cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
581
Views
0
Helpful
1
Replies
Beginner

TCP Window Variation Sig fires repeatedly

Sig 1307/0 TCP Window Variation is constantly firing on my IPS. The explanation mentions that some "improperly implemented" firewalls can cause this signature to fire. I have an ASA 5520 between my users and the internet and all internet traffic is NATed. It fires on normal web traffic to known good sites as well as traffic between sites coming in over IPSEC VPN, which is exempted from NAT. Any ideas on what may be causing this?

1 REPLY 1
Highlighted
Frequent Contributor

Re: TCP Window Variation Sig fires repeatedly

This signature Sig 1307/0 will fire when the TCP window varies in a suspect manner. The right edge of the recieve window for TCP decreases. The TCP RFCs state that this should not occur.

This signature will NOT function in promiscuous mode.

Some incorrectly implemented proxies or network address translation firewalls could modify the window can cause this signature to fire.

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards