Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
607
Views
0
Helpful
2
Replies

PIX randomizing TCP sequence in ICMP Frag packets

sergey.klusov
Level 1
Level 1

‎03-07-2008 01:26 AM - edited ‎03-11-2019 05:13 AM

I have a PIX-515E, Software Version 7.2(1) with NAT disabled, in router mode, and almost all inspection off. REcently i noticed that PIX randomizing TCP sequence in ICMP Frag embedded message, that is last 4 bytes of the packet. Looks like windows hosts are okay with that, BUT i have some unix boxes and looks like they use TCP Seq header part for PathMTU discovery process. Is there some way to disable this randomization?

Here is tcpdump of packet before and after passing PIX:

this is packet from router with lower mtu just before PIX

10:32:54.775244 00:1c:f6:2e:4b:6f > 00:1d:45:21:a6:51, ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 255, id 18463, offset 0, flags [none],

proto: ICMP (1), length: 56) 10.23.5.3 > 10.23.0.241: ICMP 10.35.1.3 unreachable - need to frag (mtu 1280), length 36

(tos 0x8, ttl 61, id 2080, offset 0, flags [DF], proto: TCP (6),

length: 1420) 10.23.0.241.22 > 10.35.1.3.64856: tcp 1384 [bad hdr length 16

- too short, < 20]

0x0000: 4500 0038 481f 0000 ff01 5984 0a17 0503 E..8H.....Y.....

0x0010: 0a17 00f1 0304 bdf6 0000 0500 4508 058c ............E...

0x0020: 0820 4000 3d06 1a17 0a17 00f1 0a23 0103 ..@.=........#..

0x0030: 0016 fd58 2723 1573 ...X'#.s

--------------------------^^^^^^^^^^^

note the bytes

and this is the same packet _after_ PIX

10:32:54.775492 00:1d:45:21:a6:52 > 00:1b:78:e3:c7:66, ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 255, id 18463, offset 0, flags [none],

proto: ICMP (1), length: 56) 10.23.5.3 > 10.23.0.241: ICMP 10.35.1.3 unreachable - need to frag (mtu 1280), length 36

(tos 0x8, ttl 61, id 2080, offset 0, flags [DF], proto: TCP (6),

length: 1420) 10.23.0.241.22 > 10.35.1.3.64856: tcp 1400 [bad hdr length 0

- too short, < 20]

0x0000: 4500 0038 481f 0000 ff01 5984 0a17 0503 E..8H.....Y.....

0x0010: 0a17 00f1 0304 a065 0000 0500 4508 058c .......e....E...

0x0020: 0820 4000 3d06 1a17 0a17 00f1 0a23 0103 ..@.=........#..

0x0030: 0016 fd58 2e89 2b9e ...X..+.

---------------------------^^^^^^^^^

bytes changed

Labels:
0 Helpful
2 Replies 2

amritpatek
Level 6
Level 6

‎03-13-2008 07:16 AM

The PIX altering the initial sequence number of the TCP SYN segment sent by the server is the normal (default) behavior for packets going from a higher security interface to a lower security interface (like in your case.) When going from a lower security interface to a higher security interface, the PIX does not randomize the initial sequence number. You are correct that Linux/Unix will drop ICMP messages that have TCP sequence numbers that fall outside the expected range, i.e. packets that have been sent and not yet acknowledged (in-flight packets).

As a resolution the PIX can be told to not to randomization of the TCP sequence number by adding the "norandomseq" keyword to the "nat" statements.

0 Helpful

sergey.klusov
Level 1
Level 1
In response to amritpatek

‎03-13-2008 09:42 PM

Thanks for reply.

Actually i solved this issue by specifying this:

class-map global-class

match any

!

!

policy-map global-policy

class global-class

set connection random-sequence-number disable

as i said before, i have NAT disabled.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card