Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
391
Views
5
Helpful
1
Replies

rsh problem with PIX Firewall

pthome
Level 1
Level 1

‎02-28-2005 11:47 PM - edited ‎02-20-2020 11:59 PM

Hi all,

I have an rsh and rcp Problem with Pix Firewall since the Update from 5.2.1 to 6.3.4. All other things went well and we also use functionality from 6.3.4, so we can't go back to 5.2.1 (We don't want it, too)

The first outbound connection to an rsh server functions without Problems, but further connections to the same Server are timed out in the PIX. So only one connection at a time is possible through the PIX.

We already played with rsh fixup disabeling and enabeling but this had no effect.

The second + connection get the following state in the firewall:

ukhpix# sh conn | grep 1.2.3.4

TCP out 5.6.7.8:514 in 1.2.3.4:1023 idle 0:00:12 Bytes 0 flags sA

The Pix seems to wait for further Packets. Did anyone have similar Problems with pix and RSH.

Before the Upgrade, it worked fine and we did not change anything on the servers

Greets,

Peter

0 Helpful
1 Reply 1

gfullage
Cisco Employee
Cisco Employee

‎03-01-2005 08:46 PM

Have seen this before with 6.3(4), actually anything higher than 6.3(3.133) breaks, where anything lower works fine. In the previous case this was due to the TCP vulnerability fixes that went into this release (see http://www.cisco.com/en/US/partner/products/products_security_advisory09186a008021ba2f.shtml for details), and nothing really to do with the PIX.

Specifically the bug fix that causes this issue (at least the previous issue that I've seen) is this:

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCed91445&Submit=Search

You'd need a Sniffer capture of the data to and from the RSH server to be sure, but what we saw previously was the RSH server was sending a TCP FIN with an invalid sequence number. Before the vulnerability fixes went in the PIX would allow this through and the session would be closed properly on the server and client. Now though, the PIX drops this and the session hangs on the server, which also stops any other ones from getting through as when a new connection comes in it thinks it's still part of the existing one.

We had to get the RSH server software manufacturer involved, but that was a while ago and never heard anything after that.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card