On 29 Jun 99, at 10:54, Gordon Douglass wrote:
> Has anyone seen a PIX deny connections to statically built connections that
> have valid conduits?
>
> %PIX-2-106001: Inbound TCP connection denied from src/port to dst/port flags
> FIN ACK
> %PIX-2-106001: Inbound TCP connection denied from src/port to dst/port flags
> ACK
> %PIX-2-106001: Inbound TCP connection denied from src/port to dst/port flags
> RST ACK
> %PIX-2-106001: Inbound TCP connection denied from src/port to dst/port flags
> RST
>
> One example that I have is some hotmail servers that I will sendmail from
> will be denied. NOTE I said "some", meaning some work, some don't. I will
> see the above error message with the dst/port being my mail server.
> In addition I see this on some web services.
> It seems to be an intermittent problem, but I can't understand why the PIX
> is allowing the ESTABLISHED to occur and then, for no apparent reason,
> starts to block the ACKs and others...
I've seen two cases that might, at first glance, resemble what you think
you see:
1. Sometimes the internal host times out and gives up before the external
responds. In this case, not only the ESTABLISHED but also the tear-down
occur before the response arrives and is rejected.
2. Occasionally, the rejected response is from a different IP address than
the ESTABLISHED connection was addressed to. We have an active issue right
now with a site where two different IP addresses answer when we try to
connect to one of them. [The PIX is throwing out the one that doesn't match,
so the only harm is the log entries. But I wonder what would happen if we
didn't have it.]
David G
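The two cases David describes can be told apart in the logs by the TCP flags and by whether the source address is one the inside host actually connected to. The following is an added example, not code from the thread: it parses %PIX-2-106001 lines in the format quoted above and sorts each denial into "late-reply" (no SYN, from a peer we did talk to, i.e. case 1), "mismatched-peer" (no SYN, from an address we never connected to, i.e. case 2) or "new-attempt" (SYN set, a genuine unsolicited inbound connection). The sample log lines and the KNOWN_PEERS set are constructed for the example; the optional "on interface X" suffix and the idea of building KNOWN_PEERS from the PIX's own "Built outbound TCP connection" messages are assumptions, not something the post states.

```python
import re
from collections import Counter

# Syslog format quoted in the thread: "%PIX-2-106001: Inbound TCP connection denied
# from SRC/PORT to DST/PORT flags FLAGS". The trailing "on interface X" is an
# assumption (later PIX releases append it); it is optional in the regex.
LINE_RE = re.compile(
    r"%PIX-2-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)(?: on interface (?P<iface>\S+))?\s*$"
)

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = """\
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/25 to 192.0.2.5/1041 flags FIN ACK
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/25 to 192.0.2.5/1041 flags ACK
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.11/25 to 192.0.2.5/1042 flags RST ACK
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.9/80 to 192.0.2.8/1100 flags SYN
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/25 to 192.0.2.5/1043 flags RST on interface outside
"""

# Constructed: the outside addresses that inside hosts really initiated
# connections to. Assumed to be gathered from the firewall's own
# "Built outbound TCP connection" log lines or from the mail server's logs.
KNOWN_PEERS = {"203.0.113.10"}


def parse_line(line):
    """Return a dict for a 106001 line, or None if the line is something else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = frozenset(rec["flags"].split())
    return rec


def classify(rec, known_peers):
    """Map one denial record to the cases discussed in the thread."""
    if "SYN" in rec["flags"]:
        # A SYN is a real connection attempt, not leftovers of an old session.
        return "new-attempt"
    if rec["src"] in known_peers:
        # Non-SYN segment from a host we did connect to: the inside host gave
        # up and the PIX tore down its state before the reply arrived (case 1).
        return "late-reply"
    # Non-SYN segment from an address we never addressed: a different host is
    # answering than the one we connected to (case 2).
    return "mismatched-peer"


def triage(log_text, known_peers=KNOWN_PEERS):
    """Count 106001 denials per category across a block of syslog text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[classify(rec, known_peers)] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{category:16s} {n}")
```

One caveat when reading the output: the "mismatched-peer" bucket also catches ACK, FIN or RST probes sent deliberately from outside (the classic ACK scan of a stateful firewall looks identical on the wire), so a burst of non-SYN denials from an address nobody inside has talked to deserves a look rather than being written off as a misbehaving remote site.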