Cisco Support Community
New Member

pix 7.0.4 drops legitimate vpn traffic after de-cryption

I have a VPN setup terminated on a PIX 515E on my side from a business partner. They have an HP-UX box that sends print jobs over the VPN to a server on my side using LPD. Seemingly at random, when the number of jobs gets heavy, the HP-UX box shuts down its print queues that point to my server. Other traffic is unaffected.

After much troubleshooting I discovered it is the PIX 515E at my site dropping packets after they are decrypted.

When I do a "show asp drop" I can see several counters incrementing. When I did a "capture <name> type asp-drop all", there were the packets from the remote HP-UX box. After further captures, I determined that the asp-drop reason is "TCP DUP and has been ACKed".

From the remote site, a debug shows that the HP-UX box is simply resending a packet for which it did not receive an ACK. Every one of the retransmits is blocked in the manner above, by my PIX.

My question is: what exactly does "TCP DUP and has been ACKed" mean, and what conditions must exist for the ASP in PIX version 7.x to drop a packet in this manner?

I have been pulling my hair out over this one; any help would be greatly appreciated. Layer 2, the hosts, ACLs and NAT have all been eliminated...
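The troubleshooting step described in the post above, watching "show asp drop" to see which counters are incrementing, is tedious to do by eye when the output has dozens of lines. The following script is an added example, not code from the original thread or from Cisco: it parses two snapshots of the counter output taken some seconds apart, diffs them, and reports only the reasons that grew, largest first, so the one worth a targeted capture stands out. The two snapshots are constructed sample text in the general shape of the PIX/ASA output; the reason description "TCP DUP and has been ACKed" is from the thread, while the short names in parentheses (such as "tcp-acked") and every counter value are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two successive "show asp drop" snapshots taken 10 s apart.
# Counter values and the short names in parentheses are made up for this example.
SNAPSHOT_BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                       3
  First TCP packet not SYN (tcp-not-syn)                            12
  TCP DUP and has been ACKed (tcp-acked)                            40

Flow drop:
  Inspection failure (inspect-fail)                                  2
"""

SNAPSHOT_AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                       3
  First TCP packet not SYN (tcp-not-syn)                            13
  TCP DUP and has been ACKed (tcp-acked)                            97

Flow drop:
  Inspection failure (inspect-fail)                                  2
"""

# One counter line: indented description, "(short-name)", then an integer count.
LINE_RE = re.compile(
    r"^\s+(?P<reason>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$"
)


def parse_asp_drop(text: str) -> Dict[str, Tuple[str, str, int]]:
    """Map each drop-reason short name to (section, description, count).

    Section headers are the unindented lines ending in ':' (e.g. "Frame drop:").
    Lines that do not look like a counter are ignored, so banner or blank lines
    in real output do not break the parse.
    """
    section = ""
    counters: Dict[str, Tuple[str, str, int]] = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            section = line.rstrip()[:-1]
            continue
        match = LINE_RE.match(line)
        if match:
            counters[match["name"]] = (section, match["reason"], int(match["count"]))
    return counters


def incrementing(
    before: Dict[str, Tuple[str, str, int]],
    after: Dict[str, Tuple[str, str, int]],
    interval_s: float,
) -> List[Tuple[str, str, int, float]]:
    """Return (short_name, description, delta, drops_per_second) for every
    counter that grew between the snapshots, sorted by delta, largest first.

    A reason that appears only in the later snapshot is treated as starting
    from zero, which is what happens when a counter first fires.
    """
    rows: List[Tuple[str, str, int, float]] = []
    for name, (section, reason, count) in after.items():
        previous = before.get(name, (section, reason, 0))[2]
        delta = count - previous
        if delta > 0:
            rows.append((name, reason, delta, delta / interval_s))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


def report(before_text: str, after_text: str, interval_s: float) -> List[str]:
    """Render the incrementing counters as aligned text lines."""
    rows = incrementing(parse_asp_drop(before_text), parse_asp_drop(after_text), interval_s)
    width = max((len(r[1]) for r in rows), default=0)
    return [f"{reason:<{width}}  ({name})  +{delta:>6}  {rate:8.2f}/s"
            for name, reason, delta, rate in rows]


if __name__ == "__main__":
    for line in report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, interval_s=10.0):
        print(line)
```

In practice you would paste the two real snapshots into the two string constants (or read them from files saved from the console) and note the wall-clock gap between them. The reason at the top of the list is the one to feed into a targeted asp-drop capture, which keeps the capture buffer from filling with unrelated drops the way the "all" form in the post does.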

New Member

Re: pix 7.0.4 drops legitimate vpn traffic after decryption

Update: Downgrading to 6.3(5) resolves this issue. However, there are features in 7.x that I will be needing in the near future.

How does one submit a bug report?
