ZPFW - EasyVPN 881 FW-6-DROP_PKT due to Stray Segment

We are trying to implement EasyVPN and we are running Version 15.3(3)M1 IOS. Our issue is that the VPN tunnel comes up but there is no decap at one end and no encap at the other. When we try to SSH to the device it gives us these drop packet errors.

Thanks,

Don        

1 REPLY

Hello,

Where is the EasyVPN interface pointing to (I refer to which zone)?

A stray segment is caused by:

1) FW decided that the session is terminated, but it hasn't yet removed all the data structures associated with the session. In this case "show ip inspect session" should not show the session for which the debug is reported.

2) FW saw the first SYN packet and is trying to create a session. But, before the session creation is done, it sees packets in the reverse direction for the same session. This could potentially happen when:

a) Both client and server try to initiate the connection at the same time, which is very rare, OR

b) Client sends a SYN packet with IP and port numbers same as a previous connection (as it thinks that the previous connection has been terminated). The server, for some reason, is still working with the old connection. In this case, FW treats all the packets from the server that belong to the old session as STRAY segments.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

For any questions, contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
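
The two causes listed in the reply above, replayed through a toy TCP session tracker. This is an added example, not part of the original post and not Cisco IOS code; `ToyFirewall`, its state names and the sample addresses are hypothetical, and it assumes a simplified model in which an RST ends a session immediately and sequence numbers are ignored.

```python
# Added illustration: a toy TCP session tracker, not Cisco IOS code.
SYN, RST, ACK = 0x02, 0x04, 0x10

class ToyFirewall:
    def __init__(self):
        self.sessions = {}  # unordered endpoint pair -> session record

    def inspect(self, src, dst, flags):
        """Return 'pass' or a drop reason for one TCP segment."""
        key = frozenset((src, dst))
        sess = self.sessions.get(key)
        if sess is None:
            if flags == SYN:  # only a bare SYN may start a session
                self.sessions[key] = {"state": "SYN_SEEN", "initiator": src}
                return "pass"
            return "drop: stray (no session)"
        if sess["state"] == "CLOSED":
            # Cause 1: session terminated, record not yet removed.
            return "drop: stray (session terminated)"
        if flags & RST:
            sess["state"] = "CLOSED"  # simplification: RST ends the session
            return "pass"
        if sess["state"] == "SYN_SEEN":
            if src == sess["initiator"]:
                return "pass" if flags == SYN else "drop: stray (handshake incomplete)"
            if flags == SYN | ACK:
                sess["state"] = "SYNACK_SEEN"
                return "pass"
            # Cause 2: reverse-direction packet before the session exists.
            return "drop: stray (reverse packet during setup)"
        if sess["state"] == "SYNACK_SEEN":
            if src == sess["initiator"] and flags == ACK:
                sess["state"] = "ESTABLISHED"
                return "pass"
            return "drop: stray (handshake incomplete)"
        return "pass"  # ESTABLISHED: sequence checks omitted in this model

def replay(packets):
    """Run a list of (src, dst, flags) through a fresh tracker."""
    fw = ToyFirewall()
    return [fw.inspect(*p) for p in packets]

# Constructed sample traffic (documentation address ranges).
C, S = ("192.0.2.10", 50000), ("198.51.100.5", 22)
CASE_1 = [(C, S, SYN), (S, C, SYN | ACK), (C, S, ACK), (C, S, RST), (S, C, ACK)]
CASE_2A = [(C, S, SYN), (S, C, SYN)]  # both ends open at the same time
CASE_2B = [(C, S, SYN), (S, C, ACK)]  # server still on the old connection
```
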