Firewall Wizards mailing list archives
Re: PIX 515E 7.2 Duplex problem
From: "Drumheller, Michael" <mdrumhel () harris com>
Date: Tue, 24 Apr 2007 08:21:30 -0500
Thanks for all the input. Problem solved.

Both speed and duplex on the PIX were configured for auto. The device the PIX was connecting to did not support auto and was set to full/100. If the duplex on the PIX was forced to full before the speed was forced to 100, the interface would shut down. But, forcing the PIX interface speed to 100 first and then forcing the duplex to full works just fine. So, it appears that you can't leave speed in auto when forcing full duplex on the PIX.

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of firewall-wizards-request () listserv icsalabs com
Sent: Monday, April 23, 2007 11:00
To: firewall-wizards () listserv icsalabs com
Subject: firewall-wizards Digest, Vol 12, Issue 12

Today's Topics:

1. Re: PIX 515E 7.2 Duplex problem (Florin Andrei)
2. Re: PIX 515E 7.2 Duplex problem (Chris Buechler)
3. Tomahawk patch for L3 devices (Kowsik)
4. Re: PIX 515E 7.2 Duplex problem (robbie.jacka () regions com)
5. Re: H323 NAT problems with A Cyberguard. (sai)

----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Apr 2007 17:16:44 -0700
From: Florin Andrei <florin () andrei myip org>
Subject: Re: [fw-wiz] PIX 515E 7.2 Duplex problem
To: Firewall Wizards Security Mailing List <firewall-wizards () listserv icsalabs com>

Drumheller, Michael wrote:
> The interface on the PIX shuts down when duplex is changed from auto to full. The switch it connects to is configured for full duplex but the PIX still shows half duplex when in auto negotiate mode. Changing to half duplex on both the switch and PIX works but the PIX interface goes down when it's changed to full duplex. Has anyone else experienced this problem?

Sounds like a bad interface to me.

I always configure the PIX and the switch to full duplex. Auto creates problems usually. Just enforce full duplex whenever possible.

--
Florin Andrei
http://florin.myip.org/

------------------------------

Message: 2
Date: Fri, 20 Apr 2007 11:04:51 -0400
From: Chris Buechler <fw-wiz () chrisbuechler com>
Subject: Re: [fw-wiz] PIX 515E 7.2 Duplex problem
To: Firewall Wizards Security Mailing List <firewall-wizards () listserv icsalabs com>

Drumheller, Michael wrote:
> The interface on the PIX shuts down when duplex is changed from auto to full. The switch it connects to is configured for full duplex but the PIX still shows half duplex when in auto negotiate mode.

Of course - when you force one end to full and leave the other on auto, the auto side ends up half duplex and you end up with a duplex mismatch. That's what is expected to happen when you misconfigure things like this. You can't set one side to full and the other on auto.

Suggested reading:
http://www.sun.com/blueprints/0704/817-7526.pdf
http://en.wikipedia.org/wiki/Autonegotiation

What if you just set the port and the PIX to auto? I hate seeing networks where people force duplex, 90% of them I see end up with duplex mismatches all over because too many people don't understand how autonegotiation works. Every vendor including Cisco recommends using auto whenever both ends support it.

It *shouldn't* be an issue to set both ends, and all 515E's should have only 10/100 ports. But it's not recommended, personally I wouldn't care why it doesn't work. You may want to check for a firmware update for your switch regardless. Since your PIX seems to be on the latest version it should be fine.

------------------------------

Message: 3
Date: Fri, 20 Apr 2007 23:24:43 -0700
From: Kowsik <kowsik () gmail com>
Subject: [fw-wiz] Tomahawk patch for L3 devices
To: firewall-wizards () honor icsalabs com, focus-ids () securityfocus com

We just posted a patch for tomahawk (http://tomahawk.sourceforge.net/) to allow playbacks of pcap's through L3 devices (IP rewriting on different subnets). You might find it useful when you are load testing (or amplifying attacks for) firewalls/IPS/UTM's that operate in L3 mode.

http://labs.musecurity.com/

K.

ps: Posting from my organize-my-mailing-lists-into-labels account

---
Kowsik Guruswamy
Founder/CTO, Mu Security
http://labs.musecurity.com/rss2
http://www.musecurity.com/news/rss.html

------------------------------

Message: 4
Date: Thu, 19 Apr 2007 17:03:37 -0500
From: robbie.jacka () regions com
Subject: Re: [fw-wiz] PIX 515E 7.2 Duplex problem
To: mdrumhel () harris com
Cc: firewall-wizards-bounces () listserv icsalabs com, Firewall Wizards Security Mailing List <firewall-wizards () listserv cybertrust com>

Running PIX 7? I've run into this issue when using PIX7 on a 525 using a straight through cable to a CSS11503. 100FD hardcoded on both ends results in the firewall 'negotiating' to half-duplex, but putting both sides in auto results in 100FD with no issues.

--
robbie

vbwilliams () neb rr .com
Sent by: firewall-wizards-bounces@listserv.icsalabs.com
04/19/2007 03:27 PM
Please respond to vbwilliams () neb rr .com; Please respond to Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.cybertrust.com>
cc: firewall-wizards@listserv.cybertrust.com
Subject: Re: [fw-wiz] PIX 515E 7.2 Duplex problem

Only time I've experienced it was when we had a bad NIC. Did you try doing the same thing on another interface?

----- Original Message -----
From: "Drumheller, Michael" <mdrumhel () harris com>
Date: Thursday, April 19, 2007 1:05 pm
Subject: [fw-wiz] PIX 515E 7.2 Duplex problem
To: firewall-wizards () listserv cybertrust com
> The interface on the PIX shuts down when duplex is changed from auto to full. The switch it connects to is configured for full duplex but the PIX still shows half duplex when in auto negotiate mode. Changing to half duplex on both the switch and PIX works but the PIX interface goes down when it's changed to full duplex. Has anyone else experienced this problem?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 5
Date: Sat, 21 Apr 2007 10:39:55 +0500
From: sai <sonicsai () gmail com>
Subject: Re: [fw-wiz] H323 NAT problems with A Cyberguard.
To: "Firewall Wizards Security Mailing List" <firewall-wizards () listserv icsalabs com>

From what I remember about SIP, you need the firewall to preserve the source and destination ports. NAT usually changes the source port for outgoing traffic.

On 4/17/07, David Garrard <david () commsnet com au> wrote:
> Hi;
> I am currently installing a Cyberguard 410 D to sit between a VOIP server network and a private network. Getting NAT to work is extremely challenging, has anyone reading this list done this before?
> All the best;
> David

------------------------------

End of firewall-wizards Digest, Vol 12, Issue 12
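
The duplex outcomes discussed in this thread (an auto port facing a forced peer falling back to half duplex), as an added example that is not part of the original messages. It models only the standard behaviour for 10/100 ports; the port names and the `settle`/`audit` helpers are hypothetical, and device-specific quirks reported in the thread are not reproduced.

```python
from typing import NamedTuple, Optional, Tuple

State = Tuple[int, str]  # (speed in Mbit/s, "full" or "half")

class Port(NamedTuple):
    """One end of a 10/100 copper link; None for speed or duplex means auto."""
    name: str
    speed: Optional[int] = None
    duplex: Optional[str] = None

class Link(NamedTuple):
    link_up: bool
    a: State
    b: State
    duplex_mismatch: bool

def settle(a: Port, b: Port) -> Link:
    """Return the operating state each end reaches (simplified model)."""
    for p in (a, b):
        # Speed auto with duplex forced (or the reverse) behaves differently
        # per platform, as the thread found on the PIX, so it is rejected here.
        if (p.speed is None) != (p.duplex is None):
            raise ValueError(f"{p.name}: partially forced settings are not modelled")
    a_auto, b_auto = a.speed is None, b.speed is None
    if a_auto and b_auto:
        sa = sb = (100, "full")        # both advertise; best common mode wins
    elif a_auto:
        sb = (b.speed, b.duplex)       # forced peer does not advertise
        sa = (b.speed, "half")         # speed is sensed, duplex defaults to half
    elif b_auto:
        sa = (a.speed, a.duplex)
        sb = (a.speed, "half")
    else:
        sa, sb = (a.speed, a.duplex), (b.speed, b.duplex)
    link_up = sa[0] == sb[0]           # differing forced speeds give no link
    return Link(link_up, sa, sb, link_up and sa[1] != sb[1])

def audit(pairs):
    """Return (name, name) for every pair that ends in a duplex mismatch."""
    return [(a.name, b.name) for a, b in pairs if settle(a, b).duplex_mismatch]

if __name__ == "__main__":
    # Constructed sample pairs, not taken from any device output.
    pairs = [(Port("pix"), Port("peer", 100, "full")),
             (Port("pix"), Port("peer")),
             (Port("pix", 100, "full"), Port("peer", 100, "full"))]
    for a, b in pairs:
        print(a, b, settle(a, b))
    print("mismatched:", audit(pairs))
```
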
Current thread:
- PIX 515E 7.2 Duplex problem Drumheller, Michael (Apr 19)
- Re: PIX 515E 7.2 Duplex problem Erich Kolb (Apr 19)
- Re: PIX 515E 7.2 Duplex problem Sanford Reed (Apr 19)
- Re: PIX 515E 7.2 Duplex problem vbwilliams (Apr 19)
- Re: PIX 515E 7.2 Duplex problem robbie . jacka (Apr 22)
- Re: PIX 515E 7.2 Duplex problem Florin Andrei (Apr 22)
- Re: PIX 515E 7.2 Duplex problem Chris Buechler (Apr 22)
- <Possible follow-ups>
- Re: PIX 515E 7.2 Duplex problem Drumheller, Michael (Apr 24)