Firewall Wizards mailing list archives

Re: Strange Pix behavior.


From: LazloCarreidas () netscape net
Date: Fri, 10 Jun 2005 11:57:52 -0400

George,

We met the same issue on our firewalls about one time ago, over 6.3.1

Reseller and Cisco TAC were not able to solve the case other than by answering: "upgrade to the latest version and try", which we finally did.

Version 6.3.4 did solve the problem... so have a try.

Kind regards

  Lazlò


=====
We are using a pair of failover Pix 515s, and are consistently seeing denied
return traffic that theoretically should have been allowed.

Three zones are defined: LAN, DMZ and WAN and the policy is default deny. For
the allowed outbound protocols like http, we are seeing (on weekdays) anywhere
between 25,000 and 45,000 denials originating from web server addresses on the
Internet port 80 to the NAT'ed IP address of LAN users. This is the return
traffic in response to requests that originated from the LAN.

Sample log entry follows:
... Deny tcp src outside:<www-server-IP>/80 dst LAN:<NAT-IP>/31997 by
access-group "WAN"

The corresponding rule in the LAN access-group is:
access-list LAN permit tcp host X.X.X.X gt 1023 any eq www

Not all traffic is blocked, only part of it, seemingly at random, otherwise no
one would have been able to surf the web, which is not the case.

We are also seeing denials generated by the return traffic of other allowed
outbound protocols such as pop3, imap4, smtp and dns (udp); in numbers that seem
to be proportional to the overall number of requests for each protocol.

On week-ends when the traffic is very low, we are still seeing denials, in
numbers proportional to overall requests.

We have monitored CPU and memory utilization on the Pix, they are low (CPU < 10%
and memory < 25%).

The Cisco reseller has not come through with a credible explanation for this
behavior or made suggestions on course of action for diagnosing the problem.

Can anyone on this list help?


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
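The post above describes thousands of "Deny ... by access-group" entries for traffic that is really the return half of permitted outbound sessions (server port 80/110/143/25/53 from the outside, to an ephemeral port gt 1023 on the NAT'ed LAN address). Before concluding it is a PIX bug or a policy error, it helps to measure the symptom instead of eyeballing the log. The script below is an added example, not code from the thread; it parses PIX 106023-style deny lines whose body follows the sample entry quoted in the post, and separates denials that look like stray return traffic of an allowed outbound service from genuinely unwanted inbound attempts. The syslog prefix, interface names, addresses and the five-entry service table are constructed assumptions; adapt the table to the site's actual outbound access-list.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional, Iterable

# Outbound services the policy is assumed to permit from the LAN. The post names
# www, pop3, imap4, smtp and dns (udp); the port numbers are the standard ones.
ALLOWED_OUTBOUND = {
    ("tcp", 80): "www",
    ("tcp", 110): "pop3",
    ("tcp", 143): "imap4",
    ("tcp", 25): "smtp",
    ("udp", 53): "dns",
}

# Matches the message body quoted in the post:
#   Deny tcp src outside:<ip>/80 dst LAN:<ip>/31997 by access-group "WAN"
DENY_RE = re.compile(
    r'Deny (?P<proto>tcp|udp) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"'
)


class Denial(NamedTuple):
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    acl: str


def parse_deny(line: str) -> Optional[Denial]:
    """Return a Denial for a 106023-style line, or None if the line is something else."""
    m = DENY_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Denial(g["proto"], g["src_if"], g["src_ip"], int(g["src_port"]),
                  g["dst_if"], g["dst_ip"], int(g["dst_port"]), g["acl"])


def is_stray_return(d: Denial) -> Optional[str]:
    """Name the allowed outbound service this denial looks like the reply to, else None.

    A reply arrives on the outside interface, from the service port, to a client
    port greater than 1023 (mirroring the 'gt 1023 any eq www' rule in the post).
    """
    service = ALLOWED_OUTBOUND.get((d.proto, d.src_port))
    if service and d.src_if == "outside" and d.dst_port > 1023:
        return service
    return None


def summarize(lines: Iterable[str]) -> dict:
    """Count stray-return denials per service versus other denies and unparsed lines."""
    stray = Counter()
    other = 0
    unparsed = 0
    for line in lines:
        d = parse_deny(line)
        if d is None:
            unparsed += 1
            continue
        service = is_stray_return(d)
        if service:
            stray[service] += 1
        else:
            other += 1
    return {"stray_return": dict(stray), "other_denies": other, "unparsed": unparsed}


# Constructed sample log (RFC 5737 documentation addresses); the last two entries are
# an inbound probe to port 22 and an unrelated connection-built message.
SAMPLE_LOG = """\
Jun 10 2005 11:40:01 pix %PIX-4-106023: Deny tcp src outside:203.0.113.10/80 dst LAN:192.0.2.5/31997 by access-group "WAN"
Jun 10 2005 11:40:02 pix %PIX-4-106023: Deny tcp src outside:203.0.113.11/80 dst LAN:192.0.2.5/32004 by access-group "WAN"
Jun 10 2005 11:40:03 pix %PIX-4-106023: Deny udp src outside:203.0.113.53/53 dst LAN:192.0.2.5/1045 by access-group "WAN"
Jun 10 2005 11:40:04 pix %PIX-4-106023: Deny tcp src outside:203.0.113.20/110 dst LAN:192.0.2.5/31020 by access-group "WAN"
Jun 10 2005 11:40:05 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/4123 dst LAN:192.0.2.5/22 by access-group "WAN"
Jun 10 2005 11:40:06 pix %PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/80 (203.0.113.10/80) to LAN:10.0.0.8/31998 (192.0.2.5/31998)
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run it against a day's syslog and a ratio of stray-return denials to the corresponding "Built outbound" connection count gives the "proportional to requests" figure the post mentions as a number, which is the kind of evidence a TAC case needs; if the ratio is identical on 6.3.1 and vanishes after the upgrade, that settles it.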


