Introduction
The sequence number in the outbound reset packet gets randomized in the PIX Firewall 500 series with software version 6.x.
Core issue
The issue is documented in Cisco bug ID CSCeg04006.
The PIX randomizes the sequence number of the outbound reset (RST) segment that a server sends in response to a SYN to a non-listening port. In some circumstances this causes the RST segment to be dropped, so the client side of the connection "hangs" and keeps retransmitting the initial SYN.
This occurs when a client on the outside interface of the PIX connects to a server located behind the inside interface of the PIX, and sequence number randomization has not been turned off for that host.
SEQ number in the outbound RST packet gets randomized - CSCeg04006
Description - Symptom:
The PIX randomizes the sequence number in the outbound RST segment which comes in response to a SYN to a non-listening port. This might cause this segment to be dropped in some circumstances - causing the client side of connection to "hang" and keep retransmitting the initial SYNs.
Condition:
The connection is made from the client on the outside interface of the PIX to the server behind the inside interface of the PIX, and the randomization is not turned off.
Workaround:
Turn off the sequence number randomization by configuring a "norandomseq" keyword for the affected hosts.
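To confirm the symptom from a capture taken on the outside interface, the following added Python check (not part of the Cisco document) pairs each RST with the SYN it answers, flags RSTs whose sequence number is not the RFC 793 value of zero, and counts the client's SYN retransmissions. The packet record layout and the sample packets are constructed for this example.

```python
def pkt(src, sport, dst, dport, flags, seq, ack=0):
    """Packet record; flags is a '+'-joined string such as 'RST+ACK'."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags.split("+")), "seq": seq, "ack": ack}

def pair_syn_rst(packets):
    """Return (syn, rst) pairs plus per-flow counts of retransmitted SYNs."""
    pending, pairs, retransmits = {}, [], {}
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == {"SYN"}:
            if key in pending and pending[key]["seq"] == p["seq"]:
                # same ISN again: the client is still waiting, the "hang"
                retransmits[key] = retransmits.get(key, 0) + 1
            else:
                pending[key] = p
        elif "RST" in p["flags"]:
            # the RST flows server->client, so look up the reversed 4-tuple
            syn = pending.get((p["dst"], p["dport"], p["src"], p["sport"]))
            if syn is not None:
                pairs.append((syn, p))
    return pairs, retransmits

def diagnose(packets):
    """One finding per SYN/RST pair. RFC 793: a RST answering a SYN that
    carried no ACK has SEQ=0 and ACK=SYN.SEQ+1; a non-zero SEQ is consistent
    with an in-line device randomizing the server-side ISN."""
    pairs, retransmits = pair_syn_rst(packets)
    findings = []
    for syn, rst in pairs:
        key = (syn["src"], syn["sport"], syn["dst"], syn["dport"])
        findings.append({
            "client": syn["src"], "server": syn["dst"], "port": syn["dport"],
            "ack_ok": "ACK" in rst["flags"]
                      and rst["ack"] == (syn["seq"] + 1) & 0xFFFFFFFF,
            "seq_rewritten": rst["seq"] != 0,
            "syn_retransmits": retransmits.get(key, 0)})
    return findings

# Constructed sample (not a real capture): one clean exchange, one where the
# RST's SEQ was rewritten and the client keeps retransmitting its SYN.
C, S = "192.0.2.10", "172.16.11.1"
SAMPLE_PACKETS = [
    pkt(C, 40000, S, 8080, "SYN", 1000),
    pkt(S, 8080, C, 40000, "RST+ACK", 0, 1001),
    pkt(C, 40001, S, 8080, "SYN", 5000),
    pkt(S, 8080, C, 40001, "RST+ACK", 2837465102, 5001),
    pkt(C, 40001, S, 8080, "SYN", 5000),
    pkt(C, 40001, S, 8080, "SYN", 5000),
]
```

A flow that shows `seq_rewritten` together with a growing `syn_retransmits` count is the pattern to look for before applying the `norandomseq` workaround to that host.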
Resolution
The norandomseq keyword disables TCP Initial Sequence Number (ISN) randomization. TCP sequence randomization should only be disabled if another in-line firewall is also randomizing sequence numbers and the result is scrambled data. Each TCP connection has two Initial Sequence Numbers (ISNs): one generated by the client and one generated by the server. The FWSM randomizes the ISN that is generated by the host/server. At least one of the ISNs must be randomly generated so that attackers cannot predict the next ISN and potentially hijack the session. The security appliance randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.
Example
static (inside,outside) 172.16.11.1 172.16.11.1 netmask 255.255.255.255 norandomseq
or
hostname(config)# static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 tcp 1000 200 udp 1000 norandomseq
Known Fixed Releases:
6.2(4.102)
6.3(4.117)
6.3(5.0)