[c-nsp] RST packets being generated by IOS Firewall on 6509 after
session tear down
Grant Moerschel
gm at wavegard.com
Thu Feb 17 12:05:11 EST 2005
Using IOS firewall (12.2.18sxd3) on a 6509, has anyone observed
conditions where the switch will generate an RST on behalf of a host at
the end of a graceful session teardown? For example: (FIN, FIN, ACK,
ACK) from (client, server, server, client), followed by the firewall
sending RST packets to both the server and the client. We know the host is
not sending the RST.
This sounds like an IP audit function, but that is not supported on the
6509. It also sounds like what happens when the half-open session count
is exceeded. We are checking to see if the per-host half-open session
count is being exceeded, but we suspect that in some cases it is NOT;
however, the RST packets are still being sent.
We have bumped the global half-open count to well above what is required
based on the stats we see in "sh ip inspect stat".
--
==================================================
Grant P. Moerschel gm at wavegard.com
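An added example, not part of Grant's post and not Cisco IOS code: a small Python analyzer that replays a constructed packet list, tracks whether both sides' FINs have been acknowledged, and flags any RST that appears after that point. For each RST it also compares the IP TTL with the TTL seen on the purported sender's earlier packets in the same flow, since a segment injected by a device in the path normally arrives with a different TTL than the real host's traffic. The addresses, ports, timestamps and TTL values (including the 255 on the injected RSTs) are made up for illustration; the analyzer does not track sequence numbers, so any ACK following a peer's FIN is taken as acknowledging that FIN.

```python
"""Flag TCP RSTs seen after a graceful FIN/FIN/ACK/ACK close and check
whether each RST's TTL matches the TTL of the host it claims to come from.
Example code with constructed packets; not from the original post."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int       # IP TTL as seen at the capture point
    flags: str     # TCP flag letters: S=SYN, A=ACK, F=FIN, R=RST, P=PSH


@dataclass
class FlowState:
    fin_from: set = field(default_factory=set)    # endpoints that sent a FIN
    fin_acked: set = field(default_factory=set)   # endpoints whose FIN was ACKed
    ttl_seen: dict = field(default_factory=dict)  # endpoint -> first non-RST TTL


def flow_key(p):
    """Direction-independent key so both halves of a flow share one state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def analyze(pkts):
    """Return one finding per RST, with the graceful-close and TTL checks."""
    flows, findings = {}, []
    for p in sorted(pkts, key=lambda x: x.ts):
        st = flows.setdefault(flow_key(p), FlowState())
        me, peer = (p.src, p.sport), (p.dst, p.dport)
        if "R" in p.flags:
            host_ttl = st.ttl_seen.get(me)  # TTL the real host used earlier
            findings.append({
                "ts": p.ts,
                "claimed_sender": f"{p.src}:{p.sport}",
                # both FINs sent and both acknowledged before this RST
                "after_graceful_close": {me, peer} <= st.fin_acked,
                "host_ttl": host_ttl,
                "rst_ttl": p.ttl,
                # a different TTL suggests something in the path, not the host
                "ttl_mismatch": host_ttl is not None and host_ttl != p.ttl,
            })
            continue
        st.ttl_seen.setdefault(me, p.ttl)
        if "F" in p.flags:
            st.fin_from.add(me)
        # simplification: any ACK after the peer's FIN counts as acking it
        if "A" in p.flags and peer in st.fin_from:
            st.fin_acked.add(peer)
    return findings


# Constructed sample capture (not real traffic). Client TTL 64, server TTL 60.
C, S = ("10.0.0.5", 40000), ("192.0.2.10", 443)
C2 = ("10.0.0.5", 40001)


def pkt(ts, frm, to, ttl, flags):
    return Pkt(ts, frm[0], frm[1], to[0], to[1], ttl, flags)


SAMPLE = [
    pkt(0.000, C, S, 64, "S"),
    pkt(0.010, S, C, 60, "SA"),
    pkt(0.020, C, S, 64, "A"),
    pkt(0.030, C, S, 64, "PA"),
    pkt(0.040, S, C, 60, "PA"),
    pkt(1.000, C, S, 64, "FA"),    # client FIN
    pkt(1.010, S, C, 60, "FA"),    # server FIN
    pkt(1.020, S, C, 60, "A"),     # server ACKs client's FIN
    pkt(1.030, C, S, 64, "A"),     # client ACKs server's FIN: graceful close done
    pkt(1.040, S, C, 255, "R"),    # RST "from" server, TTL 255 (assumed injected)
    pkt(1.041, C, S, 255, "R"),    # RST "from" client, TTL 255 (assumed injected)
    # control flow: a genuine mid-connection RST from the client, TTL matches
    pkt(2.000, C2, S, 64, "S"),
    pkt(2.010, S, C2, 60, "SA"),
    pkt(2.020, C2, S, 64, "A"),
    pkt(2.500, C2, S, 64, "R"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f)
```

Run against a real capture, feed `analyze()` the TCP packets of the flow in question; an RST flagged with both `after_graceful_close` and `ttl_mismatch` is the pattern described in the post, and the TTL value itself hints at how many hops away the injecting device sits.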