Cisco Bug: CSCtb99538 - URL Filter Sending RST with invalid SEQ number

Last Modified

Nov 09, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.0(0.249)

Description (partial)

Symptom:

With deny-long-url configured, the ASA sends an RST packet with the wrong sequence number.

Conditions:

When "deny-long-url" is configured and the ASA processes a URI longer than the configured or default length, a block page is sent back to the client. The client then responds with FIN/ACK, and the ASA answers that packet with an RST. This RST is sent with the wrong sequence number, which causes the client to ignore it and retransmit the FIN/ACK. By this time the connection has already been deleted on the ASA, so the ASA treats the retransmission as a TCP packet that does not belong to an established connection and drops it, sending an RST again.
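
An added example (not part of Cisco's bug record): a small Python audit that replays a trace and classifies each RST the way a receiver would under RFC 5961, which shows why the client ignores the reset described above. The trace, the endpoint labels and every sequence number are constructed for illustration, and window scaling is assumed to be off.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass
class Seg:
    src: str          # sending endpoint label (constructed: "client" / "asa")
    flags: str        # TCP flags as letters: S, F, R, P, A
    seq: int
    length: int = 0   # payload bytes
    win: int = 65535  # window advertised by the sender (no scaling assumed)


def classify_rst(seq, rcv_nxt, rcv_wnd):
    """How a receiver treats an RST (RFC 5961, section 3.2)."""
    if seq == rcv_nxt:
        return "exact"          # connection is reset
    if (seq - rcv_nxt) % MOD < rcv_wnd:
        return "in-window"      # challenge ACK is sent, no reset
    return "out-of-window"      # silently discarded


def audit_resets(trace):
    """Return (index, seq, verdict) for every RST in a two-endpoint trace."""
    nxt, wnd, findings = {}, {}, []
    for i, s in enumerate(trace):
        # The receiver of this segment is the other endpoint; use its window.
        peer_wnd = next((w for k, w in wnd.items() if k != s.src), 65535)
        if "R" in s.flags:
            verdict = classify_rst(s.seq, nxt[s.src], peer_wnd) if s.src in nxt else "unknown"
            findings.append((i, s.seq, verdict))
            continue
        wnd[s.src] = s.win
        # SYN and FIN each consume one sequence number.
        end = (s.seq + s.length + ("S" in s.flags) + ("F" in s.flags)) % MOD
        # Advance only on new data so retransmissions do not move the edge.
        if s.src not in nxt or 0 < (end - nxt[s.src]) % MOD < 2 ** 31:
            nxt[s.src] = end
    return findings


# Constructed trace mirroring the sequence of events in the description.
TRACE = [
    Seg("client", "PA", seq=1001, length=400),  # request with over-long URI
    Seg("asa", "PA", seq=5001, length=200),     # block page
    Seg("client", "FA", seq=1401),              # client closes
    Seg("asa", "R", seq=9000000),               # RST with a wrong SEQ (made-up value)
    Seg("client", "FA", seq=1401),              # client retransmits FIN/ACK
]
```

Any verdict other than "exact" on an RST sent by the firewall means the peer will not tear down its side of the connection on that packet.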