Legitimate TCP connections are blocked by spoofed TCP SYN packets in a PIX 500 Series Firewall with software version 6.x

Core issue

This issue is due to Cisco bug ID CSCsc14915.

The root cause of this problem is that a spoofed TCP SYN segment creates an embryonic (half-open) connection on the PIX and sets up the TCP sliding window for that connection. When the real host then sends its own SYN over the same connection (the same source and destination addresses and ports that the spoofed packet used), the sequence number of the valid segment falls outside the window anchored by the spoofed SYN, so the PIX TCP sequence number check rejects it. Any subsequent retransmissions of the valid segment are also out-of-window and are rejected by the same check.

Other spoofed TCP SYN segments that create embryonic connections can cause the same behavior. Legitimate TCP connections remain blocked until the embryonic connection times out.

Resolution

As a workaround, issue either the clear xlate command or the clear local-host command in order to remove the stale embryonic connection and allow the PIX Firewall to pass connections again.

Alternatively, download and upgrade to PIX version 6.3.5.
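A simplified model of the failure mode and the workaround described above, added here as an illustration and not PIX code or Cisco's: the window size, embryonic timeout, addresses and sequence numbers are constructed assumptions, only half-open state is modeled, and the check ignores 32-bit sequence wraparound.

```python
from dataclasses import dataclass

WINDOW = 65535            # assumed receive window the sequence check enforces
EMBRYONIC_TIMEOUT = 30.0  # seconds before a half-open entry expires (assumed)

@dataclass
class ConnEntry:
    seq_base: int    # ISN carried by the first SYN seen on this connection
    created: float   # time the embryonic entry was created

class StatefulFirewall:
    """Toy stateful inspector: first SYN on a 5-tuple fixes the window."""
    def __init__(self):
        self.table = {}  # (src_ip, src_port, dst_ip, dst_port) -> ConnEntry

    def _expire(self, now):
        for key, entry in list(self.table.items()):
            if now - entry.created > EMBRYONIC_TIMEOUT:
                del self.table[key]

    def inspect(self, now, conn, seq, syn=False):
        """Return 'forward' or 'drop' for one segment on connection `conn`."""
        self._expire(now)
        entry = self.table.get(conn)
        if entry is None:
            if not syn:
                return "drop"       # no state and no SYN: nothing to anchor to
            self.table[conn] = ConnEntry(seq_base=seq, created=now)
            return "forward"        # first SYN wins and anchors the window
        # Existing entry: the segment must land inside the window anchored by
        # whichever SYN arrived first, spoofed or not.
        if entry.seq_base <= seq < entry.seq_base + WINDOW:
            return "forward"
        return "drop"

    def clear_local_host(self, host):
        """Model of `clear local-host`: remove all state involving `host`."""
        for key in list(self.table):
            if host in (key[0], key[2]):
                del self.table[key]

def scenario(clear_at=None):
    """Spoofed SYN first, then the real client's SYN and its retransmits."""
    fw = StatefulFirewall()
    conn = ("192.0.2.10", 40000, "198.51.100.5", 80)   # constructed 5-tuple
    verdicts = [fw.inspect(0.0, conn, 0x10000000, syn=True)]  # spoofed SYN
    for t in (1.0, 4.0, 10.0, 40.0):                   # real SYN + retransmits
        if clear_at is not None and t == clear_at:
            fw.clear_local_host("192.0.2.10")          # operator workaround
        verdicts.append(fw.inspect(t, conn, 0x90000000, syn=True))
    return verdicts
```

Without the workaround the legitimate SYN and its retransmits are dropped until the embryonic entry ages out at t=40; clearing the host state at t=4 lets the next retransmit through immediately.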

Version history
Revision 1 of 1, last update 06-22-2009 04:41 PM