Preview Tool

Cisco Bug: CSCtd94681 - FWSM re-uses some PAT translation ports too frequently

Last Modified

Feb 22, 2014

Products (1)

  • Cisco Catalyst 6500 Series Firewall Services Module

Known Affected Releases

3.1(9) 3.2(13) 4.0

Description (partial)

Starting with FWSM version 3.1(13), 3.2(8) and 4.0(1), the FWSM might re-use a PAT global xlate port within a short span of time (1 or two minutes). This might cause TCP connections to fail if a remote TCP endpoint holds a connection active in the TIME_WAIT TCP state. The FWSM might translate a new outbound connection to the same global xlate port, which would cause the remote server to drop the new TCP SYN packet if that server had a connection that matched that port in the TIME_WAIT state.

All of the following conditions must be present to experience this problem:

1) The FWSM must be configured for PAT (Port Address Translation) and the traffic in question must be subjected to the translations.
2) The remote TCP server beyond the firewall must hold a TCP connection open in the TIME_WAIT state
3) Users on the inside of the FWSM must make subsequent connections to the same remote TCP server, such that the remote TCP server sees multiple inbound connections from the same global IP on the FWSM.
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.