URGENT! PIX 501, Timeout between outside server and inside server

Discussion in 'Cisco' started by Dave, Oct 12, 2005.

  1. Dave

    Dave Guest

    hi folks,

    Desc...my webservers login page keeps timing out when connecting to an
    Oracle DB behind a PIX 501 firewall.

    This seems to happen in the morning and at lunch.

    After the page times-out it then connects on the second try, and works
    until lunch time when it will timeout again.

The webserver has an ip of 192.168.10.23, the db has an ip of
    192.168.0.30.
    The error on my syslog server is... %PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33734 to 192.168.0.30/1521 flags PSH ACK on interface outside

I've read that this can be caused by no SYN flag being in the packet.
    This SYN flag only occurs when a new connection is being made; now that
    doesn't appear, so it looks like the web server still thinks it's
    connected to the database, and the database to the webserver. Now if
    that's correct it looks like the PIX is timing out the connection.
    Seems to make sense?

If this is the case, how do I get the connection to stay open without
    affecting timeout values? I've heard of conduits and established
    connections, but I'm a bit of a newbie and don't want to jump in with
    both feet. I've changed "Connection" and "Translate" timeouts to 5
    minutes and it does indeed time out now after 5 minutes, so it's
    definitely timing out.

    Here's my running config... (I've left out access rules and groups so
    there's not so much stuff)

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100


    domain-name vianet.co.uk
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol icmp error
    no fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    no fixup protocol sqlnet 1521

access-list inside_access_in permit ip Internal-Network 255.255.255.0 any
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit ip host CASTOR object-group AD-Access-Inside
    access-list outside_access_in permit ip VianetStaffPool 255.255.255.248 Internal-Network 255.255.255.0
    access-list outside_access_in permit ip host Collaboration host EXTRANET
    access-list outside_access_in permit ip host Collaboration host MAIL
    access-list outside_access_in permit ip host db any
    access-list outside_access_in permit tcp host T1Server2 host Alcanet-db eq 1533
    access-list outside_access_in permit tcp host T1Server2 host QA eq sqlnet
    access-list outside_access_in permit ip host T1Server1 host QA log 7
    access-list inside_outbound_nat0_acl permit ip any VianetStaffPool 255.255.255.248
    access-list inside_outbound_nat0_acl permit ip any host CASTOR
    access-list inside_outbound_nat0_acl permit ip any host Collaboration
    access-list inside_outbound_nat0_acl permit ip any Alcanet 255.255.0.0
    access-list inside_outbound_nat0_acl permit ip any host ARENA
    access-list inside_outbound_nat0_acl permit ip any host db
    access-list inside_outbound_nat0_acl permit ip any host T1Server1
    access-list inside_outbound_nat0_acl permit ip any host T1Server2
    pager lines 24
    logging on
    logging timestamp
    logging trap debugging
    logging history debugging
    logging facility 16
    logging host inside 192.168.0.56
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.10.1 255.255.255.0
    ip address inside 192.168.0.4 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm


    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    established udp 0 177 permitto tcp 6000 permitfrom tcp 1024-65535
    route outside 0.0.0.0 0.0.0.0 192.168.10.2 1
    route outside CASTOR 255.255.255.255 192.168.10.2 1
    timeout xlate 1:00:00
timeout conn 0:05:00 half-closed 0:10:00 udp 0:05:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http Internal-Network 255.255.255.0 inside
    snmp-server host inside 192.168.0.6
    no snmp-server location
    no snmp-server contact
    snmp-server community vianetsnmp
    snmp-server enable traps
    tftp-server outside ARENA /pix1.vianet.co.uk
    floodguard enable
    sysopt connection tcpmss 0
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    terminal width 80

    thanks
    Dave
    Dave, Oct 12, 2005
    #1

  2. In article <>,
    Dave <> wrote:
    :Desc...my webservers login page keeps timing out when connecting to an
    :Oracle DB behind a PIX 501 firewall.

    :timeout xlate 1:00:00
    :timeout conn 0:05:00 half-closed 0:10:00 udp 0:05:00 rpc 0:10:00 h225 1:00:00
    :timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    :timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity

    Those are the lines you have to look at. Those are in hours:minutes:seconds
    so your connection timeout is 5 minutes. That means that if 5 minutes
    goes by on a tcp connection with no data going over the connection,
    then the PIX will destroy the connection.

    With your mention of this happening over lunch, it sounds like your
    database is kept active through the day, but then when people go for
    lunch there -happens- to be a pause in activity that lasts more than
    5 minutes.

    The easiest solution is to push the conn timeout to be longer than
    the lunch break... e.g., timeout conn 1:00:00 for one hour.
    --
    The ordering of results sorted by date is approximate.
    Walter Roberson, Oct 12, 2005
    #2
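As an added example (not from this thread or from Cisco), here is a small Python script that parses 106015 syslog lines like the one Dave posted and flags source/destination pairs whose mid-stream segments (no SYN) are being denied on the Oracle port, which is exactly the symptom Walter's explanation of "timeout conn" predicts for a flow the PIX has already idled out; it also converts the h:m:s timeout literal to seconds. The log lines are constructed samples modelled on the one in the thread.

```python
import re
from collections import Counter

# Matches the PIX 106015 message format quoted in the thread (constructed regex).
PIX_106015 = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)"
)


def parse_106015(line):
    """Return the fields of one 106015 line as a dict, or None if it is not one."""
    m = PIX_106015.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"].split()
    return rec


def stale_flow_denies(lines, dport="1521"):
    """Count 106015 denies per (src, dst) on dport whose packet carries no SYN.

    A segment such as PSH ACK arriving with no conn entry means both hosts
    still believe the session is up but the PIX has torn it down, which is
    what an idle 'timeout conn' expiry looks like from the syslog side.
    """
    counts = Counter()
    for line in lines:
        rec = parse_106015(line)
        if rec is None or rec["dport"] != dport or "SYN" in rec["flags"]:
            continue
        counts[(rec["src"], rec["dst"])] += 1
    return counts


def timeout_to_seconds(value):
    """Convert a PIX timeout literal in hours:minutes:seconds (e.g. '0:05:00') to seconds."""
    h, m, s = (int(part) for part in value.split(":"))
    return h * 3600 + m * 60 + s


# Constructed sample syslog lines; the first two mirror the one in the thread.
SAMPLE_LOG = [
    "Oct 12 2005 08:31:02: %PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33734 to 192.168.0.30/1521 flags PSH ACK  on interface outside",
    "Oct 12 2005 08:31:05: %PIX-6-106015: Deny TCP (no connection) from 192.168.10.23/33734 to 192.168.0.30/1521 flags PSH ACK  on interface outside",
    "Oct 12 2005 08:32:10: %PIX-6-106015: Deny TCP (no connection) from 192.168.10.50/40001 to 192.168.0.30/1521 flags SYN  on interface outside",
    "Oct 12 2005 08:33:00: %PIX-6-302013: Built inbound TCP connection (unrelated line)",
]

if __name__ == "__main__":
    for (src, dst), n in stale_flow_denies(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} mid-stream segments denied, conn timeout is "
              f"{timeout_to_seconds('0:05:00')}s")
```

Run against your own syslog export: a pair that keeps showing up with PSH ACK denies right after each quiet period is the flow that needs the longer conn timeout.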

  3. Dave

    Dave Guest

    Hi Walter,

I thought the timeouts caused these issues. But the webserver doesn't
    get many hits and so doesn't generate that much traffic, so setting it
    to 1 hour would still cause timeouts, albeit maybe not as many or as
    often.

    So that in mind I was thinking about setting it to 24 hours, but that
    means all other connections will be kept open for 24 hours!

    Can I set it up so only the connection from 192.168.10.23 has a timeout
    of 24 hours when connecting to 192.168.0.30?

    Are these timeouts for security or to help the performance of the PIX?

    thanks Walter,
    Dave
    Dave, Oct 12, 2005
    #3
  4. Dave

    Dave Guest

Sorry Walter, I meant to say also that the timeout values were changed
    back to their defaults, but I did that after I did the sh ru.

Since I wrote the last reply I've also come across an article about
    the same config as mine. It stated that the webserver (Suse Linux 9) has
    a standard TCP timeout of 2 hours; this could explain what we're seeing,
    as the PIX is set to 1 hour. I'll change the linux box and see if that
    does anything. If it does I'll write back for the sake of anyone else
    reading this.

    cheers
    Dave
    Dave, Oct 12, 2005
    #4
  5. Dave

    Dave Guest

Looks like it still happens, even though I've changed the TCP timeout
    value on the webservers to 45 minutes. It also appears as if it's the
    xlate timeout; this is why the webserver doesn't know it's been timed
    out. Is there any way to make the xlate timeout different for specific
    traffic, i.e. traffic from 192.168.10.23 to 192.168.0.30 has a 24 hour
    xlate timeout?

    cheers
    Dave
    Dave, Oct 14, 2005
    #5