Cisco Bug: CSCtb99538 - URL Filter Sending RST with invalid SEQ number
Nov 09, 2016
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: For deny-long-url, the ASA sends an RST packet with the wrong sequence number.
Conditions: When "deny-long-url" is configured and the ASA processes a URI longer than the configured or default length, a block page is sent back to the client. The client then responds with a FIN/ACK, and the ASA answers this packet with an RST. This RST is sent with the wrong sequence number, which causes the client to ignore it and retransmit the FIN/ACK. By this time the connection has been deleted on the ASA, so the ASA treats the retransmission as a TCP packet without an established connection and drops it, sending an RST again.
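To confirm this symptom in a packet capture, each RST can be checked against the sequence number its receiver last acknowledged. The sketch below is an added example, not Cisco code: the Seg tuple, the classify_rsts function, the addresses and all sequence numbers are constructed for illustration, and window scaling is ignored.

```python
from collections import namedtuple

# One TCP segment as read from a capture: endpoints, flag letters, seq, ack, window.
Seg = namedtuple("Seg", "src dst flags seq ack win")

def classify_rsts(segments):
    """Return [(index, verdict)] for every RST in the trace.

    The receiver's expected sequence number (RCV.NXT) is taken from the last
    ACK it sent in the opposite direction, and the verdict follows RFC 5961:
    exact match resets the connection, in-window draws a challenge ACK,
    out-of-window is silently discarded.
    """
    last_ack = {}  # (sender, receiver) -> (ack number, window) last sent
    verdicts = []
    for i, s in enumerate(segments):
        if "R" in s.flags:
            state = last_ack.get((s.dst, s.src))
            if state is None:
                verdicts.append((i, "unknown"))
            else:
                rcv_nxt, win = state
                offset = (s.seq - rcv_nxt) % 2**32  # 32-bit wraparound
                if offset == 0:
                    verdicts.append((i, "exact"))
                elif offset < win:
                    verdicts.append((i, "in-window"))
                else:
                    verdicts.append((i, "out-of-window"))
        if "A" in s.flags:
            last_ack[(s.src, s.dst)] = (s.ack, s.win)
    return verdicts

# Constructed trace (addresses and numbers are illustrative, not from the bug).
C, S = "10.0.0.5:51000", "192.0.2.10:80"
TRACE = [
    Seg(C, S, "PA", 1000, 5000, 65535),   # request with an over-long URI
    Seg(S, C, "PA", 5000, 1300, 32768),   # block page, 200 bytes
    Seg(C, S, "FA", 1300, 5200, 65535),   # client closes
    Seg(S, C, "R", 9999999, 0, 0),        # RST with a wrong sequence number
    Seg(C, S, "FA", 1300, 5200, 65535),   # client ignores it, retransmits
    Seg(S, C, "R", 5200, 0, 0),           # RST for a segment with no connection
]

if __name__ == "__main__":
    for index, verdict in classify_rsts(TRACE):
        print(index, TRACE[index].seq, verdict)
```

A FIN/ACK retransmission that follows an "out-of-window" RST on the same flow matches the pattern described in the conditions above.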