Troubleshooting


This chapter includes the following sections to assist you with installing and running PDM:

Troubleshooting Matrix

Checking Your Connection to a PIX Firewall

For information on PDM caveats, refer to the caveats section of the Cisco PIX Device Manager Version 2.0 Release Notes.

Troubleshooting Matrix

Table 3-1 contains basic PDM troubleshooting scenarios.

Table 3-1 Common Troubleshooting Symptoms, Conditions, and Workarounds 

Symptom: Browser asks for acceptance of the security certificate again.

Conditions: The host name or domain name has changed.

Workaround: This is normal. Accept the security certificates again. (If you change the host name or domain of the PIX Firewall unit, the browser asks you to accept the new security certificate.)


Symptom: Browser asks for the password again.

Conditions: If you change the password on the PIX Firewall unit, the browser might ask you to re-enter the password for authentication.

Workaround: Keep track of new and changed passwords.


Symptom: Certificate displays a message that its time stamp is in the future when connecting to a server.

Conditions: If you accidentally set the PIX Firewall unit's clock to the local time instead of UTC (Universal Coordinated Time, formerly known as Greenwich Mean Time or GMT), the certificate displays a message stating that its time stamp is in the future each time a user connects to a server.

Workaround: To fix the clock setting, go to the PIX Firewall console and use the show clock command to view the time setting on the PIX Firewall. If it is not set to UTC time, use the clock command to input the correct time setting. In addition, you can use the show ca certificate command to check the time stamp on the certificate.


Symptom: Browser cannot access PDM.

Conditions: When you attempt to access PDM, the message "the page cannot be displayed" appears in Internet Explorer or the message "network connection was refused by the server" appears in Netscape Communicator.

Workaround:

1. Check that you are using "https" in your connection to "https://pix_inside_interface_ip_address" and not "http." The connection cannot be made using "http"; it must be "https."

2. Enter the show clock command at the command prompt to check that your PIX Firewall clock is set to UTC. If it is not, set it to UTC and try to connect again.

3. If you cannot connect, enter the show version command to check that you have the proper activation key to use DES or 3DES. If you do not, obtain an activation key that supports this requirement before continuing. If, after confirming that your activation key supports using DES or 3DES, you still cannot connect, refer to "Checking Your Connection to a PIX Firewall."


Symptom: Some graphics or icons do not display properly.

Conditions: PDM is being run with the Java Plug-in instead of your browser's native JVM.

Workaround: If you have the Java Plug-in installed, you cannot have it as your default Java Virtual Machine (JVM). Do the following to ensure that the Java Plug-in is not your default JVM:

In Internet Explorer, go to Tools>Internet Options. Click the Advanced tab. Scroll down. Look for a Java (Sun) section. If there is one, disable Use Java 2. If there is no Java (Sun) section, then the Java Plug-in is already disabled.

In Netscape, go to Edit>Preferences. Click Advanced. Make sure the Enable Java Plugin check box is cleared. If this check box does not exist, the Java Plug-in is not enabled.


Symptom: User cannot access PDM.

Conditions: If more than five users try to access a single PIX Firewall unit using PDM, this exceeds the maximum number of simultaneous sessions allowed. The maximum number is five users in the current version.

Workaround:

1. If more than five users need to access a PIX Firewall, one or more can use a PIX Firewall console session via Telnet.

2. If you know that a PDM administrator's session is idle and wish to disconnect it, access the PDM Users panel on the Monitoring tab.

3. If you know the IP address of the idle connection, select the row, and click Disconnect. Another administrator can now access PDM.


Symptom: PDM launches slowly.

Conditions: The startup speed of PDM depends on the amount of available RAM in your computer and whether virus scanning software is running on your computer.

Workaround:

1. You can increase your available RAM by closing other applications.

2. The time required to download the PDM applet can be greatly affected by the speed of the link between your workstation and the PIX Firewall unit. A minimum of 56 Kbps link speed is required; however, 1.5 Mbps or higher is recommended. Once the PDM applet is loaded on your workstation, the link speed impact on PDM operation is negligible.


Symptom: There is access only to the Monitoring tab in PDM.

Conditions: The use of certain PIX Firewall CLI commands, and of certain command combinations, limits access in PDM to the Monitoring tab.

Workaround: For more information on these commands and command combinations, see the Cisco PIX Device Manager Version 2.0 Release Notes.
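
The clock entry in Table 3-1 can be checked from a workstation whose own clock is known to be correct. The following Python code is an added example, not Cisco code: it compares a certificate start time and a clock reading transcribed from show clock against true UTC. The sample values, the 2-minute tolerance and the function names are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

STEP = timedelta(minutes=15)        # real UTC offsets are multiples of 15 minutes
MAX_OFFSET = timedelta(hours=14)    # largest real UTC offset (UTC+14:00)
TOLERANCE = timedelta(minutes=2)    # assumed allowance for ordinary clock drift

# Constructed sample: an operator in UTC+05:30 set the device clock to local time.
SAMPLE_NOW_UTC = datetime(2002, 3, 4, 11, 30, 0, tzinfo=timezone.utc)  # workstation
SAMPLE_DEVICE_READING = datetime(2002, 3, 4, 17, 0, 40)  # transcribed from show clock
SAMPLE_NOT_BEFORE = "Mar  4 16:45:00 2002 GMT"           # certificate start time


def parse_cert_time(text):
    """Parse an OpenSSL-style certificate time string as an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def diagnose(not_before, device_reading, now_utc):
    """Compare the certificate start time and the device clock with true UTC."""
    start = parse_cert_time(not_before)
    # The device treats whatever time it was given as UTC, so read it that way.
    raw = device_reading.replace(tzinfo=timezone.utc) - now_utc
    steps = round(raw / STEP)
    offset = steps * STEP
    near_step = abs(raw - offset) <= TOLERANCE
    if near_step and steps == 0:
        verdict = "utc"             # device clock agrees with UTC
    elif near_step and abs(offset) <= MAX_OFFSET:
        verdict = "local-time"      # off by a whole time-zone offset
    else:
        verdict = "wrong"           # neither UTC nor a plausible local time
    return {
        "verdict": verdict,
        "offset": offset,
        "cert_in_future": start > now_utc,
        "valid_in": max(start - now_utc, timedelta(0)),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_NOT_BEFORE, SAMPLE_DEVICE_READING, SAMPLE_NOW_UTC)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The valid_in value shows how long a certificate stamped under the wrong clock keeps producing the "in the future" message if its time stamp is left unchanged.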


Checking Your Connection to a PIX Firewall

A computer must meet two requirements to communicate with the PIX Firewall. First, it must have an IP address. Second, its default gateway IP address must point to the IP address of the inside interface of the PIX Firewall unit. (If the host you are adding is on the other side of a router, the host's default gateway address points to the router, and the router's default address points to the PIX Firewall unit.)

To set the default gateway IP address, refer to the Cisco PIX Firewall and VPN Configuration Guide. After changing the default gateway or the IP address, be sure to reboot your computer.

If you have already assigned an IP address and default gateway to your computer (and rebooted your computer afterwards), and you still cannot access the PIX Firewall through PDM, follow these steps:


Step 1 Enter show ip interface inside at the console command prompt to check that the IP address you typed into your web browser is the same IP address that you assigned to the inside interface of your PIX Firewall; these IP addresses must be the same to make a connection.

Step 2 Check the networking setup of your console workstation. Is it configured to connect to the PIX Firewall?

Step 3 Check that your network cabling is correctly connected. Most computers have status lights on the Ethernet device, which you can use to verify that your interface has connectivity with the network. If you are connecting a workstation directly to the PIX Firewall unit's Ethernet interface, either use a cross-over cable or add a hub or switch between your computer and the PIX Firewall.

Step 4 If status lights are working or no status lights are present, access a command prompt in Windows, or use the UNIX or Linux command line to ping the PIX Firewall unit's interface IP address. For example, if the inside interface's IP address is 10.1.1.1, enter the following command to ping the PIX Firewall:

ping 10.1.1.1

If the ping is unsuccessful or the response times out, there is a power or network connectivity problem with a hub or switch between the computer and the PIX Firewall unit.


Note If your console operating system supports a traceroute, tracert, or similar command, you may want to use it to troubleshoot the route between your computer and the PIX Firewall unit.


Step 5 If you do not detect a network connectivity problem in Step 3 or Step 4, attempt to connect to PDM from a browser by entering the following URL:

https://pix_inside_interface_ip_address


Note Remember to add the "s" to "https" or the connection fails.

"https" is what you enter to use Secure Hypertext Transfer Protocol instead of plain Hypertext Transfer Protocol (HTTP).


Step 6 If you are still unable to access PDM from your browser, access your PIX Firewall unit from the console port and verify that the following conditions exist:

a. You are running PIX Firewall software version 6.2. To determine your software version, enter the show version command and check the first line of the command output.

b. You have PDM version 2.0 installed. To determine if PDM version 2.0 is installed on your PIX Firewall unit, enter the show version command and check the second line of the command output.

c. You have an HTTP server enabled. To determine if you have HTTP server enabled, enter the show http command and check the first line of the command output.

d. Your PIX Firewall unit is allowing your PC/workstation to access PDM. To determine if your PIX Firewall unit is allowing your PC/workstation to access PDM, enter the show http command and check the command output.

Step 7 If you still cannot access PDM from your browser, refer to "Obtaining Technical Assistance" in "About This Guide."