01-07-2004 01:46 PM - edited 03-09-2019 06:03 AM
I have a 2621 running IP, firewall, IDS, and NAT. I have opened the appropriate ports to allow a PCAnywhere client through the firewall to host on the inside. This works fine on IOS 12.3.3c and below. The connection starts, but does not complete when running 12.3.5a. Is this an issue with Cisco Control Plane Policing which became available in IOS version 12.3.4T and up, or is there an undocumented bug in the 12.3.5 code?
01-07-2004 04:38 PM
There's a documented bug in 12.3(5) with IOS FW not allowing outside-initiated connections to start to inside hosts. Basically the firewall drops the TCP SYN-ACK packet returning from the inside host, so the 3-way handshake never completes. Inside-initiated connections outbound are not affected.
Bug ID is CSCec78231, you can read about it here:
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search
Stick with 12.3(3) for the moment, should already be resolved in 12.3(6) when it comes out.
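The symptom described in this answer, as an added example that is not part of the thread: a small Python checker that correlates TCP handshake packets seen on a router's inside and outside interfaces and flags outside-initiated connections whose SYN-ACK leaves the inside host but is never forwarded to the outside interface, while inside-initiated handshakes pass. The interface labels, address ranges and the sample capture are constructed; NAT is left out so both interfaces show the same 4-tuple.

```python
import ipaddress
from collections import defaultdict

# Constructed for this example: inside address space behind the router.
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample capture: (interface, src, sport, dst, dport, tcp_flags) as seen
# on the inside ("in") and outside ("out") interfaces. NAT is omitted so both
# interfaces show the same 4-tuple; addresses are documentation ranges.
SAMPLE = [
    # Outside PCAnywhere client -> inside host (TCP 5631): SYN is forwarded...
    ("out", "203.0.113.10", 40001, "192.0.2.20", 5631, "S"),
    ("in", "203.0.113.10", 40001, "192.0.2.20", 5631, "S"),
    # ...the host answers, but its SYN-ACK never appears on the outside interface.
    ("in", "192.0.2.20", 5631, "203.0.113.10", 40001, "SA"),
    # Inside-initiated HTTPS connection: the whole handshake is visible on both sides.
    ("in", "192.0.2.30", 51000, "203.0.113.80", 443, "S"),
    ("out", "192.0.2.30", 51000, "203.0.113.80", 443, "S"),
    ("out", "203.0.113.80", 443, "192.0.2.30", 51000, "SA"),
    ("in", "203.0.113.80", 443, "192.0.2.30", 51000, "SA"),
    ("in", "192.0.2.30", 51000, "203.0.113.80", 443, "A"),
]

def is_inside(ip):
    return any(ipaddress.ip_address(ip) in net for net in INSIDE_NETS)

def flow_key(src, sport, dst, dport, flags):
    # Canonical (client, server) tuple: the SYN sender is the client, and a
    # SYN-ACK travels server -> client, so its endpoints are swapped.
    return (dst, dport, src, sport) if flags == "SA" else (src, sport, dst, dport)

def find_dropped_synacks(packets):
    """Return {flow: direction} for handshakes whose SYN-ACK was seen on the
    server-facing interface but never on the client-facing one, i.e. the
    router itself dropped the returning SYN-ACK."""
    synack_ifaces = defaultdict(set)  # flow -> interfaces where a SYN-ACK was seen
    syn_flows = set()
    for iface, src, sport, dst, dport, flags in packets:
        if flags == "S":
            syn_flows.add(flow_key(src, sport, dst, dport, flags))
        elif flags == "SA":
            synack_ifaces[flow_key(src, sport, dst, dport, flags)].add(iface)
    dropped = {}
    for flow in syn_flows:
        inbound = not is_inside(flow[0])  # client address outside -> outside-initiated
        server_side, client_side = ("in", "out") if inbound else ("out", "in")
        seen = synack_ifaces.get(flow, set())
        if server_side in seen and client_side not in seen:
            dropped[flow] = "outside-initiated" if inbound else "inside-initiated"
    return dropped
```

Running `find_dropped_synacks(SAMPLE)` reports only the PCAnywhere flow, which is the pattern to look for when comparing captures taken on both sides of the router.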
01-07-2004 11:53 PM
Wow, I had exactly the same problem with my router running the same image, trying to connect to the router's ports 443 or 22 from outside. What a timing. Just searched the forum and found this on the first hit :D
Thanks for the info.
01-08-2004 03:18 PM
I've tried a handful of the older 12.3 releases, but most of them seem to be affected by this problem (also according to the Bug ID). Or if it should happen to work, then ip inspect doesn't.
Looking forward to 12.3(6).
04-07-2004 07:56 PM
Just a side note. This issue is still a problem on 12.3.6 and 12.3.6a. Hang onto your 12.3.3e for now. Or you can always remove your IP inspect commands!
05-19-2004 01:37 AM
Another note: 12.3.9 doesn't work either. Am I missing something? Do I have to modify my configuration due to something new in these newer IOS releases? Will anyone respond?
08-07-2004 11:33 PM
I have verified that 12.3.9a works properly. I am now able to get away from the deferred release of 12.3.3e. If anyone has any questions about this, email me at jmcdonald@gci.com.
09-12-2004 12:01 AM
I'm up to 12.3.10, and have discovered a minor flaw. Everything works through my firewall from the outside coming in with PCAnywhere. Any connections on my inside network coming from int fa 0/0 to any other network on the inside of my network do not work. When I connect from int e1/0 to any PCAnywhere device it works. All interfaces have IP inspect inbound. When I turn IP inspect off on the fa 0/0 interface, PCAnywhere works. It sounds like Cisco still needs to work out this bug.
10-27-2004 01:24 AM
My apologies, I have discovered that my HSRP configuration for one of the networks behind my firewall was flawed. This caused an issue when internally connecting from one specific internal network to another specific internal network via PCAnywhere. I have corrected my HSRP configuration and all works as it should have. I am now on 12.3.10a.