Comment 12 for bug 1388786

Guru Evi (vanooste) wrote :

This can be fixed by turning off TCP sequence reordering on the Cisco appliance. Please note this also affects your Mac, BSD and Windows machines. You can turn off SACK on your host if you don't care about performance.

This feature was enabled by Cisco to protect Windows 95 hosts from TCP sequence prediction attacks (yeah, don't fix the problem, just break the network). However, Cisco doesn't translate the SACK ranges it has modified the sequences for, so your host gets back the 'wrong' range in the SACK response and simply ignores it because it doesn't match anything it sent.

https://supportforums.cisco.com/document/48551/single-tcp-flow-performance-firewall-services-module-fwsm
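
The mismatch described in the comment above, shown as an added example that is not part of the original comment or of any vendor code: a parser for the TCP SACK option (kind 5, RFC 2018) and a check of whether each block falls inside the sender's outstanding window. The offset `DELTA`, the window values and both sample options are constructed, and the window test is a simplified stand-in for what a real TCP stack does; it assumes the middlebox restores the ACK field but leaves the SACK blocks in the shifted sequence space.

```python
import struct
MOD = 1 << 32
DELTA = 0x5A5A0000             # constructed: offset the middlebox adds to sequence numbers
SND_UNA, SND_NXT = 1000, 9000  # constructed: sender's unacknowledged window

def seq_between(lo, x, hi):
    """True if lo <= x <= hi in 32-bit sequence space (wraparound-safe)."""
    return (x - lo) % MOD <= (hi - lo) % MOD

def parse_sack_blocks(options):
    """Return [(left, right), ...] from raw TCP option bytes."""
    blocks, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # NOP is a single byte with no length field
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            break              # malformed or truncated option: stop parsing
        if kind == 5:          # SACK: pairs of 32-bit left/right edges
            body = options[i + 2:i + length]
            for off in range(0, len(body) - 7, 8):
                blocks.append(struct.unpack_from("!II", body, off))
        i += length
    return blocks

def classify_sack(options, snd_una, snd_nxt):
    """Label each SACK block as usable or out-of-window for the sender."""
    out = []
    for left, right in parse_sack_blocks(options):
        ok = (left != right and seq_between(snd_una, left, snd_nxt)
              and seq_between(left, right, snd_nxt))
        out.append((left, right, "usable" if ok else "out-of-window"))
    return out

def sack_option(left, right):
    """Build NOP, NOP, SACK(one block), the usual 12-byte padded layout."""
    return b"\x01\x01" + struct.pack("!BBII", 5, 10, left, right)

# Receiver holds bytes 3000..5000 of the sender's stream; it reports them
# in the shifted space, and only TRANSLATED has been mapped back.
UNTRANSLATED = sack_option((3000 + DELTA) % MOD, (5000 + DELTA) % MOD)
TRANSLATED = sack_option(3000, 5000)

if __name__ == "__main__":
    for name, opt in (("translated", TRANSLATED), ("untranslated", UNTRANSLATED)):
        print(name, classify_sack(opt, SND_UNA, SND_NXT))
```

Run against SACK options taken from a capture on the sending host, blocks that are consistently out-of-window by the same offset point to a device rewriting sequence numbers without rewriting SACK.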