PIX 535 Deny TCP flags PSH ACK on interface inside

We are using a Pix 535 firewall and we're trying to establish a VPN connection from inside our network to another network. (not site-to-site VPN).

This is just a simple connection using the Windows VPN client. On the firewall logs we are getting:

Deny TCP (no connection) (172.16.x.x /2903) to (64.42.x.x/1723) flags PSH ACK on interface inside

Deny TCP src outside:(64.42.x.x/1723) dst inside: (216.110.x.x/54922) by access-group "aclout"

The weird thing is that sometimes it connects and sometimes it doesn't. (i.e. if you try to VPN a few times, it will start working).

It seems that when the reply comes back on a high number port sometimes it works and sometimes it doesn't.

The other side is using a Microsoft VPN server. I checked with a tech on the other side and they don't have any call back features enabled.

We can successfully VPN to other networks just fine.

I'm thinking that sometimes the other side resets the connection, so our firewall sees it as a brand new connection and it denies it.

Any ideas??

2 Replies

rmeans
Level 3

What OS is your PIX 535? Have you enabled fixup protocol pptp 1723 (6.x) or inspect pptp (7.x)?

abinjola
Cisco Employee

Can you post your config here?
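
Added example (not part of any post in this thread): a small Python triage script that parses the two deny message shapes quoted in the question and counts the ones touching TCP/1723 per remote peer, which helps check whether the denies stop after the PPTP fixup/inspect setting asked about in the first reply is changed. The function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter

PPTP_CONTROL_PORT = 1723  # TCP port seen in the thread's log lines

def _ep(p):
    # One endpoint "ip/port"; tolerates the parentheses, stray spaces and
    # redacted "x.x" octets used in the thread's pasted log lines.
    return rf"\(?\s*(?P<{p}_ip>[\w.]+)\s*/\s*(?P<{p}_port>\d+)\s*\)?"

NO_CONN = re.compile(
    r"Deny TCP \(no connection\)\s+(?:from\s+)?" + _ep("src") + r"\s+to\s+"
    + _ep("dst") + r"\s+flags\s+(?P<flags>[A-Z ]+?)\s+on interface\s+(?P<ifc>\S+)")
ACL_DENY = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>\w+):\s*" + _ep("src")
    + r"\s+dst (?P<dst_if>\w+):\s*" + _ep("dst")
    + r'\s+by access-group "(?P<acl>[^"]+)"')

def classify(line):
    """Return a dict of parsed fields for a recognised deny line, else None."""
    for kind, rx in (("no-connection", NO_CONN), ("acl-deny", ACL_DENY)):
        m = rx.search(line)
        if m:
            rec = m.groupdict()
            ports = (int(rec["src_port"]), int(rec["dst_port"]))
            is_tcp = rec.get("proto", "TCP").upper() == "TCP"
            rec.update(kind=kind, pptp=is_tcp and PPTP_CONTROL_PORT in ports)
            return rec
    return None

def summarize(log_text):
    """Count denies that touch TCP/1723, keyed by (kind, remote peer)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["pptp"]:
            side = "src" if int(rec["src_port"]) == PPTP_CONTROL_PORT else "dst"
            counts[(rec["kind"], rec[side + "_ip"])] += 1
    return counts

# Constructed sample (documentation address ranges, not values from the post).
SAMPLE_LOG = """\
Deny TCP (no connection) from 172.16.0.10/2903 to 203.0.113.5/1723 flags PSH ACK on interface inside
Deny TCP src outside:203.0.113.5/1723 dst inside:198.51.100.7/54922 by access-group "aclout"
Deny TCP (no connection) from 172.16.0.10/2903 to 203.0.113.5/1723 flags ACK on interface inside
Deny TCP src outside:203.0.113.9/445 dst inside:198.51.100.7/445 by access-group "aclout"
"""

if __name__ == "__main__":
    for (kind, peer), n in summarize(SAMPLE_LOG).items():
        print(f"{peer:15} {kind:14} {n}")
```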
