Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

After changing STATIC command, CLEAR XLATE not persistent 1

Status
Not open for further replies.

A1Friend

IS-IT--Management
Feb 21, 2006
13
US
I am very new to the Cisco world so please don't be too harsh.

I have a PIX 515E in which I made what I thought was a simple change supporting our Exchange Web Mail.

There were two STATIC entries formatted like this:

static (inside,outside) tcp 64.64.64.64 https 10.32.10.32 https netmask 255.255.255.255 0 0

static (inside,outside) tcp 64.64.64.64 255.255.255.255 0 0

which allowed ports 80 and 443 heading for 64.64.64.64 on to our exchange server at 10.32.10.32.

We built a newer exchange server that we want to be the main one now, and applied changed the STATIC entries as such:

static (inside,outside) tcp 64.64.64.64 https 10.2.0.32 https netmask 255.255.255.255 0 0

static (inside,outside) tcp 64.64.64.64 255.255.255.255 0 0

But after doing so, we must continually enter the 'CLEAR XLATE' command in order for clients to hit the server. When we enter 'CLEAR XLATE' we have about 30 seconds of functionality before we lose the ability to hit the exchange server.

I have put a sniffer on the 10.2.0.32 server and see the traffic come thru to it for those 30 seconds, and then nothing, like the PIX is filtering it.

I'm at my wit's end now and am reaching out for assistance. Does anyone know why this is behaving like this? Have I missed something simple (very likely with me).

Thanks.

Dennis
 
Hi Dennis, did you remove the original static mappings, i.e.

static (inside,outside) tcp 64.64.64.64 https 10.32.10.32 https netmask 255.255.255.255 0 0

static (inside,outside) tcp 64.64.64.64 255.255.255.255 0 0

If you're not sure, run the 'show static' cmd to verify from enable mode.
 
Thanks for the quick response. I did remove the two existing static maps before adding the new ones. A quick double-check confirms that the old two entries are no longer in the config.

Dennis
 
mmm maybe you have a NAT command that bypass your static.
make a
"sh nat" to see this ;)
 
Here are the results of the 'sh nat' command:

nat (inside) 0 access-list NO_NAT_INSIDE
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 0 access-list NO_NAT_DMZ

It doesn't look like there is anything there that would cause the current 'static' commands to not work while the old ones did, but again, I'm not really an expert.

Thanks,

Dennis.
 
Oops. I guess you'd want to see the access-lists as well... here are the two listed:

access-list NO_NAT_INSIDE; 4 elements
access-list NO_NAT_INSIDE line 1 permit ip 10.0.0.0 255.0.0.0 10.252.0.0 255.255.254.0 (hitcnt=40309)
access-list NO_NAT_INSIDE line 2 permit ip 10.32.248.0 255.255.252.0 host 10.254.0.3 (hitcnt=3613)
access-list NO_NAT_INSIDE line 3 permit ip 10.0.0.0 255.0.0.0 10.1.32.8 255.255.255.248 (hitcnt=624)
access-list NO_NAT_INSIDE line 4 permit ip 10.0.0.0 255.0.0.0 10.224.0.0 255.255.0.0 (hitcnt=12702)

access-list NO_NAT_DMZ; 1 elements
access-list NO_NAT_DMZ line 1 permit ip 10.252.0.0 255.255.0.0 10.224.0.0 255.255.0.0 (hitcnt=0)
 
Going out ona limb a little here but if you do 'show timeout', what is the value of "timeout xlate"?
 
Here are the results of the 'sh timeout' command:

timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

If I'm reading this correctly, it looks like a 1 hour timeout for the xlate tables?

Since I have to keep using the clear xlate command every 30 seconds or so, if I reduced this timeout value to 0:00:30, would that be a possible solution?

Thanks,

Dennis.
 
I dont think you can go that low but I think you can set it to 1 minute.

I wouldn't typically recommend setting this to a minute. IN fact I'dnormally recommend settingit higher than an hour.

That said however maybe you can try a combination of a low and high setting to see if itmakes a difference. I'm not sure it will but I'd like to wrong on this one.

Failing that, can you paste a copy of 'show running' and 'show ver'
 
Do you have logging enabled to the buffer? If not enable it to level 6. When the traffic stops do a sh log and you should see the reason why the connections are being dropped. You can also do the capture command to ensure the packets are flowing from the outside int to inside. Very similar output to tcpdump --no hex.


access-list 150 permit ip any host 10.32.10.32
access-list 150 permit ip host 10.32.10.32 any
capture captraff access-list 150 buffer 8000 interface inside circular-buffer

sh cap captraff detail


Do this command a few times until you start seeing traffic in the buffer. The 8000 will keep the buffer down to 8000 bytes. You can adjust if needed the curcular-buffer will overwrite the buffer when it fills. You can also tftp the capture to a server for ethereal.



 
Here's the full config:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 vpn security30
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password *************** encrypted
passwd ***************** encrypted
hostname firewall
domain-name is.ourdomain.com
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network dns_servers
description *** Internal DNS Servers ***
network-object host 10.2.0.15
network-object host 10.2.0.10
object-group service blocked_services tcp-udp
description *** Blocked Services ***
port-object range 135 139
port-object eq 445
port-object eq 4444
port-object eq 69
object-group service radius_services udp
port-object range 1812 1813
object-group service dns_services tcp-udp
port-object eq domain
object-group network dmz_servers
description *** DMZ Servers ***
network-object 10.252.0.0 255.255.254.0
object-group network webvpn_servers
description *** Web VPN Accessible Servers ***
network-object host 10.2.0.88
network-object host 10.32.248.12
network-object host 10.32.10.6
object-group service webvpn_services tcp
port-object eq www
port-object eq https
object-group network sql_servers
description *** SQL Servers ***
network-object 10.32.11.0 255.255.255.0
object-group service sql_services tcp-udp
port-object eq 3306
access-list OUTSIDE_IN permit icmp any any
access-list OUTSIDE_IN permit tcp host 209.68.1.29 host 63.228.182.133 eq 9054
access-list OUTSIDE_IN permit tcp host 10.254.0.3 host 10.32.248.8 eq tacacs
access-list OUTSIDE_IN permit udp host 10.254.0.3 host 10.32.248.12 eq syslog
access-list OUTSIDE_IN permit udp any host 65.121.128.222 object-group dns_services
access-list OUTSIDE_IN permit udp any host 63.228.182.142 object-group dns_services
access-list OUTSIDE_IN permit tcp any host 65.121.128.220 eq www
access-list OUTSIDE_IN permit tcp host 216.92.131.71 host 63.228.182.133 eq 9054
access-list OUTSIDE_IN permit tcp host 63.209.10.245 host 63.228.182.130 eq smtp
access-list OUTSIDE_IN permit tcp host 63.150.10.201 host 63.228.182.130 eq smtp
access-list OUTSIDE_IN permit tcp any host 65.121.128.219 object-group webvpn_services
access-list OUTSIDE_IN permit tcp any host 63.228.182.134 eq https
access-list OUTSIDE_IN permit ip any host 65.121.128.199
access-list OUTSIDE_IN permit tcp any host 63.228.182.135 eq www
access-list OUTSIDE_IN permit tcp any host 63.228.182.134 eq www
access-list OUTSIDE_IN compiled
access-list NO_NAT_INSIDE permit ip 10.0.0.0 255.0.0.0 10.252.0.0 255.255.254.0
access-list NO_NAT_INSIDE permit ip 10.32.248.0 255.255.252.0 host 10.254.0.3
access-list NO_NAT_INSIDE permit ip 10.0.0.0 255.0.0.0 10.1.32.8 255.255.255.248
access-list NO_NAT_INSIDE permit ip 10.0.0.0 255.0.0.0 10.224.0.0 255.255.0.0
access-list INSIDE_IN deny tcp any any object-group blocked_services
access-list INSIDE_IN deny udp any any object-group blocked_services
access-list INSIDE_IN permit icmp any any
access-list INSIDE_IN permit ip any any
access-list INSIDE_IN permit tcp any any eq https
access-list INSIDE_IN compiled
access-list DMZ_IN permit icmp any any
access-list DMZ_IN permit tcp object-group dmz_servers object-group dns_servers object-group dns_services
access-list DMZ_IN permit udp object-group dmz_servers object-group dns_servers object-group dns_services
access-list DMZ_IN permit tcp 10.252.0.0 255.255.254.0 any eq ftp-data
access-list DMZ_IN permit tcp 10.252.0.0 255.255.254.0 any eq ftp
access-list DMZ_IN permit tcp 10.252.0.0 255.255.254.0 any eq www
access-list DMZ_IN permit tcp host 10.252.0.8 any eq smtp
access-list DMZ_IN permit udp host 10.252.0.16 any eq domain
access-list DMZ_IN permit tcp host 10.252.0.33 host 10.2.0.88 eq smtp
access-list DMZ_IN permit tcp host 10.252.0.33 object-group sql_servers object-group sql_services
access-list DMZ_IN permit tcp host 10.252.0.33 host 10.32.248.8 eq 3306
access-list DMZ_IN permit tcp host 10.252.0.8 any eq 873
access-list DMZ_IN permit tcp host 10.252.0.35 host 10.32.11.19 eq 1433
access-list DMZ_IN permit tcp host 10.252.0.35 host 10.32.11.19 eq ftp
access-list DMZ_IN permit tcp host 10.252.0.35 host 10.32.11.19 eq smtp
access-list DMZ_IN permit tcp host 10.252.0.35 host 10.32.11.19 eq 135
access-list DMZ_IN permit tcp host 10.252.0.35 host 10.32.11.19 eq 1025
access-list DMZ_IN permit tcp host 10.252.0.35 host 10.32.11.19 eq 1027
access-list DMZ_IN permit ip host 10.252.0.199 any
access-list DMZ_IN permit icmp any any echo-reply
access-list DMZ_IN permit icmp any any unreachable
access-list DMZ_IN permit icmp any any time-exceeded
access-list DMZ_IN compiled
access-list VPN_IN remark *** ALLOW ICMP FOR TESTING ***
access-list VPN_IN permit icmp 10.224.0.0 255.255.0.0 any
access-list VPN_IN remark *** WEBVPN ACCESS ***
access-list VPN_IN permit icmp host 10.1.32.9 any
access-list VPN_IN permit tcp host 10.1.32.9 object-group dns_servers object-group dns_services
access-list VPN_IN permit udp host 10.1.32.9 object-group dns_servers object-group dns_services
access-list VPN_IN permit udp host 10.1.32.9 host 10.32.248.12 eq syslog
access-list VPN_IN permit tcp host 10.1.32.9 host 10.32.248.8 eq www
access-list VPN_IN permit udp host 10.1.32.9 host 10.32.248.8 object-group radius_services
access-list VPN_IN permit tcp host 10.1.32.9 host 10.32.248.8 eq tacacs
access-list VPN_IN permit tcp host 10.1.32.9 object-group webvpn_servers object-group webvpn_services
access-list VPN_IN permit tcp host 10.1.32.9 host 10.252.0.16 eq ssh
access-list VPN_IN remark *** DNS ACCESS FOR ALL VPN CLIENTS ***
access-list VPN_IN permit tcp 10.224.0.0 255.255.0.0 object-group dns_servers object-group dns_services
access-list VPN_IN permit udp 10.224.0.0 255.255.0.0 object-group dns_servers object-group dns_services
access-list VPN_IN remark *** NETADMIN/IS_Data VPN ACCESS ***
access-list VPN_IN permit icmp 10.224.0.0 255.255.254.0 any
access-list VPN_IN permit ip 10.224.0.0 255.255.254.0 any
access-list VPN_IN remark *** HD VPN ACCESS ***
access-list VPN_IN permit tcp 10.224.254.0 255.255.255.0 10.32.11.16 255.255.255.248 eq 3389
access-list VPN_IN permit tcp 10.224.254.0 255.255.255.0 host 10.2.0.31 eq 3389
access-list VPN_IN permit tcp 10.224.254.0 255.255.255.0 host 10.2.0.50 eq 3389
access-list VPN_IN permit tcp 10.224.254.0 255.255.255.0 host 10.2.0.51 eq 3389
access-list VPN_IN permit tcp 10.224.254.0 255.255.255.0 host 10.32.240.94 eq 3389
access-list VPN_IN remark *** JCG VPN ACCESS ***
access-list VPN_IN permit tcp 10.224.253.0 255.255.255.0 host 10.252.0.33 eq www
access-list VPN_IN permit tcp 10.224.253.0 255.255.255.0 host 10.252.0.33 eq https
access-list VPN_IN permit tcp 10.224.253.0 255.255.255.0 host 10.252.0.33 eq ftp-data
access-list VPN_IN permit tcp 10.224.253.0 255.255.255.0 host 10.252.0.33 eq ftp
access-list VPN_IN permit tcp 10.224.253.0 255.255.255.0 host 10.32.11.17 eq 3306
access-list VPN_IN compiled
access-list NO_NAT_DMZ permit ip 10.252.0.0 255.255.0.0 10.224.0.0 255.255.0.0
pager lines 60
logging on
logging timestamp
logging trap critical
logging history informational
logging host inside 10.32.248.12
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu vpn 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 63.228.182.131 255.255.255.240
ip address inside 10.1.32.1 255.255.255.252
ip address dmz 10.252.0.1 255.255.254.0
ip address vpn 10.1.32.14 255.255.255.248
no ip address intf4
no ip address intf5
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip verify reverse-path interface vpn
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address vpn
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 63.228.182.132 netmask 255.255.255.255
nat (inside) 0 access-list NO_NAT_INSIDE
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 0 access-list NO_NAT_DMZ
static (inside,outside) tcp 63.228.182.134 https 10.32.10.6 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 63.228.182.134 255.255.255.255 0 0
static (inside,outside) 63.228.182.133 10.14.5.21 netmask 255.255.255.255 0 0
static (dmz,outside) 65.121.128.222 10.252.0.16 netmask 255.255.255.255 0 0
static (dmz,outside) 63.228.182.142 10.252.0.24 netmask 255.255.255.255 0 0
static (dmz,outside) 65.121.128.220 10.252.0.33 netmask 255.255.255.255 0 0
static (inside,outside) 63.228.182.135 10.2.0.88 netmask 255.255.255.255 0 0
static (inside,outside) 63.228.182.130 10.2.0.88 netmask 255.255.255.255 0 0
static (dmz,outside) 65.121.128.219 10.252.0.35 netmask 255.255.255.255 0 0
static (dmz,outside) 65.121.128.199 10.252.0.199 netmask 255.255.255.255 0 0
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
access-group DMZ_IN in interface dmz
access-group VPN_IN in interface vpn
routing interface inside
ospf priority 10
ospf message-digest-key 1 md5 r0ut3m3b@by
ospf authentication message-digest
routing interface vpn
ospf priority 10
ospf message-digest-key 1 md5 r0ut3m3b@by
ospf authentication message-digest
router ospf 5481
network 10.1.32.0 255.255.255.252 area 0
network 10.1.32.8 255.255.255.248 area 0
network 10.252.0.0 255.255.254.0 area 0
area 0 authentication message-digest
router-id 10.1.32.1
log-adj-changes
default-information originate
route outside 0.0.0.0 0.0.0.0 63.228.182.129 1
route inside 10.0.0.0 255.0.0.0 10.1.32.2 200
route vpn 10.224.0.0 255.255.0.0 10.1.32.9 200
route outside 10.254.0.3 255.255.255.255 63.228.182.129 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:01:00 absolute
timeout xlate 0:01:00
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 10.32.248.8 (removed) timeout 10
aaa-server LOCAL protocol local
aaa-server NETADMIN protocol tacacs+
aaa-server NETADMIN max-failed-attempts 3
aaa-server NETADMIN deadtime 10
aaa-server NETADMIN (inside) host 10.32.248.8 (removed) timeout 10
aaa authentication ssh console RADIUS
aaa authentication telnet console RADIUS
aaa authentication enable console RADIUS
ntp server 131.107.1.10 source outside prefer
ntp server 140.142.16.43 source outside
no snmp-server location
no snmp-server contact
snmp-server community (removed)
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
service resetinbound
service resetoutside
crypto ipsec transform-set MGMT-SET-AES esp-aes-256 esp-sha-hmac
crypto dynamic-map MGMT-DYNMAP 10 set transform-set MGMT-SET-AES
crypto map IPSEC-MAP 10 ipsec-isakmp dynamic MGMT-DYNMAP
crypto map IPSEC-MAP client authentication NETADMIN
crypto map IPSEC-MAP interface outside
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup IS-GROUP dns-server 10.2.0.15
vpngroup IS-GROUP wins-server 10.2.0.15
vpngroup IS-GROUP default-domain is.ourdomain
vpngroup IS-GROUP idle-time 1800
vpngroup IS-GROUP authentication-server NETADMIN
vpngroup IS-GROUP user-authentication
vpngroup IS-GROUP password ********
vpngroup city dns-server 10.2.0.15
vpngroup city wins-server 10.2.0.15
vpngroup city default-domain is.ourdomain.com
vpngroup city idle-time 1800
vpngroup city authentication-server NETADMIN
vpngroup city user-authentication
vpngroup city password ********
ca identity CertAuth 10.32.248.8:/certsrv/mscep/mscep.dll
ca configure CertAuth ra 1 20 crloptional
telnet 10.32.248.0 255.255.255.0 inside
telnet 10.2.5.0 255.255.255.0 inside
telnet timeout 15
ssh 10.32.248.0 255.255.254.0 inside
ssh 10.34.248.0 255.255.254.0 inside
ssh 10.32.0.0 255.255.0.0 inside
ssh 10.1.32.1 255.255.255.255 inside
ssh 10.1.32.1 255.255.255.255 vpn
ssh timeout 15
console timeout 60
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128
vpdn group 1 client configuration dns 10.2.0.10 10.2.0.15
vpdn group 1 client configuration wins 10.2.0.15 10.2.0.10
vpdn group 1 client authentication aaa RADIUS
vpdn group 1 pptp echo 60
vpdn username badusername password *********
vpdn enable outside
username badusername password ************ encrypted privilege 15
terminal width 80
: end
 
Note, the first two 'static' entries are the ones in question. (Sorry, on the earlier posts, I changed the IPs to try to be security-concious, but with the entire config here now, not much chance of that.

I did try setting the xlate timeout to 1min, but that didn't work, so I'll work on the logging and get the results posted later this evening.

Thanks again, very much.

Dennis.
 
OK... now we're getting somewhere. Thank you NetworkGhost for that capture setup. I think I see where the issue might be. Here's the output from the capture. I think the 'bad tcp cksum' is not what we should see... am I correct?

Thanks,

Dennis.

31 packets captured
17:08:06.204579 0030.8043.5700 000d.6558.803f 0x0800 66: 70.218.38.216.1259 > 10.2.0.88.80: S [bad tcp cksum 400!] 1799487194:1799487194(0) win 65535 <mss 1380,nop,wscale 1,nop,nop,sackOK> (DF) (ttl 113, id 1854, bad cksum 8a76!)
17:08:06.704431 0030.8043.5700 000d.6558.803f 0x0800 66: 70.218.38.216.1258 > 10.2.0.88.80: S [bad tcp cksum 400!] 1798846854:1798846854(0) win 65535 <mss 1380,nop,wscale 1,nop,nop,sackOK> (DF) (ttl 113, id 1855, bad cksum 8a75!)
17:08:08.804432 0030.8043.5700 000d.6558.803f 0x0800 66: 70.218.38.216.1260 > 10.2.0.88.80: S [bad tcp cksum 400!] 1800152565:1800152565(0) win 65535 <mss 1380,nop,wscale 1,nop,nop,sackOK> (DF) (ttl 113, id 1856, bad cksum 8a74!)
17:08:09.146125 0030.8043.5700 000d.6558.803f 0x0800 66: 70.218.38.216.1259 > 10.2.0.88.80: S [bad tcp cksum 400!] 1799487194:1799487194(0) win 65535 <mss 1380,nop,wscale 1,nop,nop,sackOK> (DF) (ttl 113, id 1857, bad cksum 8a73!)
17:08:11.228763 0030.8043.5700 000d.6558.803f 0x0800 66: 70.218.38.216.1261 > 10.2.0.88.80: S [bad tcp cksum 400!] 1800818233:1800818233(0) win 65535 <mss 1380,nop,wscale 1,nop,nop,sackOK> (DF) (ttl 113, id 1858, bad cksum 8a72!)
17:08:11.624326 0030.8043.5700 000d.6558.803f 0x0800 66: 70.218.38.216.1260 > 10.2.0.88.80: S [bad tcp cksum 400!] 1800152565:1800152565(0) win 65535 <mss 1380,nop,wscale 1,nop,nop,sackOK> (DF) (ttl 113, id 1859, bad cksum 8a71!)
17:08:12.897490 0030.8043.5700 000d.6558.803f 0x0800 66: 70.218.38.216.1258 > 10.2.0.88.80: S [bad tcp cksum 400!] 1798846854:1798846854(0) win 65535 <mss 1380,nop,wscale 1,nop,nop,sackOK> (DF) (ttl 113, id 1860, bad cksum 8a70!)
17:08:13.682993 0030.8043.5700 000d.6558.803f 0x0800 66: 70.218.38.216.1262 > 10.2.0.88.80: S [bad tcp cksum 400!] 1801486746:1801486746(0) win 65535 <mss 1380,nop,wscale 1,nop,nop,sackOK> (DF) (ttl 113, id 1861, bad cksum 8a6f!)
17:08:14.226352 0030.8043.5700 000d.6558.803f 0x0800 66: 70.218.38.216.1261 > 10.2.0.88.80: S [bad tcp cksum 400!] 1800818233:1800818233(0) win 65535 <mss 1380,nop,wscale 1,nop,nop,sackOK> (DF) (ttl 113, id 1862, bad cksum 8a6e!)
17:08:15.070095 0030.8043.5700 000d.6558.803f 0x0800 66: 70.218.38.216.1259 > 10.2.0.88.80: S [bad tcp cksum 400!] 1799487194:1799487194(0) win 65535 <mss 1380,nop,wscale 1,nop,nop,sackOK> (DF) (ttl 113, id 1863, bad cksum 8a6d!)
17:08:16.438072 0030.8043.5700 000d.6558.803f 0x0800 66: 70.218.38.216.1263 > 10.2.0.88.80: S [bad tcp cksum 400!] 1802157075:1802157075(0) win 65535 <mss 1380,nop,wscale 1,nop,nop,sackOK> (DF) (ttl 113, id 1864, bad cksum 8a6c!)
17:08:16.462317 0030.8043.5700 000d.6558.803f 0x0800 62: 166.205.67.55.1410 > 10.2.0.88.80: S [bad tcp cksum 400!] 455424244:455424244(0) win 32768 <mss 1380,nop,nop,sackOK> (DF) (ttl 112, id 1479, bad cksum 109f!)
17:08:16.682932 0030.8043.5700 000d.6558.803f 0x0800 66: 70.218.38.216.1262 > 10.2.0.88.80: S [bad tcp cksum 400!] 1801486746:1801486746(0) win 65535 <mss 1380,nop,wscale 1,nop,nop,sackOK> (DF) (ttl 113, id 1865, bad cksum 8a6b!)
17:08:17.628888 0030.8043.5700 000d.6558.803f 0x0800 66: 70.218.38.216.1260 > 10.2.0.88.80: S [bad tcp cksum 400!] 1800152565:1800152565(0) win 65535 <mss 1380,nop,wscale 1,nop,nop,sackOK> (DF) (ttl 113, id 1866, bad cksum 8a6a!)
17:08:18.105570 000d.6558.803f 000c.3001.1de7 0x0800 62: 10.2.0.88.27551 > 205.152.58.7.25: S [tcp sum ok] 114821514:114821514(0) win 65535 <mss 1460,nop,nop,sackOK> (DF) (ttl 127, id 20390)
 
Here's a thought. When we built the new exchange server, we put the exact same certificate on it, that is/was on the old exchange server. Would that cause this type of behavior? If so, why does it work for a period of time after using the 'clear xlate' command?

Here's an output from the capture, done right after doing a 'clear xlate' command:

17:20:00.149085 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: . 500382491:500383871(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21594)
17:20:00.149207 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: . 500383871:500385251(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21595)
17:20:00.149314 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: . 500385251:500386631(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21596)
17:20:00.164664 0030.8043.5700 000d.6558.803f 0x0800 54: 65.54.244.104.25 > 10.2.0.88.27791: . [tcp sum ok] 3460181915:3460181915(0) ack 500364551 win 65535 (DF) (ttl 116, id 7265)
17:20:00.165061 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: . 500386631:500388011(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21597)
17:20:00.165183 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: . 500388011:500389391(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21598)
17:20:00.165305 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: . 500389391:500390771(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21599)
17:20:00.202641 0030.8043.5700 000d.6558.803f 0x0800 54: 65.54.244.104.25 > 10.2.0.88.27791: . [tcp sum ok] 3460181915:3460181915(0) ack 500367311 win 65535 (DF) (ttl 116, id 7324)
17:20:00.202778 0030.8043.5700 000d.6558.803f 0x0800 54: 65.54.244.104.25 > 10.2.0.88.27791: . [tcp sum ok] 3460181915:3460181915(0) ack 500370071 win 65535 (DF) (ttl 116, id 7370)
17:20:00.203038 0030.8043.5700 000d.6558.803f 0x0800 54: 65.54.244.104.25 > 10.2.0.88.27791: . [tcp sum ok] 3460181915:3460181915(0) ack 500372831 win 65535 (DF) (ttl 116, id 7490)
17:20:00.203740 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: . 500390771:500392151(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21600)
17:20:00.203862 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: P 500392151:500393531(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21601)
17:20:00.203968 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: . 500393531:500394911(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21602)
17:20:00.204091 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: . 500394911:500396291(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21603)
17:20:00.204197 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: . 500396291:500397671(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21604)
17:20:00.204319 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: . 500397671:500399051(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21605)
17:20:00.204441 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: . 500399051:500400431(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21606)
17:20:00.204548 000d.6558.803f 000c.3001.1de7 0x0800 1434: 10.2.0.88.27791 > 65.54.244.104.25: . 500400431:500401811(1380) ack 3460181915 win 64947 (DF) (ttl 127, id 21607)
17:20:00.204640 000d.6558.803f 000c.3001.1de7 0x0800 999: 10.2.0.88.27791 > 65.54.244.104.25: P 500401811:500402756(945) ack 3460181915 win 64947 (DF) (ttl 127, id 21608)
17:20:00.248629 0030.8043.5700 000d.6558.803f 0x0800 54: 65.54.244.104.25 > 10.2.0.88.27791: . [tcp sum ok] 3460181915:3460181915(0) ack 500375591 win 65535 (DF) (ttl 116, id 7600)
17:20:00.260103 0030.8043.5700 000d.6558.803f 0x0800 54: 65.54.244.104.25 > 10.2.0.88.27791: . [tcp sum ok] 3460181915:3460181915(0) ack 500376971 win 65535 (DF) (ttl 116, id 7614)
 
Podt your config. What is in fron of your Pix? Are you able to rule out line issues? Do a sh int on the eth0 interface. Any errors? The odd part is that it seems it is only port 80 traffic. The port 25 seems ok from the second capture. Definitly post a config. In 7.0 you can disable the verify tcp checksum feature. Not sure if this is an option in 6 and not sure that would fix your issue either way.
 
Forgot to add

When you are done with your cap do a "no capture capname" to stop it.
 
There is a 2620 Router, followed by a 2950 switch in front of the firewall, and that's all (that we own anyway) that is in front of the firewall.

The full config is already posted above. Do you need a new config?

Here's the output from the 'sh int eth0' command:

interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000c.3001.1de6
IP address 63.228.182.131, subnet mask 255.255.255.240
MTU 1500 bytes, BW 100000 Kbit full duplex
45286193 packets input, 3994087618 bytes, 0 no buffer
Received 122279 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
35837976 packets output, 2827546201 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/6)
output queue (curr/max blocks): hardware (0/22) software (0/1)

Thanks,

Dennis.
 
A quick sh int on the other interfaces show the same results; no errors on the interface.

I don't know for sure if there are line problems, but if we switch back and point the two 'static' commands toward the 'old' exchange server (10.32.10.6), then it works like a charm.

Last night I also tried the following:

clear xlate
clear local-host 10.2.0.88
clear arp

then I rebooted the 10.2.0.88 box (the new exchange server), but that didn't appear to resolve the issue either.
 
You have 2 statics for this one address

static (inside,outside) 63.228.182.135 10.2.0.88 netmask 255.255.255.255 0 0
static (inside,outside) 63.228.182.130 10.2.0.88 netmask 255.255.255.255 0 0

That can cause some odd behavior in connections/session tables. I would do a dump on the outside interface also to see if there may be issues. You can do 2 dumps at once just follow the same format change the capture name and put it on interface outside.

My advice would be if you need the same machine to have 2 external addresses you could always put a secondary IP on the machine also.

Try the capture on both interfaces at the same time and Post.
 
Also do a show local-host 10.2.0.88 -- mail server and post when the problem occurs

 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top