[c-nsp] pix 535 issue

Matt Buford matt at overloaded.net
Tue Dec 13 15:02:32 EST 2005


It is probably worth noting that Cisco's own CSM (Content Switching Module) 
load balancer violates this if you turn on cookie insertion.

The symptom I saw is that some users were unable to access web sites behind 
my load balancer.  A packet capture from the workstation point of view 
showed a connection, GET, a gap in the TCP sequence numbers (where their PIX 
dropped the packet) and then the HTTP body packets.  Of course, this gap in 
the TCP sequence kills the connection.

If you install the Cisco VPN client on your workstation (reducing your MSS 
below MTU), place your workstation behind a PIX 7.0 firewall (enforcing 
MSS), and attempt to access a CSM load balanced site with cookie insertion 
whose header response packet is large enough that it exceeds MSS after 
cookie insertion without exceeding MSS and getting fragmented, you will be 
unable to access that web site.

CSCsb59273 covers this issue on the CSM.

----- Original Message ----- 
From: "Brant I. Stevens" <branto at branto.com>
To: "Alban Dani" <albcisco at gmail.com>; <cisco-nsp at puck.nether.net>
Sent: Monday, December 05, 2005 9:58 PM
Subject: Re: [c-nsp] pix 535 issue


> There is an issue with Pix 7.x code when trying to reach certain websites.
> The workaround is also available at the URL below.
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml
>
> Alink (TinyURL knock-off)
> http://alnk.org/iratecar
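
As an added illustration (not part of the thread or any Cisco code), the following Python models the failure mode described above: a load balancer grows the first response segment by cookie insertion, a firewall that enforces the client's advertised MSS drops the oversized segment, and the workstation-side capture then shows a sequence gap. All function names and the sizes used (MSS 1300, 1250-byte header, 80-byte cookie) are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int      # sequence number of the first payload byte
    payload: int  # payload length in bytes


def response_segments(isn, sizes, cookie_len=0):
    """Constructed server response. `sizes` are the payload sizes the server
    sent (HTTP header first). A cookie-inserting load balancer grows the first
    segment by cookie_len and shifts later sequence numbers by the same amount
    without re-segmenting (assumed behaviour, modelled on the thread)."""
    segs, seq = [], isn
    for i, n in enumerate(sizes):
        n += cookie_len if i == 0 else 0
        segs.append(Segment(seq, n))
        seq += n
    return segs


def mss_enforcement(segments, client_mss):
    """Model of a firewall that drops any segment whose payload exceeds the MSS
    the client advertised (the PIX 7.0 behaviour described in the thread)."""
    forwarded = [s for s in segments if s.payload <= client_mss]
    dropped = [s for s in segments if s.payload > client_mss]
    return forwarded, dropped


def find_sequence_gaps(segments, isn):
    """The check done by eye in the workstation capture: report every
    (expected_seq, seen_seq) hole in one direction of the stream."""
    gaps, expected = [], isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            gaps.append((expected, seg.seq))
        expected = max(expected, seg.seq + seg.payload)
    return gaps


def diagnose(client_mss, header_len, body_sizes, cookie_len, isn=1000):
    segs = response_segments(isn, [header_len] + body_sizes, cookie_len)
    forwarded, dropped = mss_enforcement(segs, client_mss)
    return {"dropped": [(s.seq, s.payload) for s in dropped],
            "gaps": find_sequence_gaps(forwarded, isn)}


if __name__ == "__main__":
    # Constructed values: VPN client lowered the MSS to 1300, 1250-byte header,
    # 80-byte inserted cookie -> first segment becomes 1330 bytes and is dropped.
    print(diagnose(1300, 1250, [1300, 1300], cookie_len=80))
    print(diagnose(1300, 1250, [1300, 1300], cookie_len=0))   # no cookie: clean
```

The header fits the MSS on its own and only exceeds it after the cookie is added, which is exactly the combination the thread singles out; without the cookie no segment is dropped and no gap appears.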