Eugene, snippet from http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html
The following example shows a possible message that can be displayed when packets are dropped:

*Sep 9 19:56:28.699: %FW-6-DROP_PKT: Dropping tcp pkt 17.2.2.1:0 => 19.2.2.1:0 with ip ident 229 due to Invalid Header length
*Sep 9 20:30:47.839: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 17.2.2.1:42829 => 19.2.2.1:80 due to SYN pkt with illegal flags -- ip ident 23915 tcpflags 40962 seq.no 3928613134 ack 0
*Sep 10 00:30:24.931: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 17.2.2.1:45771 => 19.2.2.1:80 due to SYN with data or with PSH/URG flags -- ip ident 55001 tcpflags 40962 seq.no 2232798685 ack 0
*Aug 29 21:57:16.895: %FW-6-DROP_PKT: Dropping tcp pkt 17.2.2.1:51613 => 19.2.2.1:80 due to Out-Of-Order Segment

Table 35 <http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1048937> describes messages that occur when packets are dropped.

Table 35  ip inspect log drop-pkt Messages (Field: Description)

  Invalid Header length: The datagram is so small that it could not contain the layer 4 TCP, Universal Computer Protocol (UCP), or Internet Control Message Protocol (ICMP) header.
  Police rate limiting: Rate limiting is enabled, and the packet in question has exceeded the rate limit.
  Session limiting: Session limiting is on, and the session count exceeds the configured session threshold.
  Bidirectional traffic disabled: Session is unidirectional and the firewall is seeing packets in the other direction and dropping the session.
  SYN with data or with PSH/URG flags: TCP SYN packet is seen with data.
  Segment matching no TCP connection: Non-initial TCP segment is received without a valid session.
  Invalid Segment: There is an invalid TCP segment.
  Invalid Seq#: The packet contains an invalid TCP sequence number.
  Invalid Ack (or no Ack): The packet contains an invalid TCP acknowledgement number.
  Invalid Flags: Flags in a TCP segment are invalid.
  Invalid Checksum: There is an invalid TCP checksum.
  SYN inside current window: A synchronization packet is seen within the window of an already established TCP connection.
  RST inside current window: A reset (RST) packet is observed within the window of an already established TCP connection.
  Out-Of-Order Segment: The packets in a segment are out of order.
  Retransmitted Segment with Invalid Flags: A retransmitted packet was already acknowledged by the receiver.
  Stray Segment: A TCP segment is received that should not have been received through the TCP state machine, such as a TCP SYN packet being received in the listen state.
  Internal Error: The TCP state machine that is maintained by the firewall encounters an internal error.
  Invalid Window scale option: The responder on one side of a firewall proposes an illegal window scale option. The window scale option is illegal in this case because the initiating side did not propose the option first.
  Invalid TCP options: The options in the TCP header are not TCP protocol compliant.

With regards
Kings
CCNA,CCSP,CCNP,CCIP,CCIE #35914 (Security)

On Wed, Aug 1, 2012 at 11:02 AM, Eugene Pefti <eug...@koiossystems.com> wrote:
> Hi Kings,
> In this case these packets should be different from packets dropped by ACL?
> Can you please give me an example of the packet that is dropped by CBAC and reported by "FW-6-DROP_PKT".
> I remember there's a table somewhere at Cisco docs with specific conditions qualifying to drop.
> I just want to simulate and confirm that I can see events generated by FW for dropped packets.
>
> Eugene
>
> From: Kingsley Charles <kingsley.char...@gmail.com>
> Date: Tuesday, July 31, 2012 10:24 PM
> To: Eugene Pefti <eug...@koiossystems.com>
> Cc: "ccie_security@onlinestudylist.com" <ccie_security@onlinestudylist.com>
> Subject: Re: [OSL | CCIE_Security] "ip inspect log drop-pkt" doesn't have any effect in CBAC
>
> It informs the packets dropped by CBAC.
>
> With regards
> Kings
> CCNA,CCSP,CCNP,CCIP,CCIE #35914 (Security)
>
> On Tue, Jul 31, 2012 at 5:13 PM, Eugene Pefti <eug...@koiossystems.com> wrote:
>> Folks,
>>
>> Has someone had any use of the above said command while having CBAC firewall?
>>
>> I expected it to show me dropped packets that are not allowed inbound, but the router was silent until I added the "log" option to the incoming ACL.
>>
>> On the other hand it works well in ZFW:
>>
>> Jul 31 10:31:48.122: %FW-6-DROP_PKT: Dropping Unknown-l7 session 200.13.111.12:52818 200.13.25.2:23 on zone-pair INSIDE-OUTSIDE class class-default due to DROP action found in policy-map with ip ident 0
>>
>> Eugene
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
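An added example (mine, not Cisco's code or anything posted in the thread): a small parser for the CBAC drop-pkt messages quoted above, splitting each into fields, counting drops per Table 35 reason, and returning None for the ZFW-format line so it can be routed elsewhere. The tcpflags decoding assumes the logged value is the raw 16-bit word at TCP header offset 12 (data offset plus flag bits); the thread does not confirm that, so treat it as an assumption.

```python
import re
from collections import Counter

# Syslog lines quoted in this thread (four CBAC drops and one ZFW drop); not constructed.
SAMPLE_LOG = """\
*Sep 9 19:56:28.699: %FW-6-DROP_PKT: Dropping tcp pkt 17.2.2.1:0 => 19.2.2.1:0 with ip ident 229 due to Invalid Header length
*Sep 9 20:30:47.839: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 17.2.2.1:42829 => 19.2.2.1:80 due to SYN pkt with illegal flags -- ip ident 23915 tcpflags 40962 seq.no 3928613134 ack 0
*Sep 10 00:30:24.931: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 17.2.2.1:45771 => 19.2.2.1:80 due to SYN with data or with PSH/URG flags -- ip ident 55001 tcpflags 40962 seq.no 2232798685 ack 0
*Aug 29 21:57:16.895: %FW-6-DROP_PKT: Dropping tcp pkt 17.2.2.1:51613 => 19.2.2.1:80 due to Out-Of-Order Segment
Jul 31 10:31:48.122: %FW-6-DROP_PKT: Dropping Unknown-l7 session 200.13.111.12:52818 200.13.25.2:23 on zone-pair INSIDE-OUTSIDE class class-default due to DROP action found in policy-map with ip ident 0
"""

# CBAC per-packet drop message. "ip ident" appears before "due to" in DROP_PKT and
# after it (with TCP details) in DROP_TCP_PKT, and is sometimes absent, so both spots are optional.
CBAC_RE = re.compile(
    r"%FW-6-(?P<mnemonic>DROP_PKT|DROP_TCP_PKT): Dropping (?P<proto>\w+) pkt "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?:with ip ident (?P<ident_a>\d+) )?due to (?P<reason>.+?)"
    r"(?: -- ip ident (?P<ident_b>\d+) tcpflags (?P<tcpflags>\d+)"
    r" seq\.no (?P<seq>\d+) ack (?P<ack>\d+))?$")

# Low 9 bits of TCP header bytes 12-13 (RFC 793 flags plus CWR/ECE/NS).
TCP_FLAG_BITS = ((0x100, "NS"), (0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
                 (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"))

def decode_tcpflags(word):
    # ASSUMPTION (not stated in the thread): the logged "tcpflags" value is the raw
    # 16-bit word at TCP header offset 12, i.e. data offset (x4 bytes) plus flag bits.
    return {"tcp_header_len": (word >> 12) * 4,
            "flags": [name for bit, name in TCP_FLAG_BITS if word & bit]}

def parse_drop_line(line):
    """Return a dict for a CBAC drop line, or None for anything else (e.g. ZFW lines)."""
    m = CBAC_RE.search(line.rstrip())
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if v is not None and not k.startswith("ident_")}
    ident = m.group("ident_a") or m.group("ident_b")
    rec["ident"] = int(ident) if ident else None
    if "tcpflags" in rec:
        rec.update(decode_tcpflags(int(rec.pop("tcpflags"))))
    return rec

def drops_by_reason(log_text):
    """Count CBAC drops per 'due to' reason, keyed on the Table 35 field name."""
    return Counter(r["reason"] for r in map(parse_drop_line, log_text.splitlines()) if r)
```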