Hi,
Thanks for the feedback, and to tell you the truth it does not make any
sense what is happening. The timeout happens for files that may take 30+
seconds to upload to the servers behind the firewall. In each case we are
using HTTP upload and the browser comes back with a "server cannot be
found" message. If the file is small, i.e. takes 10-20 seconds to upload,
there are no problems at all. All the timeout settings on the PIX are on
the scale of minutes, not seconds.
I tried setting up syslog as suggested by many members of the list, however I
was not successful in doing that. I tried to use an internal Red Hat Linux
server to do the logging, and followed the instructions in the manual
as well as the info at Cisco's site. Does anyone have info or examples on
what needs to be done on Linux other than adding the
local4.err ... line in /etc/syslog.conf and restarting syslogd?
I got a lot of messages suggesting upgrading to 5.2, but how do I do that?
Who do I contact at Cisco? I emailed CCO and I did not get anything back
except an automated message. :((
Again, thanks, and sorry to bother you.
Best regards,
Adonis
--
Adonis El Fakih - President, CEO -- EGS, Inc.
70 Boston Road, Suite A301, Chelmsford MA 01824 USA
Fax (978) 244-0544 - [EMAIL PROTECTED]
On Wed, 8 Nov 2000, Brian Ford wrote:
> Adonis,
>
> Looks like a timeout problem.
>
> >timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> >timeout rpc 0:10:00 h323 0:05:00
> >timeout uauth 0:30:00 absolute uauth 0:25:00 inactivity
>
> The last line sets your user authentication (uauth) and session inactivity timers.
> If any connection is inactive for 25 minutes it will be terminated. Using FTP you
> have two connections open (port 20 and 21). While you transfer data on one port the
> other sits idle and may be timing out. If the command connection is killed your FTP
> client may be noticing and shutting down. Check that.
>
> Users should be getting pinged to re-authenticate every 30 minutes (based on the
> uauth). That re-authentication is absolutely every 30 minutes because the "absolute"
> qualifier is set.
>
> The first line is the xlate or translation timer. It is set to the 3 hour default.
> The conn or connection timer is set to the 1 hour default. I see you bumped up the
> half-closed timer to 10 minutes from the default of 5. The half-close timer defines
> how long the PIX will wait for a normally four-part TCP connection to close or shut
> down.
>
> Your udp timer is set to the default of 2 minutes. The second line sets the rpc and
> h323 specific timers.
>
> The easiest way to troubleshoot this problem is to set up a syslog server and log
> what is going on. I noticed you don't have that set up at all. Syslog would
> catch the message that is generated when the PIX closes the connection.
>
> Regards,
>
> Brian
>
>
> >From: [EMAIL PROTECTED]
> >Subject: PIX ftp/http traffic
> >
> >Hi,
> >
> >We have installed a new Cisco PIX 515R to protect our servers, however I
> >have been detecting some issues, and I wanted to know if anyone has
> >experienced this, or has pointers on what to tweak?
> >
> >Our site allows people to log in to the site, use the various services
> >(HTTP traffic) and it seems to work great, however whenever you want to
> >upload a big file, the transfer never completes and the connection is
> >dropped by the firewall. The same happens if we are FTPing from the
> >inside to the outside. If the file is small, then it works fine, but when
> >the file is big, the connection is closed and the transfer is interrupted
> >in the middle.
> >
> >Enclosed is a snippet of our configuration, maybe that helps identify where
> >the error lies.
> >
> >Thanks in advance for any help to resolve this, since no one is able to
> >upload big files into the network.
> >
> >Adonis
> >
> >Snippet of Configuration
> >- ------------------------
> >PIX Version 4.4(5)
> >nameif ethernet0 outside security0
> >nameif ethernet1 inside security100
> >...
> >fixup protocol ftp 21
> >fixup protocol h323 1720
> >fixup protocol rsh 514
> >fixup protocol smtp 25
> >fixup protocol sqlnet 1521
> >no fixup protocol http 80
> >names
> >pager lines 24
> >logging on
> >no logging timestamp
> >no logging console
> >no logging monitor
> >logging buffered errors
> >no logging trap
> >logging facility 20
> >logging queue 512
> >interface ethernet0 auto
> >interface ethernet1 auto
> >mtu outside 1500
> >mtu inside 1500
> >...
> >arp timeout 14400
> >nat (inside) 0 216.177.x.y 255.255.255.240 0 0
> >static (inside,outside) 216.177.x.y 216.177.x.y netmask 255.255.255.240 0 0
> >conduit permit tcp host 216.177.x.a eq www any
> >conduit permit tcp host 216.177.x.b eq www any
> >conduit permit tcp host 216.177.x.c eq www any
> >rip outside passive
> >no rip outside default
> >no rip inside passive
> >rip inside default
> >route outside 0.0.0.0 0.0.0.0 216.177.xz.yz 1
> >timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> >timeout rpc 0:10:00 h323 0:05:00
> >timeout uauth 0:30:00 absolute uauth 0:25:00 inactivity
> >aaa-server TACACS+ protocol tacacs+
> >aaa-server RADIUS protocol radius
> >no snmp-server location
> >no snmp-server contact
> >snmp-server community public
> >no snmp-server enable traps
> >no floodguard enable
> >terminal width 80
>
> Brian Ford
> [EMAIL PROTECTED]
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
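The logging question in the thread comes down to two numbers that have to agree: the PIX's `logging facility 20` and the `local4.err` selector on the Linux side (BSD syslog facilities 16-23 are local0-local7, so 20 is local4). The following is an added example, not code from the thread or from Cisco: a small Python decoder for the `<PRI>` prefix of a BSD-style syslog datagram plus a check that mirrors how a classic `syslog.conf` selector keeps or drops a message, so the pairing can be verified offline before pointing the firewall at the Red Hat box. The sample datagrams are constructed here for illustration; the PIX of the day did not emit these exact strings.

```python
# Added example (not part of the original thread): a minimal BSD-style syslog
# PRI decoder plus a selector check mirroring classic syslogd's syslog.conf
# semantics, so the PIX "logging facility 20" / "local4.err" pairing can be
# verified offline before pointing a firewall at a Linux box.
import socket

# Facility codes as used by BSD syslog / RFC 3164. 16..23 are local0..local7,
# so the PIX's "logging facility 20" is local4.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

# Severity 0 is the most severe. A syslog.conf "facility.level" selector
# matches that level and everything numerically lower (more severe).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(datagram: bytes):
    """Split '<PRI>rest' into (facility_name, severity_name, rest).

    PRI = facility * 8 + severity. Datagrams without a well-formed PRI are
    treated as user.notice, which is what classic syslogd does.
    """
    text = datagram.decode("ascii", errors="replace")
    if text.startswith("<"):
        end = text.find(">")
        if 1 < end <= 4 and text[1:end].isdigit():
            pri = int(text[1:end])
            if pri <= 191:
                fac, sev = divmod(pri, 8)
                return FACILITIES.get(fac, f"facility{fac}"), SEVERITIES[sev], text[end + 1:]
    return "user", "notice", text


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Evaluate a syslog.conf selector such as 'local4.err', 'local4.*' or
    'local4.=info' against a decoded message. Single facility only; comma
    lists and '!' negation are not needed for this demo."""
    fac_part, _, level_part = selector.partition(".")
    if fac_part not in ("*", facility):
        return False
    if level_part == "*":
        return True
    if level_part == "none":
        return False
    exact = level_part.startswith("=")
    level = level_part.lstrip("=")
    if level not in SEVERITIES:
        raise ValueError(f"unknown level {level!r}")
    if exact:
        return severity == level
    return SEVERITIES.index(severity) <= SEVERITIES.index(level)


def filter_messages(selector: str, datagrams):
    """Return the message bodies a syslog.conf line with this selector would write."""
    kept = []
    for d in datagrams:
        fac, sev, rest = decode_pri(d)
        if selector_matches(selector, fac, sev):
            kept.append(rest)
    return kept


# Constructed sample datagrams (not captured from a real PIX): facility 20
# (local4) at severities err (20*8+3=163) and info (20*8+6=166), plus one
# user.notice (1*8+5=13) from another host.
SAMPLE_DATAGRAMS = [
    b"<163>Nov  8 14:02:11 pix: constructed local4.err test message",
    b"<166>Nov  8 14:02:12 pix: constructed local4.info test message",
    b"<13>Nov  8 14:02:13 host: constructed user.notice message",
]


def listen(bind_addr="0.0.0.0", port=514, selector="local4.*", count=10):
    """Receive `count` UDP syslog datagrams and print KEEP/DROP per the selector.
    Port 514 needs root; use an unprivileged port when testing by hand."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        for _ in range(count):
            data, (src, _) = s.recvfrom(2048)
            fac, sev, rest = decode_pri(data)
            flag = "KEEP" if selector_matches(selector, fac, sev) else "DROP"
            print(f"{flag} {src} {fac}.{sev} {rest.strip()}")


if __name__ == "__main__":
    for sel in ("local4.err", "local4.*"):
        print(sel, "->", filter_messages(sel, SAMPLE_DATAGRAMS))
```

Two things the decoder makes visible that the thread does not spell out. First, `local4.err` only keeps severities emerg through err; anything the PIX logs at notice, informational or debug level is silently dropped by that line, so a `local4.*` (or `local4.info`) selector is the safer starting point while troubleshooting. Second, the posted configuration has `no logging trap`, so the PIX is not sending anything to a syslog host at all yet; a `logging trap` level and a `logging host` entry pointing at the Linux box are needed on the PIX side (check the exact syntax against the 4.4 command reference). On the Red Hat side of that era, sysklogd ignored remote datagrams unless started with `-r`, typically via `SYSLOGD_OPTIONS="-r"` in `/etc/sysconfig/syslog`; running `listen()` on the same port with syslogd stopped is a quick way to confirm datagrams are actually arriving before blaming the configuration file.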