04-07-2016 09:43 AM - edited 03-12-2019 12:35 AM
Hi All,
After more than a week of researching this I am just about ready to throw the box out of the window.
In the office we have four zones configured on an ISR-G2 router. Namely the outside, inside, dmz and byod.
I am trying to inspect a set of protocols on traffic going from the byod to the inside, but the router keeps dropping all tcp traffic with the following message:
156277: Apr 7 16:34:36.679 EET: %FW-6-DROP_PKT: Dropping tcp session 10.10.100.44:58773 10.10.1.3:80 on zone-pair BYOD_IN class BYOD_TO_NAS due to Invalid Segment with ip ident 17171
What I find interesting is that the box seems to be dropping only tcp traffic; udp and icmp go through properly.
This is definitely a firewall issue, since when I change the related class map to pass traffic then traffic goes through as expected.
The box is running the following IOS:
Version 15.4(3)M3, RELEASE SOFTWARE (fc2)
I have posted below the relevant part from my config for your consideration.
Please let me know if you see anything out of place.
I would also be happy if you could point me to some document that I may have missed that may explain this behavior.
I thank you all in advance,
Stathis
Config follows:
========================
INTERFACE CONFIGURATION
========================
interface Vlan40
description BYOD_NETWORK
ip address 10.10.100.2 255.255.255.0
ip helper-address 10.10.1.4
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security BYOD
ip tcp adjust-mss 1412
end
interface Vlan75
description Management Vlan
ip address 10.10.1.101 255.255.255.0
ip helper-address 10.10.1.4
no ip redirects
no ip proxy-arp
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 EIGRP_KEYS
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
ip policy route-map Distribute
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 xxxxx
end
============================
BYOD TO SERVER POLICIES
============================
Policy Map type inspect BYOD_IN_POLICY
Class BYOD_TO_NAS
Inspect
Class BYOD_TO_IN_DNS
Inspect
Class class-default
Drop log
Class Map type inspect match-all BYOD_TO_NAS
Match class-map BYOD_TO_NAS_PROTOCOLS
Match access-group name BYOD_TO_NAS
Class Map type inspect match-any BYOD_TO_NAS_PROTOCOLS
Match protocol http
Match protocol https
Match protocol ftp
Match protocol microsoft-ds
Match protocol nfs
Match protocol cifs
Match protocol netbios-dgm
Match protocol netbios-ns
Match protocol netbios-ssn
Match protocol ftps
Extended IP access list BYOD_TO_NAS
10 permit ip 10.10.100.0 0.0.0.255 host 10.10.1.3
===============================
SERVER TO BYOD POLICIES
===============================
Policy Map type inspect IN_TO_BYOD_ALLOWED
Class NAS_TO_BYOD
Inspect
Class class-default
Drop log
Class Map type inspect match-all NAS_TO_BYOD
Match class-map IN_TO_BYOD_GENERAL_PROTOCOLS
Match access-group name NAS_TO_BYOD
Class Map type inspect match-any IN_TO_BYOD_GENERAL_PROTOCOLS (id 264)
Match protocol tcp
Match protocol udp
Match protocol icmp
Extended IP access list NAS_TO_BYOD
10 permit ip host 10.10.1.3 10.10.100.0 0.0.0.255
04-10-2016 02:05 PM
Hi Philip,
I did try this suggestion, but unfortunately there is no change.
I also tried removing the route-map completely, but again the same behavior persists.
04-18-2016 01:56 AM
Hi All,
We were able to resolve this after all.
It was actually not related to that particular ISR.
In fact the problem was with a core switch in the network that was interfering with the routing to that router.
Thank you Philip for the interest you demonstrated in this.
Kind regards,