Sudden connection failures in TCP traffic such as SSH, NFS, CIFS with Cisco ASA firewall

Solution Unverified - Updated -

Issue

  • After a Cisco ASA firmware upgrade, connections are dropped. The Cisco ASA reports a TCP PAWS failure and drops packets:
      33: 19:10:43.774236       802.1Q vlan#123 P0 10.0.0.24:22 > 192.168.0.110:60018: P 299327905:299328005(100) ack 207669419 win 339 <nop,nop,timestamp 2703 2363294310> Drop-reason: (tcp-paws-fail) TCP packet failed PAWS test
  • TCP sessions like SSH appear to hang, but establishing a new session works again straight away
  • The NFS client reports "nfs: server not responding", then "nfs: server OK" 10 minutes later
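
To see which flows are affected, the following added example (not part of the original article, and not Red Hat or Cisco tooling) parses capture lines in the format quoted above and groups tcp-paws-fail drops per flow, with the TCP timestamp values of each dropped segment. The first sample line is the one from this article; the other sample lines, the function names and the port-to-service map are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Field layout taken from the capture line quoted in the Issue section.
HEAD_RE = re.compile(r"^\s*\d+:\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+"
                     r"(?:802\.1Q vlan#\d+\s+P\d+\s+)?(\S+) > (\S+?):\s")
TS_RE = re.compile(r"timestamp (\d+) (\d+)")        # TCP option: TSval TSecr
DROP_RE = re.compile(r"Drop-reason: \(([\w-]+)\)")
SERVICES = {22: "SSH", 2049: "NFS", 445: "CIFS"}    # assumed default ports

# Line 33 is from the article; lines 34-36 are constructed for this example.
SAMPLE = """\
33: 19:10:43.774236       802.1Q vlan#123 P0 10.0.0.24:22 > 192.168.0.110:60018: P 299327905:299328005(100) ack 207669419 win 339 <nop,nop,timestamp 2703 2363294310> Drop-reason: (tcp-paws-fail) TCP packet failed PAWS test
34: 19:10:43.981102       802.1Q vlan#123 P0 10.0.0.24:22 > 192.168.0.110:60018: P 299327905:299328005(100) ack 207669419 win 339 <nop,nop,timestamp 2911 2363294310> Drop-reason: (tcp-paws-fail) TCP packet failed PAWS test
35: 19:10:44.120530       802.1Q vlan#123 P0 192.168.0.110:60018 > 10.0.0.24:22: . ack 299327905 win 1024 <nop,nop,timestamp 2363294620 2911>
36: 19:10:45.300417       802.1Q vlan#123 P0 10.0.0.31:2049 > 192.168.0.110:793: P 51500:51628(128) ack 7781 win 501 <nop,nop,timestamp 118 90211744> Drop-reason: (tcp-paws-fail) TCP packet failed PAWS test
""".splitlines()

def paws_drops(lines):
    """Return {(src, dst): [(time, tsval, tsecr), ...]} for tcp-paws-fail drops."""
    flows = defaultdict(list)
    for line in lines:
        head, drop = HEAD_RE.match(line), DROP_RE.search(line)
        if not head or not drop or drop.group(1) != "tcp-paws-fail":
            continue                      # forwarded packet or other drop reason
        ts = TS_RE.search(line)
        tsval, tsecr = (int(ts.group(1)), int(ts.group(2))) if ts else (None, None)
        flows[(head.group(2), head.group(3))].append((head.group(1), tsval, tsecr))
    return dict(flows)

def summarize(flows):
    """One row per flow: service guess, drop count, time span, dropped TSvals."""
    rows = []
    for (src, dst), hits in sorted(flows.items()):
        tails = [e.rsplit(":", 1)[-1] for e in (src, dst)]
        ports = {int(t) for t in tails if t.isdigit()}
        svc = next((name for p, name in SERVICES.items() if p in ports), "other")
        rows.append({"flow": f"{src} > {dst}", "service": svc, "drops": len(hits),
                     "first": hits[0][0], "last": hits[-1][0],
                     "tsvals": [h[1] for h in hits]})
    return rows

if __name__ == "__main__":
    for row in summarize(paws_drops(SAMPLE)):
        print(row)
```
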

Environment

  • Red Hat Enterprise Linux
  • Cisco ASA, seen on firmware versions 9.6(2) or 9.1(7)9
  • TCP connections; more likely with long-lived TCP connections such as SSH, NFS, CIFS, etc.
