Inspection Issues with 12.4 T Code Versions

Unanswered Question
Oct 7th, 2009
User Badges:

We are in the process of looking for a code to begin ZBF implementation. Currently we have tried about 4 versions of 12.4 T code lines and have encountered the same issue each time. If we have two subnets configured on the same interface, with inspection enabled, the subnets are unable to communicate with each other. The following errors are seen in the inspect drop log:


Oct 6 2009 20:29:34 CDT: %FW-6-DROP_PKT: Dropping tcp session 10.32.120.213:3671 170.211.162.3:524 due to Invalid Segment with ip ident 61659 tcpflags 0x5010 seq.no 2534202883 ack 3333181490


We have been working with TAC and so far have been unable to identify a specific bug. We have tried older and the latest IOS versions. The only workaround is to disable inspection, but prefer not to do that. Anyone else encountered this or have identified a specific bug?


Thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Kureli Sankar Wed, 10/07/2009 - 16:22
User Badges:
  • Cisco Employee,

What other codes did you try? What inspections do you have enabled?


The same syslog would have a little more information in 12.4(24)T


Have you tried 15.0.1M?


Have you tried to collect captures on both sides to see if packets arrive out of order if so, it could be due to CSCtc40876 and 15.0.1M would have the fix.




kenneth.rogers Thu, 10/08/2009 - 07:00
User Badges:

The images we have tried are:


c1841-adventerprisek9-mz.124-

22.T3.bin


c1841-adventerprisek9-mz.124-24.T.bin


c1841-adventerprisek9-mz.124-20.T4.bin


Also experienced the same with a 2811 router running c2800nm-advipservicesk9-mz.124-15.T9


We are inspecting the following:

tcp

udp

ftp

smtp

rcmd

vdolive

streamworks

rtsp

cuseeme

netshow

msrpc


I have not tried any additional codes or conducted any packet captures due to disturbing a production site.


Our TAC case is 612538115. Please do not think I am trying to by-pass TAC as our engineer is doing an excellent job as always in researching this. I just want to see if anyone else out there has encountered this.

Kureli Sankar Sun, 10/11/2009 - 14:27
User Badges:
  • Cisco Employee,

Best option is to try with minimum inspections.


tcp

udp

ftp


ropping tcp session 10.32.120.213:3671 170.211.162.3:524


What application is this listening on port 524? Is this Novell Core Portocol?


When you enable the FW, do http, smtp and other commonly used protol work?


Problem is only with tcp 524?


Like your TAC engineer already mentioned this may be due to asymmetry in routing. To verify this, we need packets captures before and after the router so, we can compare the seq. numbers and ack. numbers and also look at the syslog message and figure out why the FW may be dropping these packets.





Actions

This Discussion