
PIX 7 : Wrong Sequence number in a RST ACK

stefano.sassi
Level 1

Hi Everyone,

My firewall: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz, Software Version 7.0(4)

My BIG problem:

In a "particular condition", in answer to a SYN ACK, the PIX sends a RST ACK to the server with a SEQ number 1 HIGHER than it should be.

Example:

Packet 1, server -> client (SYN ACK)
Source : 10.26.50.1 (server)   Destination : 10.246.66.227 (client)
Source Port : 80   Destination Port : 1414
Sequence Number : 2191510856   Ack Number : 680687843
Header Length : 24   Flags : Ack Syn

Packet 2, client -> server (RST ACK)
Source : 10.246.66.227 (client)   Destination : 10.26.50.1 (server)
Source Port : 1414   Destination Port : 80
Sequence Number : 680687844   Ack Number : 2191510857
Header Length : 20   Flags : Ack Rst

Packet 3, server -> client (SYN ACK, retransmitted)
Source : 10.26.50.1 (server)   Destination : 10.246.66.227 (client)
Source Port : 80   Destination Port : 1414
Sequence Number : 2191510857   Ack Number : 680687843
Header Length : 24   Flags : Ack Syn

Packet 4, client -> server (RST ACK)
Source : 10.246.66.227 (client)   Destination : 10.26.50.1 (server)
Source Port : 1414   Destination Port : 80
Sequence Number : 680687844   Ack Number : 2191510858
Header Length : 20   Flags : Ack Rst

The server ignores this and sends out the ACK SYN again and this looping condition continues.

The logging (level 7) on the PIX looks like this:

PIX- %PIX-6-106015: Deny TCP (no connection) from 10.26.50.1/80 to 10.246.66.227/1414 flags SYN ACK on interface inside

PIX- %PIX-6-106015: Deny TCP (no connection) from 10.26.50.1/80 to 10.246.66.227/1414 flags SYN ACK on interface inside

PIX- %PIX-6-106015: Deny TCP (no connection) from 10.26.50.1/80 to 10.246.66.227/1414 flags SYN ACK on interface inside

PIX- %PIX-6-106015: Deny TCP (no connection) from 10.26.50.1/80 to 10.246.66.227/1414 flags SYN ACK on interface inside

...

Help me please ...
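The exchange quoted above, checked against the TCP reset rule, as an added example that is not part of the original post. RFC 793 section 3.4 says a RST answering a segment that carries ACK must take its sequence number from that segment's ACK field, so the reply to the first SYN ACK should carry seq 680687843, not 680687844; and RFC 5961 section 3.2 says a peer only tears down on a RST whose seq matches RCV.NXT exactly (an in-window but inexact seq draws a challenge ACK), which is one reason a server keeps retransmitting its SYN ACK. The four segments are reconstructed from the numbers in the post; the payload length (0) and the server's receive window (65535) are not in the post and are assumed, and all helper names are my own.

```python
"""Check a TCP RST against the RFC 793 reset-generation rule.

Added example, not code from the original post. The segments in CAPTURE are
reconstructed from the numbers quoted in the post; payload length (0 bytes)
and the server's receive window (65535) are assumed. Helper names are my own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: frozenset
    payload_len: int = 0  # assumed: the post shows header-only segments


def expected_rst(incoming: Segment) -> Tuple[int, Optional[int]]:
    """(seq, ack) an RFC 793 section 3.4 reset must carry in reply to `incoming`.

    If the incoming segment carries ACK, the RST takes its sequence number
    from that ACK field (<SEQ=SEG.ACK><CTL=RST>, no ACK of its own). Otherwise
    the RST has seq 0 and acknowledges SEG.SEQ + SEG.LEN, where SYN and FIN
    each occupy one sequence number.
    """
    if "ACK" in incoming.flags:
        return incoming.ack, None
    seg_len = incoming.payload_len + ("SYN" in incoming.flags) + ("FIN" in incoming.flags)
    return 0, (incoming.seq + seg_len) & MASK32


def check_rst(incoming: Segment, rst: Segment, rcv_wnd: int = 65535) -> List[str]:
    """Findings on how `rst`, sent in reply to `incoming`, deviates from the rule.

    Sender side: RFC 793 reset generation. Receiver side: a peer that has just
    sent a SYN/ACK has RCV.NXT equal to the ACK it sent, and under RFC 5961
    section 3.2 only a RST whose seq matches RCV.NXT exactly resets it; an
    in-window but inexact seq draws a challenge ACK and the connection lives on.
    """
    if "RST" not in rst.flags:
        return ["segment is not a RST"]
    findings: List[str] = []
    exp_seq, exp_ack = expected_rst(incoming)
    if rst.seq != exp_seq:
        off = ((rst.seq - exp_seq + 2**31) & MASK32) - 2**31  # signed modulo-2^32 difference
        findings.append(f"RST seq {rst.seq} != expected {exp_seq} (off by {off:+d})")
    if exp_ack is not None and rst.ack != exp_ack:
        findings.append(f"RST ack {rst.ack} != expected {exp_ack}")
    if "ACK" in incoming.flags:
        rcv_nxt = incoming.ack  # what the SYN/ACK sender expects next from us
        delta = (rst.seq - rcv_nxt) & MASK32
        if 0 < delta < rcv_wnd:
            findings.append("in-window but inexact seq: an RFC 5961 peer sends a challenge ACK, not a reset")
        elif delta >= rcv_wnd:
            findings.append("seq outside the peer's receive window: RST silently dropped")
    return findings


# Constructed from the post: two SYN/ACK -> RST/ACK pairs of the loop.
SERVER, CLIENT = "10.26.50.1", "10.246.66.227"
SYNACK = frozenset({"SYN", "ACK"})
RSTACK = frozenset({"RST", "ACK"})
CAPTURE = [
    ("pair 1", Segment(SERVER, CLIENT, 80, 1414, 2191510856, 680687843, SYNACK),
               Segment(CLIENT, SERVER, 1414, 80, 680687844, 2191510857, RSTACK)),
    ("pair 2", Segment(SERVER, CLIENT, 80, 1414, 2191510857, 680687843, SYNACK),
               Segment(CLIENT, SERVER, 1414, 80, 680687844, 2191510858, RSTACK)),
]


def analyze_capture(capture=CAPTURE) -> Dict[str, List[str]]:
    """Run check_rst over every (label, SYN/ACK, RST) triple in the capture."""
    return {label: check_rst(synack, rst) for label, synack, rst in capture}


if __name__ == "__main__":
    for label, findings in analyze_capture().items():
        print(label, "->", findings or ["RST conforms to RFC 793"])
```

Both pairs report the same two findings: the RST's seq is off by +1 from the SYN ACK's ACK field, and that seq is in the server's window but not equal to RCV.NXT, so a stack applying RFC 5961 challenges rather than resets, which matches the SYN ACK retransmissions and the repeated `%PIX-6-106015` denies in the log.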

Accepted Solution

robert.mcclain
Level 1

Are you using the SSM-CSC module in this unit?

Look at the ASA722 release notes. I think one of the caveats it fixes is packets not being reconstructed in proper order. This could be what you're seeing.
