05-28-2007 05:39 AM - edited 03-11-2019 03:21 AM
Hello,
I'm still working on a valid configuration for a 2811 with IOS Firewall
with two WAN interfaces, one Ethernet and one DSL (with an HWIC-DSL port).
I configured the two WAN ports with SDM, with the DSL port as failover for the Ethernet
connection. DSL is working with IP Negotiated.
Current tests show the following issue when the Ethernet connection is down:
000057: *May 28 13:52:48.195 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 88.17.245.247:1584 => 213.4.130.210:80 due to Invalid Ack (or no Ack) -- ip ident 15619 tcpflags 0x5010 seq.no 1024469584 ack 1157493661
000058: *May 28 13:53:20.187 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 88.17.245.247:1584 => 213.4.130.210:80 due to Invalid Ack (or no Ack) -- ip ident 15956 tcpflags 0x5010 seq.no 1024469584 ack 1157493661
000059: *May 28 13:53:52.179 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 88.17.245.247:1584 => 213.4.130.210:80 due to Invalid Ack (or no Ack) -- ip ident 16186 tcpflags 0x5010 seq.no 1024469584 ack 1157493661
000060: *May 28 13:54:24.171 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 213.4.130.210:80 => 88.17.245.247:1584 due to policy match failure -- ip ident 38064 tcpflags 0x5010 seq.no 1157479061 ack 1024469583
000061: *May 28 13:54:56.167 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 213.4.130.210:80 => 88.17.245.247:1584 due to policy match failure -- ip ident 55729 tcpflags 0x5010 seq.no 1157479061 ack 1024469583
000062: *May 28 13:55:28.155 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 213.4.130.210:80 => 88.17.245.247:1584 due to policy match failure -- ip ident 56754 tcpflags 0x5014 seq.no 1157493661 ack 1024469583
000063: *May 28 13:56:14.599 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 213.4.130.210:80 => 88.17.245.247:1588 due to policy match failure -- ip ident 14772 tcpflags 0x5014 seq.no 1165193308 ack 1776675591
000064: *May 28 13:56:46.371 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 64702 tcpflags 0x5010 seq.no 1376485898 ack 2263723581
000065: *May 28 13:57:23.015 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3/2, changed state to up
000066: *May 28 13:57:50.375 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 35164 tcpflags 0x5010 seq.no 1376485898 ack 2263723581
000067: *May 28 13:58:54.379 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 12205 tcpflags 0x5010 seq.no 1376485898 ack 2263723581
000068: *May 28 13:59:58.383 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 50077 tcpflags 0x5010 seq.no 1376485898 ack 2263723581
000069: *May 28 14:01:02.387 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 19913 tcpflags 0x5010 seq.no 1376485898 ack 2263723581
000070: *May 28 14:02:06.383 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 64241 tcpflags 0x5014 seq.no 1376488818 ack 2263723581
000071: *May 28 14:02:41.147 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:43248 due to policy match failure -- ip ident 60688 tcpflags 0x5014 seq.no 1979999494 ack 671214943
As I can see, ACK packets from external web servers are dropped by the policy match.
I think the problem is related to some NAT issue, but I'm not sure.
Any ideas?
Thanks in advance
Ignacio Siles.
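A small parser for these %FW-6-DROP_TCP_PKT lines, added here as an illustration and not part of the thread: it groups the drops by connection so that a session set up before the path switched (both directions dropped, the same seq/ack retried, then an RST) can be told apart from genuinely unsolicited packets from outside. The sample lines are copied from the log above; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: five lines copied from the post above (two flows plus the link-up event).
SAMPLE_LOG = """\
000057: *May 28 13:52:48.195 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 88.17.245.247:1584 => 213.4.130.210:80 due to Invalid Ack (or no Ack) -- ip ident 15619 tcpflags 0x5010 seq.no 1024469584 ack 1157493661
000058: *May 28 13:53:20.187 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 88.17.245.247:1584 => 213.4.130.210:80 due to Invalid Ack (or no Ack) -- ip ident 15956 tcpflags 0x5010 seq.no 1024469584 ack 1157493661
000062: *May 28 13:55:28.155 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 213.4.130.210:80 => 88.17.245.247:1584 due to policy match failure -- ip ident 56754 tcpflags 0x5014 seq.no 1157493661 ack 1024469583
000064: *May 28 13:56:46.371 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 64702 tcpflags 0x5010 seq.no 1376485898 ack 2263723581
000065: *May 28 13:57:23.015 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3/2, changed state to up
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_TCP_PKT: Dropping tcp pkt (\S+):(\d+) => (\S+):(\d+) "
    r"due to (.+?) -- ip ident \d+ tcpflags (0x[0-9a-fA-F]+) seq\.no (\d+) ack (\d+)"
)
TCP_RST = 0x04  # RST bit in the low byte of tcpflags (0x5010 = ACK, 0x5014 = ACK+RST)

def parse_drops(log):
    """Yield one dict per %FW-6-DROP_TCP_PKT line; any other message is skipped."""
    for line in log.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, reason, flags, seq, ack = m.groups()
        yield {"src": (src, int(sport)), "dst": (dst, int(dport)), "reason": reason,
               "rst": bool(int(flags, 16) & TCP_RST), "seq": int(seq), "ack": int(ack)}

def summarize_flows(log):
    """Group drops by connection regardless of direction and record the symptoms."""
    flows = defaultdict(lambda: {"drops": 0, "reasons": set(), "dirs": set(),
                                 "rst": False, "retransmit": False, "seen": set()})
    for d in parse_drops(log):
        f = flows[tuple(sorted([d["src"], d["dst"]]))]
        f["drops"] += 1
        f["reasons"].add(d["reason"])
        f["dirs"].add(d["src"][0])          # which endpoint sent the dropped packet
        f["rst"] |= d["rst"]
        sig = (d["src"], d["seq"], d["ack"])
        if sig in f["seen"]:                # same seq/ack again: a host is retrying
            f["retransmit"] = True
        f["seen"].add(sig)
    return dict(flows)

def stale_session_candidates(flows):
    """Connections dropped in both directions, retried, or ended by RST: consistent with
    a session the firewall has no state for after the path change, not a probe."""
    return sorted(k for k, f in flows.items()
                  if len(f["dirs"]) == 2 or f["retransmit"] or f["rst"])
```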
06-04-2007 06:24 AM
I think you need to add a class to explicitly allow TCP traffic from the trusted IP address and insert this class before the class that inspects TCP.