Cisco Support Community
Community Member

PIX 7 : Wrong Sequence number in a RST ACK

Hi Everyone,

My Firewall : PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz - Software Version 7.0(4)

My BIG problem:

In a "particular condition", in answer to a SYN ACK, the PIX sends a RST ACK to the server with a SEQ number 1 HIGHER than it should be.

Example :

Source : 10.26.50.1 (server) Destination : 10.246.66.227 (client)

Source Port : 80 () Destination Port: 1414 ()

Sequence Number : 2191510856 Ack Number: 680687843

Header Length : 24 Flags: Ack Syn

Source : 10.246.66.227 (client) Destination : 10.26.50.1 (server)

Source Port : 1414 () Destination Port: 80 ()

Sequence Number : 680687844 Ack Number: 2191510857

Header Length : 20 Flags: Ack Rst

Source : 10.26.50.1 (server) Destination : 10.246.66.227 (client)

Source Port : 80 () Destination Port: 1414 ()

Sequence Number : 2191510857 Ack Number: 680687843

Header Length : 24 Flags: Ack Syn

Source : 10.246.66.227 (client) Destination : 10.26.50.1 (server)

Source Port : 1414 () Destination Port: 80 ()

Sequence Number : 680687844 Ack Number: 2191510858

Header Length : 20 Flags: Ack Rst

The server ignores this and sends out the ACK SYN again and this looping condition continues.

The logging (level 7) on the pix is like this :

PIX- %PIX-6-106015: Deny TCP (no connection) from 10.26.50.1/80 to 10.246.66.227/1414 flags SYN ACK on interface inside

PIX- %PIX-6-106015: Deny TCP (no connection) from 10.26.50.1/80 to 10.246.66.227/1414 flags SYN ACK on interface inside

PIX- %PIX-6-106015: Deny TCP (no connection) from 10.26.50.1/80 to 10.246.66.227/1414 flags SYN ACK on interface inside

PIX- %PIX-6-106015: Deny TCP (no connection) from 10.26.50.1/80 to 10.246.66.227/1414 flags SYN ACK on interface inside

...

Help me please ...
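Added example, not part of the original post: a small Python check that pairs each RST in the trace above with the SYN ACK it answers and reports how far the RST's Sequence Number is from that SYN ACK's Ack Number (the value RFC 793 gives a reset sent for a connection that does not exist), then counts repeated 106015 denies per flow to spot the loop. The packet and log values are copied from the post; the function names and the `threshold` parameter are assumptions made for this example.

```python
import re
from collections import Counter

# Values copied from the trace and log lines in the post above.
TRACE = [
    # (src, sport, dst, dport, seq, ack, flags)
    ("10.26.50.1", 80, "10.246.66.227", 1414, 2191510856, 680687843, {"SYN", "ACK"}),
    ("10.246.66.227", 1414, "10.26.50.1", 80, 680687844, 2191510857, {"RST", "ACK"}),
    ("10.26.50.1", 80, "10.246.66.227", 1414, 2191510857, 680687843, {"SYN", "ACK"}),
    ("10.246.66.227", 1414, "10.26.50.1", 80, 680687844, 2191510858, {"RST", "ACK"}),
]
LOG = ["PIX- %PIX-6-106015: Deny TCP (no connection) from 10.26.50.1/80 "
       "to 10.246.66.227/1414 flags SYN ACK on interface inside"] * 4

DENY_RE = re.compile(r"%PIX-6-106015: Deny TCP \(no connection\) from "
                     r"(\S+)/(\d+) to (\S+)/(\d+) flags (.+?) on interface (\S+)")

def rst_seq_offsets(trace):
    """For each RST answering a SYN ACK, return RST.seq - SYNACK.ack (mod 2**32)."""
    pending = {}   # flow (src, sport, dst, dport) -> last SYN ACK seen on it
    offsets = []
    for src, sport, dst, dport, seq, ack, flags in trace:
        if flags == {"SYN", "ACK"}:
            pending[(src, sport, dst, dport)] = (seq, ack)
        elif "RST" in flags:
            # The RST travels in the reverse direction of the SYN ACK.
            synack = pending.pop((dst, dport, src, sport), None)
            if synack is not None:
                offsets.append((seq - synack[1]) % 2**32)
    return offsets

def deny_loops(lines, threshold=3):
    """Count 106015 SYN ACK denies per flow; return flows seen >= threshold times.

    threshold is a hypothetical cut-off chosen for this example.
    """
    counts = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m and m.group(5) == "SYN ACK":
            counts[(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))] += 1
    return {flow: n for flow, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print("RST seq offset vs SYN ACK ack:", rst_seq_offsets(TRACE))
    print("looping flows:", deny_loops(LOG))
```

An offset of 0 means the RST carries the sequence number the SYN ACK acknowledged; any other value is the discrepancy to report when opening a case.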

1 ACCEPTED SOLUTION

Community Member

Re: PIX 7 : Wrong Sequence number in a RST ACK

Are you using the SSM-CSC module in this unit?

Look at the ASA722 release notes. I think one of the caveats it fixes is packets not being reconstructed in proper order. This could be what you're seeing.
