PIX 7.0.4 drops legitimate VPN traffic after decryption
I have a VPN setup terminated on a PIX 515E on my side from a business partner. They have an HPUX box that sends print jobs over the VPN to a server on my side using LPD. Seemingly at random, when the number of jobs gets heavy, the HPUX box shuts down its print queues that point to my server. Other traffic is unaffected.
After much troubleshooting I discovered it is the PIX 515E at my site dropping packets after they are decrypted.
When I do a sho asp drop I can see several counters incrementing. When I did a capture <name> type asp drop all, there were the packets from the remote HPUX box. After further captures, I determined that the asp-drop reason is "TCP DUP and has been ACKed".
From the remote site, a debug shows that the HPUX box is simply resending a packet for which it did not receive an ACK. Every one of the retransmits is blocked in the manner above, by my PIX.
My question is: what exactly does "TCP DUP and has been ACKed" mean, and what conditions must exist for the ASP in PIX ver 7.x to drop a packet in this manner?
I have been pulling my hair out over this one; any help would be greatly appreciated. Layer 2, the hosts, ACLs and NAT have all been eliminated...