As it turns out, the problem goes away if I use old-fashioned iptables, that is, without connection tracking. Go figure!

Take-home lesson is: do not use connection tracking iptables behind a Cisco FireWall Service Module. Is this just to be accepted as canon, or can somebody actually explain to me WHY?

Best regards,
Bent

On 10/8/07, Bent Terp <bent at nagstrup.dk> wrote:
> The only thing which shows up is that the client starts sending
> duplicate ACKs, getting "Destination unreachable" as reply from the
> server (not from the Cisco). This happened 220 KB into the transfer in
> this case, but that figure varies quite a bit.