Re: 106023: Deny tcp src outside from WWW Servers
comp.security.firewalls archive

From: Walter Roberson <roberson@ibd.nrc-cnrc.gc.ca>
Date: Wed Sep 07 2005 - 17:02:35 CEST

In article <1126096187.425251.140780@g44g2000cwa.googlegroups.com>,
Rene Obrecht <groups@no-woman-no-cry.ch> wrote:
:Just found something in debug mode, this entry is when I click "abort"
:or "reload" in my browser (TCP Reset-I). So everything is fine or can
:this error message be "hidden", because with 500 WWW Users we got a lot
:of them in the logfile.

:%PIX-6-302014: Teardown TCP connection 35416669 for
:outside:ISAPROXY/8080 to inside:172.22.113.5/2027 duration 0:00:01
:bytes 10898 TCP Reset-I

:%PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst
:inside:172.22.113.5/2027 by access-group "dmz_to_intranet"

Yes, you found an important clue to the behaviour, one that a lot of
people never notice.

What is happening is that the PIX is cleaning up the connection
information while there are still packets returning from the remote
end. The PIX is not noticing that they belonged to the previous
connection and so is not quietly dropping them. I have not, though,
seen any good hypotheses advanced as to why the Deny message does not
include the "flags SYN" message that would normally appear in such
a case.

This behaviour started appearing in PIX 6.3(1), if I recall correctly.
In PIX 6.2, the cleanup routine waited longer.

-- 
   I was very young in those days, but I was also rather dim.
   -- Christopher Priest
Received on Thu Sep 29 20:06:43 2005
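The asker wants the 106023 denies hidden without losing the ones that matter, and the reply explains why they appear: the PIX has already torn the connection down when late packets from the far end arrive. One way to act on that from the log side is to correlate each 106023 deny with a 302014 teardown for the same endpoint pair seen shortly before it. The filter below is an added example, not code from the thread or from Cisco: it assumes a syslog timestamp prefix of the form `Sep 07 2005 17:02:35` in front of each message (the quoted lines carried none), a 5-second correlation window, and the two message layouts exactly as quoted above. Sample lines are constructed, modelled on the post, with one deny for which no teardown was logged so the filter has something to keep.

```python
"""Tag PIX 106023 denies that merely follow a 302014 teardown of the same flow.

Added example for the thread above; not part of the original post and not a
Cisco tool.  Timestamp prefix, window length and sample lines are assumptions.
"""
import re
from datetime import datetime, timedelta

# Assumed syslog prefix: "Mon DD YYYY HH:MM:SS <PIX message>".
TS_FMT = "%b %d %Y %H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<msg>%PIX-\d-\d{6}: .*)$"
)

# Field layout copied from the two messages quoted in the thread.
TEARDOWN_RE = re.compile(
    r"^%PIX-6-302014: Teardown TCP connection \d+ for "
    r"\w+:(?P<a>[\w.\-]+)/(?P<ap>\d+) to \w+:(?P<b>[\w.\-]+)/(?P<bp>\d+) "
    r"duration [\d:]+ bytes \d+ (?P<reason>.+)$"
)
DENY_RE = re.compile(
    r'^%PIX-4-106023: Deny tcp src \w+:(?P<a>[\w.\-]+)/(?P<ap>\d+) '
    r'dst \w+:(?P<b>[\w.\-]+)/(?P<bp>\d+) by access-group "(?P<acl>[^"]+)"$'
)


def endpoints(m):
    """Unordered pair of (host, port), so the deny matches the teardown whichever
    side the PIX listed first."""
    return frozenset({(m["a"], int(m["ap"])), (m["b"], int(m["bp"]))})


def classify(lines, window=timedelta(seconds=5)):
    """Return (line, tag) pairs.

    A 106023 whose endpoints match a 302014 teardown seen within `window` is
    tagged 'deny-post-teardown' (late packets of an already torn-down flow, the
    case the thread describes).  Any other 106023 is 'deny-unexplained' and
    should stay visible to the operator.
    """
    recent = {}  # endpoint pair -> time of the most recent teardown
    out = []
    for line in lines:
        lm = LINE_RE.match(line)
        if not lm:
            out.append((line, "unparsed"))
            continue
        ts = datetime.strptime(lm["ts"], TS_FMT)
        msg = lm["msg"]
        # Forget teardowns older than the window so the table cannot grow unbounded.
        for key in [k for k, t in recent.items() if ts - t > window]:
            del recent[key]
        tm = TEARDOWN_RE.match(msg)
        if tm:
            recent[endpoints(tm)] = ts
            out.append((line, "teardown"))
            continue
        dm = DENY_RE.match(msg)
        if dm:
            tag = "deny-post-teardown" if endpoints(dm) in recent else "deny-unexplained"
            out.append((line, tag))
            continue
        out.append((line, "other"))
    return out


def unexplained_denies(lines, window=timedelta(seconds=5)):
    """Only the 106023 lines that no recent teardown accounts for."""
    return [line for line, tag in classify(lines, window) if tag == "deny-unexplained"]


# Constructed sample: the two lines from the thread (with an assumed timestamp),
# one deny for a different client port with no teardown, and a repeat of the
# first deny 35 seconds later, outside the window.
SAMPLE = [
    "Sep 07 2005 17:02:35 %PIX-6-302014: Teardown TCP connection 35416669 for "
    "outside:ISAPROXY/8080 to inside:172.22.113.5/2027 duration 0:00:01 bytes 10898 TCP Reset-I",
    "Sep 07 2005 17:02:35 %PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst "
    'inside:172.22.113.5/2027 by access-group "dmz_to_intranet"',
    "Sep 07 2005 17:02:36 %PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst "
    'inside:172.22.113.9/3344 by access-group "dmz_to_intranet"',
    "Sep 07 2005 17:03:10 %PIX-4-106023: Deny tcp src outside:ISAPROXY/8080 dst "
    'inside:172.22.113.5/2027 by access-group "dmz_to_intranet"',
]

if __name__ == "__main__":
    for line, tag in classify(SAMPLE):
        print(f"{tag:20s} {line[:70]}")
```

Run against the sample, the deny quoted in the thread is tagged as post-teardown noise, while the deny for the other client port and the one arriving 35 seconds after the teardown are kept as unexplained. Suppressing only the correlated class, rather than every 106023 from the proxy, keeps the ACL still able to tell you about traffic that was never part of a permitted connection.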