[c-nsp] FWSM 3.1(9) corrupting TCP SYN-ACKs when timestamps are enabled

Sam Stickland sam_mailinglists at spacething.org
Sat Sep 6 09:46:13 EDT 2008


Hi,

We do have a TAC case on this, I'm just wondering if anyone here has 
seen something similar.

We upgraded from 3.1(1) to 3.1(9) on our context-based L3 FWSMs. Now, 
if an incoming SYN has timestamps there's a 50% chance that the FWSM 
generates a bad checksum when it NAT translates the returning SYN-ACK 
(from the webserver), causing the client to drop the SYN-ACK. SYNs 
without the timestamp options don't cause a problem.

The problem seems to be isolated to two inside interfaces (in two 
different contexts), but they both NAT translate into the same inside range.

Sam
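
One way to confirm the symptom from a capture taken on the client side of the firewall, as an added example that is not part of the original post: recompute the TCP checksum of each SYN-ACK and note whether the timestamp option is present. The packet builder and `rewrite_src` are constructed stand-ins (addresses, ports and the stale-checksum fault are assumptions for illustration, not a statement about what the FWSM does internally).

```python
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus a segment whose checksum field is zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ~ones_sum(pseudo + segment) & 0xFFFF

def has_timestamps(tcp: bytes) -> bool:
    """Walk the TCP options looking for kind 8 (timestamps)."""
    opts, i = tcp[20:(tcp[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:        # kind 0 = end of option list
        if opts[i] == 1:                         # kind 1 = NOP, one byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                                # malformed option length
        if opts[i] == 8:
            return True
        i += opts[i + 1]
    return False

def check_packet(ip: bytes) -> dict:
    """Classify one raw IPv4/TCP packet and verify its TCP checksum."""
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    stored = struct.unpack("!H", tcp[16:18])[0]
    expected = tcp_checksum(ip[12:16], ip[16:20], tcp[:16] + b"\x00\x00" + tcp[18:])
    return {"syn_ack": tcp[13] & 0x12 == 0x12, "timestamps": has_timestamps(tcp),
            "checksum_ok": stored == expected}

def build_syn_ack(src: bytes, dst: bytes, with_ts: bool) -> bytes:
    """Constructed sample packet (not a capture); IP header checksum left 0, it is not checked here."""
    opts = b"\x02\x04\x05\xb4" + (b"\x01\x01\x08\x0a" + struct.pack("!II", 1000, 2000) if with_ts else b"")
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 2, (5 + len(opts) // 4) << 4, 0x12, 5840, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    return struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0) + src + dst + tcp

def rewrite_src(ip: bytes, new_src: bytes) -> bytes:
    """Constructed fault: change the source address and leave the TCP checksum stale."""
    return ip[:12] + new_src + ip[16:]
```

Capture with checksum offload disabled on the capturing host, otherwise locally generated packets show false mismatches.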

