ZBF - Reading Dropping TCP Session ?

mauric
Level 1

Hello

Finally, my ZBF Ver 15.x works and I am really happy, but when I look at my log files I have a lot of drop messages that I cannot do much with yet. Is there a lookup page where I can control this?

How do I classify these messages?

     - due to  RST inside current window with ip ident 0

     - on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0


Can I also control my internal "private" network? What is going on there, or do we have to go by my logging here?

Best regards
Mauri

ZBF1841#
*Jul 23 17:44:46.802: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:63322 198.71.244.131:443  due to  RST inside current window with ip ident 0
*Jul 23 17:45:29.762: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.2:63303 23.50.100.101:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 17:46:06.518: %FW-6-DROP_PKT: Dropping tcp session 31.13.92.14:443 *.*.*.*.16:49266 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 17:47:28.862: %FW-6-DROP_PKT: Dropping tcp session 80.239.148.8:80 *.*.*.*.2:63370  due to  SYN inside current window with ip ident 0
*Jul 23 17:48:01.778: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:63450 69.172.216.111:443  due to  RST inside current window with ip ident 0
*Jul 23 17:48:32.678: %FW-6-DROP_PKT: Dropping tcp session 157.240.20.15:443 *.*.*.*.16:49253 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 17:49:06.390: %FW-6-DROP_PKT: Dropping tcp session 173.241.240.143:443 *.*.*.*.2:63404  due to  policy match failure with ip ident 0
*Jul 23 17:49:51.378: %FW-6-DROP_PKT: Dropping tcp session 65.52.139.168:443 *.*.*.*.2:63352  due to  RST inside current window with ip ident 0
*Jul 23 17:50:27.050: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.16:49318 95.100.60.71:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 17:50:58.518: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.16:49316 95.100.60.71:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 17:51:42.270: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:63545 185.33.223.200:443  due to  RST inside current window with ip ident 0
*Jul 23 17:53:18.654: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:63566 185.33.222.210:443  due to  RST inside current window with ip ident 0
*Jul 23 17:54:07.570: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.16:49199 17.252.92.69:5223 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 17:55:50.466: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.5:49351 17.252.27.246:443 on zone-pair Trusted->Internet class All_Protocols due to  Invalid Flags with ip ident 0
*Jul 23 17:56:21.478: %FW-6-DROP_PKT: Dropping tcp session 46.228.164.11:443 *.*.*.*.5:49428 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 17:57:00.210: %FW-6-DROP_PKT: Dropping tcp session 17.32.194.2:443 *.*.*.*:49156 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 17:57:31.422: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:49174 95.100.60.71:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 17:58:06.094: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:49212 2.20.216.200:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 17:58:47.094: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:49224 2.20.216.200:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 18:02:06.938: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:49235 2.20.222.194:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 18:13:28.562: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:49167 17.188.165.208:5223 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 18:16:18.046: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.2:61941 162.125.18.133:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 18:17:38.758: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.2:63617 162.125.18.133:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 18:24:32.230: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*132:63629 40.68.222.212:443  due to  RST inside current window with ip ident 0
*Jul 23 18:33:07.238: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.6:48282 172.217.22.42:443 on zone-pair Trusted->Internet class All_Protocols due to  Invalid Flags with ip ident 0
*Jul 23 18:36:01.766: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.5:49473 17.252.27.246:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 18:44:08.026: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.6:48282 172.217.22.42:443 on zone-pair Trusted->Internet class All_Protocols due to  Invalid Flags with ip ident 0
*Jul 23 18:44:47.474: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*132:33704 13.32.176.66:443  due to  RST inside current window with ip ident 0
*Jul 23 18:54:22.378: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*132:63665 52.164.227.208:443  due to  RST inside current window with ip ident 0
*Jul 23 19:19:50.046: %FW-6-DROP_PKT: Dropping tcp session 23.217.110.81:80 *.*.*.*.2:63684  due to  SYN inside current window with ip ident 0
*Jul 23 19:24:32.994: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*132:63689 52.164.227.208:443  due to  RST inside current window with ip ident 0
*Jul 23 19:35:57.194: %FW-6-DROP_PKT: Dropping tcp session 17.252.27.246:443 *.*.*.*.6:50548 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 19:37:39.850: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.2:63623 162.125.18.133:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 19:51:32.546: %FW-6-DROP_PKT: Dropping tcp session 17.252.92.26:5223 *.*.*.*.5:49483 on zone-pair Trusted->Internet class All_Protocols due to  Out-Of-Order Segment with ip ident 0
*Jul 23 19:54:23.058: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*132:63718 40.68.222.212:443  due to  RST inside current window with ip ident 0
*Jul 23 19:59:59.430: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:49154 17.252.92.24:5223 on zone-pair Trusted->Internet class All_Protocols due to  Invalid Flags with ip ident 0
*Jul 23 20:00:31.142: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:49285 2.20.216.200:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:01:02.234: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:49378 2.22.153.176:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:01:32.586: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:49403 95.100.52.47:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:02:04.390: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:49154 17.252.92.24:5223 on zone-pair Trusted->Internet class All_Protocols due to  Invalid Flags with ip ident 0
*Jul 23 20:02:35.162: %FW-6-DROP_PKT: Dropping tcp session 91.198.174.192:443 *.*.*.*:49391  due to  Stray Segment with ip ident 0
*Jul 23 20:03:33.382: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*132:50583 17.173.255.104:443  due to  Stray Segment with ip ident 0
*Jul 23 20:04:03.594: %FW-6-DROP_PKT: Dropping tcp session 91.198.174.208:443 *.*.*.*:49390 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:07:48.638: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.6:50586 95.100.60.71:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:08:24.686: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.6:50592 17.111.105.233:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:10:51.038: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:49416 17.252.27.246:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:11:26.734: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*:49290 17.188.165.201:5223 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:12:39.574: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.6:50597 17.252.27.246:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:13:11.746: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.6:50606 2.20.216.200:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:14:02.522: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.6:50633 2.20.221.29:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:22:30.058: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.6:50638 2.22.152.144:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:24:33.730: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*132:63738 52.164.227.208:443  due to  RST inside current window with ip ident 0
*Jul 23 20:42:56.474: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.6:50644 2.20.221.29:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:43:47.422: %FW-6-DROP_PKT: Dropping tcp session 17.252.27.246:443 *.*.*.*.5:49490 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:50:40.342: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*132:50651 17.171.98.35:443  due to  Stray Segment with ip ident 0
*Jul 23 20:51:55.762: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.5:40006 173.194.79.188:5228 on zone-pair Trusted->Internet class All_Protocols due to  Invalid Flags with ip ident 0
*Jul 23 20:54:23.426: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*132:63777 40.68.222.212:443  due to  RST inside current window with ip ident 0
*Jul 23 20:58:27.246: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.5:49489 17.130.144.32:5223 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 20:58:58.510: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.5:49489 17.130.144.32:5223 on zone-pair Trusted->Internet class All_Protocols due to  Invalid Flags with ip ident 0
*Jul 23 20:59:30.150: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.5:41029 172.217.16.142:443 on zone-pair Trusted->Internet class All_Protocols due to  Invalid Flags with ip ident 0
*Jul 23 21:07:32.389: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.5:46547 54.194.225.82:80 on zone-pair Trusted->Internet class All_Protocols due to  Invalid Flags with ip ident 0
*Jul 23 21:08:19.309: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.5:46547 54.194.225.82:80 on zone-pair Trusted->Internet class All_Protocols due to  Invalid Flags with ip ident 0
*Jul 23 21:09:01.009: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.10:49507 17.252.27.246:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 21:09:38.581: %FW-6-DROP_PKT: Dropping tcp session *.*.*.*.5:41029 172.217.16.142:443 on zone-pair Trusted->Internet class All_Protocols due to  Invalid Flags with ip ident 0

mauric
Level 1

It's possible, no answer for this question?

Accepted Solution

Hi,

These log messages are seen when:

---- If a particular connection on the router has already been terminated but the packets are still coming in, then the ZBF does not know which connection to associate these packets with and hence will drop them.

This means that the web server sent a “reset” packet; however, the connection was already deleted on the router before this packet was received.

---- If the router receives out of order packets.

---- If the router receives an invalid SYN packet or a TCP packet with invalid segments in them, then the ZBF has cause to drop them.

So you can ignore these messages as they are pretty generic and if they are not impacting any production traffic.

Regards,

Aditya

Please rate helpful and mark correct answers

That's great to know but they are filling my log buffer and I am missing important log messages.

I would like to stop this message.
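
One way to triage a buffer full of these messages, as an added example that is not part of the thread and is not Cisco code: it parses lines in the %FW-6-DROP_PKT layout shown in the question, tallies them by drop reason, and lists flows that were dropped repeatedly in either direction. The sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Matches the %FW-6-DROP_PKT layout shown in the post; the zone-pair/class
# part is optional because some of the posted lines omit it.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>\S+) (?P<dst>\S+)"
    r"(?: on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+))?"
    r"\s+due to\s+(?P<reason>.+?) with ip ident \d+"
)

# Constructed sample lines (RFC 1918 / RFC 5737 addresses), not taken from the post.
SAMPLE_LOG = """\
*Jul 23 17:44:46.802: %FW-6-DROP_PKT: Dropping tcp session 10.0.0.2:63322 198.51.100.7:443  due to  RST inside current window with ip ident 0
*Jul 23 17:45:29.762: %FW-6-DROP_PKT: Dropping tcp session 10.0.0.2:63303 203.0.113.9:443 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 17:46:06.518: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.9:443 10.0.0.2:63303 on zone-pair Trusted->Internet class All_Protocols due to  Stray Segment with ip ident 0
*Jul 23 17:49:06.390: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.50:443 10.0.0.2:63404  due to  policy match failure with ip ident 0
*Jul 23 17:55:50.466: %FW-6-DROP_PKT: Dropping tcp session 10.0.0.5:49351 198.51.100.7:443 on zone-pair Trusted->Internet class All_Protocols due to  Invalid Flags with ip ident 0
*Jul 23 17:56:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

def parse_drops(text):
    """Return one dict per DROP_PKT line; other syslog lines are skipped."""
    return [m.groupdict() for m in map(DROP_RE.search, text.splitlines()) if m]

def count_by_reason(drops):
    """Tally drops per reason string, most frequent first."""
    return Counter(d["reason"] for d in drops).most_common()

def repeated_sessions(drops, min_count=2):
    """Sessions dropped at least min_count times, regardless of direction."""
    # The same flow is logged with src/dst swapped depending on which side
    # sent the dropped packet, so sort the endpoints to get one key per flow.
    tally = Counter(tuple(sorted((d["src"], d["dst"]))) for d in drops)
    return {flow: n for flow, n in tally.items() if n >= min_count}

if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    for reason, n in count_by_reason(drops):
        print(f"{n:4d}  {reason}")
    for flow, n in repeated_sessions(drops).items():
        print(f"repeat x{n}: {flow[0]} <-> {flow[1]}")
```

A reason that dominates the tally, or a flow that keeps reappearing, is the place to start checking whether production traffic is affected.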
