Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1234
Views
0
Helpful
0
Comments

Legitimate TCP connections are blocked by spoofed TCP SYN packets in a PIX 500 Series Firewall with software version 6.x

TCC_2
Level 10
Level 10

‎06-22-2009 04:41 PM - edited ‎03-08-2019 06:18 PM

Core issue

This issue is due to Cisco bug ID CSCsc14915.

The root cause of this problem is that the spoofed segment creates an embryonic connection and sets up the TCP sliding window. A valid segment from a real host using the same connection as the spoofed packet sends a SYN over the same connection. Therefore, the sequence number of the valid segment is out-of-window and rejected by the PIX TCP sequence number check. Any subsequent retransmissions of the valid segment are also out-of-window and are rejected by the TCP sequence number check.

Other spoofed TCP SYN segments that create embryonic connections can also cause this behavior. Legitimate TCP connections are blocked until the embryonic connection times out.

Resolution

As a workaround, issue either the clear xlate or clear local-host command in order to allow the PIX Firewall to pass connections again.

Alternatively, download and upgrade to PIX version 6.3.5.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents