Cisco IOS 12.3.5a vs IOS 12.3.3c

jdmcdonald
Level 1

I have a 2621 running IP, firewall, IDS, and NAT. I have opened the appropriate ports to allow a PCAnywhere client through the firewall to host on the inside. This works fine on IOS 12.3.3c and below. The connection starts, but does not complete when running 12.3.5a. Is this an issue with Cisco Control Plane Policing which became available in IOS version 12.3.4T and up, or is there an undocumented bug in the 12.3.5 code?

Accepted Solution

gfullage
Cisco Employee

There's a documented bug in 12.3(5) with IOS FW not allowing outside-initiated connections to start to inside hosts. Basically the firewall drops the TCP SYN-ACK packet returning from the inside host, so the 3-way handshake never completes. Inside-initiated connections outbound are not affected.

Bug ID is CSCec78231, you can read about it here:

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search

Stick with 12.3(3) for the moment, should already be resolved in 12.3(6) when it comes out.


Wow, I had exactly the same problem with my router running the same image, trying to connect to the router's ports 443 or 22 from outside. What timing. Just searched the forum and found this on the first hit :D

Thanks for the info.

I've tried a handful of the older 12.3 releases, but most of them seem to be affected by this problem (also according to the Bug ID). Or if it should happen to work, then ip inspect doesn't.

Looking forward to 12.3(6).

Just a side note. This issue is still a problem on 12.3.6 and 12.3.6a. Hang onto your 12.3.3e for now. Or you can always remove your IP inspect commands!

Another note, 12.3.9 doesn't work either. Am I missing something, do I have to modify my configuration due to something new in these newer IOS releases. Will anyone respond?

I have verified that 12.3.9a works properly. I am now able to get away from the deferred release of 12.3.3e. If anyone has any questions about this, email me at jmcdonald@gci.com.

I'm up to 12.3.10, and have discovered a minor flaw. Everything works through my firewall from the outside coming in with PCAnywhere. Any connections on my inside network coming from int fa 0/0 to any other network on the inside of my network do not work. When I connect from int e1/0 to any PCAnywhere device it works. All interfaces have IP inspect inbound. When I turn IP inspect off on the fa 0/0 interface, PCAnywhere works. It sounds like Cisco still needs to work out this bug.

My apologies, I have discovered that my HSRP configuration for one of the networks behind my firewall was flawed. This caused an issue when internally connecting from one specific internal network to another specific internal network via PCAnywhere. I have corrected my HSRP configuration and all works as it should have. I am now on 12.3.10a.