
pix7.0 RST ACK

bma
Level 1

Hi

We run a PIX525 ver 7.01 and get the following error when traffic goes from inside to dmz:

2007-04-17 20:31:56 UTC Local0.Info 192.168.252.1 Apr 17 2007 04:08:23 : %PIX-6-106015: Deny TCP (no connection) from 192.168.1.x/443 to 192.168.0.x/1911 flags RST ACK on interface dmz1

The dmz IP is in 1.x, the inside is in 0.x.

please send email to ben05_ma@yahoo.com

please help.

Thanks

ben


Patrick Iseli
Level 7

I guess that the connection was closed because there was no activity for more than the default 60 minutes of inactivity.

The default inactivity timeout of TCP connections is 60 minutes. If there is no packet in this time the PIX closes the connection.

Then the application tries later to reuse the session, which no longer exists, which leads to your syslog message.

Cisco Reference:

Idle time after which a connection closes. Use 0:0:0 for the time value to never time out a connection. This duration must be at least 5 minutes. The default is 1 hour.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ae.html#wp1026093

sincerely

Patrick

Thanks.

This error message occurs with https access to a server in the dmz (1.x) from the inside network (0.x), and access fails. The connection is within a short time and not over 60 minutes. Ping from inside to dmz is fine. Also, https is open to the dmz network. I am confused about RST or ACK; does it relate to broken packets? Any idea?

Regards

ben

Hi, I'm experiencing a similar problem. The http traffic (from outside to DMZ) works, but we are seeing a large number of "Deny TCP (no connection)" messages in a very short time frame:

Dec 31 2007 09:08:54: %PIX-6-302013: Built inbound TCP connection 449113046 for outside:69.29.129.41/4874 (69.29.129.41/4874) to DMZ:192.168.204.3/80 (67.151.X.X/80)

Dec 31 2007 09:08:54: %PIX-6-106015: Deny TCP (no connection) from 69.29.129.41/4857 to 67.151.X.X/80 flags ACK on interface outside

Dec 31 2007 09:10:48: %PIX-6-302013: Built inbound TCP connection 449117848 for outside:209.213.22.120/1770 (209.213.22.120/1770) to DMZ:192.168.204.3/80 (67.151.X.X/80)

Dec 31 2007 09:10:48: %PIX-6-302013: Built inbound TCP connection 449117856 for outside:209.213.22.120/1771 (209.213.22.120/1771) to DMZ:192.168.204.3/80 (67.151.X.X/80)

Dec 31 2007 09:10:48: %PIX-6-302013: Built inbound TCP connection 449117864 for outside:209.213.22.120/1772 (209.213.22.120/1772) to DMZ:192.168.204.3/80 (67.151.X.X/80)

Dec 31 2007 09:10:49: %PIX-6-106015: Deny TCP (no connection) from 209.213.22.120/1772 to 67.151.X.X/80 flags RST on interface outside

Dec 31 2007 09:10:49: %PIX-6-106015: Deny TCP (no connection) from 209.213.22.120/1772 to 67.151.X.X/80 flags RST on interface outside

Dec 31 2007 09:10:49: %PIX-6-106015: Deny TCP (no connection) from 209.213.22.120/1772 to 67.151.X.X/80 flags RST on interface outside

Dec 31 2007 09:10:49: %PIX-6-106015: Deny TCP (no connection) from 209.213.22.120/1772 to 67.151.X.X/80 flags RST on interface outside

We are running PIX release 7.0(6). It has been mentioned that this bug was possibly corrected in 7.2(2); I'm not having much luck in searching the release notes. Has this been corrected in a later release?

thanks,
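For triaging logs like the ones posted in this thread, the following added example (not code from any poster or from Cisco) counts each distinct 106015 deny and marks whether a 302013 "Built" message for the same endpoint pair appeared earlier in the log. The sample lines are constructed with documentation addresses, and the name `summarize` is an assumption of this example.

```python
import re
from collections import Counter

# 302013 prints each endpoint's mapped address in parentheses; 106015
# reports those same mapped addresses in its from/to fields.
BUILT = re.compile(
    r"%PIX-6-302013: Built (?:inbound|outbound) TCP connection \d+ for "
    r"\S+?:\S+ \((\S+)\) to \S+?:\S+ \((\S+)\)")
DENY = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from (\S+) to (\S+) "
    r"flags (.+?) on interface (\S+)")

# Constructed sample lines, laid out like the messages quoted in the thread.
SAMPLE = """\
Dec 31 2007 09:10:48: %PIX-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.20/1772 (203.0.113.20/1772) to DMZ:192.168.204.3/80 (198.51.100.5/80)
Dec 31 2007 09:10:49: %PIX-6-106015: Deny TCP (no connection) from 203.0.113.20/1772 to 198.51.100.5/80 flags RST on interface outside
Dec 31 2007 09:10:49: %PIX-6-106015: Deny TCP (no connection) from 203.0.113.20/1772 to 198.51.100.5/80 flags RST on interface outside
Dec 31 2007 09:10:49: %PIX-6-106015: Deny TCP (no connection) from 203.0.113.20/1772 to 198.51.100.5/80 flags RST on interface outside
Dec 31 2007 09:10:50: %PIX-6-106015: Deny TCP (no connection) from 203.0.113.9/4857 to 198.51.100.5/80 flags ACK on interface outside
Apr 17 2007 04:08:23 : %PIX-6-106015: Deny TCP (no connection) from 192.168.1.10/443 to 192.168.0.20/1911 flags RST ACK on interface dmz1
"""

def summarize(log_text):
    """Count denies keyed by (src, dst, flags, interface, built_seen_earlier)."""
    built = set()       # unordered endpoint pairs that had a Built message
    denies = Counter()
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            built.add(frozenset(m.groups()))
            continue
        m = DENY.search(line)
        if m:
            src, dst, flags, iface = m.groups()
            # Direction-agnostic: the deny may come from either end.
            seen = frozenset((src, dst)) in built
            denies[(src, dst, flags, iface, seen)] += 1
    return denies

if __name__ == "__main__":
    for (src, dst, flags, iface, seen), n in summarize(SAMPLE).most_common():
        note = "Built seen earlier" if seen else "no Built in this log"
        print(f"{n:3d}x {src} -> {dst} [{flags}] on {iface}: {note}")
```

Denies marked "no Built in this log" are the ones to compare against a longer log window or the firewall's routing and translation setup, since the excerpt alone shows no connection for them.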
