My Cisco 891 is randomly dropping TCP sessions, which I believe is resulting in web page timeouts and half loads.
The error messages look like these. This example includes one local IP, but it happens to lots of internal hosts randomly.
Aug 15 16:54:46.299: %FW-6-DROP_PKT: Dropping tcp session 192.168.50.52:55064 188.8.131.52:443 on zone-pair ccp-zp-in-out class ccp-insp-traffic due to Stray Segment with ip ident 0
Aug 15 16:49:33.895: %FW-6-DROP_PKT: Dropping tcp session 184.108.40.206:80 192.168.50.52:54553 due to SYN inside current window with ip ident 0.
Aug 15 15:50:08.731: %FW-6-DROP_PKT: Dropping tcp session 220.127.116.11:443 192.168.50.52:60063 due to Stray Segment with ip ident 0
I've been googling the issue and no fixes have worked so far, nor am I really able to identify the source of this traffic. I've read it could be lots of out-of-order packets, so I enabled alarming by issuing parameter-map type ooo global -> alarming on. Nothing, nor is the out-of-order counter high. I've tried increasing the queue length and memory limit on virtual reassembly - no help.
I've checked my MTU, I can send 1500 fine. The interface is set to that. I went ahead and did an adjust-mss 1452 on the WAN and VLAN interfaces, still occurring.
I have checked my NAT timeout values, they are defaults.
I had a QoS service-policy set, which I took off thinking it may have been causing the drops. Still nothing.
My processor average usage is low.
What else can I check to identify the cause of these? My little 5MB line is definitely over saturated but this web page loading problem is only recent.
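One way to see which hosts, drop reasons and directions dominate is to tally the %FW-6-DROP_PKT lines from a saved syslog. The script below is an added example, not part of the original post; the sample lines are constructed in the format quoted above (with documentation-range public addresses), and the `inside_prefix` value is an assumption taken from the 192.168.50.x host in the post.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the post (public IPs are documentation ranges).
SAMPLE = """\
Aug 15 16:54:46.299: %FW-6-DROP_PKT: Dropping tcp session 192.168.50.52:55064 203.0.113.10:443 on zone-pair ccp-zp-in-out class ccp-insp-traffic due to Stray Segment with ip ident 0
Aug 15 16:49:33.895: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:80 192.168.50.52:54553 due to SYN inside current window with ip ident 0.
Aug 15 15:50:08.731: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.10:443 192.168.50.52:60063 due to Stray Segment with ip ident 0
Aug 15 15:51:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# The zone-pair/class part is optional: only some of the quoted messages carry it.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: on zone-pair (?P<zp>\S+) class (?P<cls>\S+))?"
    r" due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
)

def parse_drops(text):
    """Return one dict per DROP_PKT line; other syslog lines are skipped."""
    return [m.groupdict() for m in map(DROP_RE.search, text.splitlines()) if m]

def summarize(drops, inside_prefix="192.168.50."):
    """Count drops by reason, by inside host, and by direction of the dropped segment."""
    by_reason, by_host, by_dir = Counter(), Counter(), Counter()
    for d in drops:
        by_reason[d["reason"]] += 1
        outbound = d["src"].startswith(inside_prefix)  # assumed inside subnet
        by_host[d["src"] if outbound else d["dst"]] += 1
        by_dir["inside->outside" if outbound else "outside->inside"] += 1
    return by_reason, by_host, by_dir

if __name__ == "__main__":
    reasons, hosts, directions = summarize(parse_drops(SAMPLE))
    for title, counter in (("reason", reasons), ("inside host", hosts), ("direction", directions)):
        print(title)
        for key, n in counter.most_common():
            print(f"  {n:4d}  {key}")
```

Replacing `SAMPLE` with the contents of an exported log shows whether the drops cluster on a few hosts or remote ports, or are spread evenly across the inside network.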