IOS firewall dropping packets

Unanswered Question
Sep 2nd, 2007

Hi all,

I'm getting a lot of dropped packets in IOS firewall. Can anyone enlighten me as to why there are these few default dropping functions? What are the effects on my network? How do I disable/tune the dropping mechanism?




Due to RST:

503024: Sep 3 10:36:20.826 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to RST inside current window -- ip ident 53051 tcpflags 0x5014 seq.no 4089128565 ack 2915367815

Due to stray segments:

503026: Sep 3 10:37:10.434 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Stray Segment -- ip ident 11196 tcpflags 0x501 seq.no 4286787544 ack 896131408

Due to invalid segments:

503028: Sep 3 10:37:51.394 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Invalid Segment -- ip ident 59737 tcpflags 0x5004 seq.no 816531889 ack 0

Due to out of order segment:

Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Out-Of-Order Segment -- ip ident 17939 tcpflags 0x5010 seq.no 3092955571 ack 401998231
Overall Rating: 3 (1 ratings)
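
An added example, not part of the original post: a small Python parser that tallies %FW-6-DROP_TCP_PKT messages by drop reason and TCP flags, so you can see which check accounts for most drops before tuning anything. The sample lines are constructed in the format quoted above, with documentation addresses as placeholders, and the reading of the tcpflags field (header length in the top 4 bits, TCP flags in the low bits) is an assumption.

```python
import re
from collections import Counter

# Constructed sample log lines in the format quoted in the post.
# Addresses/ports are placeholders; the 0x5018 value is also constructed.
SAMPLE = """\
503024: Sep 3 10:36:20.826 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.0.2.10:51000 => 198.51.100.5:443 due to RST inside current window -- ip ident 53051 tcpflags 0x5014 seq.no 4089128565 ack 2915367815
503026: Sep 3 10:37:10.434 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.0.2.11:51001 => 198.51.100.5:443 due to Stray Segment -- ip ident 11196 tcpflags 0x5018 seq.no 4286787544 ack 896131408
503028: Sep 3 10:37:51.394 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.0.2.12:51002 => 198.51.100.5:80 due to Invalid Segment -- ip ident 59737 tcpflags 0x5004 seq.no 816531889 ack 0
503030: Sep 3 10:38:02.101 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.0.2.10:51003 => 198.51.100.5:443 due to Out-Of-Order Segment -- ip ident 17939 tcpflags 0x5010 seq.no 3092955571 ack 401998231
503031: Sep 3 10:38:05.000 GMT: %SYS-5-CONFIG_I: unrelated line that must be skipped
"""

LINE_RE = re.compile(
    r"%FW-6-DROP_TCP_PKT: Dropping tcp pkt (?P<src>\S+) => (?P<dst>\S+) "
    r"due to (?P<reason>.+?)\s+-- ip ident (?P<ident>\d+)\s+"
    r"tcpflags (?P<flags>0x[0-9a-fA-F]+)\s+seq\.no (?P<seq>\d+)\s+ack (?P<ack>\d+)"
)

FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def decode_flags(value):
    # Assumption: the logged value is the 16-bit TCP header word that holds
    # the data offset (top 4 bits) and the flag bits (low bits).
    return [name for bit, name in FLAG_BITS if value & bit]

def parse_drops(text):
    """Return one dict per drop message; non-matching lines are ignored."""
    drops = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        raw = int(d["flags"], 16)
        d["flag_names"] = decode_flags(raw)
        d["header_len"] = (raw >> 12) * 4  # data offset is in 32-bit words
        drops.append(d)
    return drops

def summarize(drops):
    """Count drops per (reason, flag combination)."""
    return Counter((d["reason"], "+".join(d["flag_names"])) for d in drops)

if __name__ == "__main__":
    for (reason, flags), n in summarize(parse_drops(SAMPLE)).most_common():
        print(f"{n:4d}  {reason:28s} {flags}")
```
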
sadbulali Fri, 09/07/2007 - 08:15

Condition:

When ip inspect or ip ips command is applied in combination with IPSEC on the egress FastEthernet interface


Workaround:

Disable both ip inspect and IPS


yuliang11 Wed, 09/26/2007 - 22:54

Thanks for the reply. It's sad that these features are turned on by default and there is no parameter to turn them off besides turning off the whole IOS FW module.

m-ketchum Sat, 10/13/2007 - 08:04

Build exceptions for IPSEC into your firewall and IPS rules.
