01-06-2012 02:52 PM - edited 03-11-2019 03:11 PM
Hi,
Here is an example of a ZFW setup on an IOS 2800 router. Below are the error messages I am getting and the router config.
Wondering why I am getting the "...due to Invalid Segment with ip ident 0" error message? Should it just be dropping the session because of the ZFW configuration?
IOS version is advipservicesk9-m, 15.1(1)T
Thanks
R2-IPX#
*Jan 6 23:19:43: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.7.7.20)
R2-IPX#
*Jan 6 23:19:49: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to Invalid Segment with ip ident 0
R2-IPX#
*Jan 6 23:20:38: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to Invalid Flags with ip ident 0
R2-IPX#
*Jan 6 23:21:31: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to Invalid Flags with ip ident 0
R2-IPX#
R2-IPX#
R2-IPX#
R2-IPX#sh run
Building configuration...
Current configuration : 5400 bytes
!
! Last configuration change at 23:19:43 UTC Fri Jan 6 2012 by admin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime
no service password-encryption
!
hostname R2-IPX
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 4096
!
aaa new-model
!
!
aaa group server tacacs+ AAA
server 10.7.7.30
!
aaa authentication login AAA group tacacs+ local
aaa authentication login AAA-LOCAL local
aaa authentication enable default group AAA enable
aaa authorization commands 1 default group AAA if-authenticated
aaa authorization commands 15 default group AAA if-authenticated
aaa accounting exec default
action-type start-stop
group AAA
!
aaa accounting commands 1 default
action-type start-stop
group AAA
!
aaa accounting commands 15 default
action-type start-stop
group AAA
!
aaa accounting network default
action-type start-stop
group AAA
!
aaa accounting connection default
action-type start-stop
group AAA
!
aaa accounting system default
action-type start-stop
group AAA
aaa session-id common
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name ip.net
ip port-map user-PORT9001 port tcp 9001
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type inspect global
log dropped-packets enable
!
voice-card 0
!
!
!
username admin privilege 15 password 0 password
!
redundancy
!
!
!
class-map type inspect match-any CM-TCPUDP
description **Inspect tcp OR udp**
match protocol tcp
match protocol udp
class-map type inspect match-all user-PORT9001
match protocol user-PORT9001
class-map type inspect match-all CM-ICMP
description **to match prot icmp and types defined in ICMP**
match protocol icmp
match access-group name ICMP
!
!
policy-map type inspect PM-INSIDE->DC
description ** from INSIDE to DC **
class type inspect CM-TCPUDP
inspect
class type inspect CM-ICMP
pass
class class-default
drop
policy-map type inspect PM-EXEC->DC
description **port mapping from EXEC to DC **
class type inspect user-PORT9001
inspect
class type inspect CM-ICMP
pass
class class-default
drop
policy-map type inspect PM-DC->EXEC
class type inspect CM-ICMP
class class-default
drop
policy-map type inspect PM-EXEC->OUTSIDE
description **from EXEC to OUTSIDE**
class type inspect CM-TCPUDP
inspect
class type inspect CM-ICMP
pass
class class-default
drop
policy-map type inspect PM-IN->OUTSIDE
description **from INSIDE to OUTSIDE**
class type inspect CM-TCPUDP
inspect
class type inspect CM-ICMP
pass
class class-default
drop
policy-map type inspect PM-DC->OUTSIDE
description ** from DC to OUTSIDE **
class type inspect CM-TCPUDP
inspect
class type inspect CM-ICMP
pass
class class-default
drop
!
zone security OUTSIDE
zone security INSIDE
zone security EXEC
zone security DC
zone-pair security IN-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect PM-IN->OUTSIDE
zone-pair security EXEC-OUTSIDE source EXEC destination OUTSIDE
service-policy type inspect PM-EXEC->OUTSIDE
zone-pair security DC-OUTSIDE source DC destination OUTSIDE
service-policy type inspect PM-DC->OUTSIDE
zone-pair security INSIDE-DC source INSIDE destination DC
service-policy type inspect PM-INSIDE->DC
zone-pair security EXEC-DC source EXEC destination DC
service-policy type inspect PM-EXEC->DC
zone-pair security DC-EXEC source DC destination EXEC
service-policy type inspect PM-DC->EXEC
!
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.0.0.0
!
interface FastEthernet0/0
ip address 192.1.24.102 255.255.255.0
zone-member security OUTSIDE
duplex auto
speed auto
!
interface FastEthernet0/0.8
shutdown
!
interface FastEthernet0/0.9
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.7
encapsulation dot1Q 7
ip address 10.7.7.102 255.255.255.0
zone-member security INSIDE
!
interface FastEthernet0/1.34
encapsulation dot1Q 34
ip address 10.34.34.102 255.255.255.0
zone-member security DC
!
interface FastEthernet0/1.44
encapsulation dot1Q 44
ip address 10.44.44.102 255.255.255.0
zone-member security EXEC
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
router ospf 1
log-adjacency-changes
network 10.7.7.0 0.0.0.255 area 100
network 10.34.34.0 0.0.0.255 area 100
network 10.44.44.0 0.0.0.255 area 100
network 10.100.100.0 0.0.0.255 area 100
network 192.1.24.0 0.0.0.255 area 100
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static 10.7.7.20 192.1.24.20
ip route 1.0.0.0 255.0.0.0 FastEthernet0/0
ip route 3.0.0.0 255.0.0.0 FastEthernet0/0
ip route 7.7.7.7 255.255.255.255 192.1.24.108
ip route 10.88.88.0 255.255.255.0 192.1.24.108
ip route 10.100.100.0 255.255.255.0 192.1.24.103
!
ip access-list extended ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
!
control-plane
!
!
!
!
!
!
!
!
line con 0
exec-timeout 60 0
privilege level 15
logging synchronous
login authentication AAA-LOCAL
line aux 0
line vty 0 4
exec-timeout 120 0
privilege level 15
logging synchronous
login authentication AAA
transport input telnet ssh
!
scheduler allocate 20000 1000
end
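As an added example that is not part of the original post: a small parser that pulls the fields out of %FW-6-DROP_PKT lines like the ones quoted above and summarizes drops per zone-pair, class and reason, and per flow. Note that the class named in the quoted messages (CM-TCPUDP) carries the inspect action in the posted config, so these drops come out of the TCP inspection checks rather than the class-default drop. Grouping them this way makes that distinction visible across a whole log buffer. The sample log lines are constructed to match the format shown in the post; the helper names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the messages quoted in the post above
# (the same flow dropped three times, plus one unrelated syslog line).
SAMPLE_LOG = """\
*Jan 6 23:19:49: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to Invalid Segment with ip ident 0
*Jan 6 23:20:38: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to Invalid Flags with ip ident 0
*Jan 6 23:21:31: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to Invalid Flags with ip ident 0
*Jan 6 23:22:05: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.7.7.20)
"""

# Field layout as it appears in the quoted messages; the reason text is
# matched lazily up to the trailing "with ip ident N".
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zpair>\S+) class (?P<cls>\S+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
)


def parse_drops(text):
    """Return one dict per FW-6-DROP_PKT line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "ident"):
            d[key] = int(d[key])
        events.append(d)
    return events


def summarize(events):
    """Count drops per (zone-pair, class, reason) and per 4-tuple flow."""
    by_reason = Counter((e["zpair"], e["cls"], e["reason"]) for e in events)
    by_flow = Counter((e["src"], e["sport"], e["dst"], e["dport"]) for e in events)
    return by_reason, by_flow


def repeated_flows(by_flow, threshold=2):
    """Flows dropped at least `threshold` times, most frequent first."""
    return [(flow, n) for flow, n in by_flow.most_common() if n >= threshold]


if __name__ == "__main__":
    evts = parse_drops(SAMPLE_LOG)
    by_reason, by_flow = summarize(evts)
    for (zpair, cls, reason), n in by_reason.items():
        print(f"{zpair:12} {cls:12} {reason:18} {n}")
    for (src, sport, dst, dport), n in repeated_flows(by_flow):
        print(f"repeated: {src}:{sport} -> {dst}:{dport} dropped {n} times")
```

Running it against the buffered log (`show logging` output pasted into SAMPLE_LOG, or read from a file) lists each distinct drop reason per zone-pair and class, and separately lists any single flow that keeps being dropped, which is the pattern the post shows for 10.7.7.30:4167 -> 10.34.34.250:9001.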
01-06-2012 03:06 PM
Hello,
Are you getting these logs just for traffic going to port 9001?
Julio
01-06-2012 03:14 PM
Not just for port 9001;
for traffic in direction INSIDE->OUTSIDE I got dropped tcp sessions due to "stray segment with ip ident 0".
01-06-2012 04:15 PM
Hello,
Okay, so all traffic gets dropped; can you be a little more specific, please?
Then I will look for an answer on this.
Regards,
Julio