Just a suggestion, if the outside is closing the connection and
the inside host acknowledges the end of connection, then the PIX
removes the state for this connection.
Now, if by accident, the acknowledgement of the end of connection is
lost after the PIX on the Internet, then the outside host will resend
its end of connection (normal behaviour of the outside host), but the
PIX will block it because it has seen the complete final handshake.
Hope this helps
-eric
At 10:54 29/06/1999 -0700, you wrote:
>
>Has anyone seen a PIX deny connections to statically built connections that
>have valid conduits?
>
>%PIX-2-106001: Inbound TCP connection denied from src/port to dst/port flags
>FIN ACK
>%PIX-2-106001: Inbound TCP connection denied from src/port to dst/port flags
>ACK
>%PIX-2-106001: Inbound TCP connection denied from src/port to dst/port flags
>RST ACK
>%PIX-2-106001: Inbound TCP connection denied from src/port to dst/port flags
>RST
>
>One example that I have is some hotmail servers that I will sendmail from
>will be denied. NOTE
>I said "some", meaning some work some don't. I will see the above error
>message with the dst/port being my mail server.
>In addition I see this on some web services.
>It seems to be an intermittent problem but I can't understand why the PIX is
>allowing the ESTABLISHED to occur then
>for no apparent reason starts to block the ACK's. and others...
>
>TIA,
>
>Gordon Douglass
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
Eric Vyncke
Consulting Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: [EMAIL PROTECTED] Mobile: +32-75-312.458
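
A triage sketch for the 106001 messages quoted in this thread, added here as an example and not code from either poster or from Cisco: it groups denials per flow and separates a refused opening SYN (a rule problem) from FIN/RST/ACK packets that arrive after the connection state is gone, as the reply describes. The addresses are constructed, and the category names and the optional "on interface" suffix are assumptions.

```python
import re
from collections import Counter

# Message layout as quoted in the thread; a trailing "on interface <name>" is accepted if present.
LINE_RE = re.compile(
    r"%PIX-2-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)(?: on interface \S+)?\s*$"
)

def classify(flags):
    """Heuristic: map the logged TCP flags to a likely cause (labels are assumptions)."""
    f = set(flags.split())
    if "SYN" in f and "ACK" not in f:
        return "new-connection"   # opening SYN refused: review static/conduit
    if "FIN" in f:
        return "stale-teardown"   # FIN seen after the close was already tracked
    if "RST" in f:
        return "stale-reset"      # reset for a connection with no state left
    return "stale-data"           # ACK-only segment with no matching state

def triage(lines):
    """Return {(src, dst, dport): Counter(category -> count)} for 106001 lines."""
    flows = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue              # other message IDs or unparsable lines are skipped
        key = (m["src"], m["dst"], int(m["dport"]))
        flows.setdefault(key, Counter())[classify(m["flags"])] += 1
    return flows

def needs_rule_review(counter):
    """Only a refused opening SYN points at a missing or wrong conduit."""
    return counter["new-connection"] > 0

# Constructed sample lines (documentation address ranges), not taken from the thread.
PFX = "%PIX-2-106001: Inbound TCP connection denied from "
SAMPLE = [
    PFX + "198.51.100.7/34512 to 192.0.2.25/25 flags FIN ACK on interface outside",
    PFX + "198.51.100.7/34512 to 192.0.2.25/25 flags ACK",
    PFX + "198.51.100.7/34512 to 192.0.2.25/25 flags RST on interface outside",
    PFX + "203.0.113.9/40100 to 192.0.2.25/25 flags SYN on interface outside",
]

if __name__ == "__main__":
    for flow, counts in triage(SAMPLE).items():
        print(flow, dict(counts), "review rules" if needs_rule_review(counts) else "stale state")
```
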