Cisco Support Community

New Member

TCP reset on PIX520 6.0(2)

Some TCP traffic (ssh and Telnet sessions) gets reset after being allowed through our PIX 520 (image 6.0(2)) for some minutes. Going through the Cisco bug sheet, I found out this problem belongs to bug CSCdr11711, which should be resolved by upgrading to 5.0(1) or later. So does anyone know why this is happening, and whether there's a command to eliminate the timeout of the sessions?

3 REPLIES
Cisco Employee

Re: TCP reset on PIX520 6.0(2)

The bug you mention has to do with someone forging TCP RST packets for your connection. Prior to this bug the PIX only checked the source/dest addresses and ports in the RST packet and would close the connection; it wouldn't check for the correct ACK/SEQ numbers. Unless someone is forging TCP RST packets for your connection, this has nothing to do with your problem.

What are your conn and xlate idle timers set to? Are these connections idle, or are they disconnected even if the user is typing something in? Are they always disconnected at the same time interval, or is it random? Is it only Telnet and SSH sessions? What does the PIX syslog show when this happens? Can you put a sniffer on these segments (both inside and outside) and see where the RST is actually coming from?

New Member

Re: TCP reset on PIX520 6.0(2)

I'm not very sure that I understand exactly which TCP connections are reset. Some NATed traffic, or some management connection to the PIX box?

If some NAT traffic is reset, please check whether those TCP connections have the ECN flag set. The PIX TCP NAT stack follows the RFCs with a large delay (more than a year) and only on demand (if you open a case for it). There was a very huge problem with non-support of ECN flags and HotMail, for example (they use a PIX), so they were not able to receive mail from ECN-enabled hosts. Probably your problem is not that, but anyway, you should upgrade to 6.1, or better 6.2, to resolve that ECN issue.

I just want to note that the earliest 2.4 Linux kernels have the ECN option set on by default (because of the PIX/Hotmail problems, Linux gurus decided to set it off by default in the latest kernels).

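An added example (not code from the thread, from Cisco or from the PIX) illustrating the two mechanisms the replies above describe: the Cisco employee's point that a RST should only tear down a connection when its sequence number falls inside the connection's receive window (RFC 793), not merely when the addresses and ports match, and the ECN-setup SYN (SYN with ECE and CWR set, RFC 3168) that the second reply blames for the PIX/Hotmail failures. The tracked connection, the port numbers and the packets are constructed for the demo, and the "old"/"new" split is a simplified model of the behaviour the reply describes, not the PIX implementation.

```python
"""Added example: RST sequence-window validation and ECN-setup SYN detection.

All connection state and packets below are constructed for illustration."""
import struct
from dataclasses import dataclass

# TCP flag bits, low byte of the data-offset/flags field (RFC 793, RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
MASK32 = 0xFFFFFFFF


@dataclass
class TCPSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Fixed 20-byte TCP header, no options, checksum left at zero."""
    off_flags = (5 << 12) | flags          # data offset = 5 words, 9 flag bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq & MASK32,
                       ack & MASK32, off_flags, window, 0, 0)


def parse_tcp_header(data):
    """Decode the fixed part of a TCP header (options, if present, are ignored)."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    s, d, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return TCPSegment(s, d, seq, ack, off_flags & 0x1FF, win)


def is_ecn_setup_syn(seg):
    """RFC 3168 ECN-setup SYN: SYN with both ECE and CWR set and ACK clear.
    A middlebox that treats the formerly reserved bits as an error drops or
    resets exactly these segments, which is the failure mode the reply blames
    for ECN-enabled hosts failing to reach Hotmail behind a PIX."""
    return bool(seg.flags & SYN) and not (seg.flags & ACK) \
        and (seg.flags & (ECE | CWR)) == (ECE | CWR)


@dataclass
class TrackedConn:
    """Minimal firewall state for one connection, seen from the inside host:
    rcv_nxt is the next sequence number the inside host expects from the
    outside peer, rcv_wnd the receive window it last advertised."""
    inside_port: int
    outside_port: int
    rcv_nxt: int
    rcv_wnd: int


def _in_window(seq, start, size):
    """Modular (32-bit) test for start <= seq < start + size."""
    return ((seq - start) & MASK32) < size


def rst_tears_down(seg, conn, validate_seq):
    """Should an inbound RST (outside -> inside) close conn?

    validate_seq=False models the pre-fix behaviour the reply describes: only
    the tuple is checked (ports stand in for the full 4-tuple here), so anyone
    who can guess the tuple can kill the session with a blind RST.
    validate_seq=True adds the RFC 793 rule: the RST's sequence number must
    fall inside the receive window, which a blind attacker has to guess out of
    roughly 2**32 / window possibilities."""
    if not seg.flags & RST:
        return False
    if seg.src_port != conn.outside_port or seg.dst_port != conn.inside_port:
        return False
    if not validate_seq:
        return True
    return _in_window(seg.seq, conn.rcv_nxt, conn.rcv_wnd)


def demo():
    """Constructed scenario: inside client :50000 talking to outside sshd :22."""
    conn = TrackedConn(inside_port=50000, outside_port=22,
                       rcv_nxt=0x10000000, rcv_wnd=8192)
    # Genuine RST from the server: sequence number just inside the window.
    genuine = parse_tcp_header(build_tcp_header(22, 50000, 0x10000010, 0, RST | ACK))
    # Forged RST: correct ports, but the attacker guessed the sequence number.
    forged = parse_tcp_header(build_tcp_header(22, 50000, 0xDEADBEEF, 0, RST))
    # ECN-setup SYN as an early Linux 2.4 host would send it to an SMTP server.
    ecn_syn = parse_tcp_header(build_tcp_header(50001, 25, 1, 0, SYN | ECE | CWR))
    return {
        "genuine_old": rst_tears_down(genuine, conn, validate_seq=False),
        "genuine_new": rst_tears_down(genuine, conn, validate_seq=True),
        "forged_old": rst_tears_down(forged, conn, validate_seq=False),
        "forged_new": rst_tears_down(forged, conn, validate_seq=True),
        "ecn_syn": is_ecn_setup_syn(ecn_syn),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The forged RST is accepted under the old check and rejected once the sequence window is enforced, while the genuine RST passes both; the ECN-setup SYN is the one class of packet to look for in a capture if an older PIX is suspected of dropping or resetting ECN-enabled hosts.
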
New Member

Re: TCP reset on PIX520 6.0(2)

I was wondering in regards to the ssh and telnet sessions timing out. Does this bug still exist in PIX 515E image 6.2(2)? Because where I'm at we are experiencing a large amount of telnet timeouts which appear to be at random intervals. These sessions are left hanging and more are created until there are no more licenses for sessions or until we clear out all hung telnet sessions. We currently have the telnet and ssh timeouts set to 60 like a book on the PIX box recommends. I'm open to suggestions?
