Can anyone explain this error and what a stray segment with IP ident 46866 is? I can't seem to find this error on the Cisco website; the only bug appears to be to do with zone firewalls. I have an 877 router on a remote site configured with IPsec and a tunnel back to the main office, and I'm getting reported connection issues to network drives on servers located on the local LAN and on the headend LAN. I can't seem to find any other errors apart from this one.
%FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.X.X.X due to
Stray Segment with ip ident 46866 tcpflags 0x5010 seq.no 1237259566 ack 3465174792
If anyone could help or point me in the right direction, that would be great. Failing that, I'm jumping off this building.
Symptoms: A Cisco IOS router that is running ZPF (Zone-based Policy Firewall) intermittently drops ESP packets even when it is configured to pass them. This causes traffic over an IPsec VPN tunnel through this router to fail intermittently, although the tunnel is up and phase 1 (isakmp) and phase 2 (ipsec) SAs have been established. If the router is configured to log dropped packets, it will log a %FW-6-DROP_PKT syslog message for these packets.
Conditions: This symptom is observed on a Cisco IOS router that is enabled with ZPF (Zone-based Policy Firewall) and that is configured to pass the ESP traffic based on a "match access-group" policy, where the access list has entries to permit the ESP traffic specifically from one host to another.
class-map type inspect match-any cm-esp
 match access-group 100
policy-map type inspect in2out
 class type inspect cm-esp
  pass
Re: Firewall Dropping Packets - %FW-6-DROP_PKT: Dropping tcp ses
"Retransmitted Segment with Invalid Flags" means that a retransmitted packet was already acknowledged by the receiver. Hence, I don't see the big issue here. In fact, I doubt you're hit with this Cisco Bug ID CSCte76513, but before confirming anything, do you have in your ACLs the keyword "established"? The reason I'm asking is because you didn't paste the whole config here. Furthermore, you should never use the permit "established" when you use the CBAC/ZFW.
Moving forward, can you remove these commands and let me know the outcome? I'm just trying to narrow down which line is giving you all the error messages seen.
no zone-pair security OUTSIDE-IN source outside destination inside
//Don't remove these lines for now, unless removing the above line doesn't solve anything :-)
no zone-pair security INSIDE-to-SELF source inside destination self
no zone-pair security OUTSIDE-to-SELF source outside destination self
Can you paste your show access-list WAN-IN here as well?
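To triage drops like the ones quoted in this thread, it helps to parse the %FW-6-DROP_PKT lines out of the syslog, decode the tcpflags word (0x5010 is a 20-byte header with only ACK set) and count how often each reason and session repeats. This is an added example, not code from the thread or from Cisco; the log lines are constructed, with made-up addresses, to match the message format shown above.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the %FW-6-DROP_PKT message quoted
# in the thread (addresses, ports and the non-firewall line are made up).
SAMPLE_LOG = """\
Mar  1 10:00:01.123: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.10:49152 198.51.100.5:445 due to Stray Segment with ip ident 46866 tcpflags 0x5010 seq.no 1237259566 ack 3465174792
Mar  1 10:00:02.456: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.10:49152 198.51.100.5:445 due to Stray Segment with ip ident 46867 tcpflags 0x5018 seq.no 1237259566 ack 3465174792
Mar  1 10:00:03.789: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.11:50000 198.51.100.5:445 due to Retransmitted Segment with Invalid Flags with ip ident 1 tcpflags 0x5002 seq.no 99 ack 0
Mar  1 10:00:04.000: %SYS-5-CONFIG_I: Configured from console by admin
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session (?P<src>\S+) (?P<dst>\S+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+) tcpflags (?P<flags>0x[0-9a-fA-F]+) "
    r"seq\.no (?P<seq>\d+) ack (?P<ack>\d+)"
)

# Flag bits in the low byte of the 16-bit TCP data-offset/flags word IOS prints.
FLAG_BITS = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]

def decode_tcpflags(word):
    """Split a value such as 0x5010 into header length in bytes and flag names."""
    word = int(word, 16) if isinstance(word, str) else word
    offset_bytes = (word >> 12) * 4            # high nibble = header length in 32-bit words
    names = [name for bit, name in FLAG_BITS if word & bit]
    return offset_bytes, names

def parse_drops(text):
    """Return one dict per firewall drop line; other syslog lines are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["offset"], d["flag_names"] = decode_tcpflags(d["flags"])
        drops.append(d)
    return drops

def summarize(drops):
    """Count drops per (reason, src, dst) so a session being hit repeatedly stands out."""
    return Counter((d["reason"], d["src"], d["dst"]) for d in drops)

if __name__ == "__main__":
    for key, count in summarize(parse_drops(SAMPLE_LOG)).most_common():
        print(count, key)
```

A handful of stray or retransmitted-segment drops on an otherwise healthy session is normal TCP noise; a steady stream on the same session is what points at a real path problem or a policy that needs review.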
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: