_1
ID: 16462276
Hi lrmoore,
  Yes there is a shared router for the building connected to the DSL line.. I think it was installed by Verizon. We have no access to it.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16462392
So what is the default gateway for the LAN inside the PIX? Is it the PIX or is it this shared router, or is the PIX behind the router?
Could be a MTU thing on the "shared router" if it is in front of the PIX
Could be proxyarp if it is on the same LAN as the pix inside.

0
 
LVL 8

Author Comment

by:markps_1
ID: 16462402
The pix is behind this router... The router is for the building and the pix is in my office. I'll try to tweak the MTU and get back to you.. wow thanks a bunch!
0
 
LVL 8

Author Comment

by:markps_1
ID: 16462406
If the router is running at, let's say... MTU = 1300 bytes... since the pix is set to MTU 1500 bytes, would lowering the MTU at the pix be the correct approach?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16463244
The mtu can be set on each individual interface so you would have an mtu setting for inside and another for outside. As the attached devices on the outside interface will both sync to the lower value, setting it on the PIX is sufficient as the Verizon router should take on this value also.
0
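A worked size calculation, added here and not part of the thread, for the MTU question lrmoore and Keith discuss: it uses the standard ESP tunnel-mode overheads for the transform set in the posted config (esp-des esp-md5-hmac) to show why a 1500-byte client packet cannot cross a DSL link unfragmented and how much margin the SetMTU value of 1300 leaves. The PPPoE uplink (1492-byte path MTU) and the optional UDP encapsulation are assumptions, not facts from the thread.

```python
# Standard ESP tunnel-mode overheads for the transform set in the posted config
# (crypto ipsec transform-set myset esp-des esp-md5-hmac), in bytes.
OUTER_IPV4 = 20    # new outer IP header added in tunnel mode
ESP_HEADER = 8     # SPI + sequence number
DES_IV = 8         # explicit CBC IV, one DES block
DES_BLOCK = 8      # payload + trailer are padded to a multiple of this
ESP_TRAILER = 2    # pad length + next header
MD5_96_ICV = 12    # truncated HMAC-MD5 authenticator
UDP_ENCAP = 8      # only if ESP is wrapped in UDP (assumed option, not on the page)
PPPOE = 8          # PPPoE + PPP headers on a DSL uplink (assumption)
DSL_LINK_MTU = 1500 - PPPOE   # 1492, the usual PPPoE path MTU

def esp_tunnel_size(inner_len, udp_encap=False):
    """Bytes on the wire after an inner IP packet of inner_len bytes is ESP-encapsulated."""
    padded = inner_len + ESP_TRAILER
    padded += (-padded) % DES_BLOCK          # ESP padding up to the cipher block size
    size = OUTER_IPV4 + ESP_HEADER + DES_IV + padded + MD5_96_ICV
    return size + (UDP_ENCAP if udp_encap else 0)

def fits(inner_len, link_mtu=DSL_LINK_MTU, udp_encap=False):
    """True if the encapsulated packet crosses the link without fragmentation."""
    return esp_tunnel_size(inner_len, udp_encap) <= link_mtu

def largest_inner_mtu(link_mtu=DSL_LINK_MTU, udp_encap=False):
    """Largest client-side MTU whose packets still fit link_mtu after encapsulation."""
    inner = link_mtu
    while inner > 0 and not fits(inner, link_mtu, udp_encap):
        inner -= 1
    return inner
```

With these numbers a 1500-byte inner packet becomes 1552 bytes on the wire and a 1300-byte one 1352, so 1300 clears a 1492-byte PPPoE path by a wide margin even if UDP encapsulation adds another 8 bytes.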
 
LVL 8

Author Comment

by:markps_1
ID: 16517320
I don't have access to the router to test all those possibilities.. so I can't really confirm if it does work, but it certainly makes sense that it should be the right answer.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16517874
Thanks Mark.
0