
Slow initiating connections


TrevorRiley

Technical User
Nov 25, 2003
4
GB
I have a PIX 501 with a draytek 2600 adsl router and a mix of 2000/XP & 2003 machines behind it.

I use 3 fixed NATs for mail/dns servers, the rest use PAT of the external interface on the PIX.

The problem is that when opening a browser on either NATd or PATd machines, the first few attempts to connect just time out. If I open a DOS prompt while it's trying to connect and do a tracert anywhere outside, it suddenly wakes up, though this may just be a coincidence, I suppose.

Has anyone else noticed anything like this? If I use the draytek as the default gateway it works fine.

T.I.A.
 
Try to hardcode the speed on the interfaces and see if it helps. You don't provide us with enough information such as network layout, configurations, etc.
 
OK, default gateway is the 3640, pix config attached

[tt]
Cisco3640 (192.168.100.254/24)
  |
Cisco2950 Switch
  |-- Desktop
  |
Pix501 (192.168.100.253/24)
  |
Draytek (1.1.1.230/29)
[/tt]
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Gatekeeper
domain-name qualisys.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.100.3 PC3
name 192.168.100.2 SRV2
name 192.168.100.1 SRV1
name 192.168.100.101 SRV101
name 192.168.100.4 PC4
name 1.1.1.226 SRV1-Valid
name 1.1.1.229 SRV101-Valid
name 192.168.100.5 PC5
name 192.168.100.6 PC6
name 192.168.100.102 PC102
name 192.168.100.103 PC103
name 192.168.100.105 PC105
name 192.168.100.106 PC106
name 1.1.1.227 SRV2-Valid
name 1.1.1.230 Draytek2600
name 192.168.100.104 PC104
name 1.1.1.228 PC3-Valid
object-group network Qualisys
network-object SRV1 255.255.255.255
network-object SRV2 255.255.255.255
network-object PC3 255.255.255.255
network-object PC4 255.255.255.255
network-object PC5 255.255.255.255
network-object PC6 255.255.255.255
object-group network Xcalibur
network-object SRV101 255.255.255.255
network-object PC102 255.255.255.255
network-object PC103 255.255.255.255
network-object PC104 255.255.255.255
network-object PC105 255.255.255.255
network-object PC106 255.255.255.255
object-group network Home
network-object 192.168.100.0 255.255.255.0
object-group service SRV1-AllowedTCP-UDP tcp-udp
port-object eq domain
port-object eq echo
object-group service SRV1-TCP tcp
port-object eq domain
port-object eq smtp
object-group service SRV1-UDP udp
port-object eq echo
port-object eq domain
object-group network DNSServers
network-object SRV1 255.255.255.255
network-object SRV2 255.255.255.255
object-group network DNSServers_ref
network-object SRV1-Valid 255.255.255.255
network-object SRV2-Valid 255.255.255.255
access-list inside_access_in permit ip any any
access-list smtp permit tcp any object-group DNSServers_ref object-group SRV1-TCP
access-list smtp permit udp any object-group DNSServers_ref object-group SRV1-UDP
access-list smtp permit tcp any host SRV101-Valid eq smtp
access-list smtp permit icmp any any
pager lines 24
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.225 255.255.255.248
ip address inside 192.168.100.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) SRV1-Valid SRV1 dns netmask 255.255.255.255 0 0
static (inside,outside) SRV2-Valid SRV2 dns netmask 255.255.255.255 0 0
static (inside,outside) PC3-Valid PC3 netmask 255.255.255.255 0 0
static (inside,outside) SRV101-Valid SRV101 dns netmask 255.255.255.255 0 0
static (outside,inside) SRV1 SRV1-Valid dns netmask 255.255.255.255 0 0
static (outside,inside) SRV2 SRV2-Valid dns netmask 255.255.255.255 0 0
static (outside,inside) PC3 PC3-Valid netmask 255.255.255.255 0 0
static (outside,inside) SRV101 SRV101-Valid dns netmask 255.255.255.255 0 0
access-group smtp in interface outside
access-group inside_access_in in interface inside
routing interface outside
routing interface inside
route outside 0.0.0.0 0.0.0.0 Draytek2600 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.100.1 x timeout 5
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication enable console TACACS+
aaa authentication http console TACACS+
aaa authentication serial console TACACS+
aaa authentication ssh console TACACS+
aaa authorization command TACACS+
ntp authenticate
ntp server 158.152.1.76 source outside prefer
http server enable
http 192.168.100.0 255.255.255.0 inside
floodguard enable
sysopt connection timewait
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
 
Your layout and config look fine, although I could not go into it in much detail. Do a show interface on the PIX and try to determine if there are deferred packets or anything suspicious. I would hardcode the speed on the interfaces; auto doesn't work very well with some devices.
 
Show int
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000d.ed64.7f73
IP address x.x.x.225, subnet mask 255.255.255.248
MTU 1500 bytes, BW 100000 Kbit full duplex
46913677 packets input, 3824838582 bytes, 0 no buffer
Received 1118419 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
26707283 packets output, 1827556189 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
1438 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/44)
output queue (curr/max blocks): hardware (0/33) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000d.ed64.7f74
IP address 192.168.100.253, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
27922856 packets input, 1917598519 bytes, 0 no buffer
Received 1097315 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
45849610 packets output, 3754067958 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/33)
output queue (curr/max blocks): hardware (0/45) software (0/1)

No errors, been up for days. I'll try forcing the speed on the interfaces and see if that helps.
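The check the earlier reply asks for, as an added example that is not part of this thread: a small Python parser (my own code, not a Cisco tool) that reads PIX "show interface" output, records the negotiated speed/duplex per interface, and flags every non-zero counter that a bad cable, a flapping link or a speed/duplex mismatch typically produces. The sample text is an abridged copy of the output posted above, embedded so the script runs offline.

```python
import re

# Constructed sample: an abridged copy of the "show interface" output posted above.
SHOW_INT = """\
interface ethernet0 "outside" is up, line protocol is up
MTU 1500 bytes, BW 100000 Kbit full duplex
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
1438 lost carrier, 0 no carrier
interface ethernet1 "inside" is up, line protocol is up
MTU 1500 bytes, BW 100000 Kbit full duplex
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
"""

# Counters that point at a bad cable, a flapping link or a speed/duplex mismatch.
SUSPECT = ("input errors", "CRC", "frame", "output errors", "collisions",
           "late collisions", "deferred", "lost carrier")

HEADER = re.compile(r'^interface (\S+) "([^"]+)" is (\S+), line protocol is (\S+)')
SPEED = re.compile(r'BW (\d+) Kbit (full|half) duplex')
# a counter is "<number> <label>" at the start of a line or after ", "
COUNTER = re.compile(r'(?:^|, )(\d+) ([A-Za-z][A-Za-z ]*?)(?=,|$)')


def parse_show_interface(text):
    """Map interface id -> link state, negotiated speed/duplex and counters."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = ifaces[m.group(1)] = {"name": m.group(2), "link": m.group(3),
                                        "proto": m.group(4), "speed_kbit": None,
                                        "duplex": None, "counters": {}}
        elif cur is not None:
            s = SPEED.search(line)
            if s:
                cur["speed_kbit"], cur["duplex"] = int(s.group(1)), s.group(2)
            for value, label in COUNTER.findall(line):
                cur["counters"][label] = int(value)
    return ifaces


def suspect_counters(ifaces):
    """Return (interface, counter, value) for every non-zero suspect counter."""
    return [(i, lbl, d["counters"][lbl]) for i, d in ifaces.items()
            for lbl in SUSPECT if d["counters"].get(lbl, 0)]
```

On the posted output it flags only the outside interface's 1438 lost carrier count, the one non-zero line worth asking about when a link is suspected of renegotiating.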
 