Pix - Argh, Please Help
18 years 4 months ago #16136
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Pix - Argh, Please Help was created by Smurf
Hi everyone,
So, I have just installed a new Pix 535 into our core network. Two Gig Cards in it, as I have plugged it into the Gig Backbone to segment the network (chose the 535 as it can handle the 1.7 Gig throughput).
Anyhow, everything seemed to be going well apart from the one slight snag. I have noticed that Internet traffic has slowed right down. The traffic goes through the core firewall and then through an ISA 2004 Firewall (and then a Pix 525 on the edge). The 535 is only doing routing, as it's only there to segment our internal network segments.
So, it only appeared to be isolated to the one segment where the Internet traffic was just so slow you couldn't use it. I put this down to other issues on that WAN. Anyhow, today we have been upgrading Websense on a segment that seemed fine and the database download keeps failing. Argh....stupid thing, lol.
I have done a packet capture and noticed that there are a load of TCP Retransmissions, and also in the syslog I am getting "Deny TCP (no connection) from x.x.x.x/1286 to x.x.x.x/80 flags PSH ACK on interface Blah".
Anyone got any suggestions on this one before I do pull my hair out :lol:
Cheers in advance
18 years 3 months ago #16511
by duds4all
Replied by duds4all on topic Re: Pix - Argh, Please Help
Can you try the show tech command, look at the interface, and tell me how many CRC and any other errors there are, if any? Also, if possible, can you provide me the show interface command output?
regards
duds!!!
18 years 3 months ago #16512
by Smurf
Replied by Smurf on topic Re: Pix - Argh, Please Help
Hi Duds,
Thanks for replying, but I have taken the Pix out and the issues with Re-Transmissions, Out-of-Order Packets, DUP Acks are still going on along the backbone VLAN.
I have decided to get this issue resolved before putting the Pix back in, as I feel that this is causing some issues with the Pix (FragGuard apparently drops Out-of-Order packets).
Cheers
Wayne