[c-nsp] TCP Reset

Derick Winkworth dwinkworth at att.net
Wed May 20 07:50:18 EDT 2009

What Cisco devices are in the path?  We had to configure an ACL on a
7200 denying inbound TCP RSTs, because of a bug where there there 7200
(if it was doing PAT) was erroneously sending the RST to the wrong

Long story short,  NAT session #1 would properly terminate on the 7200,
but the server would think the port was still open.  The server would
timeout and send a RST four minutes later.

Within that four minute window the 7200 would reuse the same source port
for a NAT session #2.  When the server's four minute timer went off for
the first session, and the RST was sent... the 7200 would send the RST
to the client in the second session, thus erroneously terminating a
valid TCP session.  There is a bug ID for this somewhere....

Hitesh Vinzoda wrote:
> Dear All,
> I m facing a problem from some clients behaving suspiciously when they
> telnet to squid proxy. (
> After TCP Syn request by client the server is responding with RST.
> Wireshark logs from client is attached. Comments are invited for this case.
> Thanks in advance
> Ronnie
> ------------------------------------------------------------------------
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> ------------------------------------------------------------------------
> No virus found in this incoming message.
> Checked by AVG - www.avg.com 
> Version: 8.5.339 / Virus Database: 270.12.35/2123 - Release Date: 05/19/09 17:59:00

More information about the cisco-nsp mailing list