12-10-2004 04:17 AM - edited 02-20-2020 11:47 PM
Hi there, dear fellows!
I hope someone can help me with this strange problem.
I have a customer that has a web portal solution where the administrator of the web should log in to the system so he/she can administer the web. The web server is placed on an interface in the PIX called "UDMZ", and when the user logs in to the web server, the server asks another server on another interface in the PIX called "DMZ" for user credentials via LDAPS (TCP 636). Sometimes it works and sometimes it doesn't. If you restart the PIX and then try to connect you can't log in, but if you send some ICMP packets between the machines it sometimes starts to work again. I can use TELNET to TCP port 636 and connect at any time..!?!
Via an syslog server I got this message: "%PIX-6-106015: Deny TCP (no connection) from 192.168.50.20/35491 to 192.168.18.110/636 flags PSH ACK on interface UDMZ"
The problem is regarding these two IP addresses above.
When I use a router between the servers (without the PIX) it works just fine!!
Can anyone see any problem in the attached configuration?
12-10-2004 12:26 PM
Your Sitevision_ext is sending a PSH ACK TCP flag to the Meta server. The PIX requires that the first packet of a TCP connection have a SYN flag. If there is any other kind of flag, it will check the connection table to see if there is an existing connection for that TCP packet that does not have a SYN flag. This is especially the case because your connection is being initiated from the UDMZ to the DMZ, a lower-security interface to a higher-security interface.
Find out why the Sitevision_ext sends a PSH ACK sometimes when it should really be sending a SYN packet.
It may work sometimes because the first TCP connection packet may have the SYN flag as expected. Telnet and ping, on the other hand, work because you have the right translations and ACLs applied.
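The connection-table check described in the answer above, as an added example (not code from the thread, and not PIX code): a simplified stateful inspector that admits a flow only when its first segment is a bare SYN, permits later segments only if they match an entry in either direction, and emits a 106015-style line otherwise. The restart() method clears the table, which models what a PIX reboot does to its connection state, so a client that keeps using a pre-reboot session sends a PSH ACK that the PIX has no entry for. The class and function names, the "accept SYN then SYN ACK" sequence and the log format string are this example's own assumptions; the addresses, ports and interface name are taken from the syslog line quoted in the question.

```python
"""Simplified model of the PIX TCP connection-table check behind %PIX-6-106015.

Added example, not PIX code. Assumptions: a flow enters the table only on a bare
SYN; any other segment must match an existing entry (forward or reverse 4-tuple)
or it is dropped and logged; restart() discards all state, as a reboot would.
"""
import re

# Parser for the syslog line quoted in the question (format assumed from that line).
LOG_106015 = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


def parse_106015(line):
    """Return the fields of a 106015 line as a dict, or None if the line is not one."""
    m = LOG_106015.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    d["flags"] = tuple(d["flags"].split())
    return d


class PixTcpInspector:
    """Connection table keyed on (src, sport, dst, dport) of the initiating SYN."""

    def __init__(self):
        self.conns = set()   # 4-tuples of flows that began with a SYN
        self.log = []        # 106015 lines generated for denied segments

    def restart(self):
        """A reboot loses every connection entry but not the hosts' TCP sessions."""
        self.conns.clear()

    def inspect(self, src, sport, dst, dport, flags, iface):
        """Return True if the segment is permitted, False if denied (and logged)."""
        flags = tuple(flags)
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags == ("SYN",):           # first packet of a new connection
            self.conns.add(fwd)
            return True
        if fwd in self.conns or rev in self.conns:
            return True                  # belongs to a known connection
        self.log.append(
            "%PIX-6-106015: Deny TCP (no connection) from {}/{} to {}/{} "
            "flags {} on interface {}".format(src, sport, dst, dport,
                                              " ".join(flags), iface))
        return False


def scenario_after_restart():
    """Reproduce the symptom: an LDAPS session that outlives a PIX reboot."""
    pix = PixTcpInspector()
    client = ("192.168.50.20", 35491)    # Sitevision_ext, on UDMZ
    server = ("192.168.18.110", 636)     # Meta server, on DMZ
    before = [
        pix.inspect(*client, *server, ("SYN",), "UDMZ"),
        pix.inspect(*server, *client, ("SYN", "ACK"), "DMZ"),
        pix.inspect(*client, *server, ("PSH", "ACK"), "UDMZ"),
    ]
    pix.restart()                        # connection table gone, hosts unaware
    reused = pix.inspect(*client, *server, ("PSH", "ACK"), "UDMZ")
    fresh = pix.inspect(*client, *server, ("SYN",), "UDMZ")  # new session works
    return {"before": before, "reused": reused, "fresh": fresh, "log": pix.log}


if __name__ == "__main__":
    result = scenario_after_restart()
    print(result)
    print(parse_106015(result["log"][0]))
```

The denied PSH ACK produces exactly the line the syslog server reported, while a session that starts with a fresh SYN after the reboot is permitted; that is the behaviour the answer describes, and it is why restarting the client application (or anything that makes it open a new TCP connection) clears the problem.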
12-10-2004 02:47 PM
Thank you, Sir.
I will look into this problem with the mysterious "ACK FLAG" from the Sitevision server.
//Kalle