PIX losing ARP?
Posted by boosh on October 9th, 2007


Hello all,
I have a Cisco PIX 501 version 6.3(5). It is deployed in an office with 10 PCs, all with web access. Every day (at different times) one or two of the PCs will lose internet browsing connectivity. When they are unable to browse I can still ping internet hosts, e.g. yahoo.com. If I reboot the PIX, connectivity is restored. Has this got something to do with the PIX losing its ARP cache? I reloaded the software (went from 6.3(4) to 6.3(5)) and it still does this daily. The ARP timeout is set to the 4 hour default. Please see the config below, and thank you very much for any help you can give.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
hostname PIX
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.5 Server
name xxx.xxx.xxx.xxx NOSPAM
name xxx.xxx.xxx.xxx REMOTESUPPORT
access-list outside_access_in permit tcp any host xxx.xxx.xxx.xxx eq pop3
access-list outside_access_in permit tcp NOSPAM 255.255.255.0 host xxx.xxx.xxx.xxx eq smtp
access-list outside_access_in permit tcp host REMOTESUPPORT host xxx.xxx.xxx.xxx eq 3389
access-list inside_access_out permit ip any any
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq www
access-list 100 permit tcp host REMOTESUPPORT interface outside eq 3389
access-list 200 permit ip any any
pager lines 23
logging timestamp
logging host inside Server
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm location REMOTESUPPORT 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
access-group 100 in interface outside
access-group 200 in interface inside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt noproxyarp inside
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:2ec097def00342437621caa23cbc545b
: end

Posted by Chad Mahoney on October 9th, 2007


Can you do a show version on the PIX, what license feature does it have?

Are there any other devices in your network? Switches, printers, etc...
If there are, do you see those devices in ARP?

Posted by boosh on October 9th, 2007


Chad,
here is the sh ver and the ARP table. The most recent entry to drop is
the "inside 192.168.1.74 001a.a018.9a4f" entry. There are two network
printers that do not show up in ARP, neither does the unmanaged
switch. Just the PCs and Windows server.

sh arp
outside 24.248.210.1 0050.5701.fc00
inside 192.168.1.78 0011.43a3.655e
inside Server 00c0.9f1e.2b24
inside 192.168.1.67 0011.43a3.73f9
inside 192.168.1.66 00c0.f074.00a1
inside 192.168.1.64 001a.a03a.8904
inside 192.168.1.82 0012.1784.247a
inside 192.168.1.76 0011.43a3.4d39
inside 192.168.1.75 000b.dbc2.cc16
inside 192.168.1.74 001a.a018.9a4f
inside 192.168.1.79 0011.43a3.75b9
inside 192.168.1.68 0011.43a3.68de
PIX# sh arp statistics
Dropped blocks in ARP: 6
Maximum Queued blocks: 4
Queued blocks: 0
Interface collision ARPs Received: 0
ARP-defense Gratuitous ARPS sent: 0
Total ARP retries: 28
Unresolved hosts: 0
Maximum Unresolved hosts: 3

Thanks!

Posted by boosh on October 9th, 2007



sh ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

SChamberPIX up 1 hour 51 mins

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0013.80b7.4ac8, irq 9
1: ethernet1: address is 0013.80b7.4aca, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.

Serial Number: 809115275 (0x303a1e8b)
Running Activation Key: 0xedbcba40 0x58d16a67 0x76c33629 0x63886482
Configuration has not been modified since last system restart.


Posted by Chad Mahoney on October 9th, 2007


Just by looking at the ARP table you have 11 hosts and only 10 licenses.
I would say your problems begin there.
Just from looking at the table, I would say there is your problem. Could
you perform a sh xlate command and look at the translations being performed.

Posted by Fred@anonymous.org on October 10th, 2007


I have had the same symptoms you described, it was the license count...
only short term fix was to shorten the xlate time... real solution is
a 50 user upgrade..

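A small check, added here as an example and not part of the thread, that automates the comparison Chad made above: it parses the "Inside Hosts" line from sh ver and counts the inside entries in sh arp, using the output posted earlier in this thread as constructed sample input. ARP entries are only a proxy for the hosts the PIX actually counts against its license, so treat a positive result as a reason to look at sh xlate rather than as proof.

```python
import re

# Constructed sample input: the "Inside Hosts" line from the sh ver posted
# above and the sh arp table from the same post (PIX shows names, e.g. Server).
SH_VER = """Licensed Features:
Inside Hosts: 10
Throughput: Unlimited
"""
SH_ARP = """outside 24.248.210.1 0050.5701.fc00
inside 192.168.1.78 0011.43a3.655e
inside Server 00c0.9f1e.2b24
inside 192.168.1.67 0011.43a3.73f9
inside 192.168.1.66 00c0.f074.00a1
inside 192.168.1.64 001a.a03a.8904
inside 192.168.1.82 0012.1784.247a
inside 192.168.1.76 0011.43a3.4d39
inside 192.168.1.75 000b.dbc2.cc16
inside 192.168.1.74 001a.a018.9a4f
inside 192.168.1.79 0011.43a3.75b9
inside 192.168.1.68 0011.43a3.68de
"""

def licensed_inside_hosts(show_version):
    """Return the licensed 'Inside Hosts' count, or None when Unlimited."""
    m = re.search(r"^Inside Hosts:\s*(\d+|Unlimited)\s*$", show_version, re.M)
    if not m:
        raise ValueError("no 'Inside Hosts' line in show version output")
    return None if m.group(1) == "Unlimited" else int(m.group(1))

def inside_arp_hosts(show_arp, inside_if="inside"):
    """Hosts (IP or configured name) with an ARP entry on the inside interface."""
    hosts = set()
    for line in show_arp.splitlines():
        parts = line.split()  # <interface> <ip-or-name> <mac>
        if len(parts) >= 3 and parts[0] == inside_if:
            hosts.add(parts[1])
    return hosts

def license_headroom(show_version, show_arp):
    """Compare inside ARP entries with the license. ARP is only a proxy for the
    hosts the PIX actually counts, so over_by > 0 is a warning to investigate."""
    limit = licensed_inside_hosts(show_version)
    seen = len(inside_arp_hosts(show_arp))
    over = 0 if limit is None else max(0, seen - limit)
    return {"limit": limit, "seen": seen, "over_by": over}

if __name__ == "__main__":
    print(license_headroom(SH_VER, SH_ARP))  # {'limit': 10, 'seen': 11, 'over_by': 1}
```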

Posted by boosh on October 10th, 2007


Thank you both very much for your help. I will upgrade.