topic Re: Inspection Issues with 12.4 T Code Versions in Network Security

Inspection Issues with 12.4 T Code Versions

kenneth.rogers — Mon, 11 Mar 2019 16:24:08 GMT

We are in the process of looking for a code to begin ZBF implementation. Currently we have tried about 4 versions of 12.4 T code lines and have encountered the same issue each time. If we have two subnets configured on the same interface, with inspection enabled, the subnets are unable to communicate with each other. The following errors are seen in the inspect drop log:

Oct 6 2009 20:29:34 CDT: %FW-6-DROP_PKT: Dropping tcp session 10.32.120.213:3671 170.211.162.3:524 due to Invalid Segment with ip ident 61659 tcpflags 0x5010 seq.no 2534202883 ack 3333181490

We have been working with TAC and so far have been unable to identify a specific bug. We have tried older and the latest IOS versions. The only workaround is to disable inspection, but prefer not to do that. Anyone else encountered this or have identified a specific bug?

Thanks

Re: Inspection Issues with 12.4 T Code Versions

Kureli Sankar — Wed, 07 Oct 2009 23:22:28 GMT

What other codes did you try? What inspections do you have enabled?

The same syslog would have a little more information in 12.4(24)T

Have you tried 15.0.1M?

Have you tried to collect captures on both sides to see if packets arrive out of order if so, it could be due to CSCtc40876 and 15.0.1M would have the fix.

Re: Inspection Issues with 12.4 T Code Versions

sadsiddi — Thu, 08 Oct 2009 03:09:39 GMT

what is the TAC case#?

Re: Inspection Issues with 12.4 T Code Versions

kenneth.rogers — Thu, 08 Oct 2009 14:00:31 GMT

The images we have tried are:

c1841-adventerprisek9-mz.124-

22.T3.bin

c1841-adventerprisek9-mz.124-24.T.bin

c1841-adventerprisek9-mz.124-20.T4.bin

Also experienced the same with a 2811 router running c2800nm-advipservicesk9-mz.124-15.T9

We are inspecting the following:

tcp

udp

ftp

smtp

rcmd

vdolive

streamworks

rtsp

cuseeme

netshow

msrpc

I have not tried any additional codes or conducted any packet captures due to disturbing a production site.

Our TAC case is 612538115. Please do not think I am trying to by-pass TAC as our engineer is doing an excellent job as always in researching this. I just want to see if anyone else out there has encountered this.

Re: Inspection Issues with 12.4 T Code Versions

Kureli Sankar — Sun, 11 Oct 2009 21:27:35 GMT

Best option is to try with minimum inspections.

tcp

udp

ftp

ropping tcp session 10.32.120.213:3671 170.211.162.3:524

What application is this listening on port 524? Is this Novell Core Portocol?

When you enable the FW, do http, smtp and other commonly used protol work?

Problem is only with tcp 524?

Like your TAC engineer already mentioned this may be due to asymmetry in routing. To verify this, we need packets captures before and after the router so, we can compare the seq. numbers and ack. numbers and also look at the syslog message and figure out why the FW may be dropping these packets.