[c-nsp] pix 535 issue
Matt Buford
matt at overloaded.net
Tue Dec 13 15:02:32 EST 2005
It is probably worth noting that Cisco's own CSM (Content Switching Module)
load balancer violates this if you turn on cookie insertion.
The symptom I saw is that some users were unable to access web sites behind
my load balancer. A packet capture from the workstation point of view
showed a connection, GET, a gap in the TCP sequence numbers (where their PIX
dropped the packet) and then the HTTP body packets. Of course, this gap in
the TCP sequence kills the connection.
If you install the Cisco VPN client on your workstation (reducing your MSS
below MTU), place your workstation behind a PIX 7.0 firewall (enforcing
MSS), and attempt to access a CSM load balanced site with cookie insertion
whose header response packet is large enough that it exceeds MSS after
cookie insertion without exceeding MSS and getting fragmented, you will be
unable to access that web site.
CSCsb59273 covers this issue on the CSM.
----- Original Message -----
From: "Brant I. Stevens" <branto at branto.com>
To: "Alban Dani" <albcisco at gmail.com>; <cisco-nsp at puck.nether.net>
Sent: Monday, December 05, 2005 9:58 PM
Subject: Re: [c-nsp] pix 535 issue
> There is an issue with Pix 7.x code when trying to reach certain websites.
> The workaround is also available at the URL below.
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note0918
> 6a00804c8b9f.shtml
>
> Alink (TinyURL knock-off)
> http://alnk.org/iratecar
More information about the cisco-nsp
mailing list