IOS firewall dropping packets

Unanswered Question
Sep 2nd, 2007

hi all,

I'm getting a lot of dropped packets in IOS firewall. Can anyone enlighten me why there are these few default dropping functions? What are the effects on my network? How do I disable/tune the dropping mechanism?

Due to RST:

503024: Sep 3 10:36:20.826 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to RST inside current window -- ip ident 53051 tcpflags 0x5014 seq.no 4089128565 ack 2915367815

Due to stray segments:

503026: Sep 3 10:37:10.434 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Stray Segment -- ip ident 11196 tcpflags 0x501 seq.no 4286787544 ack 896131408

Due to invalid segments:

503028: Sep 3 10:37:51.394 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Invalid Segment -- ip ident 59737 tcpflags 0x5004 seq.no 816531889 ack 0

Due to out of order segment:

Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Out-Of-Order Segment -- ip ident 17939 tcpflags 0x5010 seq.no 3092955571 ack 401998231

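Before deciding whether these drops matter, it helps to tally them by reason and by flow rather than reading the syslog by eye. The following is an added example (not code from the original post or from Cisco): a small parser for %FW-6-DROP_TCP_PKT lines that groups drops by reason and by source/destination pair and decodes the tcpflags field. The sample log lines are constructed for this example, modelled on the four messages above, with the masked addresses replaced by RFC 5737 documentation addresses and made-up ports. The flag decoding assumes the tcpflags value is the 16-bit word of the TCP header holding data offset and flag bits (high nibble 5 = 20-byte header, low byte = URG/ACK/PSH/RST/SYN/FIN), which is consistent with 0x5014 on a "RST inside current window" drop; treat that interpretation as an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog, modelled on the question's messages (not real traffic).
# Addresses are RFC 5737 documentation ranges; ports, idents and sequence numbers are invented.
SAMPLE_LOG = """\
503024: Sep 3 10:36:20.826 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.0.2.10:443 => 198.51.100.7:51234 due to RST inside current window -- ip ident 53051 tcpflags 0x5014 seq.no 4089128565 ack 2915367815
503026: Sep 3 10:37:10.434 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.0.2.10:443 => 198.51.100.7:51240 due to Stray Segment -- ip ident 11196 tcpflags 0x5010 seq.no 4286787544 ack 896131408
503028: Sep 3 10:37:51.394 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 203.0.113.5:2049 => 198.51.100.7:51250 due to Invalid Segment -- ip ident 59737 tcpflags 0x5004 seq.no 816531889 ack 0
503030: Sep 3 10:38:02.101 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.0.2.10:443 => 198.51.100.7:51234 due to Out-Of-Order Segment -- ip ident 17939 tcpflags 0x5010 seq.no 3092955571 ack 401998231
Sep 3 10:38:05.000 GMT: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Matches the drop message body; the leading sequence number and timestamp are ignored.
DROP_RE = re.compile(
    r"%FW-6-DROP_TCP_PKT: Dropping tcp pkt "
    r"(?P<src>\S+):(?P<sport>\S+) => (?P<dst>\S+):(?P<dport>\S+) "
    r"due to (?P<reason>.+?) -- ip ident (?P<ident>\d+) "
    r"tcpflags (?P<flags>0x[0-9a-fA-F]+) seq\.no (?P<seq>\d+) ack (?P<ack>\d+)"
)

# Low byte of the tcpflags word: standard TCP flag bits (assumed layout, see lead-in).
TCP_FLAG_BITS = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
                 (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


@dataclass
class TcpDrop:
    src: str      # "ip:port" of the sender
    dst: str      # "ip:port" of the receiver
    reason: str   # drop reason exactly as IOS printed it
    flags: int    # raw tcpflags word, e.g. 0x5014
    seq: int
    ack: int


def decode_tcpflags(value: int) -> List[str]:
    """Return the flag names set in the low byte, e.g. 0x5014 -> ['ACK', 'RST']."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def parse_drop(line: str) -> Optional[TcpDrop]:
    """Parse one syslog line; return None for lines that are not FW drop messages."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return TcpDrop(
        src=f"{m['src']}:{m['sport']}",
        dst=f"{m['dst']}:{m['dport']}",
        reason=m["reason"],
        flags=int(m["flags"], 16),
        seq=int(m["seq"]),
        ack=int(m["ack"]),
    )


def summarize(log_text: str) -> Dict[str, object]:
    """Count drops by reason and by flow, and flag bare RSTs carrying ack 0."""
    drops = [d for d in map(parse_drop, log_text.splitlines()) if d is not None]
    by_reason = Counter(d.reason for d in drops)
    by_flow = Counter((d.src, d.dst) for d in drops)
    bare_rst_ack_zero = sum(
        1 for d in drops
        if decode_tcpflags(d.flags) == ["RST"] and d.ack == 0
    )
    return {
        "total": len(drops),
        "by_reason": dict(by_reason),
        "by_flow": dict(by_flow),
        "bare_rst_ack_zero": bare_rst_ack_zero,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"drops: {report['total']}")
    for reason, n in sorted(report["by_reason"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:4d}  {reason}")
    for (src, dst), n in report["by_flow"].items():
        print(f"  {n:4d}  {src} -> {dst}")
```

Feeding the router's syslog export into summarize() turns a wall of drop messages into a handful of counters: a few "RST inside current window" or "Out-Of-Order Segment" drops spread across many flows are ordinary TCP noise, whereas hundreds of drops concentrated on one flow (or a steady stream of "Invalid Segment" entries on traffic that should be passing through an IPsec tunnel) point at the inspect/IPsec interaction the replies below describe and are worth correlating with the affected tunnel.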
sadbulali Fri, 09/07/2007 - 08:15

Condition:

When ip inspect or ip ips command is applied in combination with IPSEC on the egress FastEthernet interface

Workaround:

Disable both ip inspect and IPS

yuliang11 Wed, 09/26/2007 - 22:54

Thanks for the reply. It's sad that these features are turned on by default and there is no parameter to turn them off besides turning off the whole IOS FW module.

m-ketchum Sat, 10/13/2007 - 08:04

Build exceptions for IPSEC into your firewall and IPS rules.
