CBAC debugging

Unanswered Question
Jul 30th, 2007

Hi guys,

How can I know why CBAC drops a packet? For example, the log I receive for a dropped packet is

.Jul 30 11:42:01: %FW-6-DROP_PKT: Dropping tcp pkt 191.147.27.13:42423 => 111.136.132.36:80

(IP addresses have been changed)

How can I know why this packet was dropped?

The partial config that resulted in the above log is as below

ip inspect log drop-pkt

int fa0/1
 ip inspect myfw out

Since the inspection is in the outbound direction, what does the log mean? In which direction was the packet transiting when it was dropped? Does the log mean the dropped packet had a source of 191.147.27.13, or is it merely a session indicator like

packet of session 191.147.27.13=>111.136.132.36 dropped?

Thanks

fmeetz Fri, 08/03/2007 - 05:49

I think CBAC inspects packet sequence numbers in TCP connections to verify that they are within expected ranges; CBAC drops any suspicious packets.

luqmankondeth Fri, 08/03/2007 - 06:03

CBAC does do that and also drops packets it feels are part of an attack. However, IOS doesn't give me any information (or I don't know how to get it) on why it dropped a particular packet.
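
The sequence-range check mentioned in the first reply, sketched as an added example that is not part of the original thread and is not Cisco's CBAC implementation: it applies the RFC 793 segment acceptability test, with 32-bit wraparound, to constructed segments. The function names, window size and sample values are assumptions.

```python
# Simplified model of a stateful "is this segment within the expected range" check.
# Assumption: illustrates the general idea only; it is NOT Cisco's CBAC algorithm.

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def seq_offset(seq, base):
    """Forward distance from base to seq, modulo 2**32."""
    return (seq - base) % SEQ_MOD


def segment_in_window(seq, length, rcv_next, rcv_window):
    """RFC 793 acceptability test: does the segment overlap the receive window?"""
    if rcv_window == 0:
        # Zero window: only an empty segment exactly at rcv_next is acceptable.
        return length == 0 and seq == rcv_next
    if length == 0:
        return seq_offset(seq, rcv_next) < rcv_window
    first_ok = seq_offset(seq, rcv_next) < rcv_window
    last_ok = seq_offset(seq + length - 1, rcv_next) < rcv_window
    return first_ok or last_ok


def classify(segments, rcv_next, rcv_window):
    """Walk (seq, length) segments of one direction; return a verdict for each."""
    verdicts = []
    for seq, length in segments:
        if not segment_in_window(seq, length, rcv_next, rcv_window):
            verdicts.append("drop")
            continue
        verdicts.append("pass")
        if seq == rcv_next:  # in-order data advances the expected sequence number
            rcv_next = (rcv_next + length) % SEQ_MOD
    return verdicts


# Constructed sample: the expected sequence number sits just below the wrap point.
SAMPLE = [
    (4294967000, 200),  # in order
    (4294967200, 200),  # in order, payload crosses the 2**32 wrap
    (104, 100),         # in order after the wrap
    (3000000000, 100),  # far outside the window
    (4294967000, 200),  # old retransmission, now behind the window
]

if __name__ == "__main__":
    for seg, verdict in zip(SAMPLE, classify(SAMPLE, 4294967000, 8192)):
        print(seg, verdict)
```
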
