Wireshark-users: Re: [Wireshark-users] TCP checksum off-by-one errors?
Date: Wed, 4 Mar 2009 09:54:56 +0000 (GMT)
Hi all

>-  Any ideas why having the firewall in place makes a difference? I
>presume that the checksum can be calculated from the single packet - so
>when I receive packets with wrong checksums, the problem must be on the
>remote end or the path from it to me. Who sent or what has been sent
>before should not make a difference...

Cisco Firewalls (and others) perform randomization and rewriting of initial TCP sequence numbers, therefore, they 
have to recalculate the UDP or TCP checksum as well. Try the keyword "norandomseq" in the nat/global or static 
statements that relate to this connection and see if it makes a difference.

>- Have you seen something like this before? How could I proceed?

I've had the problem with a Cisco FWSM (Firewall Service Module, essentially a PIX-in-a-Cat6500-module) and while 
"fixup protocol dns" was active. The first udp packet of an outbound DNS lookup would have a wrong UDP checksum, and 
was refused by the remote DNS server that had UDP checksum verification activated.

regards

Marc