ErrStr = Invalid Segment tcp (CBAC)

pavlosd
Level 2

Has anyone got an error for Invalid TCP segment before? Cisco does not give much explanation about it. Moreover, I get this error between a telnet session and a Diameter (Radius session), while when disabling CBAC, applications work fine.

TCP inspect is enabled. Inspect is enabled inbound on all interfaces and Access-lists applied inbound as well....

Sep 13 19:38:54.130 EEST: CBAC sis 50D9334C L4 inspect result: DROP packet 50089E10 (192.168.160.39:58938) (192.168.21.41:1812) bytes 208 ErrStr = Invalid Segment tcp

Sep 13 19:39:14.350 EEST: CBAC sis 44E50590 L4 inspect result: DROP packet 50043C40 (192.168.0.100:1610) (192.168.164.5:23) bytes 0 ErrStr = Invalid Segment tcp

Also how can I force clear all connected sessions?
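A way to triage debug output like the two lines quoted above, as an added example that is not part of the original post: it parses the "L4 inspect result" line format and counts drops per flow and reason. The grouping assumes the second endpoint is the service side (as in both quoted lines), and the last three sample lines are constructed.

```python
import re
from collections import Counter

# Pattern for the "L4 inspect result" debug line format quoted in the post.
LINE = re.compile(
    r"CBAC sis (?P<sis>[0-9A-F]+) L4 inspect result: (?P<result>\w+) "
    r"packet [0-9A-F]+ "
    r"\((?P<ip1>[\d.]+):(?P<port1>\d+)\) \((?P<ip2>[\d.]+):(?P<port2>\d+)\) "
    r"bytes (?P<bytes>\d+) ErrStr = (?P<err>.+?)\s*$"
)

def parse_drops(text):
    """Return one dict per DROP line; lines in any other format are skipped."""
    drops = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m and m.group("result") == "DROP":
            d = m.groupdict()
            for key in ("port1", "port2", "bytes"):
                d[key] = int(d[key])
            drops.append(d)
    return drops

def summarize(drops):
    """Count drops per (ip1, ip2, port2, reason).

    Assumption: the second endpoint is the service side, as in both quoted
    lines (ports 1812 and 23), so the first endpoint's port is not grouped on.
    """
    flows = Counter((d["ip1"], d["ip2"], d["port2"], d["err"]) for d in drops)
    zero_len = sum(1 for d in drops if d["bytes"] == 0)
    distinct_sis = len({d["sis"] for d in drops})
    return flows, zero_len, distinct_sis

# First two lines are the ones quoted in the post; the last three are constructed.
SAMPLE = """\
Sep 13 19:38:54.130 EEST: CBAC sis 50D9334C L4 inspect result: DROP packet 50089E10 (192.168.160.39:58938) (192.168.21.41:1812) bytes 208 ErrStr = Invalid Segment tcp
Sep 13 19:39:14.350 EEST: CBAC sis 44E50590 L4 inspect result: DROP packet 50043C40 (192.168.0.100:1610) (192.168.164.5:23) bytes 0 ErrStr = Invalid Segment tcp
Sep 13 19:39:15.010 EEST: CBAC sis 44E50590 L4 inspect result: DROP packet 50043D00 (192.168.0.100:1610) (192.168.164.5:23) bytes 0 ErrStr = Invalid Segment tcp
Sep 13 19:39:20.500 EEST: CBAC sis 44E6A000 L4 inspect result: DROP packet 50044000 (192.168.0.100:1622) (192.168.164.5:23) bytes 12 ErrStr = Invalid Segment tcp
Sep 13 19:39:21.000 EEST: %SYS-5-CONFIG_I: Configured from console by vty0
"""

if __name__ == "__main__":
    flows, zero_len, distinct_sis = summarize(parse_drops(SAMPLE))
    for (ip1, ip2, port, err), n in flows.most_common():
        print(f"{n:3d}  {ip1} -> {ip2}:{port}  {err}")
    print(f"{zero_len} zero-byte drops, {distinct_sis} distinct sis values")
```

Sorting the drops this way shows whether the "Invalid Segment" reason is concentrated on a few host pairs and ports or spread across all inspected traffic.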

3 Replies

scoclayton
Level 7

Which version of IOS is this?

Scott

s72033-jk9o3sv-mz.122-17d.SXB1.bin

- 7600-SUP720/MSFC3

- ENT FW W/MPLS/IPV6/SSH/3DES

- 122-17d.SXB1

The router is also acting as an MPLS P/PE node.

Hi,

I have the same problem with a 2621XM running c2600-advsecurityk9-mz.123-8.T3.bin.

Besides that, there are way too many packet drops with this reason between trusted hosts, and it seems to prevent active FTP from working properly. It seems some important packets on the ftp-data channel are dropped.

Is there a solution yet? I can provide debug traces of the cisco and ethereal/tcpdump traces of both sides if needed.

Thanks,

Franz.