[c-nsp] Dropping tcp session due to Invalid Flags
Ivan Poddubnyy
ivan_poddubnyy at symantec.com
Thu Apr 29 16:53:21 EDT 2010
All,
I've recently migrated my Cisco 2821 routers to 15.1T.
It works well except for one thing. For some connections I get messages like
this:
Apr 29 13:29:57 10.0.143.254 11979: rtr02.tu: [syslog at 9 s_sn="11979"
s_id="rtr02.dc3:514" s_tc="3542767" s_dc="0"]: 011979: Apr 29
14:29:56.363 MDT: %FW-6-DROP_PKT: Dropping tcp session
143.127.138.33:8085 143.127.138.34:179 on zone-pair zp-out-self class
cls_permitbpg due to Invalid Flags with ip ident 0
In this, 143.127.138.34 is my router and 143.127.138.33 is an upstream
router and BGP neighbor.
In this particular case BGP is up, I should mention.
I do see those messages for other connections, too, not related to BGP.
I'm running ZBF.
Here are the related parts of config.
-------------------------------------
...
class-map type inspect match-all cls_permitbpg
 match access-group name acl_permitbgp
...
policy-map type inspect pol-permit
 class type inspect cls_encrypt
  pass log
 class type inspect cls_permittoself
  inspect
 class type inspect cls_permitbpg
  inspect
 class type inspect cls_denytoself
  pass log
 class class-default
  drop log
...
zone-pair security zp-out-self source out-zone destination self
 service-policy type inspect pol-permit
...
ip access-list extended acl_permitbgp
 permit tcp host 143.127.138.33 eq bgp host 143.127.138.34
 permit tcp host 143.127.138.33 host 143.127.138.34 eq bgp
-------------------------------------
Note about this config: I don't see matches against the first rule (odd in
the case of BGP), I do see matches against the second rule, and those packets are
logged as being dropped (odd!). BGP is up (according to 'show ip bgp').
I have another example with a different set of ports.
Any help is appreciated!
Thank you!
--
Ivan Poddubnyy
Sr. Systems Administrator
Symantec Corporation / EHG
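A small triage helper, added here as an example and not part of the original post or of any Cisco tool: it parses %FW-6-DROP_PKT lines like the one above into structured fields, aggregates drops by class and reason, and checks the logged 5-tuple against a simplified model of the two ACEs in acl_permitbgp to show which entry the packet matches. The sample BGP line is reconstructed from the post; the second sample line with 10.0.0.x addresses is constructed, and the ACE matcher only models host addresses and ports (no flag or "established" semantics).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed samples. The first is the post's own log line joined onto one
# line; the second is a made-up non-BGP drop with placeholder addresses.
SAMPLE_LOGS = [
    "Apr 29 14:29:56.363 MDT: %FW-6-DROP_PKT: Dropping tcp session "
    "143.127.138.33:8085 143.127.138.34:179 on zone-pair zp-out-self class "
    "cls_permitbpg due to Invalid Flags with ip ident 0",
    "Apr 29 14:30:01.100 MDT: %FW-6-DROP_PKT: Dropping tcp session "
    "10.0.0.5:40000 10.0.0.1:22 on zone-pair zp-out-self class "
    "cls_permittoself due to Invalid Flags with ip ident 0",
]

# Field layout of the IOS ZBF drop message as it appears in the post.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
)


@dataclass
class DropEvent:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: str
    cls: str
    reason: str
    ident: int


def parse_drop(line: str) -> Optional[DropEvent]:
    """Return a DropEvent for a %FW-6-DROP_PKT line, or None if it is not one."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return DropEvent(d["proto"], d["src"], int(d["sport"]), d["dst"],
                     int(d["dport"]), d["zone_pair"], d["cls"],
                     d["reason"], int(d["ident"]))


def summarize(lines) -> Counter:
    """Count drops per (zone-pair, class, reason) to see where they cluster."""
    return Counter((ev.zone_pair, ev.cls, ev.reason)
                   for ev in map(parse_drop, lines) if ev)


# Simplified model of one ACE: host src/dst, optional source/destination port.
@dataclass
class Ace:
    src: str
    sport: Optional[int]   # None = any port
    dst: str
    dport: Optional[int]
    text: str


# The two entries of acl_permitbgp from the post (bgp = TCP/179).
ACL_PERMITBGP = [
    Ace("143.127.138.33", 179, "143.127.138.34", None,
        "permit tcp host 143.127.138.33 eq bgp host 143.127.138.34"),
    Ace("143.127.138.33", None, "143.127.138.34", 179,
        "permit tcp host 143.127.138.33 host 143.127.138.34 eq bgp"),
]


def matching_ace_index(ev: DropEvent, acl=ACL_PERMITBGP) -> Optional[int]:
    """Index of the first ACE the event's 5-tuple matches (first-match order)."""
    for i, ace in enumerate(acl):
        if (ev.src == ace.src and ev.dst == ace.dst
                and (ace.sport is None or ace.sport == ev.sport)
                and (ace.dport is None or ace.dport == ev.dport)):
            return i
    return None


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOGS).items():
        print(n, key)
    ev = parse_drop(SAMPLE_LOGS[0])
    idx = matching_ace_index(ev)
    print("matched ACE:", None if idx is None else ACL_PERMITBGP[idx].text)
```

Run against a syslog export, the summary shows whether the "Invalid Flags" drops are confined to one class or spread across the zone-pair, and the ACE check confirms the post's observation: the logged packet (source port 8085, destination port 179) is the peer opening a session toward the router, so it matches the second entry, and the first entry (source port bgp) would only match traffic the peer sends from its own port 179.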
More information about the cisco-nsp
mailing list