PIX + tcp handshake debug

michelcaissie
Level 1

Hi,

We have an application running between 2 custom proxy servers with a PIX between them. The application runs fine when both proxies are on the same LAN. It stops working when we insert the PIX.

Access-group allows everything; the inside device is translated on the outside:

static (inside,outside) 172.20.0.95 172.20.0.95 netmask 255.255.255.255 0 0

When we run a debug packet we can see:

1. 172.20.0.95 SYN to 172.19.8.146 on the inside
2. PIX forwarding the 172.20.0.95 SYN to 172.19.8.146 on the outside (using its own sequence number)
3. 172.19.8.146 SYNACK to 172.20.0.95 on the outside
4. PIX forwarding the 172.19.8.146 SYNACK to 172.20.0.95 on the inside
5. 172.20.0.95 ACK to 172.19.8.146
6. But we don't see the PIX forwarding the last ACK on the outside.

We suspect that it is dropped by the PIX intrusion-protection mechanism.

Can anyone tell me if they see something wrong with the last packet, explaining why it is dropped? And can this be bypassed through some PIX tweaking?

See debug packet trace in attachment.

Thanks
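The handshake listed above (SYN out, SYNACK back, final ACK) with the PIX rewriting the inside host's initial sequence number is something that can be sanity-checked by hand once the three segments are pulled out of a capture. The following is an added example, not code from the poster or from Cisco: a small Python model that checks a SYN, SYN/ACK, ACK triple for consistent sequence and acknowledgement numbers, and shows what the same handshake must look like on the outside interface once the client's initial sequence number has been shifted. The two addresses are the ones in the post; the sequence numbers and the shift are constructed values, and the sequence-number translation is a simplified model of a firewall that randomizes the client ISN, not a description of the PIX internals.

```python
"""Consistency check for a TCP three-way handshake seen in a capture.

Added example (not from the original post). It models a firewall that
rewrites the client's initial sequence number (ISN) on the way out, so a
capture on the outside interface shows shifted client seq numbers and
shifted server ack numbers, while the inside capture shows the originals.
"""
from dataclasses import dataclass, replace

SYN, ACK = 0x02, 0x10
MOD = 2 ** 32  # TCP sequence numbers wrap at 2^32


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: int
    seq: int
    ack: int = 0


def check_handshake(segs):
    """Return a list of inconsistencies in a SYN, SYN/ACK, ACK triple ([] if clean)."""
    if len(segs) != 3:
        return [f"expected 3 segments, got {len(segs)}"]
    syn, synack, ack = segs
    problems = []
    if syn.flags != SYN:
        problems.append("segment 1 is not a bare SYN")
    if synack.flags != SYN | ACK:
        problems.append("segment 2 is not a SYN/ACK")
    if ack.flags != ACK:
        problems.append("segment 3 is not a bare ACK")
    if (synack.src, synack.dst) != (syn.dst, syn.src):
        problems.append("SYN/ACK does not mirror the SYN's endpoints")
    if (ack.src, ack.dst) != (syn.src, syn.dst):
        problems.append("ACK does not come from the SYN's sender")
    # Each acknowledgement must point one past the peer's ISN.
    want_client_next = (syn.seq + 1) % MOD
    want_server_next = (synack.seq + 1) % MOD
    if synack.ack != want_client_next:
        problems.append(f"SYN/ACK acks {synack.ack}, expected {want_client_next}")
    if ack.seq != want_client_next:
        problems.append(f"ACK seq {ack.seq}, expected {want_client_next}")
    if ack.ack != want_server_next:
        problems.append(f"ACK acks {ack.ack}, expected {want_server_next}")
    return problems


def outside_view(inside_segs, client, offset):
    """Simplified model of ISN randomization for the client side.

    Segments from the client leave with seq shifted by `offset`; segments from
    the peer arrive with ack numbers shifted by the same amount (the firewall
    undoes that before forwarding them inside). The result is what a capture
    on the outside interface should show if translation is consistent.
    """
    out = []
    for s in inside_segs:
        if s.src == client:
            out.append(replace(s, seq=(s.seq + offset) % MOD))
        elif s.flags & ACK:
            out.append(replace(s, ack=(s.ack + offset) % MOD))
        else:
            out.append(s)
    return out


# Constructed handshake as seen on the inside interface (addresses from the
# post, sequence numbers made up for the example).
INSIDE_HOST, OUTSIDE_HOST = "172.20.0.95", "172.19.8.146"
INSIDE_VIEW = [
    Segment(INSIDE_HOST, OUTSIDE_HOST, SYN, seq=1000),
    Segment(OUTSIDE_HOST, INSIDE_HOST, SYN | ACK, seq=5000, ack=1001),
    Segment(INSIDE_HOST, OUTSIDE_HOST, ACK, seq=1001, ack=5001),
]
OFFSET = 123456  # constructed ISN shift

# Outside view where the final ACK still carries the untranslated inside seq:
# the checker flags it, because it no longer fits the outside sequence space.
BROKEN_OUTSIDE = outside_view(INSIDE_VIEW, INSIDE_HOST, OFFSET)[:2] + [
    Segment(INSIDE_HOST, OUTSIDE_HOST, ACK, seq=1001, ack=5001),
]

if __name__ == "__main__":
    views = [
        ("inside", INSIDE_VIEW),
        ("outside", outside_view(INSIDE_VIEW, INSIDE_HOST, OFFSET)),
        ("broken outside", BROKEN_OUTSIDE),
    ]
    for name, view in views:
        problems = check_handshake(view)
        print(f"{name}: {'consistent' if not problems else '; '.join(problems)}")
```

To use it on a real trace, fill the three Segment objects from the capture of one interface and run check_handshake on them; comparing the inside and outside captures of the same handshake side by side is what shows whether the final ACK the firewall saw actually matches the ISN it handed out.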

1 Reply

scoclayton
Level 7

Try issuing a 'debug fixup tcp' on the PIX and attempting the connection again. If the PIX is dropping the packets as a result of the ASA, this debug will tell you why.

One other note, I would HIGHLY suggest using the capture utility on the PIX as opposed to the 'debug packet' unless you really get a kick out of doing hex conversions all day ;)

Scott
