Pix 501 dropping devices from network


  • Pix 501 dropping devices from network

    Hi All.

    I'm having a quirky problem with a PIX 501 and was wondering if anyone had any ideas.

    Recently I've pulled a PIX 501 out of a closet (having never been used) and configured it for a VPN with my PIX 506e at an offsite location. This offsite location has a PC, Printer, Access Point, and remote VOIP phone. The VPN itself works great, but periodically the PIX just drops some network devices, specifically the Access Point and the Firewall. Both devices stay off until I reboot it (through an SSH connection); they then spring back to life.

    Before I go buy another firewall only to have the same thing happen, I was wondering if it could be a config issue. Or is this most likely a hardware problem?

    Code:
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password W.42MAXXZHhUnW7N encrypted
    passwd tVCAzWYvj2lO5MWD encrypted
    hostname Firewall1
    domain-name domain.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list nonat permit ip 192.168.111.0 255.255.255.0 192.168.112.0 255.255.255.0
    access-list nonat permit ip 192.168.111.0 255.255.255.0 192.168.114.0 255.255.255.0
    access-list RemoteVPN permit ip 192.168.111.0 255.255.255.0 192.168.100.0 255.255.255.0
    pager lines 24
    logging on
    logging console debugging
    logging buffered debugging
    logging trap debugging
    logging host inside 192.168.112.95
    mtu outside 1500
    mtu inside 1500
    ip address outside 111.111.111.111 255.255.255.248
    ip address inside 192.168.111.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 111.111.111.111 255
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP_3DES esp-3des esp-md5-hmac
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address RemoteVPN
    crypto map newmap 10 set peer 113.111.111.11
    crypto map newmap 10 set transform-set ESP_3DES
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key ******** address 113.111.111.11 netmask 255.255.255.248
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 20
    management-access inside
    console timeout 0
    dhcpd address 192.168.111.10-192.168.111.40 inside
    dhcpd dns 192.168.112.5 8.8.8.8
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    username cwcchicago password NcrNMAXXMuaQjZ.I encrypted privilege 15
    username CWCChicago password WZyMAXXX9wrptdcx encrypted privilege 2
    terminal width 80
    Cryptochecksum:e8b71b6091e2bc0b5dd854c7c37cde9f

  • #2
    Re: Pix 501 dropping devices from network

    I assume you're using the switchports in the 501 for your clients? If so, check the logs to see if the interfaces are bouncing. Could be an issue with the internal switch. In reality the 501's (or any PIX for that matter) are very old. I would look at replacing it with an ASA 5505 or something. You say both devices stay off? Do you mean they are just not reachable on the network until the PIX is rebooted?
    Last edited by auglan; 19th November 2012, 18:23.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)

    • #3
      Re: Pix 501 dropping devices from network

      Hi Auglan, thanks for the reply.

      Yeah.. I know these are pretty old. They've been EOL'd for a few years now. We just figured we'd try to get what we could out of it. Unfortunately it isn't very much =/.

      We're using the ports on the PIX and a 5-port Linksys switch to connect all of these devices.

      The power is not cut to either device, so they're physically on. They're just cut off from the network. For instance, if I unplug the Access Point from the network and plug it directly into a PC I can see it fine (after changing the PC's IP settings); I just can't see it while it's plugged into the network. The PIX doesn't even show the two devices in its ARP table.

      I set up a syslog server and have watched the logs for events that happen around the time the devices get disconnected but unfortunately I don't see anything helpful logged at those times.

      • #4
        Re: Pix 501 dropping devices from network

        Hmm, could be an issue with the Linksys switch or the cable from the PIX to the switch. Have you tried plugging the devices into the switch ports directly on the PIX?
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)

        • #5
          Re: Pix 501 dropping devices from network

          The AP was originally plugged into the PIX and it was having this dropping-off-the-network problem. We moved it off thinking the PIX had developed a bad port, but it didn't fix it in the long run.

          If it were the switch, I'm not sure why rebooting the PIX would fix the problem.

          • #6
            Re: Pix 501 dropping devices from network

            I've got a feeling it's either a hardware issue or issues in the IOS. Unfortunately the 501 only supports up to 6.3, so there is no upgrade to a major release. I'm leaning toward a hardware issue though. Best bet would be to replace it with an ASA 5505.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)

            • #7
              Re: Pix 501 dropping devices from network

              Probably completely irrelevant but I had similar issues (although not always the same host each time) many years ago and it turned out to be the limit on the licenses. Is this a 10 user 501 license?

              Also

              Best not to post password hashes in general.

              This may need to be increased if used for browsing.
              fixup protocol dns maximum-length 512

              I would hard set this
              interface ethernet0 auto

              Do you really need this?
              ssh 0.0.0.0 0.0.0.0 outside

              Probably lock this down too
              ssh 0.0.0.0 0.0.0.0 inside

              I figure you've obscured an external DNS server here? Your internal
              DNS should forward rather than doing this.
              dhcpd dns 192.168.112.5 8.8.8.8
              cheers
              Andy

              Quis custodiet ipsos custodes?
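
              The config review points above can be turned into a repeatable check. The following is an added example (not Andy's or anyone's code from this thread): a small linter that reads a PIX 6.3 config as text and flags the lines the review called out, plus the default SNMP community visible in the posted config. The sample config in it is a constructed excerpt, not the thread's own config, and the severities are the example's own assumptions.

```python
import re

# Each check: (severity, description, regex matched against one config line).
# The patterns mirror the lines quoted in the review and the posted config.
CHECKS = [
    ("high", "SSH management open from any address on the outside interface",
     re.compile(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 outside$")),
    ("medium", "SSH open from any inside address; restrict to a management subnet",
     re.compile(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 inside$")),
    ("medium", "SNMP community is the well-known default 'public'",
     re.compile(r"^snmp-server community public$")),
    ("low", "interface on auto-negotiation; hard-set speed/duplex on both ends",
     re.compile(r"^interface \S+ auto$")),
    ("info", "DNS fixup maximum-length left at 512; may need raising for browsing",
     re.compile(r"^fixup protocol dns maximum-length 512$")),
]


def audit_pix_config(config_text):
    """Return findings as (line_no, severity, description, line) tuples,
    in config order. Lines that match no check produce nothing."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        for sev, desc, rx in CHECKS:
            if rx.match(line):
                findings.append((n, sev, desc, line))
    return findings


# Constructed excerpt in the style of the posted PIX 6.3 config (not the
# thread's own config); the inside SSH line is already restricted here,
# so only the outside one should be reported.
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
fixup protocol dns maximum-length 512
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.111.0 255.255.255.0 inside
"""

if __name__ == "__main__":
    for n, sev, desc, line in audit_pix_config(SAMPLE_CONFIG):
        print(f"line {n} [{sev}] {desc}: {line}")
```

              Feed it the output of `write terminal` (or `show running-config`) from the device; the regexes expect one command per line with leading whitespace stripped, as the PIX prints it.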

              • #8
                Re: Pix 501 dropping devices from network

                Probably completely irrelevant but I had similar issues (although not always the same host each time) many years ago and it turned out to be the limit on the licenses. Is this a 10 user 501 license?

                Good catch. I forgot about licensing.


                sh local-host | i Curr (This may not work on the pix but works on the ASA to see how many seats are available)

                or


                sh ver

                sh activation-key


                I concur about the SSH access. I never allow it from the outside (on an internet-facing interface). Better to just VPN to an internal server and SSH from there.
                Last edited by auglan; 20th November 2012, 14:09.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)

                • #9
                  Re: Pix 501 dropping devices from network

                  Thanks for your input both of you.

                  I thought at first that this was a licensing problem (as this is in fact a 10 user license), but to my understanding that would only affect traffic going inbound/outbound from the firewall. This affects all traffic. Local LAN traffic can't see the devices either, and the Firewall can't ping the IPs of the devices dropped. I used the show local-host command when the devices went offline and didn't see any denied traffic, and the connections were well below the 10 limit.

                  I really appreciate the feedback on the config. I'm pretty new to Cisco stuff.

                  I'm not familiar with the term "hard-setting"; what did you mean when you said:
                  I would hard set this
                  interface ethernet0 auto
                  I did jumble the hashes before I posted, I guess it would have been easier to remove them. Thanks for the heads up.

                  • #10
                    Re: Pix 501 dropping devices from network

                    I'm not familiar with the term "hard-setting" what did you mean when you said:
                    He means to manually set the speed/duplex instead of using auto-negotiation. Older devices sometimes had issues when using auto-negotiation. These days though I almost never hard code and just use auto, and rarely have a problem. Keep in mind, if you do set it statically it needs to be done on both ends.
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)

                    • #11
                      Re: Pix 501 dropping devices from network

                      Yeah, I used to have problems with auto, but I have to admit it was connecting to poor routers, so probably more their end than the 501.
                      cheers
                      Andy

                      Quis custodiet ipsos custodes?