[c-nsp] pix 6.1(3)

Michael Malitsky malitsky at netabn.com
Thu Jul 11 15:49:23 EDT 2013


Sounds eerily familiar, although I can't find any notes for v6.  The first releases of 7 had a similar issue, caused by the firewall dropping any packets with MSS>negotiated size.
However, your options are very few.  Try disabling the http fixup to confirm it is the inspection engine causing the problem.  In version 6, there is no way to tune the inspection engines, on/off is the only button, so your only option is to upgrade.  I suggest trying 6.5.last (I think 6.5.105), if that doesn't work go to 7, the highest version that supports a PIX.  In v7 you can at least exempt the problem traffic from inspection.  Best option - upgrade to an ASA.

Michael

------------------------------

Date: Thu, 11 Jul 2013 09:51:16 -0500
From: "Aaron" <aaron1 at gvtc.com>
To: <cisco-nsp at puck.nether.net>
Subject: [c-nsp] pix 6.1(3)
Message-ID: <000001ce7e46$186efb20$494cf160$@gvtc.com>
Content-Type: text/plain;       charset="us-ascii"

Anyone ever dealt with a weird issue where when going to a certain website
via a cisco pix, the tcp syn and syn/ack flow fine, but the final ack is
lost inside the pix?  My sniffs seem to show this.



Aaron
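
One way to confirm from two sniffer traces (inside and outside interface) which handshake packet the firewall swallowed, as an added example that is not part of the original thread. The packet record layout, the sample addresses and sequence numbers, and the assumption that no address translation sits between the two capture points are constructed for illustration.

```python
from collections import namedtuple

# One TCP header as exported from a sniffer trace (field layout is an assumption).
Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack")
M = 2**32  # TCP sequence numbers wrap at 32 bits

def handshake_stages(capture):
    """Return {flow: set of handshake stages seen} for one capture point."""
    flows = {}
    for p in capture:
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":                       # client SYN opens the flow
            st = flows.setdefault(fwd, {"seen": set(), "c_isn": p.seq, "s_isn": None})
            st["seen"].add("SYN")
        elif p.flags == "SA" and rev in flows:   # server SYN/ACK answering that SYN
            st = flows[rev]
            if p.ack == (st["c_isn"] + 1) % M:
                st["s_isn"] = p.seq
                st["seen"].add("SYN/ACK")
        elif p.flags == "A" and fwd in flows:    # candidate final ACK of the handshake
            st = flows[fwd]
            if (st["s_isn"] is not None and p.seq == (st["c_isn"] + 1) % M
                    and p.ack == (st["s_isn"] + 1) % M):
                st["seen"].add("ACK")
    return {flow: st["seen"] for flow, st in flows.items()}

def lost_in_firewall(inside, outside):
    """Stages that entered the firewall on one side but never left on the other."""
    ins, outs = handshake_stages(inside), handshake_stages(outside)
    report = {}
    for flow in ins.keys() | outs.keys():
        i, o = ins.get(flow, set()), outs.get(flow, set())
        # SYN and ACK travel inside -> outside; SYN/ACK travels outside -> inside.
        lost = ({"SYN", "ACK"} & (i - o)) | ({"SYN/ACK"} & (o - i))
        if lost:
            report[flow] = sorted(lost)
    return report

# Constructed sample traces. Each capture is matched against its own sequence
# numbers, so a firewall that rewrites the client ISN does not confuse the match.
C, S = "192.0.2.10", "198.51.100.80"
INSIDE = [Pkt(C, 1025, S, 80, "S", 1000, 0), Pkt(S, 80, C, 1025, "SA", 5000, 1001),
          Pkt(C, 1025, S, 80, "A", 1001, 5001),    # final ACK reaches the firewall
          Pkt(C, 1025, S, 80, "A", 1001, 5001)]    # and again (duplicate in trace)
OUTSIDE = [Pkt(C, 1025, S, 80, "S", 734512, 0),
           Pkt(S, 80, C, 1025, "SA", 5000, 734513)]  # final ACK never leaves

if __name__ == "__main__":
    print(lost_in_firewall(INSIDE, OUTSIDE))
```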



