Problem with inside to inside traffic after upgrading PIX 515

Discussion in 'Cisco' started by Guest, Jun 14, 2004.

  1. Guest

    Guest Guest

    Hi all

    My setup is like this:

    Internet connection
    | (outside)
    PIX 515
    | (inside)
    3Com switch
    Server1 - Server2 - Server3 .......

    The servers have private IP on the inside segment and public IP on the

    After I have upgraded the PIX 515 from ver. 4.4.4 to 6.3.3 I have got
    myself a strange problem.
    The servers lose connection between each other from time to time.

    I have tried to setup a ping between Server1 and Server2 and also from
    Server2 to Server1.
    Both pings lose the connection at the same time and are coming back at the
    same time.

    When the servers lose the connection between each other, I can still reach
    them from the outside.

    If the connection between Server1 and Server2 goes down, I can bring it back
    by starting to ping Server1 from e.g. Server3.
    I have also tried to get it back by doing an "arp -d" on Server1.

    It seems like it's some kind of connection that can renew itself.... but I
    don't know.... :(

    Please help!

    Guest, Jun 14, 2004
  2. Guest

    Rik Bain Guest

    Sounds like a possible proxy arp issue somewhere on the internal network.
    Cannot determine if it is the pix without looking at the
    nat/global/static commands.

    Rik Bain
    Rik Bain, Jun 14, 2004
  3. Guest

    Romme Guest


    I think you might be right. Here is what I have found out.

    Before the connection stops responding

    - ARP table on Server1 -

    - ARP table on Server2 -

    When the connection stops the ARP table on Server2 looks like this:

    - ARP table on Server2 -

    Server2 thinks that Server1 has the same MAC as the gateway (PIX)

    Romme, Jun 14, 2004
  4. Guest

    Romme Guest

    Hi again

    I came to think of something.
    Can it have something to do with us using the alias command?

    Romme, Jun 14, 2004
  5. Guest

    Rik Bain Guest

    It absolutely can.


    "Also note that, for DNS fixup to work properly, proxy-arp has to be
    disabled. If you are using the alias command for DNS fixup, disable
    proxy-arp with the following command after the alias command has been
    executed. sysopt noproxyarp internal_interface"

    Effectively, the pix begins to proxy-arp for the address in the alias.
    This is because alias can also be used for dnat.
    Rik Bain, Jun 15, 2004
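As an added example, not taken from the thread or from any Cisco tool, here is a small Python check for the symptom Romme describes: it parses a host's ARP table and flags every entry that resolves to the gateway's MAC, which is what a proxy-ARPing PIX produces on the inside segment. The IP addresses, MAC addresses and the sample "arp -a" output are constructed placeholders.

```python
"""Flag ARP entries that resolve to the gateway's MAC address.

The sample 'arp -a' output below is constructed for this example
(Windows-style layout); every address in it is a placeholder and
none comes from the original thread.
"""
import re
from typing import Dict, List

# IP, MAC (colon or dash separated), then the entry type (dynamic/static)
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+\w+"
)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Return {ip: mac} from 'arp -a' output, MACs normalised to lowercase colons."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def proxied_hosts(table: Dict[str, str], gateway_ip: str) -> List[str]:
    """IPs (other than the gateway) whose MAC equals the gateway's MAC.

    On a flat segment such an entry means the gateway answered the ARP
    request for that host (proxy ARP), so traffic meant to stay local is
    now being sent to the firewall instead of the real neighbour.
    """
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted(ip for ip, mac in table.items()
                  if ip != gateway_ip and mac == gw_mac)


# Constructed sample: Server2's ARP cache after the connection drops.
# 192.168.1.1 is the PIX inside interface, 192.168.1.11 is Server1.
SAMPLE_ARP = """\
Interface: 192.168.1.12 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-01     dynamic
  192.168.1.11          00-aa-bb-cc-dd-01     dynamic
  192.168.1.13          00-11-22-33-44-13     dynamic
"""

if __name__ == "__main__":
    for ip in proxied_hosts(parse_arp_table(SAMPLE_ARP), "192.168.1.1"):
        print(f"{ip} resolves to the gateway MAC: proxy ARP suspected")
```

Run it against real "arp -a" output from Server2 while the outage is in progress; if Server1 shows up in the list, the proxy ARP explanation above is confirmed.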
  6. Guest

    Romme Guest


    It looks like it's working... thanks a lot!

    Romme, Jun 15, 2004
