Troubleshooting PIX Hardware


Knowing the capacity of each PIX firewall model can be helpful in validating your configuration and troubleshooting. Such knowledge can speed your problem-solving process from the outset by enabling you to determine how to interpret the symptoms you are witnessing. If you use the wrong firewall model for the wrong function, no amount of troubleshooting is going to make it work. It can be said that your troubleshooting really starts with your network design and security planning. There are several models of the PIX firewall, each capable of supporting certain numbers and types of network interfaces. Each model has its own upper limit on the number of maximum concurrent connections, as shown in Figure 10.1. The specific models were discussed at length in Chapter 2, so in Table 10.1 we provide only a snapshot of each model.

Table 10.1 PIX Firewall Model Features and Capabilities

Model               Interface Types Supported                  Maximum Number of Interfaces                                         Failover Support
501                 Ethernet, Fast Ethernet                    Fixed 10BaseT; four-port 10/100 switch                               No
506 (End of Sale)   Ethernet, Fast Ethernet                    Two fixed 10/100 Ethernet                                            No
506E                Ethernet, Fast Ethernet                    Two fixed 10/100 Ethernet                                            No
515 (End of Sale)   Ethernet, Fast Ethernet                    Two fixed 10/100 Ethernet; two expansion slots; maximum: six ports   Yes
515E                Ethernet, Fast Ethernet                    Two fixed 10/100 Ethernet; two expansion slots; maximum: six ports   Yes
520 (End of Sale)   Ethernet, Fast Ethernet                    Two fixed 10/100 Ethernet; six interface slots; maximum: six ports   Yes
525                 Ethernet, Fast Ethernet, Gigabit Ethernet  Two fixed 10/100 Ethernet; four interface slots; maximum: eight ports Yes
535                 Ethernet, Fast Ethernet, Gigabit Ethernet  Nine interface slots; maximum: 10 ports                              Yes

www.syngress.com

Troubleshooting and Performance Monitoring • Chapter 10 557

The “E” at the end of certain models indicates a faster processor and wider backplane, meaning the firewall can handle greater traffic loads. Failover is supported only on PIX firewall models 515 and up, something you need to remember in your planning.

It is important to know whether the PIX firewall you are using is adequate for the demands planned for it. For example, if you have a network on which 100,000 concurrent connections will be requested through the firewall and you are using a PIX 501, the firewall will quickly become congested and be virtually unusable. In this scenario, no amount of troubleshooting and configuration will enable the PIX 501 to support the load. The capacity of each firewall model is important because it determines the load that can be placed on that firewall. Overloading your firewall is an invitation to crashes or congestion. Underloading a PIX firewall, although great for performance, can be wasteful in terms of unused capacity and monetary return on investment. For example, if you have a network on which there will never be more than 200 concurrent connections, installing a PIX 535 means that you will not recoup your hardware or software investment, although performance will be fantastic.

The different models support different types of interfaces and in specific quantities, as shown in Table 10.1. Not shown in the table is the fact that Token Ring and FDDI are also supported by several of the models. Cisco ended PIX firewall support for Token Ring and FDDI networks, starting with PIX software version 5.3. As a rule of thumb, do not mix and match interfaces: Configure the PIX firewall as all Token Ring, all Ethernet, or all FDDI. Maintaining such network uniformity reduces the burden on the PIX firewall since it will not have to translate between the different LAN formats. Only models 515 and up support interfaces other than Ethernet.

The PIX firewall has a scheme for identifying its network interfaces, which you need to understand in order to troubleshoot the right piece of hardware. Not knowing how interfaces are numbered and identified can consume valuable time that could otherwise be used for troubleshooting. Figure 10.2 shows how to “read” the network interface identification scheme. Interface card numbering starts with 0 at the right, with card slot numbers increasing as you go left. The slot in which the card is installed determines the number that is given to that card. Modular ports are numbered sequentially starting at the top, then left to right, starting with 0 for the port at the left of the front card. For example, the leftmost port on an Ethernet interface card installed in Slot 2 would be identified as Ethernet 10. Fixed interfaces are first numerically, starting on the right at 0, then the next fixed interface to the left is 1. The first installed network interface card port would be Ethernet 2. It is important that you learn this scheme not only to identify the specific cards but also to ensure that your configuration and troubleshooting efforts focus on the correct interface.

The memory architecture of the PIX firewall is somewhat similar to that of Cisco routers with the exception that there is no NVRAM memory. The PIX uses flash memory to store the firewall operating system (image) as well as the configuration file. Main memory is used to handle data being processed. As a rule of thumb, the flash memory should be big enough to hold the software image and the configuration. Of all the memory types, main memory can potentially have the most significant impact on performance since it is the working space of the firewall. Main memory is used to store data that is waiting to be processed or forwarded. You can never have too much, and you will definitely notice when you have too little, because packet loss will increase or IPsec traffic will become lossy or laggardly.

Each firewall has visual indicators of operation in the form of light-emitting diodes (LEDs). These LEDs vary by model, but some are common to all. Figure 10.3 shows several PIX firewall LEDs and their meanings. Nurturing your knowledge of these LEDs will enable you to start your Layer 1 troubleshooting from the outside.


Figure 10.2 PIX Firewall Interface Numbering

PIX Models 515 and above: Slot determines the number, with the lowest port number at the left and increasing to the right. Ports are numbered from the top, left to right, starting lowest at the front left. Fixed interfaces are numbered first (Fixed 1, Fixed 0); expansion-card ports then continue 2 3 4 5 and 6 7 8 9.

PIX Models 506 and below: Fixed port configuration only. Ports are numbered low to high, right to left (Fixed 4, Fixed 3, Fixed 2, Fixed 1, Fixed 0).

Figure 10.3 PIX Firewall LED Indicators

100Mbps: Lit: 100Mbps. Unlit: 10Mbps.
FDX: Lit: full duplex. Unlit: half-duplex.
LINK: Lit: network is passing data. Unlit: no network traffic.
ACT (Rear): Lit: interface is passing traffic. Unlit: interface is not passing traffic.
POWER: Lit: Unit has power. Unlit: Unit has no power.
NETWORK: Flashing: >1 interface is passing traffic. Unlit: No interfaces are passing traffic.
ACT (Front): PIX model determines meaning. Flashing: Image is loaded. Lit: Active unit in failover pair. Unlit: Standby unit in failover pair.


Study the information in Figure 10.3. The LEDs can be lit, unlit, or flashing, all of which indicate specific conditions. The ACT LED, since it can appear on both the front and rear of the PIX, deserves special attention. On certain models, such as the PIX 506 and 506E, the front LED flashes to indicate that the PIX software image has been loaded. When you’re troubleshooting, this indicator would be good to tell you if your software image has been loaded correctly or not at all. On higher-end models such as the 515 and up, the same LED indicates which PIX firewall is active and which is standby in a failover pair. This information can be very useful in determining if your failover configuration is cabled correctly.

During the PIX boot sequence, the power-on self-test (POST) can provide a wealth of information to help determine from the outset whether the PIX firewall is healthy or ill. We use an example boot sequence (see Figure 10.4) to guide our discussion.

Figure 10.4 PIX Firewall Bootup

CISCO SYSTEMS PIX-501
Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
Compiled by morlee
16 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 1022 3000 Host Bridge
00 11 00 8086 1209 Ethernet 9
00 12 00 8086 1209 Ethernet 10

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1536512 bytes of image from flash.
#########################################################################
16MB RAM
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000
mcwa i82559 Ethernet at irq 9 MAC: 0008.e317.ba6b
mcwa i82559 Ethernet at irq 10 MAC: 0008.e317.ba6c
----------------------------------------------------------
                  ||        ||
                  ||        ||
                 ||||      ||||
             ..:||||||:..:||||||:..
            c i s c o S y s t e m s
           Private Internet eXchange
---------------------------------------------------------
Cisco PIX Firewall

Cisco PIX Firewall Version 6.2(2)

Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Limited
IKE peers: 5

****************************** Warning *******************************
Compliance with U.S. Export Laws and Regulations - Encryption.
<<>>
******************************* Warning *******************************

Copyright (c) 1996-2002 by Cisco Systems, Inc.
Restricted Rights Legend
<<>>

Cryptochecksum(unchanged): 38a9d953 0ee64510 cb324148 b87bdd42
Warning: Start and End addresses overlap with broadcast address.
outside interface address added to PAT pool
Address range subnet is not the same as inside interface

The boot sequence identifies the version of the PIX operating system loaded on firmware used to initially boot. In this example, it is 4.3.200. This is important to know because this is the OS that will be used if there is no software image in flash memory. Notice that the first line identifies the model of firewall, information that can be useful if you are checking the firewall remotely.

After the POST is complete, the software image installed in flash is loaded and takes over from that point, as indicated by the “Reading 1536512 bytes of image from flash” line. The PIX firewall runs its checksum calculations on the image to validate it. The OS in the firmware is also validated. This is a layer of protection against running a corrupted operating system. In Figure 10.4, the image loaded from flash memory recognizes two Ethernet interfaces present on this unit and displays the MAC addresses associated with them.

The boot display provides information about the PIX firewall hardware. Figure 10.4 shows that this particular unit has 16MB of main memory, something that can be a performance factor, as previously discussed. Other types of hardware such as interfaces (quantity and type) and associated IRQ information are identified as well.

Some very useful information about the features supported by this firewall can save you countless hours of frustration. For starters, the exact version of the operating system is identified, version 6.2(2) in this case. More important, the features supported by this firewall are clearly enumerated. For example, VPN-DES is supported, whereas VPN-3DES is not. This makes sense since we are looking at a low-end PIX 501 with a limited license for 10 hosts and 5 IKE peers. This firewall supports cut-through proxy and URL filtering.

The last few lines of the boot screen can highlight errors that the operating system encountered when it parsed the configuration file. You should study these messages and determine if and how you need to fix them. In our example, we have several problems with the way we have allocated our IP addresses. We also know that the outside interface address is now part of the PAT pool, which is something that we might or might not want, depending on our particular situation.


Once the firewall has completed booting, you can continue your hardware verification efforts using commands provided by Cisco. There are several commonly used commands to check the configuration and health of your PIX firewall at Layer 1. Figure 10.5 illustrates the show version command, which provides a quick snapshot of your PIX firewall. Information provided by this command includes interface information, serial numbers, and so on, as shown in the command output in Figure 10.5. Use this command when you need information about your firewall’s software and hardware. Some of the output is similar to what you saw during the boot sequence.

Figure 10.5 The show version Command

PIX1> show version
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
Compiled on Fri 07-Jun-02 17:49 by morlee
PIX1 up 23 secs
Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
0: ethernet0: address is 0008.e317.ba6b, irq 9
1: ethernet1: address is 0008.e317.ba6c, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Limited
IKE peers: 5
Serial Number: 406053729 (0x1833e361)
Running Activation Key: 0xc598dce8 0xf775fc1c 0xbd76cee8 0x3f41e74b
Configuration last modified by at 06:28:16.000 UTC Thu Feb 7 2036

The first part of this command identifies the version of OS that is loaded and being used as well as the version of PIX Device Manager (PDM). Next in the output you see the amount of time that has elapsed since the unit was powered on. This information is useful because it can show if your PIX firewall was rebooted or power-cycled recently. The show version command gives additional details such as the model, amount of available memory, and CPU speed and type. It also tells you the amount of flash and BIOS memory. When troubleshooting, you should know this information in order to determine if the demands placed on the unit are reasonable. This unit has two Ethernet interfaces; notice that their MAC addresses are enumerated. The last part of the output provides the serial number of this unit as well as the activation key used to activate the image. Although it is not critical to troubleshooting, it might be necessary to provide this information to Cisco TAC should you need to call them for assistance.

When you’re troubleshooting, the show version command should be one of the first (if not the first) commands that you execute to obtain a basic inventory of the PIX firewall. It is especially vital that you know which features are supported by the firewall before you begin troubleshooting; otherwise, you could waste valuable time trying to determine why an unsupported feature is not working. When looking at the output of the show version command, ensure that you note the MAC addresses of the interfaces; this information can be useful in resolving Layer 2 to Layer 3 address-mapping issues.
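The inventory step described above can be automated when you collect show version output from many firewalls. The following Python script is an added example, not code from the book or from Cisco: it parses the Figure 10.5 output (embedded here as a constructed sample string), pulls out the version, uptime, interface MAC addresses and licensed features, and reports which features a planned configuration needs that the license does not enable, so that time is not spent troubleshooting an unsupported feature. The field names and the uptime formats it accepts are assumptions based on the output shown in the chapter.

```python
"""Parse PIX 'show version' output and check licensed features (added example)."""
import re

# Constructed sample: the Figure 10.5 output reproduced as a string.
SHOW_VERSION_SAMPLE = """\
PIX1> show version
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
Compiled on Fri 07-Jun-02 17:49 by morlee
PIX1 up 23 secs
Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
0: ethernet0: address is 0008.e317.ba6b, irq 9
1: ethernet1: address is 0008.e317.ba6c, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Limited
IKE peers: 5
Serial Number: 406053729 (0x1833e361)
Running Activation Key: 0xc598dce8 0xf775fc1c 0xbd76cee8 0x3f41e74b
Configuration last modified by at 06:28:16.000 UTC Thu Feb 7 2036
"""

FEATURE_RE = re.compile(r"^([A-Za-z0-9 -]+?):\s+(\S.*)$")
IFACE_RE = re.compile(r"^\d+: (\S+): address is ([0-9a-f.]+), irq (\d+)$")
_UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400, "week": 604800}


def parse_show_version(text):
    """Return version, uptime, hardware, serial, interfaces and licensed features."""
    info = {"interfaces": {}, "features": {}}
    in_features = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Cisco PIX Firewall Version"):
            info["version"] = line.split("Version", 1)[1].strip()
        elif line.startswith("Hardware:"):
            info["hardware"] = line.split(":", 1)[1].strip()
        elif re.match(r"^\S+ up ", line):
            info["uptime"] = line.split(" up ", 1)[1].strip()
        elif line == "Licensed Features:":
            in_features = True                      # feature lines follow
        elif line.startswith("Serial Number:"):
            in_features = False                     # end of the feature block
            info["serial"] = line.split(":", 1)[1].strip()
        else:
            m = IFACE_RE.match(line)
            if m:
                info["interfaces"][m.group(1)] = {"mac": m.group(2), "irq": int(m.group(3))}
            elif in_features:
                m = FEATURE_RE.match(line)
                if m:
                    info["features"][m.group(1).strip()] = m.group(2).strip()
    return info


def uptime_seconds(uptime):
    """Convert an uptime string such as '2 days 3 hours 5 mins' to seconds (assumed format)."""
    total = 0
    for num, unit in re.findall(r"(\d+)\s+([a-z]+)", uptime):
        total += int(num) * _UNIT_SECONDS[unit.rstrip("s")]   # 'secs' -> 'sec'
    return total


def unavailable_features(info, required):
    """Return the names in 'required' whose licensed state is not 'Enabled'."""
    return [f for f in required if info["features"].get(f) != "Enabled"]


if __name__ == "__main__":
    info = parse_show_version(SHOW_VERSION_SAMPLE)
    print("PIX OS", info["version"], "up", uptime_seconds(info["uptime"]), "seconds")
    for name, data in info["interfaces"].items():
        print(name, data["mac"])
    # A design that needs a 3DES VPN and failover on this 501 would fail here.
    print("Not licensed:", unavailable_features(info, ["VPN-DES", "VPN-3DES", "Failover"]))
```

Run the check against the features your design depends on before any deeper troubleshooting; a short uptime value is also your quickest hint that the unit was recently rebooted or power-cycled.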

The show interface command shown in Figure 10.6 is a tool that can provide information applicable to different layers of the troubleshooting process. It provides details on the network interfaces. As with Cisco routers, this command enables you to check the state of an interface and determine if it is operational. You can also see what each interface is labeled. This command and its associated output are discussed later in the chapter.

Figure 10.6 The show interface Command

interface ethernet1 “inside” is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.e317.ba6c
IP address 10.10.2.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit full duplex
4 packets input, 282 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
4 packets output, 282 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/1) software (0/1)

The output of the show interface command has useful value to the troubleshooting process. However, if you do not know how to read the output, the deluge of information presented will be of little value. One of the first things you need to determine with this command is if you want a particular interface to serve a particular network. In our example, Ethernet 1 is considered the “inside” network. As a part of our troubleshooting, we would ensure that Ethernet 1 is actually connected to our “inside” network. The MAC address assigned to this interface is listed, as is the type of interface (Ethernet).

The maximum transmission unit (MTU) specifies the maximum packet size that this interface can pass without having to fragment it. Anything larger will be broken into the appropriate number of frames to enable passage through this interface. This can be an issue if you have devices that send large frames. This command also verifies the duplex operation of the interface; recall that the interface also has a full-duplex LED that you can use. Duplex mismatches between the PIX and LAN switches are a common problem and can be a headache. Ensure that the speed and duplex settings match on the PIX firewall and the switch.

There is a packet counter for inbound and outbound packets. This indicator tracks how many packets have transited this interface and the total number of bytes that these packets constituted. The “no buffer” counter is especially important to troubleshooting because it indicates the number of times that there were no buffers to store incoming packets until they could be processed by the CPU. If this counter increments, the interface is receiving more packets than it can handle. In this case, you need to upgrade to a higher-capacity interface or throttle back the incoming traffic. Each interface also has counters for tracking broadcasts and errors:


- broadcasts: Packets sent to the Layer 2 broadcast address of this interface.
- runts: Packets received that were less than Ethernet’s 64-byte minimum packet size.
- giants: Packets received that were greater than Ethernet’s 1518-byte maximum packet size.
- CRC: Packets that failed the CRC error check. Test your cables and also ensure there is no crosstalk or interference.
- frame: Framing errors in which an incorrect Ethernet frame type was detected. Make sure you have the right frame type configured on all your hosts.
- overrun: Input rate exceeded the interface’s ability to buffer.
- ignored/abort: These counters are for future use. The PIX does not currently ignore or abort frames.
- collisions: Number of transmitted packets that resulted in a collision. On a half-duplex interface, collisions do not necessarily indicate a problem, since they are a fact of Ethernet life.
- underrun: Indicates that the PIX was too stressed to get data fast enough to the network interface.
- babbles: This is an unused counter. Babbles indicate that the transmitter has been on the interface longer than the time taken to transmit the largest frame.
- late collisions: Collisions that occurred after the first 64 bytes of transmission. Unlike normal collisions, these indicate a problem. Usually late collisions are caused by faulty cabling, long cables exceeding specification, or an excessive number of repeaters.
- deferred: Packets that had to be deferred because of activity on the link. This generally indicates a congested network since the interface has to keep backing off to find an available transmit window to send; this can become a persistent problem that consumes buffer space as outgoing packets have to be stored until a transmit window opens.
- lost carrier: The number of times the signal was lost. This can be caused by issues such as a switch being shut off or a loose cable.
- no carrier: This is an unused counter.


NOTE

On a full-duplex interface, you should never see collisions, late collisions, or deferred packets.

The queue counters refer to the amount of data (measured in bytes) queued for reception and transmission. These counters provide a snapshot of what is currently queued at the time the command is issued. The queues will be exhausted if the firewall receives more traffic than it can handle. When a packet is first received at an interface, it is placed in the input hardware queue. If the hardware queue is full, the packet is placed in the input software queue. The packet is then placed into a 1550-byte block (a 16384-byte block on 66MHz Gigabit Ethernet interfaces) and passed to the operating system. Once the firewall has determined the output interface, the packet is placed in the appropriate output hardware queue. If the hardware queue is full, the packet is placed in the output software queue.

In either the input or output software queue, if the max blocks are large, the interface is being overrun. If you notice this situation, the only way to resolve it is to reduce the amount of traffic or to upgrade to a faster interface.
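The counter descriptions, the full-duplex NOTE and the queue discussion above together describe a checklist that can be run mechanically over show interface output. The following Python script is an added example, not code from the book or from Cisco: it parses the Figure 10.6 output (embedded as a constructed sample) plus a second, constructed interface that shows the symptoms discussed, and returns a list of findings: a non-zero no buffer or overrun count (interface receiving more than it can handle), CRC errors (cabling or interference), late collisions (faulty or over-length cabling), collisions or deferred packets on a full-duplex interface (a likely duplex mismatch with the switch), and a large software-queue max blocks value (interface being overrun). The threshold for “large” software queue blocks is an assumption of this example, as are the counter values in the second sample.

```python
"""Parse PIX 'show interface' output and flag the chapter's warning signs (added example)."""
import re

# Constructed sample: the Figure 10.6 output reproduced as a string.
HEALTHY_SAMPLE = """\
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0008.e317.ba6c
  IP address 10.10.2.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit full duplex
        4 packets input, 282 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        4 packets output, 282 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
"""

# Constructed sample: a full-duplex interface with invented counter values that
# show a duplex mismatch, bad cabling and an overrun input queue.
UNHEALTHY_SAMPLE = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0008.e317.ba6b
  IP address 192.0.2.2, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        917223 packets input, 611338120 bytes, 142 no buffer
        Received 2041 broadcasts, 0 runts, 0 giants
        38 input errors, 38 CRC, 0 frame, 12 overrun, 0 ignored, 0 abort
        880102 packets output, 402118889 bytes, 0 underruns
        71 output errors, 3120 collisions, 0 interface resets
        0 babbles, 71 late collisions, 655 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/96)
        output queue (curr/max blocks): hardware (0/2) software (0/1)
"""

HEADER_RE = re.compile(r'^interface (\S+) "([^"]*)" is (\S+), line protocol is (\S+)$')
DUPLEX_RE = re.compile(r"\b(full|half) duplex\b")
QUEUE_RE = re.compile(r"^(input|output) queue \(curr/max blocks\): "
                      r"hardware \((\d+)/(\d+)\) software \((\d+)/(\d+)\)$")
COUNTER_RE = re.compile(r"^(\d+) ([A-Za-z][A-Za-z ]*)$")


def parse_show_interface(text):
    """Return name, label, status, duplex, counters and queue (curr, max) pairs."""
    iface = {"counters": {}, "queues": {}}
    direction = None                      # which 'bytes' counter we are reading
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            iface.update(name=m.group(1), label=m.group(2), status=m.group(3), protocol=m.group(4))
            continue
        m = QUEUE_RE.match(line)
        if m:
            iface["queues"][m.group(1)] = {"hardware": (int(m.group(2)), int(m.group(3))),
                                           "software": (int(m.group(4)), int(m.group(5)))}
            continue
        m = DUPLEX_RE.search(line)
        if m:
            iface["duplex"] = m.group(1)  # the MTU/BW line carries the duplex setting
            continue
        if line.startswith("Received "):
            line = line[len("Received "):]
        for field in line.split(", "):    # e.g. "0 input errors", "0 CRC", ...
            m = COUNTER_RE.match(field)
            if not m:
                continue
            value, key = int(m.group(1)), m.group(2)
            if key in ("packets input", "packets output"):
                direction = key.split()[1]
            elif key == "bytes":
                key = f"bytes {direction}"
            iface["counters"][key] = value
    return iface


def interface_findings(iface, queue_threshold=16):
    """Return short codes for the conditions the chapter says to look for."""
    c, findings = iface["counters"], []
    if iface.get("status") != "up" or iface.get("protocol") != "up":
        findings.append("down")
    if c.get("no buffer", 0) > 0:
        findings.append("no_buffer")        # more packets than the interface can handle
    if c.get("overrun", 0) > 0:
        findings.append("overrun")          # input rate exceeded buffering ability
    if c.get("CRC", 0) > 0:
        findings.append("crc")              # test cables, crosstalk, interference
    if c.get("late collisions", 0) > 0:
        findings.append("late_collisions")  # faulty or over-length cabling, repeaters
    if iface.get("duplex") == "full" and any(
            c.get(k, 0) > 0 for k in ("collisions", "late collisions", "deferred")):
        findings.append("duplex_mismatch")  # never expected on a full-duplex link
    for direction, q in iface["queues"].items():
        if q["software"][1] >= queue_threshold:   # threshold is this example's assumption
            findings.append(f"{direction}_sw_queue")  # software queue max blocks large
    return findings


if __name__ == "__main__":
    for sample in (HEALTHY_SAMPLE, UNHEALTHY_SAMPLE):
        iface = parse_show_interface(sample)
        print(iface["name"], iface["label"], interface_findings(iface) or "clean")
```

Feed it the output of show interface for each interface after a suspected problem and again a few minutes later; counters that keep growing between the two snapshots are the ones worth acting on, since the command only shows cumulative totals.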