Eric,

I agree but the failure rate is too high. I see ~50 percent of messages sent
from hotmail get dropped (I mean dropped no bounces, nothing). The only
thing I have seen is the PIX denying the ACK's, RST's, and FIN ACK's.

Gordon Douglass

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Eric Vyncke
> Sent: Tuesday, June 29, 1999 1:47 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: PIX deniel messages?
>
>
> Just a suggestion, if the outside is closing the connection and
> the inside host acknowledges the end of connection, then the PIX
> removes the state for this connection.
>
> Now, if by accident, the acknowledgement of the end of connection is
> lost after the PIX on the Internet, then the outside host will resend
> its end of connection (normal behaviour of the outside host), but the
> PIX will block it because it has seen the complete final handshake.
>
> Hope this helps
>
> -eric
>
> At 10:54 29/06/1999 -0700, you wrote:
> >
> >Has anyone seen a PIX deny connections to statically built connections that
> >have valid conduits?
> >
> >%PIX-2-106001: Inbound TCP connection denied from src/port to dst/port flags FIN ACK
> >%PIX-2-106001: Inbound TCP connection denied from src/port to dst/port flags ACK
> >%PIX-2-106001: Inbound TCP connection denied from src/port to dst/port flags RST ACK
> >%PIX-2-106001: Inbound TCP connection denied from src/port to dst/port flags RST
> >
> >One example that I have is some hotmail servers that I will sendmail from
> >will be denied. NOTE
> >I said "some", meaning some work some don't. I will see the above error
> >message with the dst/port being my mail server.
> >In addition I see this on some web services.
> >It seems to be an intermittent problem but I can't understand why the PIX is
> >allowing the ESTABLISHED to occur then
> >for no apparent reason starts to block the ACK's. and others...
> >
> >TIA,
> >
> >Gordon Douglass
> >
> >
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]
>
> Eric Vyncke
> Consulting Engineer                Cisco Systems EMEA
> Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
> E-mail: [EMAIL PROTECTED]          Mobile: +32-75-312.458
>
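
Added example (not part of the original thread, and not PIX code): a simplified Python model of the behaviour Eric describes, where the filter deletes connection state once it has seen the complete close, so a retransmitted FIN from the outside host is denied and logged in the 106001 format quoted above. The addresses, the class name and the state-removal rule are assumptions made for illustration.

```python
# Simplified model of stateful TCP filtering (added example, not PIX code).
# Assumption: state is deleted as soon as both FINs and the final ACK pass.
FLAG_ORDER = ("SYN", "FIN", "RST", "PSH", "ACK")


class StatefulFilter:
    def __init__(self, conduits):
        self.conduits = set(conduits)   # inside (ip, port) pairs open to inbound
        self.table = {}                 # (outside, inside) -> sides that sent FIN
        self.log = []

    def packet(self, src, dst, flags, inbound):
        """Return True if the packet is forwarded, False if denied."""
        flags = set(flags.split())
        key = (src, dst) if inbound else (dst, src)
        if key not in self.table:
            if inbound and flags == {"SYN"} and dst in self.conduits:
                self.table[key] = set()         # new connection via the conduit
                return True
            if inbound:                         # no state: logged like 106001
                names = " ".join(f for f in FLAG_ORDER if f in flags)
                self.log.append(
                    "%PIX-2-106001: Inbound TCP connection denied from "
                    f"{src[0]}/{src[1]} to {dst[0]}/{dst[1]} flags {names}")
            return False
        fins = self.table[key]
        if "RST" in flags:
            del self.table[key]
        elif "FIN" in flags:
            fins.add("outside" if inbound else "inside")
        elif flags == {"ACK"} and len(fins) == 2:
            del self.table[key]                 # final ACK of the close seen
        return True


def run_scenario():
    out, mail = ("192.0.2.10", 40000), ("198.51.100.25", 25)  # constructed
    fw = StatefulFilter([mail])
    steps = [                                   # (src, dst, flags, inbound)
        (out, mail, "SYN", True), (mail, out, "SYN ACK", False),
        (out, mail, "ACK", True),
        (mail, out, "FIN ACK", False), (out, mail, "ACK", True),
        (out, mail, "FIN ACK", True),
        (mail, out, "ACK", False),              # forwarded, then lost upstream
        (out, mail, "FIN ACK", True),           # retransmitted FIN: no state
    ]
    return [fw.packet(*s) for s in steps], fw.log
```

In this model the only denied packet is the retransmitted FIN ACK, which arrives after the state entry is gone.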

