Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
803
Views
0
Helpful
0
Replies

Cisco IOS Zone-based Firewall issue

Pradeep H A
Level 1
Level 1

‎12-05-2012 11:41 PM - edited ‎03-04-2019 06:19 PM

Hi,

Can anybody clarify if the line "received 25 packets out of order" in the show policy-map type inspect output correspond to the log about session being dropped due to invalid Seq# ? because I am not seeing packet drops anywhere else in our network... what might be the possible issue?

Thanks a lot in advance

Router#show policy-map type inspect zone-pair store-to-wan-policy

policy exists on zp store-to-wan-policy

Zone-pair: store-to-wan-policy

Service-policy inspect : store-to-wan-policy

   Class-map: store-to-wan (match-all)

     Match: access-group name store2wan

     Match: class-map match-any protocols

       Match: protocol pptp

         0 packets, 0 bytes

         30 second rate 0 bps

       Match: protocol ftp

         0 packets, 0 bytes

         30 second rate 0 bps

       Match: protocol dns

         0 packets, 0 bytes

         30 second rate 0 bps

       Match: protocol ldap

         0 packets, 0 bytes

         30 second rate 0 bps

       Match: protocol snmp

          0 packets, 0 bytes

         30 second rate 0 bps

       Match: protocol icmp

         0 packets, 0 bytes

         30 second rate 0 bps

       Match: protocol tcp

         0 packets, 0 bytes

         30 second rate 0 bps

       Match: protocol udp

         0 packets, 0 bytes

         30 second rate 0 bps

   Inspect

       Packet inspection statistics [process switch:fast switch]

       tcp packets: [344526:285947185]

       udp packets: [758583:4725011]

       icmp packets: [1:113268]

       Session creations since subsystem startup or last reset 5483319

       Current session counts (estab/half-open/terminating) [27:0:0]

       Maxever session counts (estab/half-open/terminating) [461:82:42]

       Last session created 00:00:04

       Last statistic reset never

       Last session creation rate 79

       Maxever session creation rate 1528

       Last half-open session total 0

       TCP reassembly statistics

       received 25 packets out-of-order; dropped 0

       peak memory usage 2 KB; current usage: 0 KB

       peak queue length 1

   Class-map: class-default (match-any)

     Match: any

     Drop

       236974 packets, 37544695 bytes

Router#sh log | i store-to-wan-policy

Dec 6 04:30:35.598 UTC: %FW-6-DROP_PKT: Dropping udp session 10.54.12.86:137 198.94.220.196:137 on zone-pair store-to-wan-policy class class-default due to DROP action found in policy-map with ip ident 0

Dec 6 04:42:57.729 UTC: %FW-6-DROP_PKT: Dropping udp session 10.54.12.86:137 198.94.220.196:137 on zone-pair store-to-wan-policy class class-default due to DROP action found in policy-map with ip ident 0

Dec 6 04:43:28.661 UTC: %FW-6-DROP_PKT: Dropping tcp session 10.54.12.151:53810 198.94.69.97:53 on zone-pair store-to-wan-policy class store-to-wan due to Invalid Seq# with ip ident 0

Router#sh clock

05:42:25.806 UTC Thu Dec 6 2012

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents