New Member

IOS firewall dropping packets

Hi all,

I'm getting a lot of dropped packets in IOS firewall. Can anyone enlighten me why there are these few default dropping functions? What are the effects on my network? How do I disable/tune the dropping mechanism?

Due to RST:

503024: Sep 3 10:36:20.826 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to RST inside current window -- ip ident 53051 tcpflags 0x5014 seq.no 4089128565 ack 2915367815

Due to stray segments:

503026: Sep 3 10:37:10.434 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Stray Segment -- ip ident 11196 tcpflags 0x501 seq.no 4286787544 ack 896131408

Due to invalid segments:

503028: Sep 3 10:37:51.394 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Invalid Segment -- ip ident 59737 tcpflags 0x5004 seq.no 816531889 ack 0

Due to out of order segment:

Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Out-Of-Order Segment -- ip ident 17939 tcpflags 0x5010 seq.no 3092955571 ack 401998231
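
An added example, not part of the original thread: a small parser that decodes the tcpflags field of these %FW-6-DROP_TCP_PKT messages and tallies drops by reason and flag combination. It assumes the logged value is the TCP header's 16-bit data-offset/flags word, which is consistent with the values shown (0x5014 reads as a 20-byte header with RST+ACK); the function names are hypothetical.

```python
import re
from collections import Counter

# Flag bits in the low byte of the TCP header's offset/flags word (RFC 9293).
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

DROP_RE = re.compile(
    r"Dropping tcp pkt (?P<src>\S+) => (?P<dst>\S+) due to (?P<reason>.+?)"
    r"\s+-- ip ident (?P<ident>\d+)\s+tcpflags (?P<flags>0x[0-9a-fA-F]+)"
    r"\s+seq\.no (?P<seq>\d+) ack (?P<ack>\d+)")

def decode_tcpflags(word):
    """Return (header_bytes, flag_names), or None if the word is implausible.

    Assumption: the top nibble is the header length in 32-bit words, so a
    complete value always has a top nibble of at least 5 (20 bytes).
    """
    header_bytes = ((word >> 12) & 0xF) * 4
    if header_bytes < 20:
        return None  # e.g. a value cut short when the log line was wrapped
    return header_bytes, [name for bit, name in FLAG_BITS if word & bit]

def parse_drop(line):
    """Parse one drop message into a dict, or None if it does not match."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    decoded = decode_tcpflags(int(m.group("flags"), 16))
    return {"reason": m.group("reason"), "ident": int(m.group("ident")),
            "seq": int(m.group("seq")), "ack": int(m.group("ack")),
            "flags": decoded[1] if decoded else None}

def summarize(lines):
    """Count drops per (reason, flag combination)."""
    counts = Counter()
    for rec in filter(None, map(parse_drop, lines)):
        flags = "undecodable" if rec["flags"] is None else "+".join(rec["flags"])
        counts[(rec["reason"], flags)] += 1
    return counts

# The four messages from the post, rejoined onto single lines (addresses masked
# as posted; the second tcpflags value is cut short in the post).
P = "%FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to "
SAMPLE = [
    P + "RST inside current window -- ip ident 53051 tcpflags 0x5014 seq.no 4089128565 ack 2915367815",
    P + "Stray Segment -- ip ident 11196 tcpflags 0x501 seq.no 4286787544 ack 896131408",
    P + "Invalid Segment -- ip ident 59737 tcpflags 0x5004 seq.no 816531889 ack 0",
    P + "Out-Of-Order Segment -- ip ident 17939 tcpflags 0x5010 seq.no 3092955571 ack 401998231",
]
```

Run over a larger capture of the same messages, `summarize()` shows whether the drops are mostly resets and late ACKs or something else, and counts any truncated tcpflags values separately as undecodable.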

3 REPLIES
New Member

Re: IOS firewall dropping packets

Condition:

When the ip inspect or ip ips command is applied in combination with IPSEC on the egress FastEthernet interface.

Workaround:

Disable both ip inspect and IPS

New Member

Re: IOS firewall dropping packets

Thanks for the reply. It's sad that these features are turned on by default and there is no parameter to turn them off besides turning off the whole IOS FW module.

New Member

Re: IOS firewall dropping packets

Build exceptions for IPSEC into your firewall and IPS rules.
