Tips and Troubleshooting

This chapter provides tips on using PDM and instructions on basic PDM troubleshooting symptoms and workarounds. Use this information prior to contacting the Technical Assistance Center (see the "Preface").

This chapter includes the following topics:

Checking Your Connection to the PIX Firewall

Tips on Using PDM

Troubleshooting

Checking Your Connection to the PIX Firewall

To communicate with the PIX Firewall, your computer must have an IP address and, if it is located on a different LAN, a route (normally a default gateway) to the PIX Firewall interface you are connecting to.

To set the default gateway IP address, refer to the Cisco PIX Firewall and VPN Configuration Guide.

If you cannot access the PIX Firewall through PDM, follow these steps:


Step 1 At the console command prompt, enter show ip interface inside and confirm that the IP address reported for the inside interface is the same IP address you typed into your web browser. PDM is served on the interface address, so the two must match before a connection is possible.

Step 2 Check the networking setup of your console workstation to see how it is connected to the PIX Firewall.

Step 3 Check that your network cabling is connected.

If you are connecting a workstation directly to the PIX Firewall unit's Ethernet interface, use a cross-over cable or add a hub or switch between your computer and the PIX Firewall.

Step 4 Check the link LEDs on the PIX Firewall interface and on your workstation's network adapter. Whether or not they show a problem, confirm reachability by pinging the PIX Firewall unit's interface IP address. For example, if the inside interface's IP address is 10.1.1.1, enter the following command to ping the PIX Firewall:

ping 10.1.1.1

If the ping is unsuccessful, there is a power, cabling, or network connectivity problem (or your workstation has no route to the interface); resolve that before trying PDM again.


Note If your console operating system supports a traceroute, tracert, or similar command, use it to troubleshoot the route between your computer and the PIX Firewall unit.


Step 5 You can connect to PDM from a browser by entering the following command:

https://pix_inside_interface_ip_address


Note Remember to add the "s" to "https" or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the PIX Firewall that you are using PDM to configure or monitor.


Step 6 If you are still unable to access PDM from your browser, verify that the following conditions exist:

a. You are running PIX Firewall software Version 6.3. To determine your software version, enter the show version command and check the first line of the command output.

b. You have PDM Version 3.0 installed. To determine if PDM Version 3.0 is installed on your PIX Firewall unit, enter the show version command and check the second line of the command output.

c. You have the HTTP server enabled. To determine this, enter the show http command and check the first line of the command output.

d. Your PIX Firewall unit is allowing your PC/workstation to access PDM. The remaining lines of the show http command output list, per interface, the hosts or networks that are permitted to reach the HTTP server; the address of your PC/workstation must fall within one of those entries on the interface through which it reaches the PIX Firewall.

Step 7 If you still cannot access PDM from your browser, refer to the "Preface".
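The four conditions in Step 6 can be checked mechanically from pasted CLI output instead of by eye. The script below is an added example, not part of this chapter or of PDM. The two transcripts it contains are constructed; they follow the line layout this section describes (version strings on lines 1 and 2 of show version; "http server enabled" followed by one "address mask interface" line per permitted network in show http), and that layout is an assumption you should confirm against your own unit before trusting the parser.

```python
"""Offline check of the Step 6 conditions against captured PIX CLI output."""
import ipaddress
import re

# Constructed sample output, modelled on PIX 6.3 with PDM 3.0 (assumed layout).
SHOW_VERSION = """\
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)
"""

# Constructed sample output of 'show http' (assumed layout).
SHOW_HTTP = """\
http server enabled
10.1.1.0 255.255.255.0 inside
192.168.50.7 255.255.255.255 dmz
"""

VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)")


def _major_minor(line):
    m = VERSION_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_versions(show_version):
    """Return (pix_is_6_3, pdm_is_3_0) from lines 1 and 2 of 'show version'."""
    lines = show_version.splitlines()
    pix_line = lines[0] if len(lines) > 0 else ""
    pdm_line = lines[1] if len(lines) > 1 else ""
    pix_ok = _major_minor(pix_line) == (6, 3)
    pdm_ok = "Device Manager" in pdm_line and _major_minor(pdm_line) == (3, 0)
    return pix_ok, pdm_ok


def parse_show_http(show_http):
    """Return (server_enabled, [(network, interface), ...]) from 'show http'."""
    lines = [ln.strip() for ln in show_http.splitlines() if ln.strip()]
    enabled = bool(lines) and lines[0].lower() == "http server enabled"
    allowed = []
    for ln in lines[1:]:
        parts = ln.split()
        if len(parts) != 3:
            continue  # not an 'address mask interface' line
        address, mask, ifname = parts
        # ip_network accepts a dotted netmask after the slash
        allowed.append((ipaddress.ip_network(f"{address}/{mask}", strict=False), ifname))
    return enabled, allowed


def client_permitted(show_http, client_ip, interface):
    """True if the HTTP server is on and client_ip may reach PDM via interface."""
    enabled, allowed = parse_show_http(show_http)
    if not enabled:
        return False
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net and ifname == interface for net, ifname in allowed)


def diagnose(show_version, show_http, client_ip, interface):
    """Return the Step 6 conditions that fail; an empty list means all four hold."""
    problems = []
    pix_ok, pdm_ok = check_versions(show_version)
    if not pix_ok:
        problems.append("a: PIX Firewall software is not Version 6.3")
    if not pdm_ok:
        problems.append("b: PDM Version 3.0 is not installed")
    enabled, _ = parse_show_http(show_http)
    if not enabled:
        problems.append("c: HTTP server is not enabled")
    elif not client_permitted(show_http, client_ip, interface):
        problems.append(f"d: {client_ip} is not permitted on interface {interface}")
    return problems


if __name__ == "__main__":
    # A workstation on 10.1.2.0/24 is not covered by the 10.1.1.0/24 entry above.
    for p in diagnose(SHOW_VERSION, SHOW_HTTP, "10.1.2.9", "inside") or ["all Step 6 conditions hold"]:
        print(p)
```

Paste your own show version and show http output into the two strings and run the script with the address and interface your workstation actually uses; a permitted entry on the wrong interface (for example, an inside network listed while you connect through the dmz) fails condition d just as a missing entry does.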


Tips on Using PDM

For ease when using PDM, follow these tips:

You can view the size of your configuration from the PIX Firewall console. Either connect a computer to the PIX Firewall unit's console port or use Telnet to access the console (if the unit is configured for SSH, prefer it; Telnet sends the enable password in cleartext).

After entering the enable mode password, use the show flashfs command to view the configuration size, as shown in the following example:

pixdoc515(config)# show flashfs
flash file system:  version:2  magic:0x12345679
  file 0: origin:       0 length:1511480
  file 1: origin: 2883584 length:1639
  file 2: origin:       0 length:0
  file 3: origin: 3014656 length:4311804
  file 4: origin: 8257536 length:280

The "file 1" line lists the size of your configuration, in bytes, after the "length" parameter. In this example, the configuration is 1639 bytes. Divide this number by 1024 to get the size in kilobytes; the configuration in this example is slightly more than 1.6 KB.
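A small parser that pulls the configuration size out of a captured show flashfs transcript rather than reading it by eye, added here as an example (it is not part of this chapter or of the PIX software). The sample transcript is the one above; the assumption that slot 1 holds the configuration is taken from this section and may not hold for other images:

```python
"""Read the saved-configuration size out of PIX 'show flashfs' output."""
import re

# Constructed from the transcript in this chapter.
SHOW_FLASHFS = """\
flash file system:  version:2  magic:0x12345679
  file 0: origin:       0 length:1511480
  file 1: origin: 2883584 length:1639
  file 2: origin:       0 length:0
  file 3: origin: 3014656 length:4311804
  file 4: origin: 8257536 length:280
"""

FILE_RE = re.compile(r"file\s+(\d+):\s+origin:\s*(\d+)\s+length:\s*(\d+)")
CONFIG_SLOT = 1  # "file 1" holds the configuration per this chapter (assumption elsewhere)


def parse_flashfs(output):
    """Map slot number -> {'origin': byte offset, 'length': bytes} for every file line."""
    return {
        int(m.group(1)): {"origin": int(m.group(2)), "length": int(m.group(3))}
        for m in FILE_RE.finditer(output)
    }


def config_size(output):
    """Return (bytes, KB rounded to one decimal) of the saved configuration,
    or None when the transcript has no slot-1 line (wrong command, truncated paste)."""
    files = parse_flashfs(output)
    if CONFIG_SLOT not in files:
        return None
    n = files[CONFIG_SLOT]["length"]
    return n, round(n / 1024, 1)


if __name__ == "__main__":
    print(config_size(SHOW_FLASHFS))  # (1639, 1.6)
```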

The first time you use PDM with a PIX Firewall, PDM asks permission to save PDM-specific commands to your PIX Firewall configuration. These commands are necessary to update PDM's network topology information and do not change your network security policy on the PIX Firewall. When prompted, you can choose not to accept these commands, but without the network topology information, PDM can only monitor your PIX Firewall. Consequently, not accepting these commands limits your access in PDM to the Monitoring tab.

For Microsoft Internet Explorer web browsers, when prompted to accept certificates select the Always trust content from Cisco Systems check box so that the certificate is automatically accepted the next time you run PDM.

For Netscape Communicator or Navigator, select the Remember this decision check box so that the certificate is automatically accepted when you run PDM.

The following conditions can affect the performance of PDM on your workstation:

You can run several PDM sessions on a single workstation. The maximum number of PDM sessions you can run varies depending on your workstation's resources such as memory, CPU speed, and browser type.

The time required to download the PDM applet can be greatly affected by the speed of the link between your workstation and the PIX Firewall unit. A minimum of 56 Kbps link speed is required; however, 3.84 Mbps or higher is recommended. Once the PDM applet is loaded on your workstation, the link speed impact on PDM operation is negligible.

If your workstation's resources are running low, you should close and reopen your browser before launching PDM.

For information on PDM caveats, refer to the "Caveats" section of the Cisco PIX Device Manager Release Notes Version 3.0.

Troubleshooting

Table 5-1 contains basic PDM troubleshooting scenarios.

Table 5-1 Common Troubleshooting Symptoms, Conditions, and Workarounds

Each entry below gives the symptom, the conditions under which it occurs, and the workaround.

Symptom: Browser asks for acceptance of the security certificate again.

Conditions: The host name or domain name of the PIX Firewall unit has changed, so the unit presents a new certificate.

Workaround: This is normal. Accept the security certificate again. (Whenever you change the host name or domain of the PIX Firewall unit, the browser asks you to accept the new security certificate.)

Symptom: Browser asks for the password again.

Conditions: If you change the password on the PIX Firewall unit, the browser might ask you to reenter the password for authentication. If you use the Java Plug-in, the browser prompts you for your username and password twice.

Workaround: Keep track of new and changed passwords.

Symptom: Certificate displays a message that its timestamp is in the future when connecting to the PIX Firewall.

Conditions: The PIX Firewall clock is set earlier than the start of the certificate's validity period, so the browser displays the certificate timestamp warning each time a user connects to the PIX Firewall.

Workaround: Reset the PIX Firewall clock on the Configuration>System Properties>Administration>Clock screen in PDM. To check the timestamp on the certificate, look at the VPN screen under IKE>Certificate>Enrollment in PDM, or use the show ca certificate command at the console.

Symptom: Browser cannot access PDM.

Conditions: When you attempt to access PDM, the message "the page cannot be displayed" appears in Internet Explorer or the message "network connection was refused by the server" appears in Netscape Communicator.

Workaround:

1. Check that you are connecting to "https://pix_inside_interface_ip_address" and not to "http://...". The connection cannot be made using "http"; it must be "https".

2. If you still cannot connect, enter the show version command to check that your activation key enables DES or 3DES, which the HTTPS connection requires. If it does not, obtain an activation key that supports this requirement before continuing. If, after confirming that your activation key supports DES or 3DES, you still cannot connect, refer to "Checking Your Connection to the PIX Firewall".

Symptom: Clicking Grant causes PDM to crash.

Conditions: If you are using PDM with Netscape Version 4.73 and you have a corrupted certificate database, the browser may crash if you do the following:

1. Run an applet that uses a digital certificate.

2. Renew the certificate.

3. Run the new applet with the updated certificate.

4. Start PDM.

5. Click Grant to launch PDM.

This can happen on Windows, Sun Solaris, or Linux and is a problem in the Netscape Java Virtual Machine (JVM).

Workaround: Remove the corrupted cert7.db file (the certificate database file) from your Netscape profile directory. A new cert7.db file is created when you run Netscape again.

However, this removes all of the certificates that you have previously accepted as trusted (including certificates that you accepted from other sites and certificates that you entered manually), so expect to accept them again.

Symptom: Help files appear corrupted.

Conditions: This can occur when you are using Microsoft Internet Explorer 5.0 and do not have HTTP 1.1 enabled. PDM compresses the online Help files, and Internet Explorer requires HTTP 1.1 to be enabled to handle compressed files properly.

Workaround: In Internet Explorer, click Tools>Internet Options>Advanced. Scroll down to HTTP 1.1 settings. Select the Use HTTP 1.1 check box. Click Apply. Close and restart your browser.

If you are using a proxy server, also select the Use HTTP 1.1 through proxy connections check box.

Symptom: Some graphics or icons do not display properly.

Conditions: PDM is being run with a Java Plug-in that is not supported (PDM supports Java Plug-ins 1.3.1, 1.4.0, and 1.4.1), or a supported Plug-in is installed but is not the browser's default Java Virtual Machine (JVM).

Workaround: If you have the Java Plug-in installed, confirm that it is your default JVM:

In Internet Explorer, click Tools>Internet Options. Click the Advanced tab. Scroll down to the Java (Sun) section, if there is one, and confirm that Use Java 2 is checked.

In Netscape, click Edit>Preferences. Click Advanced. Make sure the Enable Java Plugin check box is checked.

Symptom: User cannot access PDM.

Conditions: More than five users are trying to access a single PIX Firewall unit using PDM, which exceeds the maximum number of simultaneous PDM sessions. The maximum is five users in the current version.

Workaround:

1. If more than five users need to access a PIX Firewall, one or more can use a PIX Firewall console session via Telnet instead.

2. If you know that a PDM administrator's session is idle and wish to disconnect it, open the PDM Users panel on the Monitoring tab.

3. Select the row with the IP address of the idle connection and click Disconnect. Another administrator can now access PDM.

Symptom: PDM launches slowly.

Conditions: The startup speed of PDM depends on the amount of available RAM in your computer, on whether virus scanning software is running on your computer, and on the speed of the link over which the PDM applet is downloaded.

Workaround:

1. Increase your available RAM by closing other applications.

2. Check the speed of the link between your workstation and the PIX Firewall unit; it is the download of the PDM applet that link speed affects (see the link-speed requirements under "Tips on Using PDM"). Once the applet is loaded on your workstation, the link speed impact on PDM operation is negligible.

3. See Load Time Improvements in "PC/Workstation Requirements" in Chapter 1.

Symptom: Performance of PDM is slow.

Conditions: When you use the Java Plug-in and access your PIX Firewall by IP address instead of by host name, PDM performance is dramatically slower. This occurs when the PIX Firewall host name is not in DNS or in the local hosts file.

Workaround: Ensure that the PIX Firewall host name is in DNS. If you are running Windows and there is no DNS in your network, or your DNS does not have the PIX Firewall entry, add the host name to the "hosts" file.

On Windows NT, 2000, and XP, the hosts file is located at C:\WINNT\system32\drivers\etc\hosts.

On Windows 98 and ME, it is at C:\Windows\hosts.

Each line in the hosts file is in the format "<ip> <hostname>". For example:

192.168.1.1   pixfirewall.example.com
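The workaround above is easy to get wrong by hand: a stale line for the same host name left higher in the file wins, and the browser keeps resolving the old address. The script below is an added example, not part of this chapter or of PDM. It works on the hosts file contents as a string so it can be tested offline; to apply it, read the hosts file from the path given for your Windows version, pass the contents through ensure_hosts_entry(), and write the result back with administrator rights. The sample contents and the address 192.168.1.1 are constructed.

```python
"""Make a PIX Firewall host name resolve through the local hosts file, idempotently."""
import ipaddress

# Constructed sample hosts file with a stale entry for the firewall.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
10.0.0.5 pixfirewall.example.com   # stale entry from an old addressing plan
"""


def _split_entry(raw):
    """Return (address, [names]) for a hosts line, or None for comments and blank lines."""
    fields = raw.split("#", 1)[0].split()
    if len(fields) < 2:
        return None
    try:
        ipaddress.ip_address(fields[0])
    except ValueError:
        return None  # malformed line: leave it alone, never treat it as a mapping
    return fields[0], fields[1:]


def resolve_from_hosts(content, hostname):
    """Return the address the hosts file maps hostname to, or None (first match wins)."""
    target = hostname.lower()
    for raw in content.splitlines():
        entry = _split_entry(raw)
        if entry and target in (n.lower() for n in entry[1]):
            return entry[0]
    return None


def ensure_hosts_entry(content, ip, hostname):
    """Return hosts content in which hostname maps to ip exactly once.

    A line already carrying the correct mapping is kept as-is; mappings of
    hostname to any other address are removed (other names on such a line are
    preserved, its trailing comment is not); a line is appended only if needed.
    """
    ipaddress.ip_address(ip)  # reject malformed input before touching the file
    target = hostname.lower()
    out, found = [], False
    for raw in content.splitlines():
        entry = _split_entry(raw)
        if entry is None or target not in (n.lower() for n in entry[1]):
            out.append(raw)
            continue
        if entry[0] == ip and not found:
            found = True
            out.append(raw)
            continue
        remaining = [n for n in entry[1] if n.lower() != target]
        if remaining:
            out.append(entry[0] + "\t" + " ".join(remaining))
    if not found:
        out.append(f"{ip}\t{hostname}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    fixed = ensure_hosts_entry(SAMPLE_HOSTS, "192.168.1.1", "pixfirewall.example.com")
    print(fixed)
    print("resolves to", resolve_from_hosts(fixed, "pixfirewall.example.com"))
```

Because the result is identical on a second run, the script can be left in a login or provisioning step; resolve_from_hosts() is also a quick way to confirm what the browser will actually see before blaming PDM for the slowdown.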

Symptom: There is access only to the Monitoring tab in PDM.

Conditions: Certain PIX Firewall CLI commands, and certain command combinations, in the configuration limit access in PDM to the Monitoring tab.

Workaround: For the list of these commands and command combinations, see the Cisco PIX Device Manager Release Notes Version 3.0. (Declining the PDM-specific commands at first use, described under "Tips on Using PDM", has the same effect.)