Deny TCP (no connection) simply means the PIX has not built a valid state to allow this TCP connection. It needs to see a SYN and a SYN ACK to allow the TCP connection). If this happened immediately after your upgrade, there may have been a state established prior that was lost during the upgrade. If its still happening regularly, its either a bug in 6.0 (I couldnt find one using bug tracker) or maybe shutting down the PIX will for a few minutes will force these windows boxs (139 TCP is NetBios) to realize the connection has terminated. The destination machine isnt even getting the RST but should reset itself after a few minutes anyway. Finally, try holding the connection state open longer with the sysopt connection timewait command.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...