topic Cisco 887VA-W - dropped packets in Network Security

Cisco 887VA-W - dropped packets

Ashley Sahonta — Mon, 11 Mar 2019 23:31:00 GMT

Hi,

I have an 887VA-w connected at home. I am using ip virtual-reassembly an all interfaces (dialer and all internal VLANs), I am also using CBAC (currently setting up ZBF). The issue I am having is that I keep getting drop packet error messages and the reasons can differ. Below are some of the outputs I recieve:

Jul 14 2012 23:38:09: %FW-6-DROP_PKT: Dropping Other session 64.215.255.24:443 192.168.12.11:59748 due to Retransmitted Segment with Invalid Flags with ip ident 0 tcpflags 0x5004 seq.no 4247336252 ack 0

Home-Router#

Jul 14 2012 23:38:49: %FW-6-DROP_PKT: Dropping Other session 64.215.255.24:443 192.168.12.11:59825 due to Retransmitted Segment with Invalid Flags with ip ident 0 tcpflags 0x5004 seq.no 570307557 ack 0

Home-Router#

Jul 14 2012 23:39:26: %FW-6-DROP_PKT: Dropping http session 77.73.32.100:80 192.168.12.11:59859 due to SYN inside current window with ip ident 0 tcpflags 0x8012 seq.no 3980996654 ack 398106525

Home-Router#

Jul 14 2012 23:40:01: %FW-6-DROP_PKT: Dropping Other session 92.21.177.174:52564 23.32.26.224:443 due to Retransmitted Segment with Invalid Flags with ip ident 50491 tcpflags 0x5004 seq.no 2961330137 ack 0

Home-Router#

Jul 14 2012 23:41:06: %FW-6-DROP_PKT: Dropping Other session 173.194.34.94:443 192.168.12.11:59736 due to Retransmitted Segment with Invalid Flags with ip ident 7027 tcpflags 0x5004 seq.no 3898183889 ack 0

I have done a show ip virtual-reassembly on all the interfaces and the counter is shown as 0.

Can someone shed some light on this situation??

Thanks,

Ash

Cisco 887VA-W - dropped packets

Ramraj Sivagnanam Sivajanam — Fri, 20 Jul 2012 19:00:08 GMT

Hi Bro

This error message indicates that the IP 173.194.34.94 has received and acknowledge the various retransmitted packets from 192.168.12.11:59736. This can be seen occurring numerous times, based on the countless TCP Sequence Numbers, as shown in your capture. Why is 192.168.12.11 sending out numerous packets? What device is 192.168.12.11?

This has nothing to do with the “ip virtual-reassembly” command as this error doesn’t concern fragmentation.

Perhaps, could you remove the “ip inspect XXX in” command, and verify if you’re still getting this message. If yes, then this is a configuration error in your CBAC. I’m guessing you’ve not enabled ZFW yet.

By the way, perhaps this URL could assist you further https://supportforums.cisco.com/thread/237095

P/S: If you think my comments are helpful, please do rate them nicely 🙂

Cisco 887VA-W - dropped packets

Ashley Sahonta — Sun, 29 Jul 2012 21:22:39 GMT

Hi,

Thanks for the response. I previously had CBAC, I have now removed all CBAC config and applied zone based firewall and I am still get the drop messages.

I am using version 15.1. Do you know if this is a bug issue?

Ash

Cisco 887VA-W - dropped packets

Ramraj Sivagnanam Sivajanam — Mon, 30 Jul 2012 03:48:06 GMT

Hi There

This is just my suggestion, could you remove your ZFW completely, and ensure this is working. If yes, then when you paste in your ZFW config, and this don't work fine.. Then we can narrow down to ZFW config or bug. Could you paste your ZFW config here?

Cisco 887VA-W - dropped packets

Ashley Sahonta — Mon, 30 Jul 2012 21:08:51 GMT

Here is the zone based firewall config:

class-map type inspect match-all ICMP

match protocol icmp

class-map type inspect match-any DHCP-to-SELF

match protocol bootps

match protocol bootpc

class-map type inspect match-any TRAFFIC-to-SELF

match access-group name ICMP-TRAFFIC-ACL

match access-group name VTY-IN

match access-group 99

match access-group name ALLOW-DHCP

match access-group name HTTPS-to-SELF

class-map type inspect match-any INSIDE-OUT

match protocol dns

match protocol ntp

match protocol http

match protocol https

match protocol ftp

match protocol tcp

match protocol udp

match protocol bittorrent

match protocol pptp

match protocol isakmp

match protocol ipsec-msft

match protocol ssh

match protocol tftp

match protocol bootpc

match protocol bootps

class-map type inspect match-any OUTSIDE-IN

match access-group name WAN-IN

policy-map type inspect INSIDE-to-SELF

class type inspect DHCP-to-SELF

pass

class type inspect TRAFFIC-to-SELF

inspect

class class-default

drop

policy-map type inspect OUTSIDE-to-SELF

class type inspect OUTSIDE-IN

inspect

class type inspect ICMP

drop

class class-default

drop

policy-map type inspect INSIDE-OUT

class type inspect INSIDE-OUT

inspect

class type inspect ICMP

inspect

police rate 8000 burst 1000

class class-default

drop

policy-map type inspect OUTSIDE-IN

class type inspect OUTSIDE-IN

inspect

class type inspect ICMP

inspect

police rate 8000 burst 1000

class class-default

drop

zone security inside

description *** INSIDE ZONE ***

zone security outside

description *** OUTSIDE ZONE ***

zone-pair security INSIDE-to-OUTSIDE source inside destination outside

service-policy type inspect INSIDE-OUT

zone-pair security OUTSIDE-IN source outside destination inside

service-policy type inspect OUTSIDE-IN

zone-pair security INSIDE-to-SELF source inside destination self

service-policy type inspect INSIDE-to-SELF

zone-pair security OUTSIDE-to-SELF source outside destination self

service-policy type inspect OUTSIDE-to-SELF

I will remove the firewall and see if the errors persist.

Thanks

Cisco 887VA-W - dropped packets

Ashley Sahonta — Mon, 30 Jul 2012 21:15:02 GMT

Hi,

I just turned off the zone based firewall and it seems that it was the firewall causing the drop packets.

I have used CBAC before and not so much ZBF, however I have never come across these type of errors.

Please let me know if there is anything odd within the ZBF config.

Thanks,

Ash

Cisco 887VA-W - dropped packets

Julio Carvajal — Mon, 30 Jul 2012 21:36:55 GMT

Hello Ashley,

Of course it is the ZBFW dropping the packets.

ZBFW performs a deep packet inspection and will track and mantain a state table for the TCP connections.

In this case we are getting packets that do not agree with the information previusly seen on a current TCP session, that is why the packets are getting lost.

The ZBFW is doing it's job successfully, now you will need to focus on why this device is receiving tcp packets with invalid flags.

Now if you want to solve this for the moment (workaround) instead of inspecting the traffic just pass it. Again this would be a workaround.

Regards

Julio