We are in the process of looking for a code to begin ZBF implementation. Currently we have tried about 4 versions of 12.4 T code lines and have encountered the same issue each time. If we have two subnets configured on the same interface, with inspection enabled, the subnets are unable to communicate with each other. The following errors are seen in the inspect drop log:
Oct 6 2009 20:29:34 CDT: %FW-6-DROP_PKT: Dropping tcp session 10.32.120.213:3671 126.96.36.199:524 due to Invalid Segment with ip ident 61659 tcpflags 0x5010 seq.no 2534202883 ack 3333181490
We have been working with TAC and so far have been unable to identify a specific bug. We have tried older and the latest IOS versions. The only workaround is to disable inspection, but we prefer not to do that. Has anyone else encountered this or identified a specific bug?
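A triage helper for the drop message quoted above, added here as an example and not part of the original post: it parses %FW-6-DROP_PKT lines, decodes the tcpflags value, and counts drops per flow. It assumes tcpflags is the 16-bit data-offset/flags word of the TCP header; the function names and the second and third sample lines are constructed.

```python
import re
from collections import Counter

# Matches the %FW-6-DROP_PKT message layout shown in the post.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
    r"(?: tcpflags (?P<flags>0x[0-9a-fA-F]+))?"
)

# TCP flag bits carried in the low byte of the field.
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

def decode_tcpflags(value):
    """Assumption: top 4 bits are the data offset (32-bit words),
    low byte holds the flag bits, as in bytes 12-13 of the TCP header."""
    header_len = (value >> 12) * 4
    return header_len, [name for bit, name in FLAG_BITS if value & bit]

def parse_drop(line):
    """Return a dict of fields for one drop line, or None if it does not match."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["flags"]:
        rec["header_len"], rec["flag_names"] = decode_tcpflags(int(rec["flags"], 16))
    return rec

def summarize(lines):
    """Count drops per (src, dst, dport, reason) to show which flows are hit."""
    counts = Counter()
    for rec in filter(None, map(parse_drop, lines)):
        counts[(rec["src"], rec["dst"], rec["dport"], rec["reason"])] += 1
    return counts

# First line is from the post; the other two are constructed for illustration.
SAMPLE = [
    "Oct 6 2009 20:29:34 CDT: %FW-6-DROP_PKT: Dropping tcp session 10.32.120.213:3671 126.96.36.199:524 due to Invalid Segment with ip ident 61659 tcpflags 0x5010 seq.no 2534202883 ack 3333181490",
    "Oct 6 2009 20:29:35 CDT: %FW-6-DROP_PKT: Dropping tcp session 10.32.120.213:3671 126.96.36.199:524 due to Invalid Segment with ip ident 61660 tcpflags 0x5018 seq.no 2534202883 ack 3333181490",
    "Oct 6 2009 20:29:36 CDT: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for flow, n in summarize(SAMPLE).most_common():
        print(n, flow)
    print(parse_drop(SAMPLE[0])["flag_names"])
```

Grouping the drops by source, destination and port shows whether only traffic between the two subnets on the shared interface is affected, which is useful evidence to attach to a TAC case.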