Firewall Dropping Packets - %FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.

Unanswered Question
Aug 6th, 2008

Hi,

Can anyone explain this error, and what is a stray segment with the IP ident 46866? I can't seem to find this error on the Cisco web site; the only bug appears to be to do with Zone firewalls. I have an 877 Router on a remote site configured with IPSEC and a Tunnel back to the main office, and I'm getting reported connection issues to network drives on servers located local to the LAN and on the headend LAN. I can't seem to find any other errors apart from this one.

  %FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.X.X.X due to
  Stray Segment with ip ident 46866 tcpflags 0x5010 seq.no 1237259566 ack 3465174792

If anyone could help or point me in the right direction, that would be great. Failing that, I'm jumping off this building.

Ta

Jim


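A way to triage these messages in bulk, added here as an example and not code from the original thread or from Cisco: a small Python parser for %FW-6-DROP_PKT lines that pulls out the endpoints, drop reason, IP ident, TCP flags, sequence and ack numbers, and counts drops per session so a flapping session (for instance the SMB session behind the network-drive complaints) stands out. It assumes the tcpflags value is the raw 16-bit data-offset/flags word from the TCP header, so 0x5010 decodes to a 20-byte header with only ACK set. The sample log lines are constructed (RFC 5737 addresses, assumed ports and timestamps); the hypothetical helper names are mine.

```python
"""Parse %FW-6-DROP_PKT syslog lines and decode the tcpflags word."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Matches the message quoted in the post (endpoints sanitized there as X.X.X.X);
# the two physical lines shown in the post are one syslog line on the wire.
DROP_PKT_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session (?P<src>\S+) (?P<dst>\S+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+) "
    r"tcpflags 0x(?P<tcpflags>[0-9a-fA-F]+) seq\.no (?P<seq>\d+) ack (?P<ack>\d+)"
)

# Bits of the 16-bit TCP data-offset/flags word (RFC 793; ECE/CWR from RFC 3168,
# NS from RFC 3540). Assumption: IOS prints that whole word as "tcpflags".
TCP_FLAG_BITS: List[Tuple[int, str]] = [
    (0x100, "NS"), (0x080, "CWR"), (0x040, "ECE"), (0x020, "URG"),
    (0x010, "ACK"), (0x008, "PSH"), (0x004, "RST"), (0x002, "SYN"), (0x001, "FIN"),
]


@dataclass
class DropEvent:
    proto: str
    src: str
    dst: str
    reason: str
    ip_ident: int
    header_len: int        # TCP header length in bytes (data offset * 4)
    flags: List[str]
    seq: int
    ack: int


def decode_tcpflags(word: int) -> Tuple[int, List[str]]:
    """Split the 16-bit word into header length (bytes) and set flag names."""
    data_offset = (word >> 12) & 0xF
    names = [name for bit, name in TCP_FLAG_BITS if word & bit]
    return data_offset * 4, names


def parse_drop_pkt(line: str) -> Optional[DropEvent]:
    """Return a DropEvent for a %FW-6-DROP_PKT line, or None for other syslog."""
    m = DROP_PKT_RE.search(line)
    if m is None:
        return None
    header_len, flags = decode_tcpflags(int(m.group("tcpflags"), 16))
    return DropEvent(
        proto=m.group("proto"), src=m.group("src"), dst=m.group("dst"),
        reason=m.group("reason"), ip_ident=int(m.group("ident")),
        header_len=header_len, flags=flags,
        seq=int(m.group("seq")), ack=int(m.group("ack")),
    )


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count drops per (src, dst, reason) across a syslog extract."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_drop_pkt(line)
        if ev is not None:
            counts[(ev.src, ev.dst, ev.reason)] += 1
    return dict(counts)


# Constructed sample log: not real router output. 192.0.2.10:445 is a
# hypothetical file server, 198.51.100.20 a hypothetical client.
SAMPLE_LOG = [
    "Aug  6 09:12:01: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.10:445 198.51.100.20:49152 "
    "due to Stray Segment with ip ident 46866 tcpflags 0x5010 seq.no 1237259566 ack 3465174792",
    "Aug  6 09:12:03: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.10:445 198.51.100.20:49152 "
    "due to Stray Segment with ip ident 46867 tcpflags 0x5010 seq.no 1237259566 ack 3465174792",
    "Aug  6 09:12:05: %SYS-5-CONFIG_I: Configured from console by vty0",
    "Aug  6 09:12:07: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.20:49160 192.0.2.10:445 "
    "due to Retransmitted Segment with Invalid Flags with ip ident 1201 tcpflags 0x5018 "
    "seq.no 99 ack 100",
    "Aug  6 09:12:09: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.10:445 198.51.100.20:49152 "
    "due to Stray Segment with ip ident 46868 tcpflags 0x5010 seq.no 1237259566 ack 3465174792",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_drop_pkt(line)
        if ev:
            print(f"{ev.src} -> {ev.dst}: {ev.reason}, ident {ev.ip_ident}, "
                  f"hdr {ev.header_len}B, flags {ev.flags}, seq {ev.seq}, ack {ev.ack}")
    for (src, dst, reason), n in summarize(SAMPLE_LOG).items():
        print(f"{n:4d}  {src} -> {dst}  {reason}")
```

Repeated "Stray Segment" drops for one server/client pair with the same seq/ack, as in the constructed sample, point at a session the firewall no longer tracks (or never saw the SYN for, e.g. after an asymmetric path or tunnel flap), which is worth correlating with the IPsec SA lifetimes before chasing the caveat below.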
dhananjoy chowdhury Wed, 08/06/2008 - 23:20

This may help:

Caveat "CSCsj30582"

http://www.cisco.com/en/US/docs/ios/12_4t/release/notes/124TCAVS.html

Symptoms: A Cisco IOS router that is running ZPF (Zone-based Policy Firewall) intermittently drops ESP packets even when it is configured to pass them. This causes traffic over an IPsec VPN tunnel through this router to fail intermittently, although the tunnel is up and phase 1 (isakmp) and phase 2 (ipsec) SAs have been established. If the router is configured to log dropped packets, it will log a %FW-6-DROP_PKT syslog message for these packets.

Conditions: This symptom is observed on a Cisco IOS router that is enabled with ZPF (Zone-based Policy Firewall) and that is configured to pass the ESP traffic based on a "match access-group" policy, where the access list has entries to permit the ESP traffic specifically from one host to another.

For example:

  class-map type inspect match-any cm-esp
   match access-group 100

  policy-map type inspect in2out
   class type inspect cm-esp
    pass

  access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
  access-list 100 permit esp host 10.1.1.2 host 10.0.0.2

Workaround: Configure the access list so that the source is "any", for example:

  access-list 100 permit esp any host 10.1.1.2
  access-list 100 permit esp any host 10.0.0.2

First Alternate Workaround: Use the classic Cisco IOS firewall instead of ZPF; that is, use "ip inspect".

Further Problem Description: If an explicit deny rule is added to the above example, for example:

  access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
  access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
  access-list 100 deny esp any any

Then the show access-list command will indicate that the dropped packets are hitting the deny rule, although they should match one of the permit rules:

  Router# show access-lists 100
  Extended IP access list 100
      10 permit esp host 10.0.0.2 host 10.1.1.2 (999 matches)
      20 permit esp host 10.1.1.2 host 10.0.0.2 (999 matches)
      30 deny ip any any (1 match)

Ramraj Sivagnan... Mon, 07/30/2012 - 18:01

Hi Bro

"Retransmitted Segment with Invalid Flags" means that a retransmitted packet was already acknowledged by the receiver. Hence, I don't see the big issue here. In fact, I doubt you're hit with this Cisco Bug ID CSCte76513, but before confirming anything, do you have the keyword "established" in your ACLs? The reason I'm asking is that you didn't paste the whole config here. Furthermore, you should never use permit "established" when you use CBAC/ZFW.

Moving forward, can you remove these commands and let me know the outcome? I'm just trying to narrow down which line is giving you all the error messages seen.

  no zone-pair security OUTSIDE-IN source outside destination inside

  //Don't remove these lines for now, unless removing the above line doesn't solve anything :-)
  no zone-pair security INSIDE-to-SELF source inside destination self
  no zone-pair security OUTSIDE-to-SELF source outside destination self

Can you paste your show access-list WAN-IN here as well?

P.S. I found something similar, but it could be a long shot: https://supportforums.cisco.com/thread/237095
