I've been trying to work around a problem that has been driving me nuts for a long time. As far as I can tell, IP INSPECT on 871s and 1811s (the models I've tested), using a range of IOS versions from 12.3.8 to 12.4.11T, cannot handle sending traffic over a VPN if IP INSPECT for that particular protocol is enabled. The configurations are standard SDM-created configs. Nothing weird, just internet access and one VPN.
With ip inspect tcp enabled, no TCP traffic works for more than a few seconds over the VPN tunnel. With it off, VPN tunnel traffic works fine. How can this be? Should the router not be able to do firewalling and VPN at the same time? I have tried this on several different routers and to different platforms at the other end of the VPN (ASA, PIX, 1811, 1841). This is an error message I have seen:
Mar 14 00:44:26.343: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.168.15.10:2997 => 192.168.16.10:445 due to Invalid Segment -- ip ident 49176 tcpflags 0x5010 seq.no 1430090952 ack 2420612329
As a workaround I disabled ip inspect on tcp and udp and enabled it on a bunch of specific protocols. This is OK as a short-term solution, but it means that only the applications for which ip inspect is enabled work through the firewall (which means HTTP, HTTPS, FTP, etc.), and one day I can guarantee the client will want to use other applications that are not currently supported without using ip inspect tcp/udp.
The setup I am trying to get working is not abnormal; in fact I would imagine 80% of 1811 installs out there use the same. Any ideas how to fix this?
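The symptom above surfaces in the router log as `%FW-6-DROP_TCP_PKT` messages, so the first thing worth having when troubleshooting this is a way to pull those lines out of a syslog feed and see which flows are being dropped, for what reason, and with which TCP flags. The following is an added example, not code from the original post or from Cisco: it parses the drop message format shown above, decodes the `tcpflags` word (IOS logs the full 16-bit TCP word, so `0x5010` is a 20-byte header with only ACK set), groups drops per flow, and flags repeated drops between two RFC 1918 addresses as likely tunnel traffic. That last heuristic is an assumption of this example (that on an internet-edge router, private-to-private flows are the ones crossing the VPN); the log lines other than the one quoted in the post are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Format of the CBAC drop message quoted in the post. Other %FW messages are ignored.
DROP_RE = re.compile(
    r"%FW-6-DROP_TCP_PKT: Dropping tcp pkt "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) => "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) -- ip ident (?P<ident>\d+) "
    r"tcpflags 0x(?P<tcpflags>[0-9a-fA-F]+) "
    r"seq\.no (?P<seq>\d+) ack (?P<ack>\d+)"
)

# Low byte of the TCP word, in bit order.
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

# Assumption for this example: private-to-private flows are the ones crossing the VPN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_tcpflags(word: int):
    """IOS logs the 16-bit TCP word: the top nibble is the data offset in 32-bit
    words, the low byte holds the flags. Returns (header length in bytes, flag names)."""
    header_len = ((word >> 12) & 0xF) * 4
    flags = [name for bit, name in TCP_FLAG_BITS if word & bit]
    return header_len, flags


def parse_drop(line: str):
    """Return a dict for a %FW-6-DROP_TCP_PKT line, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "ident", "seq", "ack"):
        rec[key] = int(rec[key])
    rec["tcpflags"] = int(rec["tcpflags"], 16)
    rec["header_len"], rec["flags"] = decode_tcpflags(rec["tcpflags"])
    return rec


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def summarize_drops(lines):
    """Group drops by (src, dst, dport, reason); record count, flags seen and whether
    both endpoints are private addresses."""
    flows = defaultdict(lambda: {"count": 0, "flags_seen": set(), "private_to_private": False})
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        entry = flows[(rec["src"], rec["dst"], rec["dport"], rec["reason"])]
        entry["count"] += 1
        entry["flags_seen"].update(rec["flags"])
        entry["private_to_private"] = is_rfc1918(rec["src"]) and is_rfc1918(rec["dst"])
    return dict(flows)


def suspected_tunnel_drops(lines, min_count: int = 2):
    """Flows dropped repeatedly between two private addresses: the pattern to look
    for when inspect is suspected of breaking traffic over the VPN."""
    summary = summarize_drops(lines)
    return sorted(key for key, v in summary.items()
                  if v["private_to_private"] and v["count"] >= min_count)


# Sample syslog feed: the first line is the one quoted in the post, the rest are constructed.
SAMPLE_LOG = [
    "Mar 14 00:44:26.343: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.168.15.10:2997 => 192.168.16.10:445 "
    "due to Invalid Segment -- ip ident 49176 tcpflags 0x5010 seq.no 1430090952 ack 2420612329",
    "Mar 14 00:44:27.120: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.168.15.10:2997 => 192.168.16.10:445 "
    "due to Invalid Segment -- ip ident 49177 tcpflags 0x5018 seq.no 1430091412 ack 2420612329",
    "Mar 14 00:44:31.004: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.168.15.22:3310 => 203.0.113.5:80 "
    "due to Invalid Segment -- ip ident 1201 tcpflags 0x5010 seq.no 11 ack 22",
    "Mar 14 00:44:32.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    for key, v in summarize_drops(SAMPLE_LOG).items():
        src, dst, dport, reason = key
        print(f"{src} -> {dst}:{dport}  {reason}: {v['count']} drops, flags {sorted(v['flags_seen'])},"
              f" private-to-private={v['private_to_private']}")
    print("suspected tunnel flows:", suspected_tunnel_drops(SAMPLE_LOG))
```

Feed it the output of `show logging` or a syslog collector's file and the private-to-private flows with `Invalid Segment` drops are the ones to correlate against the tunnel's crypto ACL; the decoded flags also make it obvious that the dropped packets are ordinary mid-stream ACK/PSH segments rather than connection setup, which is what you would expect when the inspect state for that session has gone stale.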