RE: PIX Firewall serie 535

From: Zhang, Anchi (AZhang@reliant.com)
Date: Tue Mar 26 2002 - 13:21:41 EST


I would replace the crossover cable first.
 
Having PIX send syslog messages to a syslog server takes a bit of
configuring. Please refer to
http://www.cisco.com/warp/public/110/pixsyslog.html.
 
If your PIX is configured to send syslog messages to a node but either
the node does not exist or is not properly configured, the messages just
get dropped.
 
Anchi
 
-----Original Message-----
From: Roberto Paoletti [mailto:roberto.paoletti@mail.wind.it]
Sent: Tuesday, March 26, 2002 2:40 AM
To: Zhang, Anchi; cisco-nsp@puck.nether.net
Subject: R: PIX Firewall serie 535

How you can see from syslog messages :
 
Mar 25 11:13:50 [pix] %PIX-4-106023: Deny udp src outside:A.B.C.D/52648
dst inside:A.B.C.D/514 by access
-group "CSM-acl-outside"
Mar 25 11:17:32 [pix] %PIX-1-105005: (Secondary) Lost Failover
communications with mate on interface 7
Mar 25 11:17:32 [pix] %PIX-1-105008: (Secondary) Testing Interface 7
Mar 25 11:18:13 [pix] %PIX-1-104004: (Secondary) Switching to OK.
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
7 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
6 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
5 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
4 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
3 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
2 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
0 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
1 waiting
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
7 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
4 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
3 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
6 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
2 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
5 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
0 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
1 normal
 
from 11:13:50 until 11:17:32 i've not the syslog messages , and after i
find this error msg "lost failover communications...."
 
What do you think?
Why the pix didn't write on the syslog?
Problem of connectivity network?
 
I ask me : when the pix can't write syslog msg on the syslog server ,
What does it happen?
 
Thanks for your collaboration.
 
Roberto P.
 
 -----Messaggio originale-----
Da: Zhang, Anchi [mailto:AZhang@reliant.com]
Inviato: luned́ 25 marzo 2002 20.30
A: Roberto Paoletti; cisco-nsp@puck.nether.net
Oggetto: RE: PIX Firewall serie 535

Are you saying that those syslog messages showed up only right after you
connected interface 7?
 
Would you have all the syslog messages from the secondary during that
time?
 
Anchi
 
-----Original Message-----
From: Roberto Paoletti [mailto:roberto.paoletti@mail.wind.it]
Sent: Monday, March 25, 2002 11:34 AM
To: Zhang, Anchi; cisco-nsp@puck.nether.net
Subject: R: PIX Firewall serie 535

Hi , yes the interface 7 is connected to the primary pix by crossover
cable.
 
This interface is connected only back-to-back without traffic internet.
 
No, i didn't reboot the primary, but this morning i riceived the alert
messages for " Lost Failover communications with mate on interface 7"
and after i connetced on the pix and i 've seen this mistake.
 
I attached the show failover and show interface :
 
 
 
-------------------------SHOW
FAILOVER----------------------------------------
 
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
        This host: Primary - Active
                Active time: 23160 (sec)
                Interface DMZ-slot:7 (192.168.10.9): Normal
                Interface DMZ-slot:6 (192.168.10.13): Normal
                Interface DMZ-slot:5 (192.168.10.17): Normal
                Interface DMZ-slot:4 (192.168.10.1): Normal
                Interface DMZ-slot:3 (192.168.10.5): Normal
                Interface inside (X.X.X.X): Normal
                Interface outside (X.X.X.X): Normal
                Interface DMZ-Slot:2 (X.X.X.X): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface DMZ-slot:7 (192.168.10.10): Normal
                Interface DMZ-slot:6 (192.168.10.14): Normal
                Interface DMZ-slot:5 (192.168.10.18): Normal
                Interface DMZ-slot:4 (192.168.10.2): Normal
                Interface DMZ-slot:3 (192.168.10.6): Normal
                Interface inside (X.X.X.X): Normal
                Interface outside (X.X.X.X): Normal
                Interface DMZ-Slot:2 (X.X.X.X): Normal
              
Stateful Failover Logical Update Statistics
        Link : DMZ-slot:4
        Stateful Obj xmit xerr rcv rerr
        General 4728402 8463 36978 0
        sys cmd 3119 0 3114 0
        up time 2 0 2 0
        xlate 1045 0 351 0
        tcp conn 4724236 0 33511 71
        udp conn 0 0 0 0
        ARP tbl 0 0 0 0
        RIP Tbl 0 0 0 0
 
        Logical Update Queue Information
                        Cur Max Total
        Recv Q: 0 128 36978
        Xmit Q: 0 419 4738791
 
 
-----------------------------SHOW
INTERFACE-------------------------------
 
interface ethernet5 "DMZ-slot:7" is up, line protocol is up
  Hardware is i82558 ethernet, address is 00e0.b604.4866
  IP address 192.168.10.9, subnet mask 255.255.255.252
  MTU 1500 bytes, BW 100000 Kbit full duplex
        1498 packets input, 92852 bytes, 0 no buffer
        Received 2 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1538 packets output, 105116 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/2)
        output queue (curr/max blocks): hardware (0/10) software (0/9)
 
 
------------------------------------------------------------------------
--------------------------------
 
Is it possible an attack ?
 
THANKS FOR YOUR COLLABORATION.
 
CIAO
Roberto P.
 

-----Messaggio originale-----
Da: Zhang, Anchi [mailto:AZhang@reliant.com]
Inviato: luned́ 25 marzo 2002 16.47
A: Roberto Paoletti; cisco-nsp@puck.nether.net
Oggetto: RE: PIX Firewall serie 535

How is the interface 7 on your secondary connected to that of your
primary? Via a crossover cable, a switch, or a hub?
 
What is interface 7 for? Your outside interface?
 
Did the primary reboot?
 
"show failover" and "show interface" output would be helpful.
 
Anchi
 
-----Original Message-----
From: Roberto Paoletti [mailto:roberto.paoletti@mail.wind.it]
Sent: Monday, March 25, 2002 9:21 AM
To: cisco-nsp@puck.nether.net
Subject: PIX Firewall serie 535

Hi ,
        i' ve a problem with the pix 535.
 
Sometimes (2 times) the secondary pix (license failover) with status
Standby , losts comunication on interface X and goes in Testing.
The interface X is back -to-back with the primary pix with status Active
:
 
%PIX-1-105005: (Secondary) Lost Failover communications with mate on
interface 7
 
After the secondary monitoring the others interfaces :
 
%PIX-1-105003: (Secondary) Monitoring on interface 3 waiting
%PIX-1-105003: (Secondary) Monitoring on interface 6 waiting
%PIX-1-105003: (Secondary) Monitoring on interface 2 waiting
%PIX-1-105003: (Secondary) Monitoring on interface 5 waiting
%PIX-1-105003: (Secondary) Monitoring on interface 0 waiting
%PIX-1-105003: (Secondary) Monitoring on interface 4 waiting
%PIX-1-105003: (Secondary) Monitoring on interface 1 waiting
 
Why does the pix work so ?
Which is or are problem/s ?
 
I thought the connectivity (network), but the interface is back-to-back.
I thought the cable, it doesn't work.....but i change the cable.....
 
I've seen the logs and i didn't find nothing interesting .
Can anyone help me ?

Thanks in advance,

Roberto Paoletti
Operations Server Farm & Networking
Network Security & AAA
------------------------------------------------------------------
Wind Telecomunicazioni S.p.A. -
<file:///D:/Documents%20and%20Settings/Administrator.RPAOLETTI-NT/Dati%2
0applicazioni/Microsoft/Signatures/www.wind.it> www.wind.it
Internet & Multimedia - Fixed Portal
via Lorenteggio, 257
20152 Milano
Tel: +39-02-3011 4166
Cell:+39-3294206077
E-mail:roberto.paoletti@mail.wind.it

 



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:38 EDT