01-06-2012 02:52 PM - edited 03-11-2019 03:11 PM
Hi,
Here is an example of a ZFW setup on an IOS 2800 router. Below are the error messages I am getting and the router config.
I am wondering why I am getting the "...due to Invalid Segment with ip ident 0" error message. Should it just be dropping the session because of the ZFW configuration?
IOS version is advipservicesk9-m, 15.1(1)T
Thanks
R2-IPX#
*Jan 6 23:19:43: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.7.7.20)
R2-IPX#
*Jan 6 23:19:49: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to Invalid Segment with ip ident 0
R2-IPX#
*Jan 6 23:20:38: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to Invalid Flags with ip ident 0
R2-IPX#
*Jan 6 23:21:31: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to Invalid Flags with ip ident 0
R2-IPX#
R2-IPX#
R2-IPX#
R2-IPX#sh run
Building configuration...
Current configuration : 5400 bytes
!
! Last configuration change at 23:19:43 UTC Fri Jan 6 2012 by admin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime
no service password-encryption
!
hostname R2-IPX
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 4096
!
aaa new-model
!
!
aaa group server tacacs+ AAA
 server 10.7.7.30
!
aaa authentication login AAA group tacacs+ local
aaa authentication login AAA-LOCAL local
aaa authentication enable default group AAA enable
aaa authorization commands 1 default group AAA if-authenticated
aaa authorization commands 15 default group AAA if-authenticated
aaa accounting exec default
 action-type start-stop
 group AAA
!
aaa accounting commands 1 default
 action-type start-stop
 group AAA
!
aaa accounting commands 15 default
 action-type start-stop
 group AAA
!
aaa accounting network default
 action-type start-stop
 group AAA
!
aaa accounting connection default
 action-type start-stop
 group AAA
!
aaa accounting system default
 action-type start-stop
 group AAA
aaa session-id common
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name ip.net
ip port-map user-PORT9001 port tcp 9001
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type inspect global
 log dropped-packets enable
!
voice-card 0
!
!
!
username admin privilege 15 password 0 password
!
redundancy
!
!
!
class-map type inspect match-any CM-TCPUDP
 description **Inspect tcp OR udp**
 match protocol tcp
 match protocol udp
class-map type inspect match-all user-PORT9001
 match protocol user-PORT9001
class-map type inspect match-all CM-ICMP
 description **to match prot icmp and types defined in ICMP**
 match protocol icmp
 match access-group name ICMP
!
!
policy-map type inspect PM-INSIDE->DC
 description ** from INSIDE to DC **
 class type inspect CM-TCPUDP
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
policy-map type inspect PM-EXEC->DC
 description **port mapping from EXEC to DC **
 class type inspect user-PORT9001
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
policy-map type inspect PM-DC->EXEC
 class type inspect CM-ICMP
 class class-default
  drop
policy-map type inspect PM-EXEC->OUTSIDE
 description **from EXEC to OUTSIDE**
 class type inspect CM-TCPUDP
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
policy-map type inspect PM-IN->OUTSIDE
 description **from INSIDE to OUTSIDE**
 class type inspect CM-TCPUDP
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
policy-map type inspect PM-DC->OUTSIDE
 description ** from DC to OUTSIDE **
 class type inspect CM-TCPUDP
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
!
zone security OUTSIDE
zone security INSIDE
zone security EXEC
zone security DC
zone-pair security IN-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN->OUTSIDE
zone-pair security EXEC-OUTSIDE source EXEC destination OUTSIDE
 service-policy type inspect PM-EXEC->OUTSIDE
zone-pair security DC-OUTSIDE source DC destination OUTSIDE
 service-policy type inspect PM-DC->OUTSIDE
zone-pair security INSIDE-DC source INSIDE destination DC
 service-policy type inspect PM-INSIDE->DC
zone-pair security EXEC-DC source EXEC destination DC
 service-policy type inspect PM-EXEC->DC
zone-pair security DC-EXEC source DC destination EXEC
 service-policy type inspect PM-DC->EXEC
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.0.0.0
!
interface FastEthernet0/0
 ip address 192.1.24.102 255.255.255.0
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface FastEthernet0/0.8
 shutdown
!
interface FastEthernet0/0.9
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.7
 encapsulation dot1Q 7
 ip address 10.7.7.102 255.255.255.0
 zone-member security INSIDE
!
interface FastEthernet0/1.34
 encapsulation dot1Q 34
 ip address 10.34.34.102 255.255.255.0
 zone-member security DC
!
interface FastEthernet0/1.44
 encapsulation dot1Q 44
 ip address 10.44.44.102 255.255.255.0
 zone-member security EXEC
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
router ospf 1
 log-adjacency-changes
 network 10.7.7.0 0.0.0.255 area 100
 network 10.34.34.0 0.0.0.255 area 100
 network 10.44.44.0 0.0.0.255 area 100
 network 10.100.100.0 0.0.0.255 area 100
 network 192.1.24.0 0.0.0.255 area 100
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static 10.7.7.20 192.1.24.20
ip route 1.0.0.0 255.0.0.0 FastEthernet0/0
ip route 3.0.0.0 255.0.0.0 FastEthernet0/0
ip route 7.7.7.7 255.255.255.255 192.1.24.108
ip route 10.88.88.0 255.255.255.0 192.1.24.108
ip route 10.100.100.0 255.255.255.0 192.1.24.103
!
ip access-list extended ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 60 0
 privilege level 15
 logging synchronous
 login authentication AAA-LOCAL
line aux 0
line vty 0 4
 exec-timeout 120 0
 privilege level 15
 logging synchronous
 login authentication AAA
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
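As an added example (not part of the original post), a small Python parser for the %FW-6-DROP_PKT lines quoted above. It groups drops by zone-pair/class, by drop reason and by 5-tuple, so a single session being rejected repeatedly by TCP state tracking (here 10.7.7.30:4167 -> 10.34.34.250:9001) stands out from one-off denials. The sample log is constructed from the messages in the post plus one invented INSIDE->OUTSIDE "Stray Segment" line; the reason strings come from this thread, not from Cisco documentation.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Field layout of the %FW-6-DROP_PKT message exactly as it appears in the thread.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
)

def parse_drop(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one ZFW drop message, or None for any other syslog line."""
    m = DROP_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines: List[str]) -> Dict[str, Counter]:
    """Count drops per (zone-pair, class), per reason string and per 5-tuple."""
    by_policy: Counter = Counter()
    by_reason: Counter = Counter()
    by_flow: Counter = Counter()
    for line in lines:
        d = parse_drop(line)
        if d is None:
            continue  # CONFIG_I and other non-drop messages are skipped
        by_policy[(d["zone_pair"], d["cls"])] += 1
        by_reason[d["reason"]] += 1
        by_flow[(d["proto"], d["src"], d["sport"], d["dst"], d["dport"])] += 1
    return {"by_policy": by_policy, "by_reason": by_reason, "by_flow": by_flow}

def repeated_flows(summary: Dict[str, Counter], threshold: int = 2) -> List[Tuple[str, ...]]:
    """Flows dropped at least `threshold` times: the same session being rejected
    over and over by stateful inspection rather than a one-off denial."""
    return [flow for flow, n in summary["by_flow"].items() if n >= threshold]

# Constructed sample: the three drops from the post, one non-drop message, and one
# invented INSIDE->OUTSIDE "Stray Segment" drop like the one mentioned in the follow-up.
SAMPLE_LOG = [
    "*Jan 6 23:19:43: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.7.7.20)",
    "*Jan 6 23:19:49: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 "
    "on zone-pair INSIDE-DC class CM-TCPUDP due to Invalid Segment with ip ident 0",
    "*Jan 6 23:20:38: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 "
    "on zone-pair INSIDE-DC class CM-TCPUDP due to Invalid Flags with ip ident 0",
    "*Jan 6 23:21:31: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 "
    "on zone-pair INSIDE-DC class CM-TCPUDP due to Invalid Flags with ip ident 0",
    "*Jan 6 23:25:02: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4201 192.1.24.108:80 "
    "on zone-pair IN-OUTSIDE class CM-TCPUDP due to Stray Segment with ip ident 0",
]
```

Feed it the output of `show logging` and compare `by_reason` against `by_policy`: drops on an inspected class with reasons like "Invalid Segment" or "Invalid Flags" are state-tracking rejections of an existing flow, which is a different problem from traffic that is simply not permitted by the policy.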
01-06-2012 03:06 PM
Hello,
Are you getting these logs just for traffic going to port 9001?
Julio
01-06-2012 03:14 PM
Not just for port 9001;
for traffic in the INSIDE->OUTSIDE direction I got dropped TCP sessions due to "stray segment with ip ident 0".
01-06-2012 04:15 PM
Hello,
Okay, so all traffic gets dropped. Can you be a little more specific, please?
Then I will look for an answer on this.
Regards,
Julio