Cisco Support Community

New Member

tcp inspect dropping packets

Hi

We have a bespoke FTP app that seems to fail when ip inspect is enabled on our 837 router. The inspect is configured for tcp and ftp.

I have found that the tcp inspection is the reason for the FTP traffic being dropped. When you tie this in with the fact that all other applications are working it looks like the bespoke application is triggering something that the tcp inspect feature does not like.

Command line FTP and also explorer FTP work fine.

CBAC sis 8221F454 L4 inspect result: DROP packet 81C0ADEC (x.x.x.x:1063) (x.x.x.x:21) bytes 0 ErrStr = Stray Segment tcp

2005-10-11 10:05:30 Local7.Debug x.x.x.x 75041: 078135: Oct 11 10:05:43.066: IP: s=x.x.x.x (Ethernet0), d=x.x.x.x (Dialer1), len 40, dropped by inspect

2005-10-11 10:05:30 Local7.Debug x.x.x.x 75042: 078136: Oct 11 10:05:43.066: TCP src=1063, dst=21, seq=31901079, ack=31901079, win=0 RST

I cannot find anything on the Cisco website about this. Is anyone able to help with it?

Thanks in advance

4 REPLIES
Gold

Re: tcp inspect dropping packets

Just wondering whether we are discussing inbound FTP or outbound FTP, that is, whether you are hosting an FTP server behind the router or trying to access an FTP server that's out on the internet.

Also, verify the issue by disabling CBAC and testing the app again.

New Member

Re: tcp inspect dropping packets

Outbound FTP.

The application works fine with no CBAC and a normal ACL.

Specifically, the tcp inspect feature, and not the ftp inspect feature, is causing the problem.

The version we are using is 12.3(11)T7. It works fine with 12.3(7)T12, but we noticed other problems with 12.3(7)T12 so we had to upgrade.

thanks

New Member

Re: tcp inspect dropping packets

I have a similar problem on a 2821 running 12.4(3a) when using CBAC and NAT for outbound connections.

Look at the debug:

ip inspect name Cbac_Sortant ftp

ip inspect name Cbac_Sortant esmtp

ip inspect name Cbac_Sortant udp

ip inspect name Cbac_Sortant http

!

005357: *Jan 27 17:22:37.915 CET: NAT: Allocated Port for -> : wanted 4024 got 4024

005358: *Jan 27 17:22:37.915 CET: NAT: i: tcp (, 4024) -> (66.249.93.99, 80) [31765]

005359: *Jan 27 17:22:37.915 CET: NAT: s=->, d=66.249.93.99 [31765]

005360: *Jan 27 17:22:37.915 CET: CBAC Pak 43ABD8E0 sis 4430C150 initiator_addr (:4024) responder_addr (66.249.93.99:80)

initiator_alt_addr (:4024) responder_alt_addr (66.249.93.99:80)

005361: *Jan 27 17:22:37.915 CET: CBAC OBJ_CREATE: create sis 4430C150

005362: *Jan 27 17:22:37.915 CET: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (:4024) -- responder (66.249.93.99:80)

005363: *Jan 27 17:22:37.915 CET: CBAC sis 4430C150 pak 43ABD8E0 SIS_CLOSED/LISTEN TCP SYN SEQ 2678976374 LEN 0 (:4024) => (66.249.93.99:80)

005364: *Jan 27 17:22:37.915 CET: CBAC OBJ-CREATE: sid 443133C4 acl Acl_Outside Prot: tcp

005365: *Jan 27 17:22:37.915 CET: Src 66.249.93.99 Port [80:80]

005366: *Jan 27 17:22:37.915 CET: Dst Port [4024:4024]

005367: *Jan 27 17:22:37.915 CET: CBAC OBJ_CREATE: create host entry 4428FDE0 addr 66.249.93.99 bucket 133 (vrf 0:0)

005368: *Jan 27 17:22:37.947 CET: NAT*: o: tcp (66.249.93.99, 80) -> (, 4024) [14338]

005369: *Jan 27 17:22:37.947 CET: NAT*: s=66.249.93.99, d=-> [14338]

005370: *Jan 27 17:22:37.947 CET: NAT: i: tcp (, 4024) -> (66.249.93.99, 80) [31767]

005371: *Jan 27 17:22:37.947 CET: NAT: s=->, d=66.249.93.99 [31767]

005372: *Jan 27 17:22:37.947 CET: CBAC sis 4430C150 pak 43ABC3F8 SIS_OPENING/SYNSENT TCP ACK 2736494676 SEQ 2678976375 LEN 0 (:4024) => (66.249.93.99:80)

005373: *Jan 27 17:22:37.947 CET: CBAC sis 4430C150 L4 inspect result: DROP packet 43ABC3F8 (:4024) (66.249.93.99:80) bytes 0 ErrStr = Invalid Segment http

005374: *Jan 27 17:22:37.947 CET: NAT: i: tcp (, 4024) -> (66.249.93.99, 80) [31768]

005375: *Jan 27 17:22:37.947 CET: NAT: s=->, d=66.249.93.99 [31768]

005376: *Jan 27 17:22:37.947 CET: CBAC sis 4430C150 pak 4407BEE8 SIS_OPENING/SYNSENT TCP PSH ACK 2736494676 SEQ 2678976375 LEN 285 (:4024) => (66.249.93.99:80)

005377: *Jan 27 17:22:37.947 CET: CBAC sis 4430C150 L4 inspect result: DROP packet 4407BEE8 (:4024) (66.249.93.99:80) bytes 285 ErrStr = Invalid Segment http

005378: *Jan 27 17:22:40.935 CET: NAT: i: tcp (, 4024) -> (66.249.93.99, 80) [31770]

005379: *Jan 27 17:22:40.935 CET: NAT: s=->, d=66.249.93.99 [31770]

005380: *Jan 27 17:22:40.935 CET: CBAC sis 4430C150 pak 4407D054 SIS_OPENING/SYNSENT TCP PSH ACK 2736494676 SEQ 2678976375 LEN 285 (:4024) => (66.249.93.99:80)

005381: *Jan 27 17:22:40.939 CET: CBAC sis 4430C150 L4 inspect result: DROP packet 4407D054 (:4024) (66.249.93.99:80) bytes 285 ErrStr = Invalid Segment http
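The two traces in this thread (the "Stray Segment tcp" drop in the first post and the "Invalid Segment http" drops above) are easier to reason about once the `debug ip inspect` lines are grouped per session, with the inspect state at each packet and the drop reasons side by side. The script below is an added example, not code from the thread or from Cisco: it parses the packet and DROP line formats exactly as they appear in this thread (other IOS releases may format them differently, which is an assumption), and runs over a constructed sample modelled on the posted lines, with placeholder inside addresses because the originals were masked. The `stuck_in_synsent` check flags the pattern visible in the second trace: the engine logs the initiator's SYN, every later packet it sees is still tagged SIS_OPENING/SYNSENT, and the client's ACK and data are dropped, which means the responder's SYN-ACK was never presented to inspect (in the trace above the return packet only shows up in the NAT* fast-path lines).

```python
"""Group CBAC 'debug ip inspect' output per session and summarise drop reasons.

Added example, not from the thread. Regexes follow the line formats shown in
this thread; other IOS releases may differ (assumption).
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample modelled on the debug lines posted in this thread.
# Inside addresses are placeholders; the originals were masked in the posts.
SAMPLE_DEBUG = """\
005360: *Jan 27 17:22:37.915 CET: CBAC Pak 43ABD8E0 sis 4430C150 initiator_addr (10.0.0.5:4024) responder_addr (66.249.93.99:80)
005363: *Jan 27 17:22:37.915 CET: CBAC sis 4430C150 pak 43ABD8E0 SIS_CLOSED/LISTEN TCP SYN SEQ 2678976374 LEN 0 (10.0.0.5:4024) => (66.249.93.99:80)
005372: *Jan 27 17:22:37.947 CET: CBAC sis 4430C150 pak 43ABC3F8 SIS_OPENING/SYNSENT TCP ACK 2736494676 SEQ 2678976375 LEN 0 (10.0.0.5:4024) => (66.249.93.99:80)
005373: *Jan 27 17:22:37.947 CET: CBAC sis 4430C150 L4 inspect result: DROP packet 43ABC3F8 (10.0.0.5:4024) (66.249.93.99:80) bytes 0 ErrStr = Invalid Segment http
005376: *Jan 27 17:22:37.947 CET: CBAC sis 4430C150 pak 4407BEE8 SIS_OPENING/SYNSENT TCP PSH ACK 2736494676 SEQ 2678976375 LEN 285 (10.0.0.5:4024) => (66.249.93.99:80)
005377: *Jan 27 17:22:37.947 CET: CBAC sis 4430C150 L4 inspect result: DROP packet 4407BEE8 (10.0.0.5:4024) (66.249.93.99:80) bytes 285 ErrStr = Invalid Segment http
CBAC sis 8221F454 L4 inspect result: DROP packet 81C0ADEC (192.168.1.10:1063) (203.0.113.7:21) bytes 0 ErrStr = Stray Segment tcp
"""

# A packet presented to the inspect engine: session id, state *before* the
# packet is processed, TCP flags, optional ACK number, SEQ, payload length, flow.
PKT_RE = re.compile(
    r"CBAC sis (?P<sis>[0-9A-F]+) pak (?P<pak>[0-9A-F]+) (?P<state>\S+) TCP "
    r"(?P<flags>(?:SYN|PSH|ACK|FIN|RST|URG)(?: (?:SYN|PSH|ACK|FIN|RST|URG))*)"
    r"(?: (?P<ack>\d+))? SEQ (?P<seq>\d+) LEN (?P<len>\d+) "
    r"\((?P<src>[^)]+)\) => \((?P<dst>[^)]+)\)"
)
# An L4 inspect verdict; ErrStr carries the reason followed by the inspected protocol.
DROP_RE = re.compile(
    r"CBAC sis (?P<sis>[0-9A-F]+) L4 inspect result: DROP packet (?P<pak>[0-9A-F]+) "
    r"\((?P<src>[^)]+)\) \((?P<dst>[^)]+)\) bytes (?P<bytes>\d+) "
    r"ErrStr = (?P<err>.+) (?P<proto>\S+)$"
)


@dataclass
class Drop:
    pak: str
    err: str
    proto: str
    nbytes: int


@dataclass
class Session:
    sis: str
    flow: str = ""
    states: list = field(default_factory=list)  # inspect state at each packet seen
    flags: list = field(default_factory=list)   # TCP flags of each packet seen
    drops: list = field(default_factory=list)


def parse_inspect_debug(text):
    """Return {sis: Session} built from packet and DROP lines; other lines are ignored."""
    sessions = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PKT_RE.search(line)
        if m:
            s = sessions.setdefault(m["sis"], Session(m["sis"]))
            s.flow = f"{m['src']} -> {m['dst']}"
            s.states.append(m["state"])
            s.flags.append(m["flags"])
            continue
        m = DROP_RE.search(line)
        if m:
            s = sessions.setdefault(m["sis"], Session(m["sis"]))
            s.flow = s.flow or f"{m['src']} -> {m['dst']}"
            s.drops.append(Drop(m["pak"], m["err"], m["proto"], int(m["bytes"])))
    return sessions


def drop_reason_counts(sessions):
    """Tally (ErrStr, protocol) pairs across all sessions."""
    return Counter((d.err, d.proto) for s in sessions.values() for d in s.drops)


def stuck_in_synsent(s):
    """True if inspect saw the initiator's SYN, every later packet it saw was still
    tagged SIS_OPENING/SYNSENT, and drops followed. In that case the responder's
    SYN-ACK never reached the inspect engine, so it rejects the client's ACK/data."""
    if not s.drops or not s.flags or s.flags[0] != "SYN":
        return False
    later = s.states[1:]
    return bool(later) and all(st == "SIS_OPENING/SYNSENT" for st in later)


def report(sessions):
    """Human-readable per-session summary lines."""
    out = []
    for s in sessions.values():
        reasons = dict(Counter((d.err, d.proto) for d in s.drops))
        out.append(f"sis {s.sis} {s.flow}: states {' > '.join(s.states) or 'none logged'}; "
                   f"drops {reasons or 'none'}")
        if stuck_in_synsent(s):
            out.append("  -> session never left SYNSENT: the responder's SYN-ACK was not inspected; "
                       "check that return traffic is presented to inspect on that interface/direction")
    return out


if __name__ == "__main__":
    for line in report(parse_inspect_debug(SAMPLE_DEBUG)):
        print(line)
```

Run it against a real `debug ip inspect` capture (from `debug ip inspect tcp` or the per-protocol variant) piped in from a syslog file; a session with drops but no packet lines at all, like the "Stray Segment" one, tells you the segment arrived for a session the engine had no state for, whereas a session that never advances past SYNSENT points at the return path rather than at the inspected application.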

New Member

Re: tcp inspect dropping packets
