PIX 515 inside interface errors

[lorrscan]

Hello,

For the past few days we have been having problems with the connection between out PIX 515e firewall and 3Com switch but are not sure where the problem lies. We suspect that its probably the switch as it has caused problems in the past. All of a sudden the link just seems to freeze so we change the firewall to a different port on the switch and all seems to be ok until it happens again. It happened twice yesterday. I haven't changed the cable, not sure if that would cause the errors below?

Below are the results from the show interface command:

interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 001c.58b5.72a6
IP address 10.0.0.254, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
163694 packets input, 3636678143 bytes, 0 no buffer
Received 3472517 broadcasts, 53 runts, 0 giants
277 input errors, 224 CRC, 0 frame, 0 overrun, 224 ignored, 0 abort
194667 packets output, 2665798037 bytes, 0 underruns
0 output errors, 0 collisions, 947 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/31)
output queue (curr/max blocks): hardware (3/128) software (0/395)

Appreciate any help/advice on this,

Thanks,

 

[ADB100]

Looks like a duplex mismatch. The PIX shows the interface as 100Mb Full-Duplex, is this hard-coded on the PIX? If it is have you hard-coded the 3Com switch end? If you haven't it will be a duplex mismatch.

HTH

Andy

 

[lorrscan]

Hi Andy,

Thanks for your reply, I thought it was a duplex mismatch myself and yesterday set the switch port to 100FD also. The connection hung again last night and my boss told me to set the switch port back to auto and leave the pix settings as they were. I did question this but he told me that he's worked in IT for 15 years and seen this on network cards before and to just make the change. So I did the connection hasn't hung yet but these errors can't be good. Do you know of anything else that might cause the pix - switch connection to hang when duplex settings are the same on both ends..

Thanks Again,

 

[lorrscan]

Sorry correction to my reply above, the switch port is set to 100HD as opposed to auto,

Thanks

 

[ADB100]

What is the PIX interface set to? If one end is Auto and the other hard-coded to Full-Duplex you WILL have a problem. Either hard-code both ends the same or leave them both at Auto, NEVER leave it in-between.

I can't comment on your boss's ability but duplex mismatches are still a common fault in networks, simply stating that the PIX interface should be hard-coded to 100/Full is not enough. BOTH ends of a link must be hard-coded for this to work correctly.

Personally I would leave them both at Auto, whichever way you do it you need to verify on both the 3Com switch and the PIC that the interfaces are operating at 100/Full.

Andy

 

[cknipe]

not a virus issue is it? I have had 3 sites that I have visited in the past 2 weeks with the same scenairo. THe link is up for a while, then down, then up, then down......it wasnt until I checked connection monitors that I realized one machine on my lan was seizing almost all availible connections to call back to its virus home. I would disconnect the link for a little bit and then plug it back in and it would be fine for a few hours.

 

[lorrscan]

Hi Andy, cknipe

Thanks for your posts, I have reset both ends of the link to auto. The same thing happened again last night, the link was down when we came in this morning. The only thing that seems to bring it back is to change it to a different port on the switch.

cknipe, how do I check the connection monitors that you mention above.

Thanks Again,

 

[NetworkGhost]

In my opinion you should always have your critical links hard coded to a speed/duplex.

So the other issue here may not necessarily be physical connections. Many times this type of issue could be a layer 2 problem such as another device with he same IP address. This would also explain why you randomly lose a connection and then by unplugging the cable and plugging it back in you get a connection.

Check your arp entries for the ASA on either the workstation r the switch. Do you have a mac address listed for you ASAs IP address? If yes make sure it matches up with the ASAs MAC address. What is the switch reporting when this happens? 3Com used to come with some good GUI based management tools.


Besides all that. Is it really a 3com switch or a Hub?

http://www.wr-mem.com

 

[lorrscan]

Hi All,

Thanks for your help. The mac address of the PIX is listed on the switch and my workstation.

We did look at some of the monitors on the pix and it showed traffic was higher on this link during the night when nobody is here. We shut down all pc's on Friday and this morning the link was still up so it looks like we have a problem PC. We have Sophos anti virus on all machines but it hasn't picked up anything.

Is there anyway to determine which ip or mac addresses are responsible?

Thanks Again,

 

[NetworkGhost]

Post a scrubbed config. Also turn logging on if it isnt.

logging buffered 6
logging on

If it happens during the day try to get a "sh log" when the problem occurs. Since this is happening at night you may want to enable a syslog server and see if you can get something in the logs. You should see some connection limit entries logged.

http://www.wr-mem.com

http://www.wr-mem.com

 

[lorrscan]

Does anyone have a link for cisco's syslog server PFSS? I can't seem to find a link for it...

Thanks.

 

[NetworkGhost]

I would use kiwi.

http://www.kiwisyslog.com/kiwi-syslog-daemon-overview/

Not even sure you can download PFSS anymore.

http://www.wr-mem.com

 

[lorrscan]

Thats great thanks, I have that installed and running now. What level of logging would you recomend I use?

Thanks,

 

[NetworkGhost]

Logging level 6 at least for this purpose. Usually 4 and below is good for monitoring events.

http://www.wr-mem.com