Cisco Zone Firewall logs dropped tcp session

The destination address is a an Exchange CAS server behind an ASA firewall.  Are these message of concern?  What's ip ident 0 about?

      10/3/2013 8:42:27 AM      c3845-1.pcmt.local      Informational      226676: 16435586: Dropping tcp session 10.10.12.193:50518192.168.68.7:443 due to Stray Segment with ip ident 0
      10/3/2013 8:41:55 AM      c3845-1.pcmt.local      Informational      226675: 16435585: Dropping tcp session 10.10.13.122:60408192.168.68.7:443 due to Stray Segment with ip ident 0
      10/3/2013 8:41:19 AM      c3845-1.pcmt.local      Informational      226674: 16435584: Dropping tcp session 10.10.12.126:56861192.168.68.7:443 due to Stray Segment with ip ident 0
      10/3/2013 8:40:48 AM      c3845-1.pcmt.local      Informational      226673: 16435583: Dropping tcp session 10.10.12.126:56864192.168.68.7:443 due to Stray Segment with ip ident 0
      10/3/2013 8:40:17 AM      c3845-1.pcmt.local      Informational      226672: 16435582: Dropping tcp session 10.10.12.126:56841192.168.68.7:443 due to Stray Segment with ip ident 0
      10/3/2013 8:39:47 AM      c3845-1.pcmt.local      Informational      226671: 16435581: Dropping tcp session 10.10.12.126:56837192.168.68.7:443 due to Stray Segment with ip ident 0
      10/3/2013 8:39:16 AM      c3845-1.pcmt.local      Informational      226670: 16435580: Dropping tcp session 10.10.12.126:56845192.168.68.7:443 due to Stray Segment with ip ident 0
      10/3/2013 8:38:40 AM      c3845-1.pcmt.local      Informational      226669: 16435579: Dropping tcp session 10.10.13.122:60152192.168.68.7:443 due to Stray Segment with ip ident 0
      10/3/2013 8:38:02 AM      c3845-1.pcmt.local      Informational      226668: 16435578: Dropping tcp session 10.10.13.122:60183192.168.68.7:443 due to Stray Segment with ip ident 0
      10/3/2013 8:37:32 AM      c3845-1.pcmt.local      Informational      226667: 16435577: Dropping tcp session 10.10.13.122:59991192.168.68.7:443 due to Stray Segment with ip ident 0
      10/3/2013 8:36:51 AM      c3845-1.pcmt.local      Informational      226666: 16435576: Dropping tcp session 10.10.12.193:49778192.168.68.7:443 due to Stray Segment with ip ident 0
LVL 2
amigan_99Network EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rauenpcCommented:
http://www.networking-forum.com/viewtopic.php?f=35&t=34399

Not sure if this is related to your issue, but I would only be concerned if users are experiencing an issue since that error doesn't appear to be any type of attack.
0
jrhelgesonCommented:
I've seen this on Cisco with packets arriving out-of-order. Rather than reassembling the proper order, it appears the packets are being dropped.

Are both these IP addresses really private IP's, where are you capturing this traffic from?

Joel
0
amigan_99Network EngineerAuthor Commented:
The 192.168 is actually a public address disguised to protect the innocent.

So the packet egresses a 3845 with ZBFW and hits the outside of an ASA.  The ASA has "randomization" as a protection mechanism.  Might that cause an issue with replies to the 3845?
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

jrhelgesonCommented:
What version software is the ZBFW?  That could be the cause.
0
amigan_99Network EngineerAuthor Commented:
Show ver shows IOS  12.4(13r)T.
0
jrhelgesonCommented:
I think that's the issue - this sounds similar enough, if not identical.

http://www.networking-forum.com/viewtopic.php?f=35&t=34399
I have seen this before with 12.4T that was completely random. I opened up a TAC case with Cisco about it. I can barely remember what the exact issue was but it was something about the way the source untrusted going to the server trusted side would do with TCP options and I cannot recall. The fix was to upgrade to 15.1. It was only for one web based application.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
amigan_99Network EngineerAuthor Commented:
Ok thank you.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.