BugZero | Cisco BugID CSCvt61770 - ITD causing invalid TCP checksum

OPERATIONAL DEFECT DATABASE

...

BugZero | Cisco BugID CSCvt61770 - ITD causing invalid TCP checksum

Cisco - Defect ID: CSCvt61770

ITD causing invalid TCP checksum

Cisco - Defect ID: CSCvt61770

ITD causing invalid TCP checksum

Last updated on December 12th, 2023

BugZero Risk Score
5.7 Medium

Overall: 5.7

Severity: 6.4

Lifecycle: 4.0

Popularity: 4.6

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Description

Symptom

- Customer has ITD configuration , when the customer ssh/telenet to VIP , it is not working , as the TCP Syn reaches to the Destination but the destination never replies with TCP Syn ACK due to invalid checksum - If the Customer ping VIP then it tries to ssh/telenet it works fine.

Conditions

- version 8.3(1) - Platform Nexus7700

Workaround

Ping the VIP then do SSh/Telnet. Remove the NAT ITD and do direct ssh.

Further Problem Description

+-----------------+ NAT ITD | | +--------------------> | F3 | | 1/1 1/2 | +----+--------+---+ VLAN 600 | | VLAN 413 Capture taken from here before NATing | | +----------------------------------------------->+ | | | +----+--------+---+ | 5/1 5/2 | | M3 | | 5/5/2 5/9/3 | +----+-----+------+ | | | | | | +----------+ +------------+ | | | | Capture Taken from here | | +------------------------> | | | 1/1 | ten1/1 +------------+----+ +--------+--------+ | | | | | N6k | | CAT-2 | | | | | +-----------------+ +-----------------+ 10.10.10.10 VLAN 413 172.16.160.146 VLAN 600 Source IP 172.16.160.146 VIP 100.100.100.100/32 Node ip 10.10.10.10 - The destination (N6k) is not replying the TCP Syn due to the invalid TCP Checksum. - We took a capture from the customer side and we can see the following: +Non Working ( do ssh without Pinging the VIP) ++The souce sends SYN with TCP Checksum 0xb666 ++We checked the Syn on the destination and we still see it 0xb666 which is not correct. +Working (Ping the VIP then do SSH) ++The source sends syn with TCP checksum 0X6b5c ++We checked the Syn on the Destionation side and we can see it is changed as expected to 0x2011 - We have been able to reproduce the issue in our lab. - For more detail refer to Lab repro section. - As you know the TCP Checksum is computed over the entire set of data (pseudo header plus TCP segment), pesudo header contains the Src IP and Dest IP ASIC Team confirmed, "NAT-ITD" will not support TCP checksum update in flanker, so closing the defect.

Change history

2023-12-12 Added: 8.3(1)

Top Cisco Defects

9.7Defect ID: CSCwh22127
Software initiated reboot due to OMPD crash (segmentation fault)
9.7Defect ID: CSCwa00729
All NADs got deleted due to one particular NAD deletion
9.7Defect ID: CSCwh87343
Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
9.7Defect ID: CSCwc94466
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability
9.7Defect ID: CSCvx32806
Access Points stuck in bootloop due to image checksum verification failed

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCvt61770

ITD causing invalid TCP checksum

Cisco - Defect ID: CSCvt61770

ITD causing invalid TCP checksum

Last updated on December 12th, 2023

BugZero Risk Score5.7 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects

Ready to prevent the next vendor outage?

BugZero Risk Score
5.7 Medium