Summary:
An ISG firewall has IDP Security Modules installed in the chassis. No IDP policies are configured, so the modules should not interfere with any traffic flow. However, some applications, such as FTP and HTTP, fail to pass through the firewall.
Symptoms:
Some applications, like FTP and HTTP, fail to pass through the firewall when the ISG has an IDP Security Module installed in the chassis.
Solution:
If IDP is installed but not configured and an application cannot pass traffic through the firewall, run a packet trace on the client sending the traffic and make sure there are no checksum errors in the TCP header. If a segment carries an incorrect TCP checksum, the IDP Security Module (SM) silently drops it.
Example: The following is a sniffer trace of a single frame that exhibits an incorrect checksum:
No.     Time        Source            Destination       Protocol  Info
13      0.000115    10.166.251.140    10.157.45.226     FTP       Request: USER del5fr06

Frame 13 (81 bytes on wire, 81 bytes captured)
    Arrival Time: Mar 19, 2007 22:55:45.886299000
    Time delta from previous packet: 0.000115000 seconds
    Time since reference or first frame: 0.091972000 seconds
    Frame Number: 13
    Packet Length: 81 bytes
    Capture Length: 81 bytes
    Protocols in frame: eth:ip:tcp:ftp
Ethernet II, Src: CompaqHp_9b:96:2e (00:0b:cd:9b:96:2e), Dst: All-HSRP-routers_38 (00:00:0c:07:ac:38)
    Destination: All-HSRP-routers_38 (00:00:0c:07:ac:38)
    Source: CompaqHp_9b:96:2e (00:0b:cd:9b:96:2e)
    Type: IP (0x0800)
Internet Protocol, Src: 10.166.251.140 (10.166.251.140), Dst: 10.157.45.226 (10.157.45.226)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 67
    Identification: 0x9d7a (40314)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x6888 [correct]
        Good: True
        Bad : False
    Source: 10.166.251.140 (10.166.251.140)
    Destination: 10.157.45.226 (10.157.45.226)
Transmission Control Protocol, Src Port: 33126 (33126), Dst Port: ftp (21), Seq: 7, Ack: 109, Len: 15
    Source port: 33126 (33126)
    Destination port: ftp (21)
    Sequence number: 7 (relative sequence number)
    Next sequence number: 22 (relative sequence number)
    Acknowledgement number: 109 (relative ack number)
    Header length: 32 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 5840 (scaled)
    Checksum: 0x34e8 [incorrect, should be 0x6005]
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 3625582596, tsecr 2976191555
File Transfer Protocol (FTP)
    USER del5fr06\r\n
        Request command: USER
        Request arg: del5fr06
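As an added example (not part of the KB article and not Juniper code), the following Python script performs the check the solution describes, offline: it parses an Ethernet II / IPv4 / TCP frame, recomputes the TCP checksum over the IPv4 pseudo-header and the segment, and reports the result the way Wireshark's "[incorrect, should be 0x....]" line does. The frame is constructed to mirror the USER segment in the trace above (MAC and IP addresses, IP identification, DF flag, TTL, ports, PSH/ACK flags, window field, NOP/NOP/timestamp options and payload are taken from the trace); the absolute sequence and acknowledgement numbers are assumed values, since the trace shows only relative ones, and a second copy with one payload bit flipped stands in for a segment damaged after the checksum was computed, which is the kind of frame a faulty NIC or driver produces.

```python
"""Verify the TCP checksum of a captured IPv4 frame (RFC 793 / RFC 1071).

Added example, not part of the KB article. GOOD_FRAME is constructed to
mirror the FTP "USER" segment in the trace; the absolute sequence and
acknowledgement numbers are assumed, everything else comes from the trace.
"""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte for the sum only
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol 6, TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum the sender should place in bytes 16-17 of the TCP header."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return (~total) & 0xFFFF


def verify_tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """A segment verifies when the sum over pseudo-header + whole segment is all ones."""
    return ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def check_frame(frame: bytes) -> dict:
    """Parse Ethernet II / IPv4 / TCP and report stored vs. expected TCP checksum."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not a TCP packet")
    src_ip, dst_ip = ip[12:16], ip[16:20]
    # Bound the segment by the IP total length, not the frame length, so that
    # Ethernet padding after a short packet is never fed into the checksum.
    segment = ip[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    return {"stored": stored,
            "expected": tcp_checksum(src_ip, dst_ip, segment),
            "ok": verify_tcp_checksum(src_ip, dst_ip, segment)}


def format_verdict(result: dict) -> str:
    """Render the result in the style of the Wireshark TCP checksum line."""
    if result["ok"]:
        return f"Checksum: 0x{result['stored']:04x} [correct]"
    return f"Checksum: 0x{result['stored']:04x} [incorrect, should be 0x{result['expected']:04x}]"


def build_frame(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                flags: int, window: int, options: bytes, payload: bytes) -> bytes:
    """Build a well-formed Ethernet II / IPv4 / TCP frame with correct checksums."""
    src_ip, dst_ip = socket.inet_aton(src), socket.inet_aton(dst)
    data_offset = (20 + len(options)) // 4  # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4,
                      flags, window, 0, 0) + options + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    # IPv4 header: version/IHL, DSCP, total length, ID 0x9d7a, DF set, TTL 64, TCP.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x9D7A, 0x4000,
                     64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    eth = bytes.fromhex("00000c07ac38") + bytes.fromhex("000bcd9b962e") + b"\x08\x00"
    return eth + ip + tcp


def flip_bit(frame: bytes, offset: int) -> bytes:
    """Flip the low bit of one byte: corruption after the checksum was computed."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0x01
    return bytes(damaged)


# NOP, NOP, timestamp option (kind 8, length 10) with the tsval/tsecr from the trace.
OPTIONS = b"\x01\x01\x08\x0a" + struct.pack("!II", 3625582596, 2976191555)
# Constructed frame: 14 (Ethernet) + 20 (IP) + 32 (TCP) + 15 (payload) = 81 bytes on wire.
GOOD_FRAME = build_frame("10.166.251.140", "10.157.45.226", 33126, 21,
                         0x1F2E3D4C, 0x0A0B0C0D,  # assumed absolute seq/ack
                         0x18, 5840, OPTIONS, b"USER del5fr06\r\n")
BAD_FRAME = flip_bit(GOOD_FRAME, 70)  # offset 70 lies inside the FTP payload

if __name__ == "__main__":
    print(format_verdict(check_frame(GOOD_FRAME)))
    print(format_verdict(check_frame(BAD_FRAME)))
```

When applying this to a real capture, keep in mind where the capture was taken: on the sending host itself, with TCP checksum offload enabled, the capture driver sees outbound segments before the NIC has filled in the checksum, so every outbound segment shows as incorrect even though the copy on the wire is fine. A capture from a SPAN port or an inline tap between the client and the firewall shows what the IDP module actually received, and only bad checksums seen there point at the NIC or driver.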
Check the client to make sure there are no driver incompatibilities with the PC's NIC, and verify that the NIC is in good operational condition. There have been instances where a faulty NIC produced segments with incorrect TCP checksums.