PIX 506 x Siebel Application

jrmendes
Level 1

Hi,

I have an IPsec tunnel from a remote site (PIX 506) to a 3020 Concentrator. Users use all applications without problem except Siebel (client-server application with database access). It seems that Siebel creates secondary dynamic TCP connections and the PIX is dropping these packets. As these connections are not established before, the PIX is dropping these packets. I have the message 106015 in the log file. According to the PIX documentation, "If the SYN flag is not set, and there is not an existing connection, the firewall discards the packet".

Does someone have a tip to overcome this situation?

Thanks

2 Replies

owillins
Level 6

The document IP Security Troubleshooting - Understanding and Using debug Commands has more information on troubleshooting IPSec.

http://www.cisco.com/warp/customer/707/ipsec_debug.html

Hi,

Have you thought about using the 'established' command? It permits "return connections on ports other than those used for the originating connection based on an established connection" (from the Command Reference).

-- PIX Command Reference, version 6.3:

http://cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1028903

Please be aware of the security risks this implies...

Example (assuming initial connection behind PIX, to Siebel server behind concentrator):

established tcp 0 siebel-port permitfrom tcp siebel-second-channel-src-port permitto tcp siebel-second-channel-dst-port

Hope that helps!

Federico Rodriguez
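
An added example, not part of the original posts: before writing an `established` rule, the 106015 entries mentioned in the question can be tallied to see which host pairs and destination ports are actually being dropped, so the permitto/permitfrom ports stay as narrow as possible. It assumes the standard 106015 syslog text; the sample lines, addresses and ports are constructed.

```python
import re
from collections import Counter

# Text of PIX syslog message 106015 (Deny TCP, no connection).
DENY_RE = re.compile(
    r"%PIX-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)

# Constructed sample log: 192.168.5.10 stands in for the Siebel server,
# 10.1.1.x for clients behind the PIX. None of these values come from the thread.
SAMPLE_LOG = """\
Mar 01 10:00:01 pix506 %PIX-6-106015: Deny TCP (no connection) from 192.168.5.10/2321 to 10.1.1.20/1047 flags PSH ACK on interface outside
Mar 01 10:00:02 pix506 %PIX-6-106015: Deny TCP (no connection) from 192.168.5.10/2321 to 10.1.1.20/1047 flags ACK on interface outside
Mar 01 10:00:05 pix506 %PIX-6-302013: Built outbound TCP connection 411 for outside:192.168.5.10/2320 (192.168.5.10/2320) to inside:10.1.1.20/1040 (10.1.1.20/1040)
Mar 01 10:00:09 pix506 %PIX-6-106015: Deny TCP (no connection) from 192.168.5.10/2322 to 10.1.1.20/1052 flags ACK on interface outside
Mar 01 10:00:12 pix506 %PIX-6-106015: Deny TCP (no connection) from 192.168.5.10/2330 to 10.1.1.21/1100 flags RST on interface outside
"""


def summarize_denies(log_text):
    """Count 106015 denies per (src, dst, dst port); source ports are ignored."""
    flows = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:  # any other message ID is skipped
            flows[(m["src"], m["dst"], int(m["dport"]))] += 1
    return flows


def port_range(flows, src, dst):
    """Smallest destination-port range covering the denies for one host pair."""
    ports = [p for (s, d, p) in flows if s == src and d == dst]
    return (min(ports), max(ports)) if ports else None


if __name__ == "__main__":
    flows = summarize_denies(SAMPLE_LOG)
    for (src, dst, dport), count in flows.most_common():
        print(f"{src} -> {dst}:{dport}  denied {count}x")
    print("range:", port_range(flows, "192.168.5.10", "10.1.1.20"))
```
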
