Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1997
Views
0
Helpful
0
Comments

When the ip inspect interface configuration command is issued, the router may drop a Synchronize/Acknowledge (SYN/ACK) reply instead of send it

TCC_2
Level 10
Level 10

‎06-22-2009 05:32 PM - edited ‎03-08-2019 06:25 PM

Core issue

This occurs when you originate a TCP connection from an interface on another router, and the ip inspect interface configuration command has not been issued.

The output of the debug ip packet detail privileged EXEC command indicates that the SYN/ACK reply  is dropped by inspect, as shown:

IP: s=192.168.128.16 (FastEthernet0.2), d=192.168.192.69 (FastEthernet0.3), len 48, dropped by inspect

TCP src=23, dst=3403, seq=143608234, ack=3669485014, win=5840 ACK SYN

Resolution

Remove the ip inspect interface configuration command from the interface of the router that  is supposed to send the SYN/ACK reply.  For more information, refer to Cisco bug ID CSCec78231. The Bug Toolkit provides information on which Cisco IOS  Software version includes the fix for this defect.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents