In December our Cisco PIX 501 appeared to hang, taking the webservers behind it offline. It did this 4 times in the space of a couple of weeks and the "remote hands" engineer at the data-centre (where everything is colocated) reported:

simply rebooting the box once didn't work. We had to reboot the box several times and even re-seat the port0 cable before it would come back online.

So we replaced the PIX with a spare (501), same config installed and everything looked ok. Except this PIX "hung" yesterday. The problem is with the external interface because we can connect to the PIX from an internal IP and show int returns

interface ethernet0 "outside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0000.1234....
IP address x.x.x.x, subnet mask 255.255.255.0

The router that our PIX's external interface is connecting to also reports the line down:

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/32, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/32, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/32, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/32, changed state to up

How do I work out what is causing the line to drop? We have replaced the physical firewall, the network cable and the ports that the cable connects to. We've got informational logging running (using Kiwi) and can also see the line going down there but no idea why:

411002: Line protocol on Interface outside, changed state to down

Last time it happened, we tried shutting down and restarting the external interface - no joy, reload the PIX, no joy, changing the interface to 100full (for some reason it shows up as half-duplex when it was on auto), no joy. The line came back up "on its own" after a few minutes, not in response to anything we were trying (I think). I'm not convinced it's the PIX, data-centre thinks it's us...

Dan
  • If you replaced the hardware entirely, and you're still having the issue, how about looking at what's on the other end of the cable? – SpacemanSpiff Jan 20 '11 at 04:11
  • I agree with SpacemanSpiff on this. If you've replaced the physical hardware, and replaced the cable between you and the router, I'd say it's their end. Is the router in with your equipment? Or do you have a patch panel port to plug into? Ask them to run a test on the cabling between your location and their equipment using decent test equipment (like a good Fluke tester). Also have them test their router as well, see if they can change you to another port if possible. – Jon Angliss Jan 20 '11 at 04:29
  • When the line protocol is down the ethernet0 status reports half duplex, but when it's up the status is 100full. We're connected to a different port now (bypassing the patch panel). – Dan Jan 21 '11 at 21:34

1 Answer

Ask them to switch you to a different network port: you've got the half-duplex thing, and it taking a few minutes to bring the line up. Also, how well was your spare PIX tested? Are you sure it isn't another dud?

DutchUncle
  • The spare PIX was operational until November last year when we retired a couple of servers, but we're also thinking that the first PIX that we replaced is in fact fine, it was the network/switch/patch panel all along. But proving it feels very trial and error. – Dan Jan 21 '11 at 21:30
  • Excellent to hear you found the problem and you don't have to buy any new PIX :-) – DutchUncle Jan 22 '11 at 14:52
  • I know that selecting this to be the accepted answer will in no way change whether our PIX/network goes down again or not, but do I want to risk it! – Dan Mar 08 '11 at 11:48
  • Thanks for the +15, I'm touching wood to compensate & to keep your gear faring well :-) – DutchUncle May 07 '11 at 20:44