Cisco PIX 515E dropping connection with gateway, on outside interface

Posted on 2011-04-29
Last Modified: 2012-06-27

We have a Cisco PIX 515E, version 8.0(3), running for the past 4 years. Pretty simple config, I might say: 1 IPsec VPN tunnel, 2 NAT port forwards, 1 external IP, and about 50 PCs accessing the internet using it as a gateway.

During the last 3 months it started disconnecting from the gateway (no configuration changes were applied before). Basically the users would complain that they have no internet connection. I would then proceed to access the router via SSH or ASDM, where it showed everything working normally: the logs were OK, number of connections pretty low. I would then proceed to ping my default gateway and there was no reply. Clear xlate wouldn't do anything either. The only thing I could do to fix it would be to reload the router, and then everything was OK until the same happens every 2-3 hours, every day for the last 3 months. Pretty annoying.

It's been driving me insane. Is this an attack from the inside? Is it a hardware problem with the Cisco? If it was hardware, why does it fix itself after the reload?

This is why I need your help to do 2 things:

1. Fix the problem.
2. See if there's a way for the Cisco to reload when the gateway is unreachable (many routers support this). At least it would save me the trouble of having to log in to the router and reload it every time this happens!!

PIX Version 8.0(3) 
hostname cisco
interface Ethernet0
 nameif inside
 security-level 100
 ip address 
interface Ethernet1
 nameif outside
 security-level 0
 ip address wan 
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name XXX
object-group service rdp tcp
 port-object eq 3389
access-list LAN_Access_IN extended permit ip lan_net any log 
access-list LAN_Access_IN extended permit ip lan_net lan_netvpn log 
access-list WAN_access_IN extended permit tcp any host wan eq smtp log 
access-list WAN_access_IN extended permit tcp any host wan eq www log debugging 
access-list WAN_access_IN extended permit udp host vpn_tunnel host wan eq isakmp 
access-list WAN_access_IN extended permit icmp host vpn_tunnel host wan 
access-list WAN_access_IN extended permit esp host vpn_tunnel host wan 
access-list WAN_access_IN extended permit ip host vpn_tunnel host wan 
pager lines 24
logging enable
logging timestamp
logging monitor informational
logging trap debugging
logging asdm debugging
logging facility 16
logging host inside
mtu inside 1500
mtu outside 1500
ip local pool vpnpool mask
ip verify reverse-path interface outside
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list NONAT
nat (inside) 10 lan_net
static (inside,outside) tcp interface smtp mailsrv smtp netmask 
static (inside,outside) tcp interface 3389 terminalsrv 3389 netmask 
static (inside,outside) tcp interface www websrv www netmask 
access-group LAN_Access_IN in interface inside
access-group WAN_access_IN in interface outside
route outside wan_gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication http console LOCAL 
http server enable
http lan_net inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set vpn1 esp-des esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set vpn1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer vpn_tunnel 
crypto map outside_map 10 set transform-set vpn1
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet lan_net inside
telnet timeout 5
ssh lan_net inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd dns
dhcpd wins
dhcpd domain com.local
dhcpd address inside
dhcpd dns interface inside
dhcpd wins interface inside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address mailsrv
threat-detection scanning-threat shun except ip-address websrv
threat-detection statistics
ntp server prefer
group-policy comremoteaccess internal
group-policy comremoteaccess attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value comLanTunnel
 default-domain value
 address-pools value vpnpool
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 4
 vpn-idle-timeout none
 password-storage enable
 ipsec-udp enable
 address-pools value vpnpool
username administrator password xxxxxxxxxxxxxxx encrypted privilege 15
 vpn-group-policy comremoteaccess
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) vpnpool
 authentication-server-group (inside) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (inside) LOCAL
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group comvpn type remote-access
tunnel-group comvpn general-attributes
 address-pool vpnpool
 authentication-server-group (outside) LOCAL
 default-group-policy comremoteaccess
tunnel-group comvpn ipsec-attributes
 pre-shared-key *
tunnel-group xxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxxxx ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
class-map global-class
class-map tcp_syn
 match port udp range 1000 60000
class-map global-class1
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 description SMTP_out
prompt hostname context 
: end
asdm image flash:/asdm-603.bin
asdm location ciscosrv inside
asdm history enable


Question by: pekker
    LVL 12

    Expert Comment


    The Cisco PIX is not a router; it has routing capabilities, but it is primarily designed as a firewall.
    The problem with losing connectivity to the uplink router could be a memory leak in the 8.0.3 software. Try upgrading to 8.0.4, as it is the last software version for the PIX.

    Also try temporarily removing the threat-detection part of the configuration to eliminate it as a source of the problem, in case you have a problem with an inside attack.


    Author Comment

    I upgraded to 8.0.4 and it still crashed this morning.
    I also disabled the threat detection beforehand and still the same result.

    What do you think I should monitor in the debug logs to figure out what is causing the problem?

    Note that when employees are away from the office, after office hours, the router never goes down...


    Author Comment

    Here is what is happening on the ASDM dashboard at the time the connection is lost!!

    LVL 20

    Expert Comment

    by: Svet Paperov
    Could it be just a DoS attack? There are spikes in conns and xlates. Not huge, but still…

    Another cause could be a hardware failure. I had to replace my 5-year-old ASA 5510 recently because of similar behaviour.
    LVL 12

    Expert Comment

    If it is a DoS attack, at the scale shown in the graphs, it wouldn't stop all communication between the PIX and the router, just slow everything down a bit. Also, immediately after a reboot of the PIX the attack would resume, but the original post states that it is repeated every 2-3 hours.

    How is memory consumption on the PIX during the failure to pass traffic? Can you post that graph also?

    As it seems now, my guess is corrupted memory or some other HW issue, as the software upgrade didn't help.
    On the other hand, if it is a memory leak or other SW issue, there is no fix, as 8.0.4 is the last available SW for the PIX and there will be no newer SW for the PIX.

    In any case (SW or HW failure) you will need to replace the PIX with an ASA, as there is no SW upgrade for the PIX anymore.


    Author Comment

    Guys, we replaced the PIX today with a Cisco/Linksys RVL-200 firewall, configured it with the usual parameters for internet access/syslog server/IPsec tunnel....

    Well, it lasted 6 hours and it crashed. Brand new router, out of the box. Now somebody needs to go there and power it off and on.

    I checked the syslogs and the last entries I can see are connections of the e-mail server downloading emails from the GoDaddy POP3 server... nothing else. It was 19:29 and all the employees had left the building and all the PCs were off; only the servers were online, and the only traffic was coming from the Exchange server and the POP3 downloader....

    So to sum it up, replacing the firewall doesn't do the job! The Cisco PIX 515 drops the connection to the gateway and hence no internet access; it's still accessible from the inside interface and very much alive, but traffic isn't routed to the gateway.
    And then the brand new Cisco RVL-200 router dies completely, not even pingable, after about 6 hours.

    All the PCs in the network have Symantec Endpoint Protection RU11, latest version, with network threat detection and auto-protect: no threats, no attacks, no viruses. I had an attack from a TDL4 rootkit last month, but I cleaned it completely with Kaspersky's TDSSKiller. The servers were never infected.

    What is causing my firewalls to crash? Is it coming from the inside or the outside? Why can't I see anything in the syslogs? What am I gonna do!! I'm desperate and the managers have started complaining at a level I cannot accept for much longer!!

    LVL 20

    Expert Comment

    by: Svet Paperov
    Don't want to be mean, but you have replaced an enterprise-class firewall device such as the PIX with a SOHO-class router. Are you sure that it is able to support the Internet flow? The functional replacement of the PIX 515 is the ASA 5510.

    Author Comment

    If you see what we are using it for (basic internet, 2 NAT ports, 1 IPsec), a SOHO router does the job just fine, believe me... and at 19:30 there were only 10 servers online and all the 50 PCs were off, and it handled all 60 of them OK for the whole afternoon. If what you said were true, it would have crashed 30 minutes after I installed it.


    Accepted Solution

    I installed a packet sniffer, only to realise the vast amount of attacks that were coming from random IPs on the internet.

    I contacted our ISP immediately and asked them to provide a new set of IPs for the router.

    Right after we switched the IPs everything went back to normal. Any router works now...

    So to sum up, the routers were crashing because of random attacks from infected PCs. The reason I didn't realise this with the Cisco was that I couldn't really LOG the implicit rule of the outside interface (access-list outside deny ip all), and so I couldn't really see the attacks...
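
    To make the kind of attack traffic described in this answer visible in the syslogs before resorting to an IP change, here is an added Python example (not from this thread and not Cisco's own tooling) that summarises PIX/ASA access-list deny messages (syslog IDs 106023 and 106100) by source address and destination port, and flags the pattern of many denied packets arriving from many distinct sources. It assumes such deny messages are actually reaching the syslog host, for example from an explicit final `deny ip any any log` entry on the outside access list, which the posted config does not have; the log lines, addresses, interface names and the flood threshold below are constructed for the example.

```python
"""Summarise PIX/ASA access-list deny syslog messages to spot floods from many sources.

Added example; the sample log below is constructed and uses documentation
addresses (RFC 5737), not the thread's real IPs.
"""
import re
from collections import Counter

# 106023: packet denied by an ACL (or the implicit deny) without the `log` keyword.
# Port is optional (ICMP carries "(type N, code N)" instead of a port).
DENY_106023 = re.compile(
    r'%(?:PIX|ASA)-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type \d+, code \d+\))? by access-group "(?P<acl>[^"]+)"'
)

# 106100: packet matched an ACE that carries the `log` keyword.
DENY_106100 = re.compile(
    r'%(?:PIX|ASA)-\d-106100: access-list (?P<acl>\S+) denied (?P<proto>\w+) '
    r'(?P<src_if>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> '
    r'(?P<dst_if>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)'
)

# Constructed sample: one quiet evening minute on the outside interface.
SAMPLE_LOG = """\
Apr 29 2011 19:31:02 cisco %PIX-4-106023: Deny tcp src outside:203.0.113.17/51234 dst outside:198.51.100.5/25 by access-group "WAN_access_IN" [0x0, 0x0]
Apr 29 2011 19:31:02 cisco %PIX-4-106023: Deny tcp src outside:198.51.100.88/40022 dst outside:198.51.100.5/445 by access-group "WAN_access_IN" [0x0, 0x0]
Apr 29 2011 19:31:03 cisco %PIX-4-106023: Deny udp src outside:203.0.113.201/1900 dst outside:198.51.100.5/137 by access-group "WAN_access_IN" [0x0, 0x0]
Apr 29 2011 19:31:03 cisco %PIX-4-106023: Deny tcp src outside:198.51.100.9/3021 dst outside:198.51.100.5/445 by access-group "WAN_access_IN" [0x0, 0x0]
Apr 29 2011 19:31:03 cisco %PIX-4-106023: Deny icmp src outside:203.0.113.44 dst outside:198.51.100.5 (type 8, code 0) by access-group "WAN_access_IN" [0x0, 0x0]
Apr 29 2011 19:31:04 cisco %PIX-6-106100: access-list WAN_access_IN denied tcp outside/203.0.113.77(2048) -> inside/198.51.100.5(445) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Apr 29 2011 19:31:04 cisco %PIX-6-106100: access-list WAN_access_IN denied tcp outside/203.0.113.77(2049) -> inside/198.51.100.5(445) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Apr 29 2011 19:31:05 cisco %PIX-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.200/4001 (192.0.2.200/4001) to inside:10.0.0.10/25 (10.0.0.10/25)
"""


def parse_denies(lines):
    """Return one dict per deny message; non-deny lines (e.g. 302013) are skipped."""
    events = []
    for line in lines:
        m = DENY_106023.search(line) or DENY_106100.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "src": d["src"],
            "dst": d["dst"],
            "proto": d["proto"],
            "dport": d.get("dport"),   # None for ICMP
            "acl": d["acl"],
        })
    return events


def summarise(events, top=5):
    """Count denied packets by source address and by protocol/destination port."""
    sources = Counter(e["src"] for e in events)
    ports = Counter(
        f'{e["proto"]}/{e["dport"]}' if e["dport"] else e["proto"] for e in events
    )
    return {
        "total": len(events),
        "unique_sources": len(sources),
        "top_sources": sources.most_common(top),
        "top_ports": ports.most_common(top),
    }


def looks_like_distributed_flood(events, min_events=5, min_unique_ratio=0.5):
    """Heuristic: enough denied packets, and most of them from distinct sources.

    A single noisy scanner shows as one source with a high count; many infected
    hosts hitting the address show as a high unique-source ratio. Threshold
    values are constructed for the example, not tuned for any real network.
    """
    if len(events) < min_events:
        return False
    unique = len({e["src"] for e in events})
    return unique / len(events) >= min_unique_ratio


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG.splitlines())
    report = summarise(evs)
    print(f"denied packets: {report['total']}, distinct sources: {report['unique_sources']}")
    print("top sources:", report["top_sources"])
    print("top ports:  ", report["top_ports"])
    print("distributed flood pattern:", looks_like_distributed_flood(evs))
```

    Run against a real syslog export, the top-ports counter is the quickest way to tell background internet noise (a few scanners on one port) from the many-source pattern this answer describes, and the per-source counter gives the list to hand to the ISP.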


    Author Closing Comment

    I have solved the problem by changing IPs.
