IMPORTANTE! Please help me, it's almost midnight...

[kfriend]

I have it working again, so this can wait until the morning, I just can't have this happening on a regular basis...not sure what is causing this particular problem. I suspect it has something to do with logging, but I cannot be sure.

Basically here is what I am experiencing:

Pix runs fine for undetermined period of time. Then, sometimes without cause(?) it failes(?) shut. It's interesting because my access-lists still show hits in some cases, however; the pix is not routing packets.

Say I have access-list that allows ping between DMZ and INSIDE

I can go to DMZ and ping InsideHost and get no response
I look at access-list count, and it has incremented.

I go to inside host and ping DMZ host, and get no response.
I look at access-list count, and it has NOT incremented.

I SUSPECT that this may be attributed to me having logging turned on, then my sys-log service was taken offline for a short period of time...is this possible? Is there a key configuration that I am missing.

I ran my pix for several months without problems, it's when I started logging packets and taking a close look at what was happening that I started having this problem.

This is the second time I have experienced it. It hit me when I terminal serviced to my administrative server into the PIX. I wanted to look at the logs, I went to launch the viewer and it said it was already running (via another terminal service session left opened). I killed the service and that's when the system got really slow and stopped responding. I quickly realized that all hosts behind the firewall were unreachable...I hopped in the car and frantically drove to my worksite...where I've been for about 3 hours now.

Any insight you can offer would be greatly appreciated. Sorry if I am rambling, it's late...and I am stressed.



MCSE/MCDBA
SANS GIAC + SANS FIREWALL

 

[dx1]

Are you doing tcp syslogging? If you are and your syslog server is offline, the PIX will not pass traffic.

 

[kfriend]

I love you man! Yes it is TCP logging! (turned off last night in an effort to get things running)

If I switch it to UDP will it make a difference...what do you recommend?

I can understand why it would do that...for security reasons, but I don't remember having read anything about that "FEATURE".

MCSE/MCDBA
SANS GIAC + SANS FIREWALL

 

[kfriend]

Oh yeah...Like I said, I currently have logging disabled, I'm wondering if I re-enable it on TCP...and I EVER encounter this problem again, how do I resolve it? Do I need to reset the Pix or just turn the logging server back on...or do I need to turn logging off on the Pix and turn it back on?

I think for the moment I am going to enjoy that the thing is working.

MCSE/MCDBA
SANS GIAC + SANS FIREWALL

 

[tbissett]

Setting the logging to UDP will allow your firewall to run, even if you logging server is down. UDP just sends messages out without the "3-way handshake" that TCP uses, UDP is affectionately referred to as "Spray-and-Pray."

The "pray" part comes from the fact that since UDP does not wait for an acknowledgement that the message was received, the packets may be dropped and will not be retransmitted. The end result is you may not receive as many syslog messages because of UDP as you would with TCP.

So, there's the trade-off...

 

[kfriend]

yeah I know UDP isn't as reliable as TCP. I just wasn't aware that the pix would "crap out" when it isn't connecting to the syslog server!!

I'm sure everyone can appreciate the humor in my silly-arse running around ripping my hair out because the firewall "Suddenly and Mysteriously Stopped Working".

Thanks a ton for your insight guys. If this was "The Wizard of Oz" I'd be the giant cool looking wizard, and the people on this board would be "The man behind the curtain".

lol

MCSE/MCDBA
SANS GIAC + SANS FIREWALL