Restart PIX

What could be the reasons for a PIX 535 to restart 2-3 times in 24 hours? I even tried a spare PIX and it is still the same. It used to work fine a month back. Any help on this?

Faiz,

There are a few bugs in 6.3(3) that cause the system to reload or crash. These include running out of memory, VPN setup, authentication, etc. I really advise you to upgrade your IOS to 6.3(5) and, as appropriate (after determining the memory requirements), upgrade to 7.0(4) or 7.1(1).

If you want step-by-step troubleshooting, please post the config file. Exclude public IP addresses and passwords.

Regards

Tags: Cisco Security

Similar Questions

  • PIX 515E failover restart problems

    Thursday, November 23, we took the PIX cluster from version 6.2(2) to 7.1(2) with the default memory (64 MB) in each PIX. The active PIX then suffered what appeared to be a memory leak (attributed to the ARP Thread process). This continued for a few days, with the result that we force-reloaded the active PIX every 8 hours to ensure continuity of service. On Monday 27, after a reload, it was noticed that the active PIX was leaking more memory per ARP Thread process. The same day, we took the PIX cluster to 128 MB of memory. Then we had active/standby failovers every 2 hours, which seem to be attributed to missed failover 'hello' messages. We then decided to configure LAN failover on the PIX cluster. In the process of activating this feature, the secondary PIX (which was the currently active unit) crashed.

    Do you have any explanation as to why these events took place?

    Hi Carlton,

    I can tell you that maybe the method you used to upgrade started the chain of problems. I have done migrations of these products and have never encountered this before. In general, I save the configurations, schedule a service outage, and leave the failover unit working alone while I upgrade the formerly active unit. After the upgrade, I load the configuration I saved before and make the customizations.

    For the unrestricted PIX, 128 MB of memory is actually required. For the restricted license, you can use the default of 64 MB.

    After that, you can put the active unit back in place of the failover unit. You then upgrade the failover unit the same way, connect it again to the active unit already in production, and restart the synchronization.

    For all my clients, it worked.

    I hope this is useful. If so, please rate.

    Kind regards

    Rafael Lanna

  • PIX 515E, 7.2 (1), restarts randomly several times per day

    Hello

    We have a PIX 515E running 7.2(1) that reboots randomly. It has happened 4 times this morning and has been happening for several days.

    There are no significant syslog messages prior to the restart of the box. Monitoring CPU and memory usage shows nothing unusual.

    No failover and no VPN. Pretty basic config, a low traffic flow.

    I've attached the crashinfo file - I looked through it and it is meaningless to me.

    Does anyone have an idea?

    Cheers

    Chris

    The inspect esmtp is causing your ASA to crash. See: CSCse41795

    HTH, pls rate

  • FF 27 - my fonts are pixely and I can't understand why.

    Hello friends,

    About 4 weeks ago, fonts on all the pages I visit using Firefox became pixely (some letters appear in bold, the lines seem to be low resolution, etc.). I tried the following steps to fix without success:

    - Updated to FF 27
    - Reset to defaults
    - Turned off hardware acceleration

    Here is a link to a comparison of the FF27 vs Chrome vs IE screenshot: http://i.imgur.com/f8EBC6p.png

    The only thing I can think of that may be the culprit is that, at the same time, I got a new monitor that requires a display driver installed on my laptop.

    What other troubleshooting measures can I take to help fix the display of fonts while I use my beloved Firefox?

    Any help is appreciated.

    Thank you.

    Try to play with this:

    layers.acceleration.disabled: True

    And make sure that Firefox has the updated driver; you can check in "about:support".

    Also try disabling graphics hardware acceleration. Since this feature was added to Firefox, it has gradually improved, but there are still some problems.

    You may have to restart Firefox for it to take effect, so save any work first (e.g. mail you are composing, online documents you are editing, etc.).

    Then perform the following steps:

    • Click on the orange Firefox button at the top left, then select the 'Options' button, or, if there is no Firefox button at the top, go to Tools > Options.
    • In the Firefox options window, click the Advanced tab, and then select 'General'.
    • In the list of settings, you will find the checkbox 'Use hardware acceleration when available'. Clear this checkbox.
    • Now restart Firefox and see if the problems persist.

    In addition, please check the updates for your graphics driver by following the steps in the following knowledge base articles:

    Did this solve your problems? Please report back to us!

    Thank you.

  • HP Slate 7 and freezing with a screen of pixely

    I have had the Slate for more than 6 months, and every once in a while it crashes and the screen is all pixely.

    I have not seen anyone else post about this, so I wonder if it's just my tablet. It also loses Wi-Fi every so often, and the only way to get it back is to shut down and restart the tablet.

    I called CS and they agree that there is something wrong with the Slate. They'll send a refurbished one.

  • Removing a failover PIX

    We have two PIX 515s currently configured for failover. We must remove the additional PIX for a few days. Is there something special we have to do, or should we just unplug it and let it do its normal failover? And since we're on the subject, what would need to be done when we put the PIX back in? Thanks in advance.

    If you remove the standby, just turn it off and remove it; the active PIX remains active.

    If you remove the active PIX, do a "failover active" on the standby to make it active and then turn the other one off.

    Remember however that if your secondary PIX has a failover-only license, then it restarts every 24 hours or so if it detects that the primary is not connected. When that happens you will have to do another "failover active" manually on this unit, as it will not automatically become the active unit. Make sure you leave the failover cable connected to this unit, otherwise it won't start up at all.

  • EZVPN - PIX to PIX

    This is perhaps a silly question, but I am at a loss to see what the problem is.

    I have a 515 on my site and am trying to install a few small 501 office across the country.

    Each office can connect and establish a tunnel when I configure it to use EZVPN, and I am setting up split-tunnel so that traffic passes to the Internet or to me each time.

    If for some reason I have to restart my PIX or my T1 goes down, they lose the tunnel (of course), but they also lose any Internet connection they have. The only way to get them reconnected to the world is to go and uncheck the box "use the EZVPN."

    At the end of the day, I don't want them to lose all connectivity when/if I go down.

    What am I forgetting?

    Thanks in advance.

    Robert Crooks

    Network systems administrator

    Ivaco Rolling Mills

    Try adding no-xauth no-config-mode to your isakmp key statement:

    isakmp key YOURPASSWORD address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode

    or try working through this documentation:

    http://www.Cisco.com/en/us/customer/products/sw/secursw/ps2120/products_user_guide_chapter09186a00800898f7.html

  • Determine the version of PIX

    I need to perform a password recovery on a PIX 506E for a new client. The old network administrator left, along with the password. I have documentation on how to perform the recovery; however, it tells you to download a .bin file that is based on what version (I guess of the IOS) the firewall uses. How can I determine that if I can't get into the box to do a 'show version'?

    You must connect a terminal to the console and restart the PIX. Look at the startup messages; they tell you what version of the code it is running.

    Andy

  • PIX 515 - deleting static routes

    We have a few static routes that we change the IP addresses on. We issue the no static (inside,outside) command, but it seems we have to reboot the PIX after the change is made so that it can use the new static IP route to the outside interface. Is there a command that does it, so we do not have to restart the PIX?

    clear xlate

  • Site to Site PIX VPN problems

    Hi, I currently have a site-to-site VPN up and running and it works fine. I am trying to put two others online and just cannot make them work. I used the same configuration as the working one but I cannot get the next tunnel up. I saw several errors when debugging isakmp and ipsec and they are at the end of my configs. Anyone have any ideas? Thank you

    Main site - has VPN clients connecting to it and pt to pt VPN to 3 endpoints

    Cisco PIX Firewall Version 6.3(3)

    * Main Site Config *

    access-list client_vpn permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0

    access-list VPN_to_Site2 permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0

    nat (inside) 0 access-list client_vpn

    sysopt connection permit-ipsec

    crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac

    crypto map outside_map 60 ipsec-isakmp

    crypto map outside_map 60 match address VPN_to_Site2

    crypto map outside_map 60 set peer 64.X.X.19

    crypto map outside_map 60 set transform-set fws_encry_set

    crypto map outside_map interface outside

    isakmp enable outside

    isakmp key * address 64.X.X.19 netmask 255.255.255.255 no-xauth no-config-mode

    isakmp identity address

    isakmp nat-traversal 20

    isakmp policy 10 authentication pre-share

    isakmp policy 10 encryption 3des

    isakmp policy 10 hash md5

    isakmp policy 10 group 2

    isakmp policy 10 lifetime 86400

    Site 2 config

    * Only because the pt to pt does not work, I have it set up to allow VPN clients to connect across to the main site.

    Cisco PIX Firewall Version 6.3(5) *

    access-list VPN_to_Main permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0

    nat (inside) 0 access-list VPN_to_Main

    sysopt connection permit-ipsec

    crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac

    crypto map outside_map 10 ipsec-isakmp

    crypto map outside_map 10 match address VPN_to_Main

    crypto map outside_map 10 set peer 207.X.X.13

    crypto map outside_map 10 set transform-set fws_encry_set

    crypto map outside_map interface outside

    isakmp enable outside

    isakmp key * address 207.X.X.13 netmask 255.255.255.255 no-xauth no-config-mode

    isakmp identity address

    isakmp nat-traversal 20

    isakmp policy 10 authentication pre-share

    isakmp policy 10 encryption 3des

    isakmp policy 10 hash md5

    isakmp policy 10 group 2

    isakmp policy 10 lifetime 86400

    Errors

    PIX(config)# IPSEC(sa_initiate): ACL = deny; no sa created

    authenticator is HMAC-MD5

    IPSEC(validate_proposal): invalid local address

    I have a link that works very well. I copied the config from there, changed the IP info, and it does not work. The only differences in the configs are no sysopt route dnat and that it's on Version 6.2(2).

    IPSEC(sa_initiate): ACL = deny; no sa created

    I think that you configured the VPN tunnel without removing the crypto map from the outside interface. The message above is the error we get in such a situation.

    I suggest the following solution:

    - Remove the crypto map from the outside interface (on both PIXes).

    - Issue clear isa sa and clear ipsec sa (on both PIXes).

    - Reapply the crypto map on the outside interfaces.

    If this doesn't solve the problem, restart the equipment.

    Kind regards

    Ajit
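
When a tunnel config is copied from a working link and only the IP info is changed, as in the thread above, the settings that must agree across the two peers are the crypto ACLs (mirror images of each other), the transform set and the ISAKMP proposal. The check below is an added example, not code from the thread: `parse` and `compare` are hypothetical helpers, and the two configurations are constructed from the lines the poster gave.

```python
# Added example: cross-check both ends of a PIX 6.x site-to-site tunnel.
# MAIN is constructed from the config lines posted in the thread.
MAIN = """\
access-list VPN_to_Site2 permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac
crypto map outside_map 60 match address VPN_to_Site2
crypto map outside_map 60 set peer 64.X.X.19
crypto map outside_map 60 set transform-set fws_encry_set
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
# A copy with names, sequence and peer changed but the ACL left unswapped...
SITE2_UNSWAPPED = (MAIN.replace("VPN_to_Site2", "VPN_to_Main")
                   .replace("outside_map 60", "outside_map 10")
                   .replace("64.X.X.19", "207.X.X.13"))
# ...and the same copy with source and destination swapped, as Site 2 has it.
SITE2 = SITE2_UNSWAPPED.replace(
    "10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0",
    "192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0")

def parse(config):
    """Collect crypto ACLs, transform sets, crypto map entries, ISAKMP policies."""
    cfg = {"acl": {}, "tset": {}, "map": {}, "policy": {}}
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"] and len(t) == 8:
            cfg["acl"].setdefault(t[1], set()).add((tuple(t[4:6]), tuple(t[6:8])))
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) > 4:
            cfg["tset"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) >= 7 and t[5] in ("address", "transform-set"):
            cfg["map"].setdefault((t[2], t[3]), {})[t[5]] = t[6]
        elif t[:2] == ["isakmp", "policy"] and len(t) == 5:
            cfg["policy"].setdefault(t[2], {})[t[3]] = t[4]
    return cfg

def compare(a, a_key, b, b_key):
    """List what disagrees between crypto map entry a_key on a and b_key on b."""
    ea, eb, problems = a["map"][a_key], b["map"][b_key], []
    acl_a = a["acl"].get(ea.get("address"), set())
    acl_b = {(dst, src) for src, dst in b["acl"].get(eb.get("address"), set())}
    if not acl_a or acl_a != acl_b:
        problems.append("crypto ACLs are not mirror images")
    ts_a = a["tset"].get(ea.get("transform-set"))
    if ts_a is None or ts_a != b["tset"].get(eb.get("transform-set")):
        problems.append("transform sets differ")
    fields = ("authentication", "encryption", "hash", "group")  # lifetime may differ
    offers_a = {tuple(p.get(f) for f in fields) for p in a["policy"].values()}
    offers_b = {tuple(p.get(f) for f in fields) for p in b["policy"].values()}
    if not offers_a & offers_b:
        problems.append("no common ISAKMP policy")
    return problems

if __name__ == "__main__":
    print(compare(parse(MAIN), ("outside_map", "60"),
                  parse(SITE2_UNSWAPPED), ("outside_map", "10")))
```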

  • PIX 506E

    I have a PIX 506E that I couldn't connect to this morning. I had a user restart it for me while I ran a ping -t against it; the ping of the IP address of the device went away, and the IP address of the proxy server now comes up. What would cause this?

    If pings from the hosts or routers to the PIX firewall interfaces fail, check the debugging messages, which should be displayed on the console. Successful ping debugging messages appear as in this example.

    ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2

    ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1

    Both the request and reply statements should appear, which shows that the PIX firewall and the host responded. If none of these messages appeared while pinging the interfaces, then there is a routing problem between the host or router and the PIX firewall that caused the ping (ICMP) packets to never get to the PIX firewall.

  • PIX firewall Image issue

    Hello

    I'm downgrading a PIX firewall from 7.0 to 6.3. I faced a problem during the restart of the PIX.

    The error is given below:

    Start the first image in flash

    Image must be at least 7-0-0-0 error in the flash file: / pix635.bin

    No bootable Flash image. Please download an image from a network server

    in monitor mode

    CISCO PIX FIREWALL SYSTEMS

    BIOS version shipped 4.3.207 01/02/02 16:12:22.73

    Compiled by Manu

    128 MB OF RAM

    Did you follow the exact downgrade procedure indicated at this link? You point to the 6.3.x image as shown:

    downgrade tftp://tftpserverip/pix63x.bin

    PIX downgrade procedure 7.x to 6.3.x

    http://www.Cisco.com/en/us/docs/security/ASA/asa70/pix_upgrade/upgrade/guide/pixupgrd.html#wp1810347

    In any case, you can always reload the 6.3.5 code again in monitor mode.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml#upbootormon

    Let us know how it works.

    Rgds

    Jorge

  • Crypto map commands lock up PIX 525

    Does anyone know why my PIX 525 crashes when I apply my crypto map commands at the command line? I first apply the following ACLs. But when I try to apply the first crypto map line, my PIX locks up and I have to restart... Any help would be greatly appreciated.

    access-list XXXXXtunnel permit ip xx.xx.0.0 255.192.0.0 xx.xx.18.0 255.255.255.0

    access-list sheep permit ip xx.xx.0.0 xx.xx.xx.0 255.255.255.0 xx.xx.0.0

    access-list acl-inner permit ip xx.xx.0.0 xx.xx.0.0 xx.xx.xx.0 xx.xx.xx.0

    crypto map xxx_map 157 ipsec-isakmp

    crypto map xxx_map 157 match address xxx-tunnel

    crypto map xxx_map 157 set peer xx.4.xx.xx

    crypto map xxx_map 157 set transform-set xxx_set

    Hello

    I came across this problem when other entries already exist under the same crypto map and are already applied to an interface.

    I found that by first negating the crypto map interface command, changing the config and then re-applying the interface command, it works very well.

    So...

    (1) no crypto map xxx_map interface outside

    (2) enter the crypto map configuration lines

    (3) crypto map xxx_map interface outside

    Of course, you will lose the existing tunnels if some are already set up, but then this happens if you reboot anyway!

    Hope this helps

  • PIX failover

    We have a PIX 515E failover bundle. In the documentation, I read that the failover PIX will restart every 12 hours min. Does this also occur in an 'ordinary' failover design?

    If the link status of the LAN failover interface is up:

    * The FO-only PIX will boot and automatically become active if it fails to detect the primary UR PIX.

    * The device reloads itself every 24 hours, automatically becoming active each time.

    If the link status of the LAN failover interface is down:

    * The FO-only PIX will boot and be online but will not become active.

    The failover active command must be run manually to make the unit active.

    * The device reloads itself every 24 hours, requiring another manual failover active to make it active each time.

    This is precisely why we suggest connecting PIX failover through a switch instead of a crossover cable.

  • PIX 501

    I have a PIX 501 for my house. Whenever I touch it or someone bumps my desk, it restarts. It seems that there is a problem with the physical connector on the PIX. I have endured the pain for a while now, but I would like to solve the problem if possible. Does anyone know of the same problem? Was there an alert and/or "recall" on this issue?

    You need to replace it. There is a field notice on this issue.
