cbac debugging

Unanswered Question
Jul 30th, 2007

Hi guys,

How can I know why CBAC drops a packet? For example, the log I receive for a dropped packet is:

.Jul 30 11:42:01: %FW-6-DROP_PKT: Dropping tcp pkt 191.147.27.13:42423 => 111.136.132.36:80


(IP addresses have been changed)

How can I know why this packet was dropped?

The partial config that resulted in the above log is as below


ip inspect log drop-pkt

int fa0/1
 ip inspect myfw out


Since the inspection is in the outbound direction, what does the log mean? In which direction was the packet transiting when it was dropped? Does the log mean the dropped packet had a source of 191.147.27.13, or is it merely a session indicator like

packet of session 191.147.27.13=>111.136.132.36 dropped?


Thanks

fmeetz Fri, 08/03/2007 - 05:49

I think CBAC inspects packet sequence numbers in TCP connections to verify that they are within expected ranges; CBAC drops any suspicious packets.


luqmankondeth Fri, 08/03/2007 - 06:03

CBAC does do that and also drops packets it feels are part of an attack. However, the IOS doesn't give me any information (or I don't know how to get it) on why it dropped a particular packet.
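
The sequence-number check mentioned in the replies above can be sketched as follows. This is an added example, not code from the thread or from Cisco IOS: it models the generic RFC 793 window test rather than CBAC's actual logic, and `FlowState`, `classify` and the sample segments are constructed for illustration.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def acceptable(seq, length, rcv_nxt, rcv_wnd):
    """RFC 793 segment acceptability test (first or last byte in window)."""
    if length == 0:
        return seq == rcv_nxt if rcv_wnd == 0 else in_window(seq, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        return False  # data cannot be accepted into a closed window
    last = (seq + length - 1) % MOD
    return in_window(seq, rcv_nxt, rcv_wnd) or in_window(last, rcv_nxt, rcv_wnd)

class FlowState:
    """One direction of a tracked session (hypothetical, simplified model)."""
    def __init__(self, rcv_nxt, rcv_wnd):
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd

    def check(self, seq, length):
        """Return (verdict, reason); advance state only on in-order data."""
        if not acceptable(seq, length, self.rcv_nxt, self.rcv_wnd):
            return ("drop", "sequence outside window")
        if seq == self.rcv_nxt:
            self.rcv_nxt = (seq + length) % MOD
        return ("pass", "in window")

def classify(segments, rcv_nxt, rcv_wnd):
    """Run (seq, length) pairs through one flow and return the verdicts."""
    flow = FlowState(rcv_nxt, rcv_wnd)
    return [flow.check(seq, length)[0] for seq, length in segments]

# Constructed sample: the expected sequence number starts just below 2**32
SAMPLE = [
    (4294967000, 200),  # in order
    (4294967200, 200),  # in order, crosses the 2**32 wraparound
    (104, 100),         # in order after the wrap
    (900000, 100),      # far outside the 8192-byte window
    (204, 0),           # bare ACK at the expected sequence number
]

if __name__ == "__main__":
    for seg, verdict in zip(SAMPLE, classify(SAMPLE, 4294967000, 8192)):
        print(seg, verdict)
```

A tracker of this kind knows internally why it rejected a segment (the `reason` string here), even when the log line it emits carries only the addresses and ports.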
