URGENT problem between interfaces in PIX 515E UR

kalle.larsson
Level 1

Hi there, dear fellows!

I hope any one can help me with this strange problem.

I have a customer with a web portal solution where the administrator of the web site logs in to the system so he/she can administer the web. The web server is placed on an interface in the PIX called "UDMZ", and when the user logs in to the web server, the server asks another server on another interface in the PIX called "DMZ" for user credentials via LDAPS (tcp 636). Sometimes it works and sometimes it doesn't. If you restart the PIX and then try to connect you can't log in, but if you send some ICMP packets between the machines it sometimes starts to work again. I can use TELNET to tcp port 636 and connect at any time..!?!

Via a syslog server I got this message: "%PIX-6-106015: Deny TCP (no connection) from 192.168.50.20/35491 to 192.168.18.110/636 flags PSH ACK on interface UDMZ"

The problem is regarding these two IP addresses above.

When I use a router between the servers (without the PIX) it works just fine!!

Can anyone see any problem in the configuration attached?

2 Replies

pkapoor
Level 3

Your Sitevision_ext is sending a PSH ACK TCP flag to the Meta server. The PIX requires that the first packet of a TCP connection have a SYN flag. If a TCP packet arrives with any other kind of flag, it will check the connection table to see if there is an existing connection for that packet. This is especially the case because your connection is being initiated from the UDMZ to the DMZ - a lower security interface to a higher security interface.

Find out why the Sitevision_ext sends a PSH ACK sometimes when it should really be sending a SYN packet.

It may work sometimes because the first TCP connection packet may have the SYN flag as expected. Telnet and ping on the other hand work because you have the right translations and ACLs applied.
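
As an added illustration of the connection-table behaviour pkapoor describes (example code written for this page, not Cisco's or either poster's), here is a minimal Python model of the check: only a SYN creates an entry, a later packet must match an entry, and a PIX restart empties the table. The IP addresses and ports are those from the syslog line in the original post; the "Built" message wording is an assumption.

```python
from dataclasses import dataclass

# Constructed model of the PIX stateful check: a TCP packet passes only if it is
# the SYN that opens a connection or matches an existing connection-table entry.
# Anything else is dropped and logged as 106015 "Deny TCP (no connection)".

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as they appear in the syslog message, e.g. "PSH ACK"
    iface: str   # interface the packet arrived on

class PixConnTable:
    def __init__(self):
        self.conns = set()  # (src, sport, dst, dport) for each open connection

    def reboot(self):
        # A PIX restart (as in the original post) empties the connection table.
        self.conns.clear()

    def inspect(self, p):
        """Return the syslog-style verdict for one packet."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if set(p.flags.split()) == {"SYN"}:
            self.conns.add(fwd)  # first packet of a new connection: build entry
            return f"Built TCP connection {p.src}/{p.sport} -> {p.dst}/{p.dport}"  # wording assumed
        if fwd in self.conns or rev in self.conns:
            return "Permit (existing connection)"
        # Same format as the 106015 line quoted in the original post
        return (f"%PIX-6-106015: Deny TCP (no connection) from {p.src}/{p.sport} "
                f"to {p.dst}/{p.dport} flags {p.flags} on interface {p.iface}")

def demo():
    """Replay the scenario: handshake, data, reboot, then a stray PSH ACK."""
    pix = PixConnTable()
    web, ldap = "192.168.50.20", "192.168.18.110"
    verdicts = [
        pix.inspect(Packet(web, 35491, ldap, 636, "SYN", "UDMZ")),
        pix.inspect(Packet(ldap, 636, web, 35491, "SYN ACK", "DMZ")),  # reply matches reverse tuple
        pix.inspect(Packet(web, 35491, ldap, 636, "PSH ACK", "UDMZ")),
    ]
    pix.reboot()  # table lost, but the web server still believes the session is open
    verdicts.append(pix.inspect(Packet(web, 35491, ldap, 636, "PSH ACK", "UDMZ")))
    return verdicts
```

The last verdict reproduces the exact 106015 line from the original post: a long-lived LDAPS session that survives on the servers but not in the PIX connection table is denied until a fresh SYN rebuilds the entry.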

Thank You, Sir.

I will look into this problem with the mysterious "ACK FLAG" from the Sitevision server.

//Kalle
