ip inspect breaks tunnelled traffic

Mar 15th, 2007

I've been trying to work around a problem that has been driving me nuts for a long time. As far as I can tell, IP INSPECT on 871s and 1811s (models I've tested), using a range of IOS versions from 12.3.8 to 12.4.11t, cannot handle sending traffic over a VPN if IP INSPECT for that particular protocol is enabled. The configurations are standard SDM-created configs. Nothing weird, just Internet access and one VPN.

With ip inspect tcp enabled, no tcp traffic works for more than a few seconds over the VPN tunnel. With it off, VPN tunnel traffic works fine. How can this be? Should the router not be able to do firewalling and vpn at the same time? I have tried this on several different routers and to different platforms at the other end of the VPN (ASA, PIX, 1811, 1841). This is an error message I have seen:

Mar 14 00:44:26.343: %FW-6-DROP_TCP_PKT: Dropping tcp pkt => due to Invalid Segment -- ip ident 49176 tcpflags 0x5010 seq.no 1430090952 ack 2420612329

As a workaround I disabled ip inspect on tcp and udp and enabled it on a bunch of specific protocols. This is OK for a short-term solution, but it means that only the applications for which ip inspect is enabled work through the firewall (which means http, https, ftp etc.), and one day I can guarantee the client will want to use other applications not currently supported without using ip inspect tcp/udp.

The set-up I am trying to get working is not abnormal, in fact I would imagine 80% of 1811 installs out there use the same. Any ideas how to fix this?
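Added example (not part of the original thread, and not Cisco code): a small Python triage script that parses %FW-6-DROP_TCP_PKT lines like the one quoted above and decodes the tcpflags field, so drops can be grouped by reason and TCP flags. It assumes tcpflags is the 16-bit word from bytes 12-13 of the TCP header (data offset in the top four bits, flag bits in the low byte); all lines in SAMPLE other than the first are constructed.

```python
import re
from collections import Counter

# First line is the message quoted in the post; the other two are constructed.
SAMPLE = [
    "Mar 14 00:44:26.343: %FW-6-DROP_TCP_PKT: Dropping tcp pkt => due to "
    "Invalid Segment -- ip ident 49176 tcpflags 0x5010 seq.no 1430090952 ack 2420612329",
    "Mar 14 00:44:27.101: %FW-6-DROP_TCP_PKT: Dropping tcp pkt => due to "
    "Invalid Segment -- ip ident 49177 tcpflags 0x5018 seq.no 1430092412 ack 2420612329",
    "Mar 14 00:44:28.000: %SYS-5-CONFIG_I: Configured from console by console",
]

DROP_RE = re.compile(
    r"%FW-6-DROP_TCP_PKT: .*?due to\s+(?P<reason>.+?)\s+--\s+"
    r"ip ident (?P<ident>\d+)\s+tcpflags (?P<flags>0x[0-9a-fA-F]+)\s+"
    r"seq\.no (?P<seq>\d+)\s+ack (?P<ack>\d+)"
)

FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def decode_tcpflags(value):
    """Assumed layout: top 4 bits = data offset in 32-bit words, low bits = flags."""
    header_len = (value >> 12) * 4
    flags = [name for bit, name in FLAG_BITS if value & bit]
    return header_len, flags

def parse_drop(line):
    """Return a dict for a DROP_TCP_PKT line, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    header_len, flags = decode_tcpflags(int(m["flags"], 16))
    return {"reason": m["reason"], "ident": int(m["ident"]),
            "header_len": header_len, "flags": flags,
            "seq": int(m["seq"]), "ack": int(m["ack"])}

def summarize(lines):
    """Count drops per (reason, flag combination), skipping unrelated lines."""
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec:
            counts[(rec["reason"], "+".join(rec["flags"]) or "none")] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```

Under that assumption, 0x5010 in the quoted message is a bare ACK with a 20-byte header, i.e. a segment from an already established connection rather than a new connection attempt.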

mcordiez Thu, 03/15/2007 - 23:20

OK, I think I've fixed it. I cranked the MTU down to 1300 from 1340 and enabled the ip inspect both in and out on the outside interface of the router. Seems to work much better now...

kelvindam Mon, 05/21/2007 - 23:19

It's more likely the hardware encryption engine.

Try "no crypt engine accel"

to turn off the hardware encryption... which interferes with CBAC in these SW versions.


BRUNO WOLLMANN Wed, 06/27/2007 - 12:39


How did you know hardware encryption and CBAC don't play nicely together? I was having the exact same problem, entered "no crypt engine accel" and all is working great.

I'm running 12.4(11)T. Do you know if this has been fixed in a later version of IOS?

Your post has saved me hours of troubleshooting.



