Core issue

This behavior is tracked as Cisco bug ID CSCsc14915.

The root cause is that the spoofed SYN creates an embryonic (half-open) connection on the PIX and initializes the TCP sequence-number window for that connection from the spoofed segment's initial sequence number. When the real host later sends its own SYN for the same connection (same source and destination addresses and ports), its sequence number is unrelated to the spoofed one, so it falls outside that window and is rejected by the PIX TCP sequence number check. Every retransmission of the legitimate SYN carries the same out-of-window sequence number and is rejected the same way.

Any other spoofed TCP SYN segment that creates an embryonic connection can trigger the same behavior. The legitimate connection stays blocked until the embryonic connection times out.


As a workaround, issue either the clear xlate or the clear local-host command so that the PIX Firewall passes connections again. Both commands remove more state than the stuck embryonic entry (clear local-host flushes all connections and translation slots for the affected host, and clear xlate flushes translation slots), so existing sessions through the firewall can be interrupted.

Alternatively, upgrade to PIX software version 6.3.5, which includes the fix for this bug.
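The following is an added example, not PIX software or anything from the bug report: a deliberately simplified Python model of a stateful firewall's connection table that reproduces the failure mode described above and the effect of the clear local-host workaround. The window size (65535), the embryonic timeout (30 s), the retry schedule and the addresses are assumptions chosen for the model; a real PIX uses its own values.

```python
# Simplified model of a stateful firewall connection table, written to
# illustrate the spoofed-SYN bug described on this page. This is illustrative
# code, not PIX software; WINDOW, EMBRYONIC_TIMEOUT and the table layout are
# assumptions made for the model.
from dataclasses import dataclass

WINDOW = 65535            # assumed size of the accepted sequence-number window
EMBRYONIC_TIMEOUT = 30.0  # assumed embryonic (half-open) connection timeout, seconds
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    syn: bool
    ts: float  # arrival time in seconds


@dataclass
class ConnState:
    isn: int        # ISN learned from the first SYN seen on this 4-tuple
    created: float
    embryonic: bool = True


def seq_in_window(seq: int, base: int, size: int) -> bool:
    """True if seq lies within [base, base + size] modulo 2**32."""
    return ((seq - base) & MASK32) <= size


class Firewall:
    def __init__(self) -> None:
        self.conns = {}  # (src, sport, dst, dport) -> ConnState

    @staticmethod
    def _key(seg: Segment) -> tuple:
        return (seg.src, seg.sport, seg.dst, seg.dport)

    def _expire_embryonic(self, now: float) -> None:
        for key, conn in list(self.conns.items()):
            if conn.embryonic and now - conn.created >= EMBRYONIC_TIMEOUT:
                del self.conns[key]

    def process(self, seg: Segment) -> str:
        """Return 'PASS' or 'DROP' for one inbound segment."""
        self._expire_embryonic(seg.ts)
        key = self._key(seg)
        conn = self.conns.get(key)
        if conn is None:
            if seg.syn:
                # First SYN for this flow: create an embryonic entry and anchor
                # the sequence window to whatever ISN it carried, regardless of
                # whether the sender was the real host or a spoofer.
                self.conns[key] = ConnState(isn=seg.seq, created=seg.ts)
                return "PASS"
            return "DROP"  # no state and not a SYN
        # Existing entry: the sequence-number check is relative to the ISN
        # learned earlier, so a later SYN with an unrelated ISN is rejected.
        if not seq_in_window(seg.seq, conn.isn, WINDOW):
            return "DROP"
        return "PASS"

    def clear_local_host(self, host: str) -> int:
        """Model of 'clear local-host <host>': drop every entry involving host."""
        victims = [k for k in self.conns if host in (k[0], k[2])]
        for k in victims:
            del self.conns[k]
        return len(victims)


CLIENT, SERVER = "10.1.1.5", "192.0.2.10"  # constructed sample addresses


def scenario_blocked_until_cleared() -> list:
    """Spoofed SYN, then the real host's SYN and a retransmit, then the workaround."""
    fw = Firewall()
    spoofed = Segment(CLIENT, 40000, SERVER, 80, seq=1_000_000, syn=True, ts=0.0)
    real = Segment(CLIENT, 40000, SERVER, 80, seq=3_000_000_000, syn=True, ts=1.0)
    retx = Segment(CLIENT, 40000, SERVER, 80, seq=3_000_000_000, syn=True, ts=4.0)
    results = [fw.process(spoofed), fw.process(real), fw.process(retx)]
    fw.clear_local_host(CLIENT)  # the workaround described on the page
    retx2 = Segment(CLIENT, 40000, SERVER, 80, seq=3_000_000_000, syn=True, ts=7.0)
    results.append(fw.process(retx2))
    return results  # ['PASS', 'DROP', 'DROP', 'PASS']


def scenario_blocked_until_timeout() -> list:
    """Same setup, but the real host keeps retrying until the embryonic entry expires."""
    fw = Firewall()
    spoofed = Segment(CLIENT, 40001, SERVER, 80, seq=1_000_000, syn=True, ts=0.0)
    results = [fw.process(spoofed)]
    for t in (1.0, 4.0, 10.0, 22.0, 46.0):  # assumed, roughly exponential SYN retries
        results.append(fw.process(
            Segment(CLIENT, 40001, SERVER, 80, seq=3_000_000_000, syn=True, ts=t)))
    return results  # ['PASS', 'DROP', 'DROP', 'DROP', 'DROP', 'PASS']


if __name__ == "__main__":
    print(scenario_blocked_until_cleared())
    print(scenario_blocked_until_timeout())
```

The model keys state on the full 4-tuple, so the spoofed segment only poisons the flow it exactly matches; that is why the page's description requires the spoofed packet to use the same connection as the real host. The second scenario shows the page's other outcome: without the workaround, the legitimate SYN passes only once the embryonic entry has aged out.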
