BugZero | Cisco BugID CSCvt61770 - ITD causing invalid TCP checksum

Cisco - Defect ID: CSCvt61770

ITD causing invalid TCP checksum

Cisco - Defect ID: CSCvt61770

ITD causing invalid TCP checksum

Last updated on December 12th, 2023

BugZero Risk Score
5.7 Medium

Overall: 5.7

Severity: 6.4

Lifecycle: 4.0

Popularity: 4.6

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Description

Symptom

- Customer has ITD configuration , when the customer ssh/telenet to VIP , it is not working , as the TCP Syn reaches to the Destination but the destination never replies with TCP Syn ACK due to invalid checksum - If the Customer ping VIP then it tries to ssh/telenet it works fine.

Conditions

- version 8.3(1) - Platform Nexus7700

Workaround

Ping the VIP then do SSh/Telnet. Remove the NAT ITD and do direct ssh.

Further Problem Description

+-----------------+ NAT ITD | | +--------------------> | F3 | | 1/1 1/2 | +----+--------+---+ VLAN 600 | | VLAN 413 Capture taken from here before NATing | | +----------------------------------------------->+ | | | +----+--------+---+ | 5/1 5/2 | | M3 | | 5/5/2 5/9/3 | +----+-----+------+ | | | | | | +----------+ +------------+ | | | | Capture Taken from here | | +------------------------> | | | 1/1 | ten1/1 +------------+----+ +--------+--------+ | | | | | N6k | | CAT-2 | | | | | +-----------------+ +-----------------+ 10.10.10.10 VLAN 413 172.16.160.146 VLAN 600 Source IP 172.16.160.146 VIP 100.100.100.100/32 Node ip 10.10.10.10 - The destination (N6k) is not replying the TCP Syn due to the invalid TCP Checksum. - We took a capture from the customer side and we can see the following: +Non Working ( do ssh without Pinging the VIP) ++The souce sends SYN with TCP Checksum 0xb666 ++We checked the Syn on the destination and we still see it 0xb666 which is not correct. +Working (Ping the VIP then do SSH) ++The source sends syn with TCP checksum 0X6b5c ++We checked the Syn on the Destionation side and we can see it is changed as expected to 0x2011 - We have been able to reproduce the issue in our lab. - For more detail refer to Lab repro section. - As you know the TCP Checksum is computed over the entire set of data (pseudo header plus TCP segment), pesudo header contains the Src IP and Dest IP ASIC Team confirmed, "NAT-ITD" will not support TCP checksum update in flanker, so closing the defect.

Relevant Products

Click on a version to see all relevant bugs

Affected versions:8.3(1)

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Affected versions:8.3(1)

Fixed versions: No known fixed versions

Top Cisco Defects

9.7Defect ID: CSCwa70008
Expired certs cause Security Intelligence updates to fail
9.7Defect ID: CSCwc94466
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability
9.7Defect ID: CSCvq12070
Not able to establish more than 2 simultaneous ASDM sessions
9.7Defect ID: CSCwf80292
ISE cannot retrieve a peer certificate during EAP-TLS authentication
9.7Defect ID: CSCvd48893
Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

Cisco - Defect ID: CSCvt61770

ITD causing invalid TCP checksum

Cisco - Defect ID: CSCvt61770

ITD causing invalid TCP checksum

Last updated on December 12th, 2023

BugZero Risk Score5.7 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Top Cisco Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
5.7 Medium