I'm having an issue with a lot of my sites with "RST inside current window" and "Stray Segment" errors.
It is making all applications send a lot of retries and preventing downloads from finishing.
Seems to have something to do with the CBAC of HTTP and HTTPS TCP packets.
I have tried various things, such as adjusting tcp-mss, and nothing seems to fix the problem.
Below is all info:
Platform: 1811 Router
IOS: c181x-advipservicesk9-mz.124-15.T9.bin 12.4(15)T9
I have also tried 12.4(22)T, and 12.4(24)T2 both have the same issue.
Config:
Code:
version 12.4
service timestamps debug uptime
service timestamps log datetime
service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret <supersecret>
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.38.1 192.168.38.10
ip dhcp excluded-address 192.168.38.240 192.168.38.255
!
ip dhcp pool Office
network 111.168.38.0 255.255.255.0
default-router 111.111.38.1
domain-name test.local
dns-server 111.111.38.1
!
!
ip domain name BumsteadC.local
ip host Bumstead-S01.BumsteadC.local 10.50.7.100
ip host Bumstead-S02.BumsteadC.local 10.50.7.101
!
ip name-server 208.67.222.222
ip name-server 208.67.220.220
!
no ip port-map ymsgr port tcp 5050 description Yahoo! Instant Messenger
ip port-map user-kaseya port tcp 5721 description Kaseya Data
ip port-map user-yahoo port tcp 5050 description Yahoo IM
!
ip inspect log drop-pkt
ip inspect one-minute high 4000
ip inspect one-minute low 3000
ip inspect tcp reassembly queue length 64
ip inspect tcp reassembly timeout 30
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW http
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW pptp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW ica
ip inspect name SDM_LOW icabrowser
ip inspect name SDM_LOW user-kaseya
ip inspect name SDM_LOW user-yahoo
ip ips notify SDEE
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 5
crypto isakmp key <key> address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 3
!
!
crypto ipsec transform-set aes256-sha-trans esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile plains-ipsec-profile-1
set transform-set aes256-sha-trans
!
!
archive
log config
hidekeys
!
!
ip ssh authentication-retries 2
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_HIGH
class sdm_p2p_gnutella
drop
class sdm_p2p_bittorrent
drop
class sdm_p2p_edonkey
drop
class sdm_p2p_kazaa
drop
!
!
!
!
interface Tunnel0
description DMVPN
bandwidth 1000
ip address 172.31.1.38 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 172.31.1.1 <DMVPN Hub1>
ip nhrp map 172.31.1.2 <DMVPN Hub2>
ip nhrp map multicast <DMVPN Hub1>
ip nhrp map multicast <DMVPN Hub2>
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 172.31.1.1
ip nhrp nhs 172.31.1.2
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel key <key>
tunnel protection ipsec profile plains-ipsec-profile-1
!
interface FastEthernet0
description HIGHSPEED_INET
no ip dhcp client request dns-nameserver
ip address x.x.x.110 255.255.255.252
ip access-group inet_acl in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
service-policy input sdmappfwp2p_SDM_HIGH
service-policy output sdmappfwp2p_SDM_HIGH
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
description OPERATOR_LAN
spanning-tree portfast
!
interface FastEthernet3
description OPERATOR_LAN
spanning-tree portfast
!
interface FastEthernet4
description OPERATOR_LAN
spanning-tree portfast
!
interface FastEthernet5
description OPERATOR_LAN
spanning-tree portfast
!
interface FastEthernet6
description OPERATOR_LAN
spanning-tree portfast
!
interface FastEthernet7
description OPERATOR_LAN
spanning-tree portfast
!
interface FastEthernet8
description OPERATOR_LAN
spanning-tree portfast
!
interface FastEthernet9
description OPERATOR_LAN
spanning-tree portfast
!
interface Vlan1
ip address 192.168.38.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Async1
no ip address
encapsulation slip
!
router eigrp 12345
network 172.31.1.0 0.0.0.255
network 192.168.38.0
no auto-summary
!
router rip
network 10.0.0.0
network 192.168.38.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.109
!
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 150 interface FastEthernet0 overload
ip nat inside source static tcp 10.50.7.100 3389 interface FastEthernet0 3390
!
ip access-list standard snmp
permit 172.16.164.0 0.0.0.255
!
ip access-list extended inet_acl
permit gre any any
permit udp any any eq isakmp
permit esp any any
permit tcp 209.148.223.192 0.0.0.7 any eq 3390
permit tcp host 208.118.96.132 any eq 3390
permit tcp any any eq 22
permit udp host 208.67.222.222 eq domain any
permit udp host 208.67.220.220 eq domain any
permit icmp any any echo
permit icmp any any echo-reply
permit udp any eq bootps any eq bootpc
deny ip any any
!
logging trap debugging
logging 172.16.164.10
logging 172.16.164.12
access-list 150 remark No-NAT ACL
access-list 150 deny ip 192.168.38.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 deny ip 192.168.38.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 150 deny ip 192.168.38.0 0.0.0.255 172.16.0.0 0.0.15.255
access-list 150 permit ip 192.168.38.0 0.0.0.255 any
snmp-server community test RO snmp
snmp-server community test RW snmp
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
No Unauthorized Access!
-----------------------------------------------------------------------
^C
!
line con 0
login local
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input ssh
!
end
LOG:
Code:
*Oct 27 16:47:52: %FW-6-DROP_PKT: Dropping Other session 209.148.219.193:443 192.168.38.11:1323 due to RST inside current window with ip ident 25800 tcpflags 0x5014 seq.no 288975356 ack 3363647737
*Oct 27 16:48:31: %FW-6-DROP_PKT: Dropping Other session 209.148.219.193:443 192.168.38.12:2020 due to Stray Segment with ip ident 1472 tcpflags 0x5011 seq.no 2686554796 ack 4275837539
*Oct 27 16:49:18: %FW-6-DROP_PKT: Dropping Other session 216.224.252.110:1033 209.148.219.193:443 due to RST inside current window with ip ident 229 tcpflags 0x5014 seq.no 2387206851 ack
----------------------------------
Bill
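The %FW-6-DROP_PKT lines above have a fixed layout, so they can be parsed and the tcpflags word decoded to see exactly which TCP segments CBAC is rejecting and on which sessions. The script below is an added example, not part of Bill's post or of any Cisco tool. It assumes the tcpflags value is the 16-bit data-offset/flags word from the TCP header (consistent with the post's values: 0x5014 is a 20-byte header with RST+ACK, 0x5011 is FIN+ACK), and it tolerates the truncated third line whose ack number is missing. The sample input is the three log lines quoted in the post.

```python
import re
from collections import Counter

# Sample input: the three %FW-6-DROP_PKT lines quoted in the post (third line is truncated after "ack").
SAMPLE_LOG = """\
*Oct 27 16:47:52: %FW-6-DROP_PKT: Dropping Other session 209.148.219.193:443 192.168.38.11:1323 due to RST inside current window with ip ident 25800 tcpflags 0x5014 seq.no 288975356 ack 3363647737
*Oct 27 16:48:31: %FW-6-DROP_PKT: Dropping Other session 209.148.219.193:443 192.168.38.12:2020 due to Stray Segment with ip ident 1472 tcpflags 0x5011 seq.no 2686554796 ack 4275837539
*Oct 27 16:49:18: %FW-6-DROP_PKT: Dropping Other session 216.224.252.110:1033 209.148.219.193:443 due to RST inside current window with ip ident 229 tcpflags 0x5014 seq.no 2387206851 ack
"""

# TCP flag bits in the low 9 bits of the offset/flags word (RFC 793 plus ECE/CWR/NS).
TCP_FLAG_BITS = {
    0x001: "FIN", 0x002: "SYN", 0x004: "RST", 0x008: "PSH", 0x010: "ACK",
    0x020: "URG", 0x040: "ECE", 0x080: "CWR", 0x100: "NS",
}

# Assumption: IOS prints the message in this fixed order; every field after "ip ident" is optional
# so that truncated lines (like the third sample) still parse.
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}): %FW-6-DROP_PKT: "
    r"Dropping (?P<proto>\S+) session (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
    r"(?: tcpflags (?P<flags>0x[0-9A-Fa-f]+))?"
    r"(?: seq\.no (?P<seq>\d+))?"
    r"(?: ack(?: (?P<ack>\d+))?)?\s*$"
)


def decode_tcpflags(word):
    """Split the 16-bit offset/flags word into (header length in bytes, list of set flag names)."""
    header_len = ((word >> 12) & 0xF) * 4          # data offset is in 32-bit words
    names = [name for bit, name in sorted(TCP_FLAG_BITS.items()) if word & bit]
    return header_len, names


def parse_drop_line(line):
    """Parse one %FW-6-DROP_PKT line into a dict, or return None if it is not a drop message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec = {
        "timestamp": d["ts"], "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "reason": d["reason"], "ident": int(d["ident"]),
        "tcp_header_len": None, "flags": None,
        "seq": int(d["seq"]) if d["seq"] else None,
        "ack": int(d["ack"]) if d["ack"] else None,   # None when the line was cut off after "ack"
    }
    if d["flags"]:
        rec["tcp_header_len"], rec["flags"] = decode_tcpflags(int(d["flags"], 16))
    return rec


def summarize(log_text, inspected_ports=(80, 443)):
    """Count drops by reason and by (reason, flag set), and note how many touch inspected ports."""
    records = [r for r in (parse_drop_line(l) for l in log_text.splitlines()) if r]
    by_reason = Counter(r["reason"] for r in records)
    by_reason_flags = Counter((r["reason"], tuple(r["flags"] or ())) for r in records)
    # Drops where either end is an HTTP/HTTPS port, i.e. sessions covered by the http/https inspect rules.
    on_inspected = sum(1 for r in records if r["sport"] in inspected_ports or r["dport"] in inspected_ports)
    return {
        "records": records,
        "by_reason": by_reason,
        "by_reason_flags": by_reason_flags,
        "on_inspected_ports": on_inspected,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for r in result["records"]:
        print(f'{r["timestamp"]} {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} '
              f'{r["reason"]} flags={"+".join(r["flags"] or [])} ack={r["ack"]}')
    for (reason, flags), n in result["by_reason_flags"].items():
        print(f"{n:3d}  {reason}  [{'+'.join(flags)}]")
    print("drops on inspected ports:", result["on_inspected_ports"])
```

Feeding the router's buffered log through `summarize` shows whether the drops cluster on one reason and one flag combination (here every "RST inside current window" drop is an RST+ACK on a port-443 session), which is the first thing to check before changing the inspection or MSS settings.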