markps_1 asked:
Lost Ping Packets and VPN connection goes down after a short while through a PIX 501 Firewall.

I have a PIX 501 Firewall with 8MB flash and 16MB RAM. I'm losing about 20% of ping packets and the VPN is working very poorly. Any clue what the problem is? This is a 5-computer network.

I've replaced a few things with -------- for security purposes.

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ------------- encrypted
passwd ---------------- encrypted
hostname pix
domain-name --------------------
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list blablabla permit icmp any any
access-list blablabla permit tcp any host ----------out ip----------- eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside ----------out ip----------- 255.255.255.224
ip address inside 192.168.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.100.1-192.168.100.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 ---------out ip-----------
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ----------out ip------------ 192.168.0.1 netmask 255.255.255.255 0 0
access-group blablabla in interface outside
route outside 0.0.0.0 0.0.0.0 --------out ip------------- 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console -------
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local bigpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool bigpool
vpngroup vpn3000 dns-server 192.168.0.1
vpngroup vpn3000 wins-server 192.168.0.1
vpngroup vpn3000 default-domain ----------------
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password --------------
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
vpdn username susumu password susumu
vpdn enable outside
terminal width 80

Thanks!
markps_1 (asker):
"--------out ip-------------" is the outside IP address that I've removed..
Keith Alabaster:
What are the interface settings on your Pix? Do they match the connected devices in respect to speed and duplex setting?

If you have a support/service agreement, it could be well worth upgrading to 6.3(5) for your IOS. There are a lot of improvements, especially in the area of interface settings and VPN connectivity.

Everything is running at 100 Mbps full duplex.  Do you know if the PIX 501 supports that?
Certainly does on 6.3(5). Didn't see the config lines in your post above; some of the earlier versions didn't support 100full on the outside. Doing a sh int confirms those settings, does it (100full or auto)?
oops, auto.
ASKER CERTIFIED SOLUTION (Keith Alabaster; members-only content not shown)
I've run the sh int... and it shows interface ethernet0 (outside) is in half duplex and interface ethernet1 (inside) is in full duplex. Could that be the source of the problem?

interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is ---------------------------
  MTU 1500 bytes, BW 10000 Kbit half duplex
        976758 packets input, 381010658 bytes, 0 no buffer
        Received 498091 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        409459 packets output, 124329630 bytes, 0 underruns
        0 output errors, 583 collisions, 0 interface resets
        0 babbles, 0 late collisions, 2770 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/5)
        output queue (curr/max blocks): hardware (0/10) software (0/7)

interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is -----------------
  MTU 1500 bytes, BW 10000 Kbit full duplex
        416263 packets input, 115683764 bytes, 0 no buffer
        Received 8399 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        469278 packets output, 262596716 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/9)
        output queue (curr/max blocks): hardware (1/8) software (0/1)
If it is... how do I fix it?
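Added example, not from the thread: a small Python parser for the PIX 6.x `show interface` layout posted above that pulls out duplex, MTU, negotiated bandwidth and the counters Keith points at, then flags the half-duplex/collision pattern seen on ethernet0. The sample text is constructed in that layout (trimmed to the lines the parser reads); the regexes assume the 6.x wording shown in the post.

```python
import re

# Constructed sample in the PIX 6.x "show interface" layout (same fields as the
# post above, trimmed to the lines the parser needs).
SAMPLE = """\
interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 583 collisions, 0 interface resets
        0 babbles, 0 late collisions, 2770 deferred

interface ethernet1 "inside" is up, line protocol is up
  MTU 1500 bytes, BW 10000 Kbit full duplex
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
"""

HEADER = re.compile(r'^interface (\S+) "(\w+)" is (\w+), line protocol is (\w+)')
LINK = re.compile(r"MTU (\d+) bytes, BW (\d+) Kbit (half|full) duplex")
COUNTER = re.compile(r"(\d+) (input errors|CRC|output errors|late collisions|collisions|deferred)")

def parse_show_interface(text):
    """Return {hw_name: {nameif, up, mtu, bw_kbit, duplex, <counter>: int}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"nameif": m.group(2), "up": (m.group(3), m.group(4)) == ("up", "up")}
            ifaces[m.group(1)] = cur
            continue
        if cur is None:
            continue
        m = LINK.search(line)
        if m:
            cur.update(mtu=int(m.group(1)), bw_kbit=int(m.group(2)), duplex=m.group(3))
            continue
        for n, label in COUNTER.findall(line):  # counter lines read "<n> <label>, ..."
            cur[label] = int(n)
    return ifaces

def assess(iface):
    """Flag the symptoms discussed in the thread: half duplex with collisions/deferrals, late collisions or CRC errors, and a 10 Mbit link."""
    findings = []
    if iface.get("duplex") == "half" and (iface.get("collisions", 0) or iface.get("deferred", 0)):
        findings.append("half duplex with collisions/deferred: verify speed/duplex on the attached device")
    if iface.get("late collisions", 0) or iface.get("CRC", 0) or iface.get("input errors", 0):
        findings.append("late collisions or CRC/input errors: cabling fault or duplex mismatch")
    if iface.get("bw_kbit") == 10000:
        findings.append("link at 10 Mbit: check auto/forced settings on both ends (6.3(5) supports 100full)")
    return findings
```

Run `parse_show_interface` on the real `show interface` output and feed each interface to `assess`; an empty list means none of the patterns above were seen.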
0 output errors, 583 collisions, 0 interface resets on the outside interface.

What is the outside interface of the PIX connected to? As mentioned above 6.3(5) allows full duplex 100Mb on both interfaces (yours are both at 10Mb).
SOLUTION (members-only content not shown)
I'm using Client 4.7 on XP/SP2...
What intrigues me is the number of ICMP packets getting lost, about 20% total. My client computer uses 192.168.1.0/24 so, no conflicts here.

I don't have access to what the firewall is connected to. I simply get a cable to the office and that's where I've connected the firewall. I know that this cable is connected to a port on an internet router (probably one of those home routers, or maybe a Cisco).

So since I've discovered that I'm only running at 10MB half duplex out and full duplex in... Could that explain the lost ICMP packets and unstable VPN? Would you really recommend going through the trouble of upgrading the firmware?
I'm connected using a Verizon DSL.
lrmoore is likely the authority on Cisco in most of our eyes so I would definitely check out his suggestions first. The fact the configuration works means you might want to check the cables (including the link cable provided to your wall socket). You could also ask the people who control the verizon to see if they are seeing issues at their end as well.

The upgrade is certainly worthwhile to get the 100Mb full-duplex if nothing else, but I would be hard-pressed to guarantee it will fix the packet loss you are seeing.
>PIX Version 6.1(2)
This is very old code and you could indeed see many improvements if you upgrade. 6.3(5) is the latest/greatest. The PDM GUI is definitely worth the upgrade by itself.
You have a very recent VPN client with 4.7 with a very old PIX OS. It might be worth it to upgrade both the PIX and the client.
Since you are connected via DSL you may have an MTU issue. Use the SetMTU utility that loads with the Cisco VPN client and set the MTU to 1300 if it isn't already.

Is there anything else on the network like another router or anything? I've seen proxyarp do some weird stuff....
Hi lrmoore,
Yes, there is a shared router for the building connected to the DSL line. I think it was installed by Verizon. We have no access to it.
So what is the default gateway for the LAN inside the PIX? Is it the PIX or is it this shared router, or is the PIX behind the router?
Could be an MTU thing on the "shared router" if it is in front of the PIX.
Could be proxyarp if it is on the same LAN as the pix inside.

The PIX is behind this router... The router is for the building and the PIX is in my office. I'll try to tweak the MTU and get back to you.. wow, thanks a bunch!
If the router is running at, let's say, MTU = 1300 bytes... since the PIX is set to MTU 1500 bytes, would lowering the MTU at the PIX be the correct approach?
The mtu can be set on each individual interface so you would have an mtu setting for inside and another for outside. As the attached devices on the outside interface will both sync to the lower value, setting it on the PIX is sufficient as the Verizon router should take on this value also.
I don't have access to the router to test all those possibilities.. so I can't really confirm if it does work, but it certainly makes sense that it should be the right answer.
Thanks Mark.