Pix is Dropping SQL Connections

Status
Not open for further replies.

afrugone

IS-IT--Management
Mar 22, 2002
Dear Friends,

We have a PIX 515 (6.2(2), 32 MB RAM, 16 MB Flash) that connects a branch office to the central site, where we have an SQL server database. If users at the branch office don't use the system for about 5 minutes, the PIX drops the SQL connection. Besides, we have about 150 users in the branch office, and normally 3 or 4 users cannot get a connection through the PIX; if we do a clear xlate these users can pass through the PIX, but probably others will have the same problem soon.

We replaced the PIX with a 3640 router and then we did not have any problem.

Any help is welcome, thanks
 
Probably due to your SQL connection not sending keepalives. The firewall is supposed to close a TCP session with no data sent or received after a specified interval; make your SQL client/server use keepalives.

As for not getting a connection, it sounds like a NAT/PAT issue; the PIX 515 is certainly fast enough for what you are using it for.

Post your partial PIX config here, and we will better be able to determine what might be wrong.

Jan

Network Systems Engineer
CCNA/CQS
 
Thanks for your reply, here is part of the configuration:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 sonda security50
enable password wJqrqRGg/EBZW/vO encrypted
passwd wJqrqRGg/EBZW/vO encrypted
hostname TG
domain-name TECNOGLOBAL.CL
fixup protocol ftp 21
.....
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 20
logging timestamp
logging trap informational
logging history notifications
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp deny any echo outside
icmp deny any echo inside
icmp deny any echo sonda
mtu outside 1500
mtu inside 1500
mtu sonda 1500
ip address outside 200.27.56.3 255.255.255.0
ip address inside 10.10.10.1 255.255.0.0
ip address sonda 172.27.110.2 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 1 200.27.56.10
global (sonda) 1 172.27.110.3-172.27.110.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (sonda) 1 0.0.0.0 0.0.0.0 0 0
static (inside,sonda) 172.27.110.150 10.10.30.150 netmask 255.255.255.255 0 0
static (inside,sonda) 172.27.110.100 10.10.30.100 netmask 255.255.255.255 0 0
......
static (inside,outside) 200.27.56.254 10.10.10.5 netmask 255.255.255.255 0 0
static (inside,outside) 200.27.56.6 10.10.10.22 netmask 255.255.255.255 0 0
conduit permit tcp host 200.27.56.254 eq domain any
conduit permit udp host 200.27.56.254 eq domain any
........
conduit permit tcp host 172.27.110.208 any
conduit permit tcp host 200.27.56.250 eq outbound 1 deny 0.0.0.0 0.0.0.0 6970 udp
outbound 1 deny 0.0.0.0 0.0.0.0 7170 udp
.......
outbound 2 deny 0.0.0.0 0.0.0.0 1755 tcp
outbound 11 deny 0.0.0.0 0.0.0.0 7071 tcp
apply (inside) 1 outgoing_src
apply (inside) 2 outgoing_src
route outside 0.0.0.0 0.0.0.0 200.27.56.1 1
route inside 10.10.11.0 255.255.255.0 10.10.11.1 1
........
route sonda 200.6.76.0 255.255.255.0 172.27.110.1 1
route outside 200.6.77.0 255.255.255.0 200.27.56.1 1
timeout xlate 10:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:35:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
ssh timeout 5

Best Regards

Alfredo
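
The keepalive advice in the reply above can be checked against the `timeout` lines of the posted configuration. The following is an added example, not part of the original thread: it parses the PIX idle timers into seconds and derives TCP keepalive settings that probe before the `timeout conn` timer expires. The function names and the interval, probe count and safety factor are assumptions chosen for illustration.

```python
import re
import socket

# Constructed sample: the two idle-timer lines copied from the configuration posted above.
PIX_CONFIG = """\
timeout xlate 10:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
"""

def parse_pix_timeouts(config):
    """Return {timer_name: seconds} for every 'timeout' line in a PIX 6.x config."""
    timers = {}
    for line in config.splitlines():
        if not line.startswith("timeout "):
            continue
        # Each timer is a 'name h:mm:ss' pair; trailing words such as 'absolute' are skipped.
        pairs = re.findall(r"(\S+) (\d+):(\d{2}):(\d{2})", line[len("timeout "):])
        for name, h, m, s in pairs:
            timers[name] = int(h) * 3600 + int(m) * 60 + int(s)
    return timers

def keepalive_plan(conn_timeout, interval=30, probes=4, safety=0.5):
    """Choose keepalive values (assumed defaults) so the first probe, and all
    of its retries, are sent before the firewall's idle timer runs out."""
    idle = int(conn_timeout * safety) - interval * probes
    if idle <= 0:
        raise ValueError("conn timeout too short for this interval/probe count")
    return {"idle": idle, "interval": interval, "probes": probes}

def enable_keepalive(sock, plan):
    """Turn on TCP keepalives; per-socket tuning is applied where the platform exposes it."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for opt, key in (("TCP_KEEPIDLE", "idle"), ("TCP_KEEPINTVL", "interval"),
                     ("TCP_KEEPCNT", "probes")):
        if hasattr(socket, opt):
            sock.setsockopt(socket.IPPROTO_TCP, getattr(socket, opt), plan[key])
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0

if __name__ == "__main__":
    timers = parse_pix_timeouts(PIX_CONFIG)
    plan = keepalive_plan(timers["conn"])
    print("conn idle timeout (s):", timers["conn"], "keepalive plan:", plan)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("keepalive enabled:", enable_keepalive(s, plan))
```

Common operating-system defaults send the first keepalive only after two hours of idle time, which is longer than the one-hour `timeout conn` shown in this configuration, so enabling keepalives without shortening the idle value would not be enough here.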
 