
Firewall Dropping Packets - %FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.


Can anyone explain this error and what a stray segment with IP ident 46866 is? I can't seem to find this error on the Cisco web site; the only bug appears to be to do with Zone firewalls. I have an 877 Router on a remote site configured with IPSEC and a Tunnel back to the main office, and I'm getting reported connection issues to network drives on servers located local to the LAN and on the headend LAN. Can't seem to find any other errors apart from this one.

%FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.X.X.X due to Stray Segment with ip ident 46866 tcpflags 0x5010 1237259566 ack 3465174792

If anyone could help or point me in the right direction that would be great. Failing that I'm jumping off this building.
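As an added example (not part of the original post, and not Cisco code), here is a small Python parser that pulls the session, drop reason, IP ident, tcpflags, sequence and ack numbers out of %FW-6-DROP_PKT lines and decodes the tcpflags word, so the drops can be counted per session and reason instead of read one at a time. The sample log lines are constructed to match the shape of the message quoted above (the addresses, ports and timestamps are made up, and the exact field order after "due to" is assumed from the post); the decoding assumes that the tcpflags value is the raw 16-bit data-offset/flags word from the TCP header, which is consistent with 0x5010 meaning a 20-byte header carrying only ACK.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog text (hypothetical addresses/ports, format mirrors the
# quoted %FW-6-DROP_PKT message). Ports 445/139 are chosen because the post reports
# problems reaching network drives.
SAMPLE_LOG = """\
Mar  1 10:02:11.123: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.10:445 198.51.100.7:51320 due to Stray Segment with ip ident 46866 tcpflags 0x5010 1237259566 ack 3465174792
Mar  1 10:02:11.987: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.10:445 198.51.100.7:51320 due to Stray Segment with ip ident 46870 tcpflags 0x5018 1237260566 ack 3465174792
Mar  1 10:02:15.004: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:51321 192.0.2.11:139 due to Retransmitted Segment with Invalid Flags with ip ident 12001 tcpflags 0x5002 88001 ack 0
Mar  1 10:02:16.300: %SYS-5-CONFIG_I: Configured from console by vty0 (198.51.100.2)
"""

# Regex for the drop message; the reason is everything between "due to" and
# "with ip ident" (non-greedy so multi-word reasons are kept whole).
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>\S+) (?P<dst>\S+) due to (?P<reason>.+?) with ip ident (?P<ident>\d+) "
    r"tcpflags (?P<flags>0x[0-9a-fA-F]+) (?P<seq>\d+) ack (?P<ack>\d+)"
)

# TCP flag bits in the low 9 bits of the offset/flags word (RFC 793 + ECN/NS bits).
TCP_FLAG_BITS = [
    (0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
    (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"), (0x100, "NS"),
]


@dataclass
class DropEvent:
    proto: str
    src: str
    dst: str
    reason: str
    ident: int
    tcpflags: int
    seq: int
    ack: int


def decode_tcpflags(word: int):
    """Split the 16-bit offset/flags word into (header length in bytes, flag names)."""
    data_offset_words = (word >> 12) & 0xF
    flag_names = [name for bit, name in TCP_FLAG_BITS if word & bit]
    return data_offset_words * 4, flag_names


def parse_drop_line(line: str) -> Optional[DropEvent]:
    """Return a DropEvent for a %FW-6-DROP_PKT line, or None for any other message."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return DropEvent(
        proto=m["proto"], src=m["src"], dst=m["dst"], reason=m["reason"],
        ident=int(m["ident"]), tcpflags=int(m["flags"], 16),
        seq=int(m["seq"]), ack=int(m["ack"]),
    )


def summarize_drops(log_text: str):
    """Count drops per reason and per (src, dst) session across a block of syslog text."""
    events = [e for e in (parse_drop_line(l) for l in log_text.splitlines()) if e]
    by_reason = Counter(e.reason for e in events)
    by_session = Counter((e.src, e.dst) for e in events)
    return events, by_reason, by_session


if __name__ == "__main__":
    events, by_reason, by_session = summarize_drops(SAMPLE_LOG)
    for e in events:
        hdr_len, flags = decode_tcpflags(e.tcpflags)
        print(f"{e.src} -> {e.dst}: {e.reason}; hdr {hdr_len}B flags {'/'.join(flags)} "
              f"seq {e.seq} ack {e.ack}")
    print("per reason:", dict(by_reason))
    print("per session:", dict(by_session))
```

Running it over a real log export lets you see whether the drops cluster on the file-server sessions the users complain about, and whether the dropped segments are plain ACK/PSH-ACK data (as 0x5010 and 0x5018 decode to) or control segments, which is the distinction the later replies in this thread turn on.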




Re: Firewall Dropping Packets - %FW-6-DROP_PKT: Dropping tcp ses

This may help:

Caveat "CSCsj30582"

Symptoms: A Cisco IOS router that is running ZPF (Zone-based Policy Firewall) intermittently drops ESP packets even when it is configured to pass them. This causes traffic over an IPsec VPN tunnel through this router to fail intermittently, although the tunnel is up and phase 1 (isakmp) and phase 2 (ipsec) SAs have been established. If the router is configured to log dropped packets, it will log a %FW-6-DROP_PKT syslog message for these packets.

Conditions: This symptom is observed on a Cisco IOS router that is enabled with ZPF (Zone-based Policy Firewall) and that is configured to pass the ESP traffic based on a "match access-group" policy, where the access list has entries to permit the ESP traffic specifically from one host to another.

For example:

class-map type inspect match-any cm-esp
 match access-group 100

policy-map type inspect in2out
 class type inspect cm-esp
  pass

access-list 100 permit esp host host
access-list 100 permit esp host host

Workaround: Configure the access list so that the source is "any", for example:

access-list 100 permit esp any host
access-list 100 permit esp any host

First Alternate Workaround: Use the classic Cisco IOS firewall instead of ZPF; that is, use "ip inspect".

Further Problem Description: If an explicit deny rule is added to the above example, for example:

access-list 100 permit esp host host
access-list 100 permit esp host host
access-list 100 deny esp any any

Then the show access-list command will indicate that the dropped packets are hitting the deny rule, although they should match one of the permit rules:

Router# show access-lists 100
Extended IP access list 100
    10 permit esp host host (999 matches)
    20 permit esp host host (999 matches)
    30 deny ip any any (1 match)

Re: Firewall Dropping Packets - %FW-6-DROP_PKT: Dropping tcp ses

Hi Bro

"Retransmitted Segment with Invalid Flags" means that a retransmitted packet was already acknowledged by the receiver. Hence, I don't see the big issue here. In fact, I doubt you're hit with this Cisco Bug ID CSCte76513, but before confirming anything, do you have in your ACLs the keyword "established"? The reason I'm asking is because you didn't paste the whole config here. Furthermore, you should never use the permit "established" when you use the CBAC/ZFW.

Moving forward, can you remove these commands and let me know the outcome? I'm just trying to narrow down which line is giving you all the error messages seen.

no zone-pair security OUTSIDE-IN source outside destination inside

//Don't remove these lines for now, unless removing the above line doesn't solve anything :-)
no zone-pair security INSIDE-to-SELF source inside destination self
no zone-pair security OUTSIDE-to-SELF source outside destination self

Can you paste your show access-list WAN-IN here as well.

P.S.: I found something similar, but it could be a long shot.

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department