Some TCP traffic (ssh and Telnet sessions) gets reset after being allowed for some minutes through our PIX 520, image 6.0(2). Going through the Cisco bug sheet, I found out this problem belongs to bug CSCdr11711, which should be resolved by upgrading to 5.0(1) or later. So does anyone know why this is happening, and if there's a command to eliminate the timeout of the sessions?
The bug you mention has to do with someone forging TCP RST packets for your connection. Prior to this bug fix the PIX only checked the source/dest addresses and ports in the RST packet and would close the connection; it wouldn't check for the correct ACK/SEQ numbers. Unless someone is forging TCP RST packets for your connection, this has nothing to do with your problem.
What are your conn and xlate idle timers set to? Are these connections idle, or are they disconnected even if the user is typing something in? Are they always disconnected at the same time interval, or is it random? Is it only Telnet and SSH sessions? What does the PIX syslog show when this happens? Can you put a sniffer on these segments (both inside and outside) and see where the RST is actually coming from?
I'm not very sure that I understand exactly which TCP connections are reset. Some NATed traffic, or some management connection to the PIX box?
If some NAT traffic is reset, please check whether those TCP connections have the ECN flag set. The PIX TCP NAT stack follows the RFCs with a large delay (more than a year) and only on demand (if you open a case for it). There was a very huge problem with non-support of ECN flags and HotMail, for example (they use a PIX), so they were not able to receive mail from ECN-enabled hosts. Probably your problem is not that, but anyway, you should upgrade to 6.1, or better to 6.2, to resolve that ECN issue.
I just want to note that the earliest 2.4 Linux kernels had the ECN option set on by default (because of the PIX/Hotmail problems, Linux gurus decided to set it off by default in later kernels).
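Two things in the replies above are worth seeing in code: the RST handling the second reply describes (a firewall that tears a connection down on any RST whose ports match, versus one that also checks the sequence number), and the ECN flag combination the ECN replies refer to. The following is an added example written for this thread; it is not code from the posters or from Cisco, and nothing in it reproduces PIX internals. It parses a plain 20-byte TCP header, applies three RST acceptance policies (the ports-only behaviour described above, the RFC 793 in-window test, and the stricter RFC 5961 exact-match/challenge-ACK rule), and flags an ECN-setup SYN (SYN with both ECE and CWR set, RFC 3168). The connection state and the four segments are constructed sample values, not captured traffic.

```python
import struct
from dataclasses import dataclass

# TCP flag bits in the low byte of the data-offset/flags field
# (RFC 793 for FIN..URG, RFC 3168 for ECE and CWR).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
MOD32 = 1 << 32


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=8192):
    """Pack a minimal 20-byte TCP header (no options, checksum left zero).
    Used only to construct the sample segments below."""
    off_flags = (5 << 12) | flags  # data offset of 5 words plus 8 flag bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(data):
    """Parse the fixed TCP header; options and payload are ignored."""
    if len(data) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return TcpSegment(src, dst, seq, ack, off_flags & 0xFF)


def ecn_setup_syn(seg):
    """RFC 3168 s6.1.1: a SYN carrying both ECE and CWR asks to negotiate ECN.
    This is the flag combination the ECN replies above refer to."""
    return seg.flags & (SYN | ECE | CWR) == (SYN | ECE | CWR)


@dataclass
class ConnState:
    """Receiver-side view of one established connection."""
    local_port: int
    remote_port: int
    rcv_nxt: int  # next sequence number expected from the peer
    rcv_wnd: int  # size of the receive window


def _in_window(seq, rcv_nxt, rcv_wnd):
    # RFC 793 acceptability test, with modulo-2^32 sequence arithmetic.
    return (seq - rcv_nxt) % MOD32 < rcv_wnd


def _ports_match(state, seg):
    return seg.dst_port == state.local_port and seg.src_port == state.remote_port


def rst_decision_tuple_only(state, seg):
    """Behaviour the thread attributes to the pre-fix PIX: tear the connection
    down on any RST whose ports match, without looking at SEQ at all."""
    if not seg.flags & RST:
        return "ignore"
    return "reset" if _ports_match(state, seg) else "drop"


def rst_decision_rfc793(state, seg):
    """RFC 793: honour a RST only if its SEQ falls inside the receive window."""
    if not seg.flags & RST:
        return "ignore"
    if not _ports_match(state, seg):
        return "drop"
    return "reset" if _in_window(seg.seq, state.rcv_nxt, state.rcv_wnd) else "drop"


def rst_decision_rfc5961(state, seg):
    """RFC 5961 s3.2: reset only on an exact RCV.NXT match; an in-window but
    inexact RST is answered with a challenge ACK instead of a teardown."""
    if not seg.flags & RST:
        return "ignore"
    if not _ports_match(state, seg):
        return "drop"
    if seg.seq == state.rcv_nxt:
        return "reset"
    if _in_window(seg.seq, state.rcv_nxt, state.rcv_wnd):
        return "challenge-ack"
    return "drop"


# Constructed sample data (not captured traffic): an SSH connection on local
# port 22 from remote port 40000, three RST segments aimed at it, and one
# ECN-setup SYN.
STATE = ConnState(local_port=22, remote_port=40000, rcv_nxt=1000, rcv_wnd=8192)
SAMPLES = {
    "exact_rst": build_tcp_header(40000, 22, 1000, 0, RST | ACK),
    "inwindow_rst": build_tcp_header(40000, 22, 1500, 0, RST | ACK),
    "blind_rst": build_tcp_header(40000, 22, 5_000_000, 0, RST | ACK),
    "ecn_syn": build_tcp_header(40000, 22, 1, 0, SYN | ECE | CWR),
}


def classify_samples():
    """Run every sample through the three RST policies and the ECN check."""
    out = {}
    for name, raw in SAMPLES.items():
        seg = parse_tcp_header(raw)
        out[name] = {
            "tuple_only": rst_decision_tuple_only(STATE, seg),
            "rfc793": rst_decision_rfc793(STATE, seg),
            "rfc5961": rst_decision_rfc5961(STATE, seg),
            "ecn_setup": ecn_setup_syn(seg),
        }
    return out


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:13s} {result}")
```

The `blind_rst` sample is the case the second reply is about: its sequence number is nowhere near the receive window, so the ports-only policy resets the session while both RFC-based policies drop it. The `inwindow_rst` sample shows why RFC 5961 was added on top of RFC 793: an in-window but inexact RST still resets under the older rule, whereas the stricter rule only sends a challenge ACK. When troubleshooting a case like the one in this thread, the same sequence-number check applied to a sniffer capture of the RST tells you whether the reset came from a genuine endpoint or from somewhere else.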
I was wondering about the ssh and telnet sessions timing out. Does this bug still exist in PIX 515E image 6.2(2)? Because where I'm at we are experiencing a large amount of telnet timeouts which appear to be at random intervals. These sessions are left hanging and more are created until there are no more licenses for sessions, or until we clear out all hung telnet sessions. We currently have the telnet and ssh timeouts set to 60 like a book on the PIX box recommends. I'm open to suggestions.