09-02-2007 06:47 PM - edited 03-10-2019 03:46 AM
Hi all,
I'm getting a lot of dropped packets in the IOS firewall. Can anyone enlighten me as to why there are these few default dropping functions? What are the effects on my network? How do I disable/tune the dropping mechanism?
Due to RST:
503024: Sep 3 10:36:20.826 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to RST inside current window -- ip ident 53051 tcpflags 0x5014 seq.no 4089128565 ack 2915367815
Due to stray segments:
503026: Sep 3 10:37:10.434 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Stray Segment -- ip ident 11196 tcpflags 0x501 seq.no 4286787544 ack 896131408
Due to invalid segments:
503028: Sep 3 10:37:51.394 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Invalid Segment -- ip ident 59737 tcpflags 0x5004 seq.no 816531889 ack 0
Due to out of order segment:
Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Out-Of-Order Segment -- ip ident 17939 tcpflags 0x5010 seq.no 3092955571 ack 401998231
09-07-2007 08:15 AM
Condition:
When ip inspect or ip ips command is applied in combination with IPSEC on the egress FastEthernet interface
Workaround:
Disable both ip inspect and IPS
09-26-2007 10:54 PM
Thanks for the reply. It's sad that these features are turned on by default and there is no parameter to turn them off besides turning off the whole IOS FW module.
10-13-2007 08:04 AM
Build exceptions for IPSEC into your firewall and IPS rules.