Website on the DMZ webserver goes down once or twice a day and clear xlate fixes it temporarily. Please HELP.. Urgent

Hi All,
I have a PIX 515 which has been fine, but for the last couple of months we have had a problem. The websites on the DMZ (hosted on an IIS 6 server) work fine for some time and then just cannot be browsed; then I have to do clear xlate on the PIX and they start working. This happens at least once a day. Please help; it is quite urgent to resolve.

Thanks in Advance

Ibrahim

Here is my running config and sh xlate:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 dmz2 security40
nameif ethernet4 dmz3 security60
nameif ethernet5 intf5 security10
enable password c33/ReydnxbjCR/c encrypted
passwd 8nVXX8wCPMGs52kY encrypted
hostname PAS001
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.33 intsql
name 213.**9.**9.*10 dmzsqlalias
access-list internal_net permit icmp any any echo-reply
access-list internal_net permit tcp any host 213.**9.1**.109 eq www
access-list internal_net permit tcp any host 213.**9.1**.109  eq https
access-list internal_net permit tcp any host 213.**9.1**.1*8 eq ftp
access-list internal_net permit tcp any host 213.**9.1**.109  eq ftp
access-list internal_net permit tcp any host dmzsqlalias eq www
access-list internal_net permit tcp any host dmzsqlalias eq https
access-list internal_net permit tcp any host dmzsqlalias eq ftp
access-list internal_net permit tcp any host 192.168.1.0 eq telnet
access-list internal_net permit tcp any host 213.**9.1**.1*8 eq smtp
access-list internal_net permit tcp any host 213.**9.1**.1*4 eq www
access-list internal_net permit tcp any host 213.**9.1**.1*4 eq ftp
access-list internal_net permit tcp any host 213.**9.1**.1*4 eq https
access-list internal_net permit tcp any host 213.**.1**.1*5 eq smtp
access-list internal_net permit tcp any host 213.**.1**.1*5 eq www
access-list internal_net permit tcp any host 213.**.1**.1*5 eq https
access-list internal_net permit tcp any host 213.**.1**.1*5 eq telnet
access-list internal_net permit tcp any host 213.**.1**.1*5 eq ftp
access-list internal_net permit tcp any host 213.**.1**.1*5 eq pop3
access-list internal_net permit tcp any host 213.**9.1**.1*8 eq www
access-list internal_net permit tcp any host 213.**9.1**.1*8 eq https
access-list internal_net permit tcp any host 213.**9.1**.1*6 eq www
access-list internal_net permit tcp any host 213.**9.1**.1*6 eq https
access-list internal_net permit tcp any host 213.**9.1**.1*6 eq ftp
access-list internal_net permit tcp any host 213.**9.1**.1*7 eq www
access-list internal_net permit tcp any host 213.**9.1**.1*7 eq https
access-list internal_net permit tcp any host 213.**9.1**.1*7 eq ftp
access-list internal_net permit tcp any host dmzsqlalias eq 990
access-list internal_net permit tcp any host 8*.10*.1**.**4 eq pptp
access-list internal_net permit gre any host 8*.10*.1**.**4
access-list internal_net permit tcp any host 8*.10*.1**.**5 eq www
access-list internal_net permit tcp any host 8*.10*.1**.**5 eq https
access-list internal_net permit tcp any host 213.**9.1**.1*8 eq pop3
access-list internal_net permit tcp any host 213.**9.1**.1*8 eq 995
access-list internal_net permit tcp any host 213.**9.1**.1*8 eq 993
access-list internal_net permit tcp any host 213.**9.1**.1*8 eq 587
access-list internal_net permit tcp any host 213.**9.1**.1*8 eq imap4
access-list internal_net permit tcp any host 213.**.1**.1*5  eq domain
access-list internal_net permit udp any host 213.**.1**.1*5 eq domain
access-list internal_net permit tcp any host 8*.10*.1**.**6 eq www
access-list internal_net permit tcp any host 8*.10*.1**.**6 eq https
access-list internal_net permit tcp any host 8*.10*.1**.**6 eq ftp
access-list internal_net permit tcp any host 8*.10*.1**.**7 eq www
access-list internal_net permit tcp any host 8*.10*.1**.**7 eq https
access-list internal_net permit tcp any host 8*.10*.1**.**7 eq ftp
access-list dmz_access_in permit ip host 192.168.2.2 any
access-list dmz_access_in permit ip host 192.168.2.3 any
access-list dmz_access_in permit icmp any any
access-list dmz_access_in permit tcp host 192.168.2.3 host 192.168.3.2 eq 2282
access-list dmz_access_in permit tcp host dmzsqlalias host 192.168.3.2 eq 2282
access-list dmz_access_in permit tcp host 192.168.2.2 host 192.168.4.3 eq 31438
access-list dmz_access_in permit ip host 192.168.2.4 any
access-list dmz_access_in permit ip host 192.168.2.5 any
access-list dmz_access_in permit tcp host 192.168.2.5 host 192.168.3.4 eq 2289
access-list dmz_access_in permit tcp host 213.**.1**.1*6 host 192.168.3.4 eq 2289
access-list dmz_access_in permit ip host 192.168.2.6 any
access-list dmz_access_in permit tcp host 192.168.2.2 host 192.168.3.5 eq 3050
access-list dmz_access_in permit tcp host 192.168.2.2 host 192.168.3.5 eq 3051
access-list dmz_access_in permit ip host 192.168.2.7 any
access-list dmz_access_in permit ip host 192.168.2.8 any
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list dmz2_access_in permit ip host 192.168.3.2 host 192.168.2.3
access-list dmz2_access_in permit icmp any any
access-list dmz2_access_in permit ip host 192.168.3.2 192.168.7.0 255.255.255.0
access-list dmz2_access_in permit ip host 192.168.3.2 192.168.1.0 255.255.255.0
access-list dmz2_access_in permit ip host 192.168.3.4 any
access-list dmz2_access_in permit ip host 192.168.3.5 any
access-list dmz2_access_in permit ip host 192.168.3.6 any
access-list vpnacl permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0

access-list vpnacl permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0

access-list vpnacl permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat_dmz permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list nonat_dmz2 permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list dmz3_access_in permit icmp any any
access-list dmz3_access_in permit ip host 192.168.4.3 any
pager lines 24
logging on
logging console alerts
logging monitor warnings
logging buffered warnings
logging trap errors
logging history warnings
logging host inside 192.168.1.*
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu dmz2 1500
mtu dmz3 1500
mtu intf5 1500
ip address outside 213.**.1**.1*6 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip address dmz2 192.168.3.1 255.255.255.0
ip address dmz3 192.168.4.1 255.255.255.0
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclients 192.168.7.1-192.168.7.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address dmz2
no failover ip address dmz3
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 213.**.1**.1*7 netmask 255.255.255.248
global (outside) 2 213.**.1**.1*8 netmask 255.255.255.248
nat (inside) 0 access-list nonat
nat (inside) 2 192.168.1.15 255.255.255.255 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 0 access-list nonat_dmz
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 0 access-list nonat_dmz2
nat (dmz2) 0 0.0.0.0 0.0.0.0 0 0
alias (inside) dmzsqlalias 192.168.2.3 255.255.255.255
alias (inside) 213.**.1**.1*9 192.168.2.4 255.255.255.255
alias (inside) 213.**.1**.1*6 192.168.2.5 255.255.255.255
alias (inside) 213.**.1**.1*7 192.168.3.4 255.255.255.255
alias (inside) 213.**.1**.1*4 192.168.2.2 255.255.255.255
alias (inside) 8*.10*.1**.**6 192.168.2.7 255.255.255.255
alias (inside) 8*.10*.1**.**7 192.168.2.8 255.255.255.255
static (inside,outside) tcp 213.**.1**.1*8 smtp 192.168.1.16 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 213.**.1**.1*8 www 192.168.1.15 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 213.**.1**.1*8 https 192.168.1.15 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 213.**.1**.1*8 pop3 192.168.1.15 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 213.**.1**.1*8 imap4 192.168.1.15 imap4 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) dmzsqlalias 192.168.2.3 netmask 255.255.255.255 0 0
static (dmz,dmz2) 192.168.2.3 192.168.2.3 netmask 255.255.255.255 0 0
static (dmz,outside) 213.**.1**.1*9 192.168.2.4 netmask 255.255.255.255 0 0
static (dmz3,outside) 213.**.1**.1*5 192.168.4.3 netmask 255.255.255.255 0 0
static (dmz,outside) 213.**.1**.1*6 192.168.2.5 netmask 255.255.255.255 0 0
static (dmz2,outside) 213.**.1**.1*7 192.168.3.4 netmask 255.255.255.255 0 0
static (dmz,outside) 213.**.1**.1*4 192.168.2.2 netmask 255.255.255.255 0 0
static (dmz,outside) 213.**.1**.1*15 192.168.2.6 netmask 255.255.255.255 0 0
static (dmz,outside) 8*.10*.1**.**6 192.168.2.7 netmask 255.255.255.255 0 0
static (dmz,outside) 8*.10*.1**.**7 192.168.2.8 netmask 255.255.255.255 0 0
access-group internal_net in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group dmz2_access_in in interface dmz2
timeout xlate 3:00:00
timeout conn 5:00:00 half-closed 1193:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.1.23 cisco123 timeout 10
aaa-server tacacs+ protocol tacacs+
aaa-server radius protocol radius
url-server (inside) vendor websense host 192.168.1.27 timeout 15 protocol TCP version 1
filter url except 0.0.0.0 0.0.0.0 192.168.2.9 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 192.168.2.8 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 192.168.2.7 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 8*.10*.1**.**7 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 213.**.1**.1*9  255.255.255.255
filter url except 0.0.0.0 0.0.0.0 192.168.2.2 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 dmzsqlalias 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 192.168.2.3 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 192.168.2.4 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 213.**.1**.1*4 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 192.168.2.5 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 192.168.2.6 255.255.255.255
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
snmp-server host inside 192.168.1.*
snmp-server location Personal-Group
snmp-server contact network Security
snmp-server community raj-515-comms
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt nodnsalias inbound
crypto ipsec transform-set tripledes esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set tripledes
crypto dynamic-map dynmap 10 set transform-set myset
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 10
isakmp client configuration address-pool local vpnclients outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPNgrp1 address-pool vpnclients
vpngroup VPNgrp1 dns-server 192.168.1.22
vpngroup VPNgrp1 wins-server 192.168.1.22
vpngroup VPNgrp1 default-domain *******.com
vpngroup VPNgrp1 split-tunnel vpnacl
vpngroup VPNgrp1 idle-time 1800
vpngroup VPNgrp1 password ********
vpngroup vpngrp1 default-domain **********.com
vpngroup vpngrp1 idle-time 1800
vpngroup vpngrp1 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
banner motd Warning:
Cryptochecksum:8bc5b503bcb446598dc055c3a3a5854a
: end
PAS001#
 

SHOW  XLATE

PAT Global 213.**9.1**.1*7 (43261) Local 192.168.1.16(42493)
PAT Global 213.**9.1**.1*7 (43260) Local 192.168.1.16(42492)

PAT Global 213.**9.1**.1*7 (43331) Local 192.168.1.16(42699)
PAT Global 213.**9.1**.1*7 (10600) Local 192.168.1.54(2752)
PAT Global 213.**9.1**.1*7 (10598) Local 192.168.1.54(2750)
PAT Global 213.**9.1**.1*7 (10597) Local 192.168.1.54(2749)

Global 8*.10*.1**.**7 Local 192.168.2.8
Global 8*.10*.1**.**7 Local 192.168.2.8

PAT Global 213.**9.1**.1*7 (671) Local 192.168.1.171(4627)
PAT Global 213.**9.1**.1*7 (43700) Local 192.168.1.16(43778)
PAT Global 213.**9.1**.1*7 (11262) Local 192.168.1.16(41538)
PAT Global 213.**9.1**.1*7 (42404) Local 192.168.1.16(40226)
PAT Global 213.**9.1**.1*7 (9575) Local 192.168.1.57(2631)
PAT Global 213.**9.1**.1*7 (47281) Local 192.168.1.194(1314)
PAT Global 213.**9.1**.1*7 (14506) Local 192.168.1.16(49789)
PAT Global 213.**9.1**.1*7 (48658) Local 192.168.1.16(34283)

PAT Global 213.**9.1**.1*8(143) Local 192.168.1.15(143)
PAT Global 213.**9.1**.1*8 (25) Local 192.168.1.16(25)

PAT Global 213.**9.1**.1*8 (443) Local 192.168.1.15(443)

PAT Global 213.**9.1**.1*7 (14506) Local 192.168.1.16(49789)
PAT Global 213.**9.1**.1*7 (16123) Local 192.168.1.194(1966)
PAT Global 213.**9.1**.1*7 (16107) Local 192.168.1.16(53371)
PAT Global 213.**9.1**.1*7 (48759) Local 192.168.1.16(56993)
PAT Global 213.**9.1**.1*7 (48658) Local 192.168.1.16(34283)

PAT Global 213.**9.1**.1*8(143) Local 192.168.1.15(143)
PAT Global 213.**9.1**.1*8(25) Local 192.168.1.16(25)
PAT Global 213.**9.1**.1*8(443) Local 192.168.1.15(443)

Global 213.**9.1**.1*4 Local 192.168.2.2
Global 213.**9.1**.1*4 Local 192.168.2.2

Global 8*.10*.1**.**5  Local 192.168.2.6

PAT Global 213.**9.1**.1*7 (35265) Local 192.168.1.16(49374)
PAT Global 213.**9.1**.1*7 (2552) Local 192.168.1.16(55449)
PAT Global 213.**9.1**.1*7 (2487) Local 192.168.1.16(35210)
PAT Global 213.**9.1**.1*7 (2472) Local 192.168.1.16(41973)
IbrahimkhanAsked:
grbladesCommented:
First thing I would do is upgrade the PIX. 6.3(1) is quite old and you should upgrade to 6.3(4) or later if it is available.

What does 'show xlate' display when things stop working?
IbrahimkhanAuthor Commented:
I can try upgrading to a new version, but it had been working fine; it is just in the last few weeks that it started this problem.
xlate shows the same as what I copied there.
grbladesCommented:
My initial thoughts were that it could be rogue traffic causing lots of entries in the xlate table, causing it to overload. However, as you say the 'show xlate' looks like that, it obviously doesn't have lots of entries.

There is no normal situation where it should stop working like that. The first step is really to upgrade to a later version, which fixes some known issues; it is possible that one of them is the cause of your problems.
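The xlate-table check grblades describes, as an added example that is not part of the thread: a small Python parser for PIX 6.3 'show xlate' output (the PAT and one-to-one line formats seen in the question) that counts PAT slots per inside host, so a host chewing through translations shows up before the table fills. The sample lines, addresses and the threshold are constructed for illustration, not taken from the poster's firewall.

```python
import re
from collections import Counter

# Constructed 'show xlate' output in the PIX 6.3 format shown in the thread
# (documentation/RFC1918 addresses, not the poster's real ones).
SAMPLE_XLATE = """\
PAT Global 198.51.100.7 (43261) Local 192.168.1.16(42493)
PAT Global 198.51.100.7 (43260) Local 192.168.1.16(42492)
PAT Global 198.51.100.7 (10600) Local 192.168.1.54(2752)
Global 198.51.100.4 Local 192.168.2.2
Global 198.51.100.4 Local 192.168.2.2
PAT Global 198.51.100.8(143) Local 192.168.1.15(143)
PAT Global 198.51.100.7 (671) Local 192.168.1.171(4627)
PAT Global 198.51.100.7 (9575) Local 192.168.1.16(2631)
"""

# PAT entries carry a port on both sides; static/one-to-one entries do not.
PAT_RE = re.compile(r"^PAT Global (\S+)\s*\((\d+)\) Local (\S+)\s*\((\d+)\)$")
STATIC_RE = re.compile(r"^Global (\S+) Local (\S+)$")

def parse_xlate(text):
    """Return (kind, global_ip, global_port, local_ip, local_port) tuples; ports are None for static entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PAT_RE.match(line)
        if m:
            entries.append(("PAT", m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
            continue
        m = STATIC_RE.match(line)
        if m:
            entries.append(("STATIC", m.group(1), None, m.group(2), None))
    return entries

def pat_count_per_local(entries):
    """Count PAT translations held by each inside host; a runaway host stands out here."""
    return Counter(e[3] for e in entries if e[0] == "PAT")

def noisy_hosts(entries, threshold):
    """Inside hosts holding at least `threshold` PAT slots on the shared global address."""
    return sorted(h for h, n in pat_count_per_local(entries).items() if n >= threshold)

if __name__ == "__main__":
    ents = parse_xlate(SAMPLE_XLATE)
    print(len(ents), "translations; hosts at or over 3 PAT slots:", noisy_hosts(ents, 3))
```

Run it against the saved 'show xlate' output from a bad period and a good one; a host whose count climbs between the two is the one to look at, whereas a flat, small table points away from the overload theory.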
IbrahimkhanAuthor Commented:
I am going to do the following; let's see if this resolves it.
1. Upgrade the PIX from 32MB to 64MB and see if this resolves the issue.
2. If the above doesn't work then I will try upgrading the IOS to 7.

I have ordered the extra memory and it is taking time to deliver; it might take a couple of days more.
Thanks
IbrahimkhanAuthor Commented:
I upgraded the PIX IOS from 6.3(1) to 6.3(5) and it fixed the problem.

Thanks