[c-nsp] FWSM 3.1(9) corrupting TCP SYN-ACKs when timestamps are enabled
Sam Stickland
sam_mailinglists at spacething.org
Sat Sep 6 09:46:13 EDT 2008
Hi,
We do have a TAC case on this; I'm just wondering if anyone here has
seen something similar.
We upgraded from 3.1(1) to 3.1(9) on our context-based L3 FWSMs. Now,
if an incoming SYN has timestamps there's a 50% chance that the FWSM
generates a bad checksum when it NAT translates the returning SYN-ACK
(from the webserver), causing the client to drop the SYN-ACK. SYNs
without the timestamp options don't cause a problem.
The problem seems to be isolated to two inside interfaces (in two
different contexts), but they both NAT translate into the same inside range.
Sam
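
A way to confirm the symptom described above from a capture taken on each side of the firewall, as an added example that is not part of the original post: it recomputes the TCP checksum of an IPv4 packet and reports whether the segment is a SYN-ACK carrying the timestamp option. The sample packet, the addresses and the `stale_rewrite` helper are constructed for illustration; the helper only reproduces the observable result (a translated address with an unadjusted checksum) and assumes nothing about what the FWSM does internally.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    data += b"\x00" * (len(data) % 2)              # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def inspect_tcp(pkt: bytes) -> dict:
    """Report SYN-ACK flags, timestamp option and TCP checksum validity (IPv4 only)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    opts, i, has_ts = seg[20:(seg[12] >> 4) * 4], 0, False
    while i < len(opts) and opts[i] != 0:          # kind 0: end of option list
        if opts[i] == 1:                           # kind 1: NOP, one byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:  # malformed length: stop
            break
        has_ts = has_ts or opts[i] == 8            # kind 8: timestamps
        i += opts[i + 1]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return {"syn_ack": seg[13] & 0x12 == 0x12, "timestamps": has_ts,
            "checksum_ok": ones_sum(pseudo + seg) == 0xFFFF}

def build_synack(src: str, dst: str, timestamps: bool) -> bytes:
    """Constructed sample: SYN-ACK from port 80 with a correct TCP checksum."""
    opts = struct.pack("!BBH", 2, 4, 1460)                       # MSS
    if timestamps:
        opts += struct.pack("!BBBBII", 1, 1, 8, 10, 1000, 2000)  # NOP NOP TS
    addrs = socket.inet_aton(src) + socket.inet_aton(dst)
    seg = struct.pack("!HHIIBBHHH", 80, 40000, 1, 2,
                      (5 + len(opts) // 4) << 4, 0x12, 65535, 0, 0) + opts
    csum = 0xFFFF - ones_sum(addrs + struct.pack("!BBH", 0, 6, len(seg)) + seg)
    seg = seg[:16] + struct.pack("!H", csum) + seg[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(seg), 0, 0, 64, 6, 0) + addrs
    return ip + seg                                # IP header checksum left 0

def stale_rewrite(pkt: bytes, new_src: str) -> bytes:
    """Constructed fault: swap the source address, leave the TCP checksum as-is."""
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]

if __name__ == "__main__":
    good = build_synack("10.0.0.5", "198.51.100.7", timestamps=True)
    print(inspect_tcp(good), inspect_tcp(stale_rewrite(good, "192.0.2.5")))
```

Feeding `inspect_tcp` the raw IP bytes of the same SYN-ACK captured inside and outside the firewall shows on which side the checksum stops validating; captures taken on an endpoint with checksum offload enabled can show false failures for locally generated packets.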