amigan_99
Cisco Zone Firewall logs dropped tcp session
The destination address is an Exchange CAS server behind an ASA firewall. Are these messages of concern? What's ip ident 0 about?
10/3/2013 8:42:27 AM c3845-1.pcmt.local Informational 226676: 16435586: Dropping tcp session 10.10.12.193:50518 192.168.68.7:443 due to Stray Segment with ip ident 0
10/3/2013 8:41:55 AM c3845-1.pcmt.local Informational 226675: 16435585: Dropping tcp session 10.10.13.122:60408 192.168.68.7:443 due to Stray Segment with ip ident 0
10/3/2013 8:41:19 AM c3845-1.pcmt.local Informational 226674: 16435584: Dropping tcp session 10.10.12.126:56861 192.168.68.7:443 due to Stray Segment with ip ident 0
10/3/2013 8:40:48 AM c3845-1.pcmt.local Informational 226673: 16435583: Dropping tcp session 10.10.12.126:56864 192.168.68.7:443 due to Stray Segment with ip ident 0
10/3/2013 8:40:17 AM c3845-1.pcmt.local Informational 226672: 16435582: Dropping tcp session 10.10.12.126:56841 192.168.68.7:443 due to Stray Segment with ip ident 0
10/3/2013 8:39:47 AM c3845-1.pcmt.local Informational 226671: 16435581: Dropping tcp session 10.10.12.126:56837 192.168.68.7:443 due to Stray Segment with ip ident 0
10/3/2013 8:39:16 AM c3845-1.pcmt.local Informational 226670: 16435580: Dropping tcp session 10.10.12.126:56845 192.168.68.7:443 due to Stray Segment with ip ident 0
10/3/2013 8:38:40 AM c3845-1.pcmt.local Informational 226669: 16435579: Dropping tcp session 10.10.13.122:60152 192.168.68.7:443 due to Stray Segment with ip ident 0
10/3/2013 8:38:02 AM c3845-1.pcmt.local Informational 226668: 16435578: Dropping tcp session 10.10.13.122:60183 192.168.68.7:443 due to Stray Segment with ip ident 0
10/3/2013 8:37:32 AM c3845-1.pcmt.local Informational 226667: 16435577: Dropping tcp session 10.10.13.122:59991 192.168.68.7:443 due to Stray Segment with ip ident 0
10/3/2013 8:36:51 AM c3845-1.pcmt.local Informational 226666: 16435576: Dropping tcp session 10.10.12.193:49778 192.168.68.7:443 due to Stray Segment with ip ident 0
I've seen this on Cisco with packets arriving out-of-order. Rather than reassembling the proper order, it appears the packets are being dropped.
Are both these IP addresses really private IPs? Where are you capturing this traffic from?
Joel
ASKER
The 192.168 is actually a public address disguised to protect the innocent.
So the packet egresses a 3845 with ZBFW and hits the outside of an ASA. The ASA has "randomization" as a protection mechanism. Might that cause an issue with replies to the 3845?
What version software is the ZBFW? That could be the cause.
ASKER
Show ver shows IOS 12.4(13r)T.
ASKER CERTIFIED SOLUTION
ASKER
Ok thank you.
Not sure if this is related to your issue, but I would only be concerned if users are experiencing an issue since that error doesn't appear to be any type of attack.
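For triage along the lines of the last comment, this added example (not part of the thread) parses drop lines in the format shown in the question and groups them by source, destination and reason, so it is easy to see which clients are affected and over what period. The regular expression assumes the source and destination sockets are separated by a space; the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Four lines from the question's log, with source and destination separated by a space.
SAMPLE_LOG = """\
10/3/2013 8:42:27 AM c3845-1.pcmt.local Informational 226676: 16435586: Dropping tcp session 10.10.12.193:50518 192.168.68.7:443 due to Stray Segment with ip ident 0
10/3/2013 8:41:19 AM c3845-1.pcmt.local Informational 226674: 16435584: Dropping tcp session 10.10.12.126:56861 192.168.68.7:443 due to Stray Segment with ip ident 0
10/3/2013 8:40:48 AM c3845-1.pcmt.local Informational 226673: 16435583: Dropping tcp session 10.10.12.126:56864 192.168.68.7:443 due to Stray Segment with ip ident 0
10/3/2013 8:36:51 AM c3845-1.pcmt.local Informational 226666: 16435576: Dropping tcp session 10.10.12.193:49778 192.168.68.7:443 due to Stray Segment with ip ident 0
"""

DROP_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<host>\S+) .*?"
    r"Dropping (?P<proto>\w+) session "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
)

def parse_drops(text):
    """Return one dict per drop line; lines that do not match are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%m/%d/%Y %I:%M:%S %p")
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            drops.append(d)
    return drops

def summarize(drops):
    """Per (src, dst, dport, reason): drop count, distinct source ports, first/last seen."""
    groups = defaultdict(list)
    for d in drops:
        groups[(d["src"], d["dst"], d["dport"], d["reason"])].append(d)
    return {
        key: {
            "count": len(items),
            "src_ports": len({i["sport"] for i in items}),
            "first": min(i["ts"] for i in items),
            "last": max(i["ts"] for i in items),
        }
        for key, items in groups.items()
    }

if __name__ == "__main__":
    print(*sorted(summarize(parse_drops(SAMPLE_LOG)).items()), sep="\n")
```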