07-14-2012 03:43 PM - edited 03-11-2019 04:31 PM
Hi,
I have an 887VA-w connected at home. I am using ip virtual-reassembly on all interfaces (dialer and all internal VLANs), I am also using CBAC (currently setting up ZBF). The issue I am having is that I keep getting drop packet error messages and the reasons can differ. Below are some of the outputs I receive:
Jul 14 2012 23:38:09: %FW-6-DROP_PKT: Dropping Other session 64.215.255.24:443 192.168.12.11:59748 due to Retransmitted Segment with Invalid Flags with ip ident 0 tcpflags 0x5004 seq.no 4247336252 ack 0
Home-Router#
Jul 14 2012 23:38:49: %FW-6-DROP_PKT: Dropping Other session 64.215.255.24:443 192.168.12.11:59825 due to Retransmitted Segment with Invalid Flags with ip ident 0 tcpflags 0x5004 seq.no 570307557 ack 0
Home-Router#
Jul 14 2012 23:39:26: %FW-6-DROP_PKT: Dropping http session 77.73.32.100:80 192.168.12.11:59859 due to SYN inside current window with ip ident 0 tcpflags 0x8012 seq.no 3980996654 ack 398106525
Home-Router#
Jul 14 2012 23:40:01: %FW-6-DROP_PKT: Dropping Other session 92.21.177.174:52564 23.32.26.224:443 due to Retransmitted Segment with Invalid Flags with ip ident 50491 tcpflags 0x5004 seq.no 2961330137 ack 0
Home-Router#
Jul 14 2012 23:41:06: %FW-6-DROP_PKT: Dropping Other session 173.194.34.94:443 192.168.12.11:59736 due to Retransmitted Segment with Invalid Flags with ip ident 7027 tcpflags 0x5004 seq.no 3898183889 ack 0
I have done a show ip virtual-reassembly on all the interfaces and the counter is shown as 0.
Can someone shed some light on this situation??
Thanks,
Ash
07-20-2012 12:00 PM
Hi Bro
This error message indicates that the IP 173.194.34.94 has received and acknowledged the various retransmitted packets from 192.168.12.11:59736. This can be seen occurring numerous times, based on the countless TCP Sequence Numbers, as shown in your capture. Why is 192.168.12.11 sending out numerous packets? What device is 192.168.12.11?
This has nothing to do with the “ip virtual-reassembly” command as this error doesn’t concern fragmentation.
Perhaps you could remove the “ip inspect XXX in” command and verify if you’re still getting this message. If yes, then this is a configuration error in your CBAC. I’m guessing you’ve not enabled ZFW yet.
By the way, perhaps this URL could assist you further https://supportforums.cisco.com/thread/237095
P/S: If you think my comments are helpful, please do rate them nicely :-)
07-29-2012 02:22 PM
Hi,
Thanks for the response. I previously had CBAC. I have now removed all CBAC config and applied zone based firewall and I am still getting the drop messages.
I am using version 15.1. Do you know if this is a bug issue?
Ash
07-29-2012 08:48 PM
Hi There
This is just my suggestion: could you remove your ZFW completely and ensure this is working? If yes, then when you paste in your ZFW config and it doesn't work fine, we can narrow it down to the ZFW config or a bug. Could you paste your ZFW config here?
07-30-2012 02:08 PM
Here is the zone based firewall config:
class-map type inspect match-all ICMP
match protocol icmp
class-map type inspect match-any DHCP-to-SELF
match protocol bootps
match protocol bootpc
class-map type inspect match-any TRAFFIC-to-SELF
match access-group name ICMP-TRAFFIC-ACL
match access-group name VTY-IN
match access-group 99
match access-group name ALLOW-DHCP
match access-group name HTTPS-to-SELF
class-map type inspect match-any INSIDE-OUT
match protocol dns
match protocol ntp
match protocol http
match protocol https
match protocol ftp
match protocol tcp
match protocol udp
match protocol bittorrent
match protocol pptp
match protocol isakmp
match protocol ipsec-msft
match protocol ssh
match protocol tftp
match protocol bootpc
match protocol bootps
class-map type inspect match-any OUTSIDE-IN
match access-group name WAN-IN
!
!
policy-map type inspect INSIDE-to-SELF
class type inspect DHCP-to-SELF
pass
class type inspect TRAFFIC-to-SELF
inspect
class class-default
drop
policy-map type inspect OUTSIDE-to-SELF
class type inspect OUTSIDE-IN
inspect
class type inspect ICMP
drop
class class-default
drop
policy-map type inspect INSIDE-OUT
class type inspect INSIDE-OUT
inspect
class type inspect ICMP
inspect
police rate 8000 burst 1000
class class-default
drop
policy-map type inspect OUTSIDE-IN
class type inspect OUTSIDE-IN
inspect
class type inspect ICMP
inspect
police rate 8000 burst 1000
class class-default
drop
!
zone security inside
description *** INSIDE ZONE ***
zone security outside
description *** OUTSIDE ZONE ***
zone-pair security INSIDE-to-OUTSIDE source inside destination outside
service-policy type inspect INSIDE-OUT
zone-pair security OUTSIDE-IN source outside destination inside
service-policy type inspect OUTSIDE-IN
zone-pair security INSIDE-to-SELF source inside destination self
service-policy type inspect INSIDE-to-SELF
zone-pair security OUTSIDE-to-SELF source outside destination self
service-policy type inspect OUTSIDE-to-SELF
!
I will remove the firewall and see if the errors persist.
Thanks
07-30-2012 02:15 PM
Hi,
I just turned off the zone based firewall and it seems that it was the firewall causing the drop packets.
I have used CBAC before and not so much ZBF; however, I have never come across these types of errors.
Please let me know if there is anything odd within the ZBF config.
Thanks,
Ash
07-30-2012 02:36 PM
Hello Ashley,
Of course it is the ZBFW dropping the packets.
ZBFW performs a deep packet inspection and will track and maintain a state table for the TCP connections.
In this case we are getting packets that do not agree with the information previously seen on a current TCP session, that is why the packets are getting lost.
The ZBFW is doing its job successfully, now you will need to focus on why this device is receiving TCP packets with invalid flags.
Now, if you want to solve this for the moment (a workaround), instead of inspecting the traffic, just pass it. Again, this would be a workaround.
Regards
Julio
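Julio's point that the firewall is rejecting segments whose flags disagree with its state table can be checked straight from the log lines Ash posted: the tcpflags value is the TCP header's data-offset/flags word, so 0x5004 decodes to a 20-byte header carrying only RST (with ack 0, i.e. a bare reset), and 0x8012 decodes to a 32-byte header carrying SYN+ACK, which matches the "SYN inside current window" reason. The Python below is an added example for triaging %FW-6-DROP_PKT output, not code from this thread or from Cisco; it assumes that the tcpflags field is that header word (the values on the page are consistent with this) and that 192.168.12.0/24 is the inside network. The three sample lines are copied from the thread.

```python
import re
from collections import Counter

# The three %FW-6-DROP_PKT lines below are copied from the thread; the parser
# treats them as its sample input so the script runs offline.
SAMPLE_LOG = """\
Jul 14 2012 23:38:09: %FW-6-DROP_PKT: Dropping Other session 64.215.255.24:443 192.168.12.11:59748 due to Retransmitted Segment with Invalid Flags with ip ident 0 tcpflags 0x5004 seq.no 4247336252 ack 0
Jul 14 2012 23:39:26: %FW-6-DROP_PKT: Dropping http session 77.73.32.100:80 192.168.12.11:59859 due to SYN inside current window with ip ident 0 tcpflags 0x8012 seq.no 3980996654 ack 398106525
Jul 14 2012 23:40:01: %FW-6-DROP_PKT: Dropping Other session 92.21.177.174:52564 23.32.26.224:443 due to Retransmitted Segment with Invalid Flags with ip ident 50491 tcpflags 0x5004 seq.no 2961330137 ack 0
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<a_ip>[\d.]+):(?P<a_port>\d+) (?P<b_ip>[\d.]+):(?P<b_port>\d+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+) "
    r"tcpflags 0x(?P<flags>[0-9a-fA-F]+) seq\.no (?P<seq>\d+) ack (?P<ack>\d+)"
)

# Names of the low 9 bits of the TCP offset/flags word (RFC 793, plus ECE/CWR/NS).
TCP_FLAG_BITS = [
    (0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
    (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"), (0x100, "NS"),
]


def decode_tcpflags(word):
    """Split the 16-bit tcpflags value into (header length in bytes, flag names).

    Assumption: IOS prints bytes 12-13 of the TCP header verbatim, so the top
    nibble is the data offset in 32-bit words and the low 9 bits are the flags.
    """
    header_len = ((word >> 12) & 0xF) * 4
    flags = [name for bit, name in TCP_FLAG_BITS if word & bit]
    return header_len, flags


def parse_drop_line(line):
    """Return a dict for one %FW-6-DROP_PKT line, or None for any other syslog line."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("a_port", "b_port", "ident", "seq", "ack"):
        rec[key] = int(rec[key])
    rec["flags_word"] = int(rec.pop("flags"), 16)
    rec["header_len"], rec["flags"] = decode_tcpflags(rec["flags_word"])
    return rec


def explain(rec):
    """One-line triage hint: what the flag bits say about why the state check failed."""
    flags = set(rec["flags"])
    if flags == {"RST"} and rec["ack"] == 0:
        return "bare RST (no ACK, ack=0) that does not match the state held for this session"
    if {"SYN", "ACK"} <= flags:
        return "SYN/ACK whose sequence number lands inside the tracked session's window"
    if "SYN" in flags:
        return "new SYN on a session the firewall already tracks"
    return "flags " + "+".join(rec["flags"]) + " disagree with the tracked session state"


def summarize(log_text):
    """Count drops per (reason, flag combination) and list the inside hosts involved.

    Assumption: 192.168.12.0/24 (the addresses in the thread) is the inside network.
    """
    by_reason = Counter()
    inside_hosts = set()
    for line in log_text.splitlines():
        rec = parse_drop_line(line)
        if rec is None:
            continue
        by_reason[(rec["reason"], "+".join(rec["flags"]))] += 1
        for ip in (rec["a_ip"], rec["b_ip"]):
            if ip.startswith("192.168.12."):
                inside_hosts.add(ip)
    return by_reason, sorted(inside_hosts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_drop_line(line)
        print(f"{rec['reason']}: tcpflags 0x{rec['flags_word']:04x} -> "
              f"{rec['header_len']}-byte header, flags {'+'.join(rec['flags'])}; "
              f"{explain(rec)}")
    counts, hosts = summarize(SAMPLE_LOG)
    for (reason, flags), n in counts.most_common():
        print(f"{n:3d}  {reason} [{flags}]")
    print("inside hosts seen:", hosts)
```

Run against a longer capture, the per-reason counts tell you whether one inside host or one remote peer dominates the drops, which is the question the replies above keep returning to (what is 192.168.12.11 and why is it involved in out-of-state segments) before deciding between leaving inspection on and Julio's pass-instead-of-inspect workaround.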