Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

PIX 535 Deny TCP flags PSH ACK on interface inside

We are using a Pix 535 firewall and we're trying to establish a VPN connection from inside our network to another network. (not site-to-site VPN).

This is just a simple connection using the Windows VPN client. On the firewall logs we are getting:

Deny TCP (no connection) (172.16.x.x /2903) to (64.42.x.x/1723) flags PSH ACK on interface inside

Deny TCP src outside:(64.42.x.x/1723) dst inside: (216.110.x.x/54922) by access-group "aclout"

The weird thing is that sometimes it connects and sometimes it doesn't. (i.e. if you try to VPN a few times, it will start working).

It seems that when the reply comes back on a high number port sometimes it works and sometimes it doesn't.

The other side is using a Microsoft VPN server. I checked with a tech on the other side and they don't have any call back features enabled.

We can successfully VPN to other networks just fine.

I'm thinking that sometimes the other side resets the connection, so our firewall sees it as a brand new connection and it denies it.

Any ideas??

2 REPLIES
Community Member

Re: PIX 535 Deny TCP flags PSH ACK on interface inside

What OS is your PIX 535? Have you enabled fixup protocol pptp 1723 (6.x) or inspect pptp (7.x)?

Cisco Employee

Re: PIX 535 Deny TCP flags PSH ACK on interface inside

can you post your config here,...

1208
Views
0
Helpful
2
Replies
CreatePlease to create content