MOS2008 asked:
Weird Cisco ASA Firewall and IIS interaction -- Server not responding through firewall after reboot

Hey Everyone,

I've finally got one that after almost 2 weeks of work on the issue, I'm turning to you all for help.

My situation is that, after recently rebooting a particular Win2003/IIS6 farm, I noticed that the servers stopped responding to HTTP requests. Of course, there are 4 servers in the load balancer, so I stopped after rebooting 2. I investigated the issue, and have not been able to get these two servers back up except by changing the NAT entry on the firewall to a different internal and external IP. Then it works again until I reset IIS, or reboot the server.

These servers have a considerable amount of small sites on them, 400+ I would say. Of course the MaxEndPoints Registry key has been tweaked, nothing has really changed.

The ASA's are 5540's in a high availability pair, running 8.0(2)k18 (I also tried 8.0(3))

We've reloaded the firewalls, the routers, etc, with no luck to this point, and we have several other IIS6 farms that were not affected at all, only this farm of 4 servers.

NMAP reveals this when hitting the servers that do not work:

Not shown: 1714 closed ports
PORT   STATE    SERVICE VERSION
80/tcp filtered http

Can anyone think of any reason at all on the firewall, that would cause it to stop responding, or show filtered on port 80? The other servers show 80/tcp OPEN http..

Thanks for any help, I've even hit Cisco TAC and Microsoft on this one with no results thus far. :(
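The Nmap result above hinges on the difference between "filtered" (no SYN-ACK and no RST came back, so something in the path dropped the SYN) and "closed" (the host answered with a RST, so the path is fine but nothing is listening). The following is an added example, not code from this thread or from any of the products named in it: it reproduces that three-way classification with a plain TCP connect, so the same check can be run from inside the firewall against the server's real address and from outside against its NAT'd address, and the two results combined into a first-cut localization of where port 80 stops answering after a reboot. The addresses in the `__main__` block are documentation placeholders, and the diagnosis labels are this example's own, not Nmap's.

```python
"""TCP reachability classifier for a web tier behind a firewall (added example)."""
import socket
from typing import Dict

# Which vantage-point combinations point where. Labels are this example's own.
HEALTHY = "healthy"
FIREWALL_PATH = "dropped between outside and server (NAT, ACL or ARP on the firewall/LB path)"
SERVER_SIDE = "server not answering even from inside (host firewall or binding problem)"
NOT_LISTENING = "host reachable but nothing listening on the port (HTTP.sys/IIS down)"
INCONCLUSIVE = "inconclusive"


def classify_exception(exc: BaseException) -> str:
    """Map a connect() failure to the Nmap-style state it corresponds to."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"      # no SYN-ACK and no RST: the SYN was dropped somewhere
    if isinstance(exc, ConnectionRefusedError):
        return "closed"        # RST came back: host reachable, nothing bound to the port
    if isinstance(exc, OSError):
        return "unreachable"   # no route / network down: a routing problem, not a drop
    return "error"


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed', 'filtered', 'unreachable' or 'error' for host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # SYN-ACK received: the full path and the listener work
    except Exception as exc:   # noqa: BLE001 - every failure mode is classified below
        return classify_exception(exc)
    finally:
        sock.close()


def diagnose(from_inside: str, from_outside: str) -> str:
    """Combine a probe from inside the firewall with one from outside."""
    if from_inside == "open" and from_outside == "open":
        return HEALTHY
    if from_inside == "open" and from_outside == "filtered":
        return FIREWALL_PATH   # server fine, drop happens between outside and server
    if from_inside == "filtered":
        return SERVER_SIDE     # even the inside probe gets no answer
    if from_inside == "closed":
        return NOT_LISTENING
    return INCONCLUSIVE


def local_selftest() -> Dict[str, str]:
    """Offline demo: a loopback listener reads 'open'; the same port after close reads 'closed'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # constructed: ephemeral port on loopback
    srv.listen(1)
    port = srv.getsockname()[1]
    results = {"listening": probe("127.0.0.1", port, 1.0)}
    srv.close()
    results["after_close"] = probe("127.0.0.1", port, 1.0)
    return results


if __name__ == "__main__":
    print(local_selftest())
    # Placeholder addresses (RFC 5737 documentation ranges); substitute your own.
    inside = probe("192.0.2.10", 80)        # server's real address, run from inside
    outside = probe("198.51.100.10", 80)    # server's NAT'd address, run from outside
    print("inside=%s outside=%s -> %s" % (inside, outside, diagnose(inside, outside)))
```

Run it once from a host on the inside segment and once from outside, and compare: an "open" inside with a "filtered" outside says the server and IIS are healthy and the drop is on the firewall/LB path, which is where a stale NAT translation or a bad ARP entry would show up; a "filtered" from inside as well points back at the server, and a "closed" from either side means the host answered but HTTP is simply not bound.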
ASKER CERTIFIED SOLUTION: Les Moore

MOS2008 (ASKER):
Hey lrmoore, long time no chat..

It actually isn't incorrect.. all is pointed to the correct locations, we don't have any VLAN's in our network to complicate things, either. :(

The LB's are pointed to the ASA Firewalls, the Servers are pointed to the LB's, the ASA Firewalls are pointed to the Cisco Routers (7201's)
Les Moore:
Then it sounds like proxy ARP gone bad on the LB's. What are you using for the LB?
Have you tried disabling proxyarp on the ASA interface (that the LB's are attached to, not the outside interface)

Highly recommend ASA OS 8.0(3)19 and ASDM 6.11, but I can't see the ASA or router as being the problem...

MOS2008 (ASKER):
The LB's are Citrix Netscaler 9000 series..

ProxyArp is actually disabled for the inside interface already.. Thanks for the quick responses...

I actually have been testing, eliminating the load balancer altogether, and going directly to the ASA's from the server. We have it set up so you can reach the individual servers themselves, bypassing the LB for internal testing. When browsing to those pages, I am also getting no response, which should eliminate the LB's, right?

Keep in mind if I move these servers in front of the firewall and assign them a static, they work perfectly.. It keeps leading me back to the ASA's. :(
Les Moore:
Do you have inspect esmtp enabled on the ASA? There were some bugs early on that enabling this (by default) caused some really weird issues....
If you can post the config here, or up on http://www.ee-stuff.com then I can take a look at it..
I certainly don't see anything that jumps out at me that could possibly cause this.
You might try removing the ATTACKPOLICY from the inside interface
  no ip audit interface inside ATTACKPOLICY

Q: Does ASDM work even with all the Alias commands?
MOS2008 (ASKER):
Never figured it out, but thanks for the help!