Cisco Bug: CSCuq80704 - ASA classifies TCP packets as PAWS failure incorrectly
Apr 25, 2019
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
9.1(5) 9.4(3) 9.4(3.4) 9.6(1)
Symptom: The ASA may incorrectly classify some TCP segments as failing a PAWS test when the TS.value present in the tcp header wraps around the 2^32 mark. Per RFC 1323, this should not cause the connect to fail. When a packet hits the ASA on an existing connection, the packet is dropped and the counter below increments: ciscoasa/pri/act# sh asp drop Frame drop: TCP packet failed PAWS test (tcp-paws-fail) Conditions: This occurs when the TS.value in a TCP packet/connection wraps around the 2^32 limit for that counter.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases