HELP Ios ZBF Drops TCP traffic with "Invalid Segment"

stathis_iku
Level 1

Hi All,

After more than a week researching this I am just about ready to throw the box out of the window.

In the office we have four zones configured on an ISR-G2 router. Namely the outside, inside, dmz and byod.

I am trying to inspect a set of protocols on traffic going from the byod to the inside, but the router keeps dropping all tcp traffic with the following message:

156277: Apr  7 16:34:36.679 EET: %FW-6-DROP_PKT: Dropping tcp session 10.10.100.44:58773 10.10.1.3:80 on zone-pair BYOD_IN class BYOD_TO_NAS due to  Invalid Segment with ip ident 17171

What I find interesting is that the box seems to be dropping only tcp traffic; udp and icmp go through properly.

This is definitely a firewall issue, since when I change the related class map to pass traffic then traffic goes through as expected.

The box is running the following IOS.

Version 15.4(3)M3, RELEASE SOFTWARE (fc2)

I have posted below the relevant part from my config for your consideration.

Please let me know if you see anything out of place.

I would also be happy if you could point me to some document that I may have missed that may explain this behavior.

I thank you all in advance,

Stathis

Config follows:

========================

INTERFACE CONFIGURATION

========================

interface Vlan40
description BYOD_NETWORK
ip address 10.10.100.2 255.255.255.0
ip helper-address 10.10.1.4
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security BYOD
ip tcp adjust-mss 1412
end

interface Vlan75
description Management Vlan
ip address 10.10.1.101 255.255.255.0
ip helper-address 10.10.1.4
no ip redirects
no ip proxy-arp
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 EIGRP_KEYS
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
ip policy route-map Distribute
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 xxxxx
end

============================

BYOD TO SERVER POLICIES

============================


Policy Map type inspect BYOD_IN_POLICY
Class BYOD_TO_NAS
Inspect
Class BYOD_TO_IN_DNS
Inspect
Class class-default
Drop log

Class Map type inspect match-all BYOD_TO_NAS
Match class-map BYOD_TO_NAS_PROTOCOLS
Match access-group name BYOD_TO_NAS

Class Map type inspect match-any BYOD_TO_NAS_PROTOCOLS
Match protocol http
Match protocol https
Match protocol ftp
Match protocol microsoft-ds
Match protocol nfs
Match protocol cifs
Match protocol netbios-dgm
Match protocol netbios-ns
Match protocol netbios-ssn
Match protocol ftps

Extended IP access list BYOD_TO_NAS
10 permit ip 10.10.100.0 0.0.0.255 host 10.10.1.3

===============================

SERVER TO BYOD POLICIES

===============================

Policy Map type inspect IN_TO_BYOD_ALLOWED
Class NAS_TO_BYOD
Inspect
Class class-default
Drop log

Class Map type inspect match-all NAS_TO_BYOD
Match class-map IN_TO_BYOD_GENERAL_PROTOCOLS
Match access-group name NAS_TO_BYOD

Class Map type inspect match-any IN_TO_BYOD_GENERAL_PROTOCOLS (id 264)
Match protocol tcp
Match protocol udp
Match protocol icmp

Extended IP access list NAS_TO_BYOD
10 permit ip host 10.10.1.3 10.10.100.0 0.0.0.255
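The %FW-6-DROP_PKT line quoted above is the only evidence the firewall gives, so being able to pull it apart and count drops per zone-pair, class, protocol and reason is the quickest way to confirm an observation like "only tcp is dropped". The parser below is an added example written for this thread, not Cisco code and not part of the original post; the field names are our own labels, and apart from the one line quoted from the post, the sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Pattern for the IOS zone-based firewall drop message seen in the post.
# Built from the single line quoted in the thread; "with ip ident N" is
# treated as optional in case other drop reasons omit it (an assumption).
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to\s+(?P<reason>.+?)(?: with ip ident (?P<ip_ident>\d+))?\s*$"
)


def parse_drop(line):
    """Return a dict of fields for one %FW-6-DROP_PKT line, or None."""
    m = DROP_RE.search(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    d["ip_ident"] = int(d["ip_ident"]) if d["ip_ident"] is not None else None
    d["reason"] = d["reason"].strip()
    return d


def summarize(lines):
    """Count drops keyed by (zone_pair, class, proto, reason)."""
    counts = Counter()
    for line in lines:
        d = parse_drop(line)
        if d:
            counts[(d["zone_pair"], d["cls"], d["proto"], d["reason"])] += 1
    return counts


def protocols_dropped(lines):
    """Map each zone-pair to the set of protocols that were dropped on it.

    Useful to check the kind of claim made in the post: if BYOD_IN shows
    only {'tcp'} while udp/icmp flows are known to pass, the drop is
    specific to TCP segment validation rather than to the class match.
    """
    per_pair = defaultdict(set)
    for line in lines:
        d = parse_drop(line)
        if d:
            per_pair[d["zone_pair"]].add(d["proto"])
    return dict(per_pair)


# Constructed sample log. The first line is the one quoted in the post;
# the others are made up for illustration and are not from the thread.
SAMPLE_LOGS = [
    "156277: Apr  7 16:34:36.679 EET: %FW-6-DROP_PKT: Dropping tcp session "
    "10.10.100.44:58773 10.10.1.3:80 on zone-pair BYOD_IN class BYOD_TO_NAS "
    "due to  Invalid Segment with ip ident 17171",
    "156278: Apr  7 16:34:37.102 EET: %FW-6-DROP_PKT: Dropping tcp session "
    "10.10.100.44:58774 10.10.1.3:443 on zone-pair BYOD_IN class BYOD_TO_NAS "
    "due to  Invalid Segment with ip ident 17172",
    "156279: Apr  7 16:34:38.511 EET: %FW-6-DROP_PKT: Dropping udp session "
    "10.10.100.51:5000 10.10.1.9:5000 on zone-pair BYOD_IN class class-default "
    "due to  policy match failure with ip ident 0",
    "156280: Apr  7 16:34:39.000 EET: %SYS-5-CONFIG_I: Configured from console",
]


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOGS).items():
        print(n, key)
    print(protocols_dropped(SAMPLE_LOGS))
```

Feed it the output of `show logging` (or a syslog export) instead of SAMPLE_LOGS; lines that are not %FW-6-DROP_PKT messages are ignored. Because the class name and reason are kept separate, a sudden rise in "Invalid Segment" drops on one zone-pair stands out from ordinary class-default drops, which is what you want to alert on when a path change elsewhere in the network starts feeding the firewall out-of-state TCP segments.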

16 Replies

Hi Philip,

I did try this suggestion but unfortunately there is no change.

I also tried removing the route-map completely, and again the same behavior persists.

Hi All,

We were able to resolve this after all.

It was actually not related to that particular ISR.

In fact the problem was with a core switch in the network that was interfering with the routing to that router.

Thank you Philip for the interest you demonstrated in this.

Kind regards,
