Cisco Bug: CSCvt75639 - DOC: No ARP table lookup for self-originated TCP RESET packets

Last Modified

Jul 12, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(3) 9.6(4) 9.8(4)

Description (partial)

When the ASA/FTD generates a TCP packet with the RESET bit set to reset a connection that is denied by the stateful inspection engine, the destination MAC address of this packet is not determined by an ARP table lookup; instead, it is taken directly from the source MAC address of the packets (connections) that are being denied.

- ASA/FTD sends RST for denied connections - generally controlled by the 'service resetinbound' or 'service resetoutbound' commands.
- The ARP table contains an entry for IP a.b.c.d - MAC A, but the firewall receives packets from IP a.b.c.d with MAC B.
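
The condition above can be checked in a packet capture taken on the firewall's segment by comparing each firewall-sent RST against the ARP table. The following is an added example, not Cisco code: the function name, record layout, MAC and IP addresses are all constructed for illustration.

```python
from typing import NamedTuple

class Frame(NamedTuple):
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    tcp_flags: str  # e.g. "S" for SYN, "RA" for RST+ACK

FW_MAC = "00:00:5e:00:53:01"  # constructed firewall interface MAC
ARP_TABLE = {                 # constructed copy of the firewall's ARP table
    "192.0.2.10": "00:00:5e:00:53:aa",  # IP a.b.c.d -> MAC A
    "192.0.2.20": "00:00:5e:00:53:cc",
}
# Constructed capture: 192.0.2.10 sends from MAC B (..:bb), 192.0.2.20 from its ARP MAC.
CAPTURE = [
    Frame("00:00:5e:00:53:bb", FW_MAC, "192.0.2.10", "198.51.100.5", "S"),
    Frame(FW_MAC, "00:00:5e:00:53:bb", "198.51.100.5", "192.0.2.10", "RA"),
    Frame("00:00:5e:00:53:cc", FW_MAC, "192.0.2.20", "198.51.100.5", "S"),
    Frame(FW_MAC, "00:00:5e:00:53:cc", "198.51.100.5", "192.0.2.20", "RA"),
]

def rst_mac_findings(frames, arp_table, fw_mac):
    """Report firewall-sent RSTs whose destination MAC differs from the
    ARP entry for the destination IP."""
    last_src_mac = {}  # src IP -> source MAC of the latest frame received from it
    findings = []
    for f in frames:
        if f.src_mac.lower() != fw_mac.lower():
            last_src_mac[f.src_ip] = f.src_mac.lower()
            continue
        if "R" not in f.tcp_flags:
            continue
        arp_mac = arp_table.get(f.dst_ip)
        if arp_mac is None or arp_mac.lower() == f.dst_mac.lower():
            continue  # no ARP entry to compare against, or the MACs agree
        findings.append({
            "dst_ip": f.dst_ip,
            "arp_mac": arp_mac.lower(),
            "rst_dst_mac": f.dst_mac.lower(),
            # True when the RST went back to the MAC the denied packet came from
            "copied_from_denied_packet":
                last_src_mac.get(f.dst_ip) == f.dst_mac.lower(),
        })
    return findings

if __name__ == "__main__":
    for finding in rst_mac_findings(CAPTURE, ARP_TABLE, FW_MAC):
        print(finding)
```
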