
PIX suddenly blocked some PCs from the internet?!

skhoury (IS-IT--Management, US), Nov 28, 2003
Hello everyone,

Ok, here is my problem; any help would be much appreciated because I have no clue what is causing it!

The first time, suddenly a small cluster of PCs were not able to get out to the internet. Just all of a sudden. The browser was able to resolve any particular domain to its IP, but it wouldn't go any further than that. It happened to be only the laptops (which are not plugged in all the time). First thing I did was check all the DNS/DHCP settings on our Active Directory controller... everything checked out. So I rebooted the firewall and it suddenly worked.

The second time, only two PCs (out of 78) lost the ability to get out to the internet. Again, they could resolve, but they couldn't go any further. I rebooted the firewall, and poof, they could surf the net no problem.

Has anyone seen this before, or have any idea as to what may cause this?

I am by no means a PIX expert, but this is the second time we have experienced this, so it is starting to freak me out.


Many thanks in advance,

Sam
 
You can try clear xlate instead of a reboot.

What model PIX? If it's a 501, they are limited in the number of concurrent users accessing the internet based on your software license. Licenses are either 10, 50 or unlimited.
 
I have no idea what license count we got, but I have a feeling we purchased unlimited. What does the "clear xlate" command do?

Thanks!
 
It clears the internal translation table in the PIX, which tracks which inside addresses/ports correlate to which outside addresses/ports. Worth a try.

If you have access to the PIX console you could also try "debug icmp trace" and then ping an internet IP address. You should see some activity on the PIX which might help narrow down the problem.
 
Ok... so when you clear the internal translation table, is that something dynamic? (i.e., does it blow away some config table, or is the table built on the fly?)

Thanks for the great info!
 
It's rebuilt as needed, like the ARP cache and that sort of thing. Established connections would be broken, but it's really unlikely that anyone would even notice.
 
Ah, I see, ok cool. So I will go ahead and give that a shot, and keep this forum posted. Thanks for all the useful info!

Sam
 
Do a "sh ver" and it will tell you the model number and what you are licensed for. Remember that 3DES and AES licenses are now free. E-mail your "show ver" output to license@cisco.com to get a new activation key.


It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
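Added example, not from this thread or from Cisco: a small Python script that takes the text of "show version" and "show local-host" from a PIX 501 and reports whether the inside-host license (10, 50 or unlimited, as the posts above say) has been reached. It puts a number on the hypothesis raised above: if the licensed host count is exhausted, the hosts holding a slot keep working while late arrivals (the laptops that are not always plugged in) are refused until the old entries age out or the translation table is cleared. The sample output is constructed, and the line formats it expects ("Inside Hosts:" in show version, "Interface inside: N active, N maximum active, N denied" and "local host: <ip>," blocks in show local-host) are assumptions modelled on PIX 6.3; check them against your own unit before trusting the parser.

```python
"""Check PIX 501 inside-host license headroom from 'show version' and
'show local-host' output.  Sample output below is constructed, and the
line formats are assumptions modelled on PIX 6.3, not captures from a
real device."""
import re
from dataclasses import dataclass, field
from typing import Optional

# --- constructed 'show version' excerpt (assumed format) ------------------
SHOW_VERSION = """\
Cisco PIX Firewall Version 6.3(3)
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10
This PIX has a Restricted (R) license.
"""


def _host_block(ip: str, ports: list) -> str:
    """Build one constructed 'local host:' entry with one PAT xlate per port."""
    xlates = "".join(
        f"    PAT Global 203.0.113.2({p}) Local {ip}({p})\n" for p in ports
    )
    return (f"local host: <{ip}>,\n"
            f"    TCP connection count/limit = {len(ports)}/unlimited\n"
            f"  Xlate(s):\n{xlates}")


# Ten hosts hold slots on a 10-host license; three more were already refused.
SHOW_LOCAL_HOST = (
    "Interface inside: 10 active, 10 maximum active, 3 denied\n"
    + _host_block("192.168.1.10", [3345, 3346])
    + "".join(_host_block(f"192.168.1.{n}", [1029 + n]) for n in range(11, 20))
)


@dataclass
class LicenseStatus:
    limit: Optional[int]            # None means an Unlimited license
    active: int                     # inside hosts currently holding a slot
    denied: int                     # hosts refused since the counter last reset
    hosts: dict = field(default_factory=dict)   # local IP -> number of xlates

    @property
    def at_limit(self) -> bool:
        return self.limit is not None and self.active >= self.limit


def parse_inside_host_limit(show_version: str) -> Optional[int]:
    """Return the 'Inside Hosts' license value, or None for Unlimited."""
    m = re.search(r"^Inside Hosts:\s+(\S+)", show_version, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Inside Hosts:' line in show version output")
    value = m.group(1)
    return None if value.lower() == "unlimited" else int(value)


def parse_local_hosts(show_local_host: str):
    """Return (active, denied, {local_ip: xlate_count}) from show local-host."""
    head = re.search(
        r"^Interface \S+: (\d+) active, \S+ maximum active, (\d+) denied",
        show_local_host, re.MULTILINE)
    if head is None:
        raise ValueError("no 'Interface ...: N active' summary line found")
    active, denied = int(head.group(1)), int(head.group(2))
    hosts, current = {}, None
    for line in show_local_host.splitlines():
        m = re.match(r"local host: <([\d.]+)>", line)
        if m:
            current = m.group(1)
            hosts[current] = 0
        elif current and re.match(r"\s*(PAT )?Global \S+ Local \S+", line):
            hosts[current] += 1          # one xlate line per translation
    return active, denied, hosts


def assess(show_version: str, show_local_host: str) -> LicenseStatus:
    limit = parse_inside_host_limit(show_version)
    active, denied, hosts = parse_local_hosts(show_local_host)
    return LicenseStatus(limit, active, denied, hosts)


def report(status: LicenseStatus) -> str:
    """One-line verdict: is the symptom the license, or something else?"""
    limit = "unlimited" if status.limit is None else str(status.limit)
    head = (f"{status.active} active inside hosts, license limit {limit}, "
            f"{status.denied} denied")
    if status.at_limit:
        return head + ": license exhausted, new inside hosts are being refused"
    return head + ": headroom available, look at xlate/conn state instead"


if __name__ == "__main__":
    status = assess(SHOW_VERSION, SHOW_LOCAL_HOST)
    print(report(status))
    for ip, n in sorted(status.hosts.items()):
        print(f"  {ip}: {n} xlate(s)")
```

Paste the real output of both commands into the two constants (or read them from files) and run it; a non-zero denied count alongside active equal to the limit points at the license, while plenty of headroom points back at stale translations, where "clear xlate" and "debug icmp trace" from the earlier replies are the next step.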
 
Hi Sam,

My name is Santiago, I am from Argentina.
I have the same problem with my Cisco PIX 501.

The Cisco vendor checked it and upgraded the firmware,
but nothing happened.
I tried so many things that I can't remember.

Now they will change the unit for a new one.

You can download the 3CDaemon program for free.
It is a syslog server to see problems in the Cisco PIX.
It logs all the traffic from the inside IP number and the outside also.


The file is 3cdv2r10.zip

Please tell me if you can solve this problem, because I have the same one and I am looking to fix it.

Cheers
Santiago
 
Just so you know, if you have a user who is downloading a large file from the internet, or transferring a large file across a VPN or similar, and you clear the xlate table, that download is gone. They'll have to start downloading it again. So if you do transfer gig+ files, as some people do, try not to clear xlate unless you're sure no one's going to be affected. Otherwise you'll end up with some very annoyed users.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
I have the same problem.

I will try to solve it by changing the xlate timeout to 5 minutes.

Regards
Santiago.
 
We may have experienced the same problem.
We had some remote devices connected via VPN to a central PIX (PIX-to-PIX VPN), and static NAT translation is applied on the remote PIX.
Suddenly most of these devices (Automatic Teller Machines) could not connect anymore to our central server.
The problem was temporarily solved by reconfiguring all ATMs to send traffic to the real destination (instead of using the static NAT) and rebooting, but it is still a mystery what happened.
It seems that the PIX suddenly didn't apply the static translation anymore... is this possible?
Why?
Should we have tried running clear xlate?
Shall we expect this once again?
Is this a bug of a specific PIX version?
We have 6.3(3).

please help

thanks
Silvia
 
I too have the same problem; I have a PIX 501 running 6.3(3).

This happens to one of my machines around 3-5 times a week, very annoying; power cycling the PIX always solves the problem.

I know very little about PIX firewalls and routers, but I suspect a problem with PAT/NAT and/or xlate.

I was on the verge of throwing away my PIX and getting a cheapo Netgear thing, but someone pointed me to this thread, so I'll delay that decision a bit longer!

I hope someone comes up with a solution :)
 