Problem with a Cisco PIX 501

Posted: Thu Aug 28, 2008 8:40 pm
by CGirardy
Hi,
I have a problem on my network at home.
I have a Cisco PIX 501 as a firewall and when my Dude server polls it, the interfaces keep showing and disappearing.
I cannot get any stat from them.
Of course, my SNMP community and all the rest is ok
My computer is directly connected to a gigabit switch which is connected to one port of the PIX.
Can you help me find out why it does this please ?
Thanks in advance for your help

Re: Problem with a Cisco PIX 501

Posted: Thu Aug 28, 2008 8:54 pm
by lebowski
I still can't think of any reason why they would be detected and then dropped... but here are a couple things you can try.

I doubt it but check the logs in the pix and find out if a rule is blocking access.
Make an allow all rule for the dude server address just to eliminate this possibility...

Is there a pix specific mib? Add the two mibs from my thread on cisco interfaces descriptions.
You can just drag them right from the desktop and drop them right in the list of mibs. That way it doesn't lock up the client.
Restart the server if you add a Mib.

Re: Problem with a Cisco PIX 501

Posted: Thu Aug 28, 2008 9:00 pm
by CGirardy
> I still can't think of any reason why they would be detected and then dropped... but here are a couple things you can try.
>
> I doubt it but check the logs in the pix and find out if a rule is blocking access.
> Make an allow all rule for the dude server address just to eliminate this possibility...
>
> Is there a pix specific mib? Add the two mibs from my thread on cisco interfaces descriptions.
> You can just drag them right from the desktop and drop them right in the list of mibs. That way it doesn't lock up the client.
> Restart the server if you add a Mib.

Thanks for your quick answer.
My Dude server has full access to the PIX. I'll check the logs and let you know.
I have added both mibs from your thread but it didn't solve the problem.
I doubt there's a specific mib as I'm able to use it in my company's network and poll 4 PIX 506 and 3 PIX 515 without adding any specific mib in my Dude server... I also have 3 PIX 501 in my office network but I cannot poll them as they are establishing permanent VPNs and cannot be pinged...
I'll check the PIX logs.
Thanks for your help

Re: Problem with a Cisco PIX 501

Posted: Thu Aug 28, 2008 9:23 pm
by lebowski
Unfortunately I don't have any PIX so I don't know, but let's see what is in the logs, and if you can put Wireshark on your PC and watch the traffic you can get some information that way.

Re: Problem with a Cisco PIX 501

Posted: Fri Aug 29, 2008 10:37 am
by CGirardy
> Unfortunately I don't have any PIX so I don't know, but let's see what is in the logs, and if you can put Wireshark on your PC and watch the traffic you can get some information that way.

My PIX log indicates that it accepts the UDP snmp request.... that's all
No error message
Nothing abnormal.
Well, I'll wait for the new version and check if it does the same
Thanks again

Re: Problem with a Cisco PIX 501

Posted: Tue Sep 02, 2008 9:19 pm
by CGirardy
I have discovered that if I don't create any link on the map and observe my device settings, it's able to poll without any problem...
As soon as I create a link to my network, it freezes the polling and the interfaces disappear and reappear...
I still cannot find how to solve this problem.

Re: Problem with a Cisco PIX 501

Posted: Wed Sep 03, 2008 6:40 am
by lebowski
I still can't imagine why but here are 2 things to try.

So let's make sure that the connection doesn't disappear...
Start ping -t yourfirewall
Then let the polling happen see if ping fails.

And change the polling interval to say 2 minutes instead of the default.
What happens if you do that?

Maybe one of these will point to the trouble.

Re: Problem with a Cisco PIX 501

Posted: Thu Sep 04, 2008 12:27 am
by CGirardy
> I still can't imagine why but here are 2 things to try.
>
> So let's make sure that the connection doesn't disappear...
> Start ping -t yourfirewall
> Then let the polling happen see if ping fails.
>
> And change the polling interval to say 2 minutes instead of the default.
> What happens if you do that?
>
> Maybe one of these will point to the trouble.

Well, of course my ping doesn't fail...
Changing the polling doesn't help either.
I think I'm gonna stop looking for a solution :(

Re: Problem with a Cisco PIX 501

Posted: Fri Sep 05, 2008 2:13 am
by lebowski
Well you know I had to ask the stupid question :)

Not that it will help but have you checked out RC1?

I have seen some weirdness with discovery. I found it is best to get everything just right on the device settings like the device type and the device name... Then close the settings for the device and reopen it, then click discover from the services tab. What services does it discover? Are you using any custom services?

If you are using custom services are they discovered even though they shouldn't be? My guess at this point is the services that are discovered keep changing flip flopping from detected to not.

Have you increased the SNMP timeout or retries? I know another one of them but hey I can't see your config from here :)

Well I hope I helped.
Sweet!

Re: Problem with a Cisco PIX 501

Posted: Sat Sep 06, 2008 10:14 am
by CGirardy
Hi,
Thanks again.
It only discovers Telnet and Ping...
I don't use any custom settings at all.
Funny thing is that it's able to display the SNMP traffic graph for each interface.
I want to attach a JPG but it says "Sorry, the board attachment quota has been reached.".
My jpeg is 47 kb ... What's the limit ?
I also just discovered that I cannot send private message...

Re: Problem with a Cisco PIX 501

Posted: Mon Sep 08, 2008 4:22 pm
by normis
Try to attach again, I fixed it. PM is disabled on this forum.

Re: Problem with a Cisco PIX 501

Posted: Mon Sep 08, 2008 9:51 pm
by CGirardy
OK thanks

Re: Problem with a Cisco PIX 501

Posted: Tue Sep 09, 2008 5:46 pm
by lebowski
I have seen some weirdness when using copies of things. When you added the 2 networks did you make a copy of the first one and paste it to create the 2nd one?

Either way it is easy enough to just delete both networks and recreate them...

GL
Dude!

Re: Problem with a Cisco PIX 501

Posted: Tue Sep 09, 2008 9:54 pm
by CGirardy
No, I created a second network. I didn't copy anything.
I have seen that there are 2 other threads talking about this problem (I didn't search to be honest before opening this one) so it's not a new problem....
I'll forget about it and as it's working in the office on other models of PIX, I'm happy.
Thanks again for your help

Re: Problem with a Cisco PIX 501

Posted: Wed Sep 10, 2008 2:05 am
by lebowski
Yeah, it is definitely one issue that makes me curious why it happens. Anyhow, hope you find a solution some time...

SD

Re: Problem with a Cisco PIX 501

Posted: Thu Jul 23, 2009 12:14 pm
by bemen
Hi!

Have you found a solution to this problem? I'm about to monitor lots of pix 501s and would be nice to get the interface data! Someone mentioned that the pix cannot be monitored as it thinks it's under attack... :) Could this somehow be the case?

Cheers!
B

Re: Problem with a Cisco PIX 501

Posted: Thu Jul 23, 2009 11:50 pm
by lebowski
If that is the case that the PIX doesn't respond to requests there is some other rule that is built into the PIX that keeps it from being polled or polled too often?? You could set the polling interval to 300 for just that device...

I doubt it will matter. What happens when you SNMP walk a PIX? Can you walk it over and over?

Since the packet capture shows the packet getting to the PIX and the PIX doesn't respond that sounds like a problem in the PIX.
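
The repeated SNMP walk suggested above can be scripted so that each pass is compared with the others, independently of The Dude. This is an added example, not code from the thread; it assumes net-snmp's `snmpwalk` is installed, and the community string, address, and sample output are constructed placeholders.

```python
import re
import subprocess

IF_DESCR = ".1.3.6.1.2.1.2.2.1.2"  # IF-MIB::ifDescr column of ifTable
LINE = re.compile(r"^" + re.escape(IF_DESCR) + r"\.(\d+) = STRING: (.*)$")

def walk(host, community, version="1", timeout=2, retries=1):
    """Run snmpwalk once; returns its stdout ('' if the agent never answers)."""
    cmd = ["snmpwalk", "-v", version, "-c", community, "-On",
           "-t", str(timeout), "-r", str(retries), host, IF_DESCR]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def parse(walk_output):
    """Map ifIndex -> ifDescr for a single walk."""
    found = {}
    for line in walk_output.splitlines():
        m = LINE.match(line.strip())
        if m:
            found[int(m.group(1))] = m.group(2).strip('"')
    return found

def flapping(polls):
    """Return {ifIndex: [poll numbers where it was missing]} for every
    interface that was seen in at least one poll but not in all of them."""
    tables = [parse(p) for p in polls]
    seen = set().union(*tables)
    report = {}
    for idx in sorted(seen):
        missing = [n for n, t in enumerate(tables, 1) if idx not in t]
        if missing:
            report[idx] = missing
    return report

# Constructed sample: four walks, one empty (timeout) and one partial.
FULL = (f"{IF_DESCR}.1 = STRING: outside-if (constructed)\n"
        f"{IF_DESCR}.2 = STRING: inside-if (constructed)\n")
SAMPLE_POLLS = [FULL, "", f"{IF_DESCR}.1 = STRING: outside-if (constructed)\n", FULL]

if __name__ == "__main__":
    # Live use (placeholder address/community):
    #   polls = [walk("192.0.2.1", "COMMUNITY") for _ in range(20)]
    for idx, missing in flapping(SAMPLE_POLLS).items():
        print(f"ifIndex {idx} missing in polls {missing}")
```

An empty report over many live walks means the agent returned the same interface table every time, which points the investigation at the poller rather than the firewall.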

Re: Problem with a Cisco PIX 501

Posted: Tue Jul 28, 2009 12:31 pm
by CGirardy
Hi!

> Have you found a solution to this problem? I'm about to monitor lots of pix 501s and would be nice to get the interface data! Someone mentioned that the pix cannot be monitored as it thinks it's under attack... :) Could this somehow be the case?
>
> Cheers!
> B

Hi,
I didn't think of that possibility.
I haven't been able to solve my problem at the moment... but all I can say is that I'm currently replacing my 501s and 506s with ASA 5505 and they work like a charm.
I'll check with the 506 I have left here in the office and let you know this later today.

EDIT : If I look at the syslog debug information on my 506, it doesn't drop anything regarding SNMP... I just think it's a bad implementation of SNMP in this IOS...
Changing poll to 30 sec doesn't change anything. The interfaces still appear and disappear. The odd thing is that you can get the graphics when you click on the link...

Re: Problem with a Cisco PIX 501

Posted: Mon Apr 26, 2010 11:10 am
by dstegner
New to the Dude. Seems like a great product.

I am having the issue stated in this thread.

The Dude finds my Netopia routers and other devices but will not provide link stats for the PIX.

Any hope?

Dave