09-02-2007 06:47 PM - edited 03-10-2019 03:46 AM
Hi all,
I'm getting a lot of dropped packets in the IOS firewall. Can anyone enlighten me as to why there are these few default dropping functions? What are the effects on my network? How do I disable/tune the dropping mechanism?
Due to RST:
503024: Sep 3 10:36:20.826 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to RST inside current window -- ip ident 53051 tcpflags 0x5014 seq.no 4089128565 ack 2915367815
Due to stray segments:
503026: Sep 3 10:37:10.434 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Stray Segment -- ip ident 11196 tcpflags 0x501 seq.no 4286787544 ack 896131408
Due to invalid segments:
503028: Sep 3 10:37:51.394 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Invalid Segment -- ip ident 59737 tcpflags 0x5004 seq.no 816531889 ack 0
Due to out of order segment:
Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Out-Of-Order Segment -- ip ident 17939 tcpflags 0x5010 seq.no 3092955571 ack 401998231
09-07-2007 08:15 AM
Condition:
When ip inspect or ip ips command is applied in combination with IPSEC on the egress FastEthernet interface
Workaround:
Disable both ip inspect and IPS
09-26-2007 10:54 PM
Thanks for the reply. It's sad that these features are turned on by default and there is no parameter to turn them off besides turning off the whole IOS FW module.
10-13-2007 08:04 AM
Build exceptions for IPSEC into your firewall and IPS rules.