Problem with inside to inside traffic after upgrading PIX 515

Discussion in 'Cisco' started by Guest, Jun 14, 2004.

  1. Guest

    Guest Guest

    Hi all

    My setup is like this:

    Internet connection
    |
    | (outside)
    PIX 515
    | (inside)
    |
    3Com switch
    |
    |
    Server1 - Server2 - Server3 .......


    The servers have private IP on the inside segment and public IP on the
    outside.

    After I have upgraded the PIX 515 from ver. 4.4.4 to 6.3.3 I have got
    myself a strange problem.
    The servers lose connection between each other from time to time.

    I have tried to set up a ping between Server1 and Server2 and also from
    Server2 to Server1.
    Both pings lose the connection at the same time and come back at the
    same time.

    When the servers lose the connection between each other, I can still reach
    them from the outside.

    If the connection between Server1 and Server2 goes down, I can bring it back
    by starting to ping Server1 from e.g. Server3.
    I have also tried to get it back by doing an "arp -d" on Server1.

    It seems like it's some kind of connection that can renew itself.... but I
    don't know.... :(

    Please help!

    /Romme
     
    Guest, Jun 14, 2004
    #1

  2. Guest

    Rik Bain Guest


    Sounds like a possible proxy arp issue somewhere on the internal network.
    Cannot determine if it is the pix without looking at the
    nat/global/static commands.

    Rik Bain
     
    Rik Bain, Jun 14, 2004
    #2

  3. Guest

    Romme Guest

    Hi

    I think you might be right. Here is what I have found out.

    Before the connection stops responding

    - ARP table on Server1 -
    GATEWAY XX-XX-XX-XX-XX-00
    SERVER2 XX-XX-XX-XX-XX-22

    - ARP table on Server2 -
    GATEWAY XX-XX-XX-XX-XX-00
    SERVER1 XX-XX-XX-XX-XX-11

    When the connection stops, the ARP table on Server2 looks like this:

    - ARP table on Server2 -
    GATEWAY XX-XX-XX-XX-XX-00
    SERVER1 XX-XX-XX-XX-XX-00

    Server2 thinks that Server1 has the same MAC as the gateway (PIX)

    /Romme
     
    Romme, Jun 14, 2004
    #3
  4. Guest

    Romme Guest

    Hi again

    I came to think of something.
    Can it have something to do with us using the alias command?

    /Romme
     
    Romme, Jun 14, 2004
    #4
  5. Guest

    Rik Bain Guest

    It absolutely can.

    From:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

    "Also note that, for DNS fixup to work properly, proxy-arp has to be
    disabled. If you are using the alias command for DNS fixup, disable
    proxy-arp with the following command after the alias command has been
    executed. sysopt noproxyarp internal_interface"


    Effectively, the pix begins to proxy-arp for the address in the alias.
    This is because alias can also be used for dnat.
     
    Rik Bain, Jun 15, 2004
    #5
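A quick way to confirm the symptom Romme saw (a neighbour's IP resolving to the gateway's MAC because the PIX proxy-ARPs on the inside interface) is to parse the servers' ARP tables and flag every non-gateway entry that shares the gateway's MAC. This is an added example, not from the thread or from Cisco; the ARP output, addresses and MACs below are constructed placeholders, and the gateway IP is assumed to be 10.0.0.1.

```python
"""Flag ARP entries that resolve to the gateway's MAC (proxy-ARP symptom)."""
import re

# Constructed sample in Windows "arp -a" style; placeholder MACs, not from the thread.
# 10.0.0.1 is the assumed gateway (PIX inside interface); 10.0.0.11 is a peer server
# that has wrongly learned the gateway's MAC, as in post #3.
SAMPLE_ARP = """\
Interface: 10.0.0.12 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-aa-bb-cc-dd-00     dynamic
  10.0.0.11             00-aa-bb-cc-dd-00     dynamic
  10.0.0.13             00-aa-bb-cc-dd-33     dynamic
"""

# One ARP row: IPv4 address, then a MAC in either "-" or ":" separated form.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s"
)


def parse_arp(text):
    """Return {ip: mac} from arp -a style output; MACs normalised to aa:bb:cc:dd:ee:ff."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def proxy_arp_suspects(table, gateway_ip):
    """IPs other than the gateway whose MAC equals the gateway's MAC.

    On a flat segment no other host should share the gateway's MAC; if one does,
    the gateway (here the PIX) is answering ARP on that host's behalf.
    """
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted(ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip)


if __name__ == "__main__":
    arp = parse_arp(SAMPLE_ARP)
    for ip in proxy_arp_suspects(arp, "10.0.0.1"):
        print(f"{ip} resolves to the gateway MAC {arp[ip]}: check proxy-ARP on the firewall")
```

Run it on the real output of arp -a from the affected server; entries it flags are the ones the thread's fix (sysopt noproxyarp on the inside interface, after the alias command) should make disappear.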
  6. Guest

    Romme Guest

    Hi

    It looks like it's working... thanks a lot!

    /Romme
     
    Romme, Jun 15, 2004
    #6