• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1176
  • Last Modified:

Cisco PIX 515E dropping connection with gateway, on outside interface


we have a cisco Pix 515E , version 8.0(3). running for the past 4 years. pretty simple config i might say....   1 IpSec VPN tunnel, 2 NAT port forwards, 1 external IP, and about 50 Pcs accessing the internet using it as a gateway.

During the last 3 months it started disconnecting from the gateway (no configuration changes were applied before).Basically the users would complain that they have no internet connection.i would then proceed to access the router via SSH or ASDM where it showed everything working normally, the logs were ok, number of connections pretty low. I would then proceed to ping my default gateway and there was no reply. Clear xlate wouldnt do anything either. the only thing i could do to fix it would be to reload the router..and then everything was ok.untill the same happens every 2-3 hours...every day for the last 3 months..pretty annoying.

Its been driving me insane. Is this an attack from the inside? is it a hardware problem with the cisco? if it was hardware why does it fix it self after the reload?

this is why i need your help to do 2 things:

1. fix the problem.
2. see if theres a way for the cisco to reload when the gateway is unreachable (many routers support this)..atleast it would save me the trouble of having to login to the router and reload it every time this happens !!

PIX Version 8.0(3) 
hostname cisco
interface Ethernet0
 nameif inside
 security-level 100
 ip address 
interface Ethernet1
 nameif outside
 security-level 0
 ip address wan 
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server xxx.xxx.xxx.xxx
 name-server xxx.xxx.xxx.xxx
 domain-name XXX
object-group service rdp tcp
 port-object eq 3389
access-list LAN_Access_IN extended permit ip lan_net any log 
access-list LAN_Access_IN extended permit ip lan_net lan_netvpn log 
access-list WAN_access_IN extended permit tcp any host wan eq smtp log 
access-list WAN_access_IN extended permit tcp any host wan eq www log debugging 
access-list WAN_access_IN extended permit udp host vpn_tunnel host wan eq isakmp 
access-list WAN_access_IN extended permit icmp host vpn_tunnel host wan 
access-list WAN_access_IN extended permit esp host vpn_tunnel host wan 
access-list WAN_access_IN extended permit ip host vpn_tunnel host wan 
pager lines 24
logging enable
logging timestamp
logging monitor informational
logging trap debugging
logging asdm debugging
logging facility 16
logging host inside
mtu inside 1500
mtu outside 1500
ip local pool vpnpool mask
ip verify reverse-path interface outside
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list NONAT
nat (inside) 10 lan_net
static (inside,outside) tcp interface smtp mailsrv smtp netmask 
static (inside,outside) tcp interface 3389 terminalsrv 3389 netmask 
static (inside,outside) tcp interface www websrv www netmask 
access-group LAN_Access_IN in interface inside
access-group WAN_access_IN in interface outside
route outside wan_gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication http console LOCAL 
http server enable
http lan_net inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set vpn1 esp-des esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set vpn1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer vpn_tunnel 
crypto map outside_map 10 set transform-set vpn1
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet lan_net inside
telnet timeout 5
ssh lan_net inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd dns
dhcpd wins
dhcpd domain com.local
dhcpd address inside
dhcpd dns interface inside
dhcpd wins interface inside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address mailsrv
threat-detection scanning-threat shun except ip-address websrv
threat-detection statistics
ntp server prefer
group-policy comremoteaccess internal
group-policy comremoteaccess attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value comLanTunnel
 default-domain value com.com.cy
 address-pools value vpnpool
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 4
 vpn-idle-timeout none
 password-storage enable
 ipsec-udp enable
 address-pools value vpnpool
username administrator password xxxxxxxxxxxxxxx encrypted privilege 15
 vpn-group-policy comremoteaccess
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) vpnpool
 authentication-server-group (inside) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (inside) LOCAL
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group comvpn type remote-access
tunnel-group comvpn general-attributes
 address-pool vpnpool
 authentication-server-group (outside) LOCAL
 default-group-policy comremoteaccess
tunnel-group comvpn ipsec-attributes
 pre-shared-key *
tunnel-group xxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxxxx ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
class-map global-class
class-map tcp_syn
 match port udp range 1000 60000
class-map global-class1
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 description SMTP_out
prompt hostname context 
: end
asdm image flash:/asdm-603.bin
asdm location ciscosrv inside
asdm history enable

Open in new window

  • 6
  • 2
  • 2
1 Solution

Cisco PIX is not a router, it has routing capabilities but it is primary designed as firewall.
Problem with loosing connectivity to uplink router could be some memory leak in 8.0.3 software. Try to upgrade to 8.0.4 as it is last SW version for PIX.

Also try to temporary remove threat-detection part of configuration to eliminate it as source of problem if you have problem with inside attack.

pekkerAuthor Commented:
i upgraded to 8.0.4 and it still crashed this morning.
i also disabled the thread detection beforehand and still the same result.

what do you think i should monitor in the debug logs to figure out what is causing the problem?

note that when employees are away from the office , after office hours, the router never goes down...

pekkerAuthor Commented:
Here is what is happening on the ASDM dashboard at the time the connection is lost!!

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Svet PaperovIT ManagerCommented:
Could be just a DOS attack? There are sparks in cons and xlates. Not huge but still…

Another cause could be a hardware failure. I had to replace my 5-year old ASA 5510 recently because of similar behaviour.  
If it is DOS attack, at this scale showed in graphs, it wouldn't stop all communication between PIX and router just slow everything down a bit. Also immediately after reboot of PIX it attack will resume, but in original post is stated that it is repeated every 2-3 hours.

How is memory consumption on PIX during failure of passing traffic? Can you post that graph also?

As it seems now, my guess is corrupted memory or some other HW issue, as software upgrade didn't help.
On the other hand if it is a memory leakage or other SW issue, there is no fix as 8.0.4 is last available SW for PIX and there will be no newer SW for PIX.

In any case (SW or HW failure) you will need to replace PIX with ASA, as there is no SW upgrade for PIX anymore.

pekkerAuthor Commented:
Guys we replaced the PIX today with a Cisco/Linksys RVL-200 Firewall , configured it with the usual parameters for internet access/syslog server/ipsec tunnel....

well it lasted 6 hours and it crashed. brand new router , out of the box. now somebody needs to go there and power it off and on.

i checked the syslogs and the last entries i can see are connections of the  e-mail server downloading  emails from the godaddy pop3 server... nothing unusual...it was 19:29 and all the employees left the building...and all the PCs were off...only the servers were online and the only traffic was coming from the exchange server and the pop3 downloader....

so to sum it up, replacing the firewall doesnt do the job!. the cisco pix515 drops the connection to the gateway and hence no internet access...its still accessible from the inside interface and very much alive.....but traffic aint routed to the gateway.
and then the brand new cisco RVL-200 router dies completely..not pingable even!after about 6 hours.

All the PCs in the network have Symantec Entpoint protection RU11 latest version, with Network threat detection, auto protect and firewall...no threats no attacks no viruses.i had an attack from a rootkit.td4l last month but  i cleaned it completely with kasperskys tdsskiller. the servers were never infected.

whats is causing my firewalls to crash?  is it coming from the inside or the outside? why cant i see anything on the syslogs? what am i gonna do!! im desperate and the managers have started complaing at a level i cannot accept for much longer !!

Svet PaperovIT ManagerCommented:
Don’t want to be mean but you have replaced an enterprise class firewall device as PIX by a SOHO class router. Are you sure that it is able to support the Internet flow? The functional replacement of PIX 515 is ASA 5510.  
pekkerAuthor Commented:
if you see what we are using it for (basic internet, 2 NAT ports, 1 ipsec ), a soho router does the job just fine believe me...and at 19:30pm there were only 10 server online and all the 50 pcs were off..and it handled all 60 of them ok for the whole afternoon. if what you said is true it would crash 30 minutes after i installed it.

pekkerAuthor Commented:
installed a packet sniffer only to realise the vast amount of attacks that were coming from random IPs from the internet.

i contacted our ISP immediately and asked them to provide a new set of IPs for the router.

Right after we switched the IPs everything went back to normal. any router works now...

so to sum up the routers were crashing because of attacks from random attacks from infected PCs . the reason i didnt realise this with the cisco, was because i couldnt really LOG the implicit rule of the outside interface (access list outside deny ip all) and i couldnt really see the attacks...

pekkerAuthor Commented:
have solved the problem by changing IPs

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

  • 6
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now