Cisco IOS 12.4(20) with ZBF and DHCP problem

Aug 19th, 2008

Hello,


Recently I upgraded a Cisco 871 router to IOS version 12.4(20). Since the upgrade, the DHCP server on the router does not work if the Zone Based Firewall is enabled. Does anybody know what rule I have to insert into the firewall to allow DHCP traffic?


Thank you and kind regards, M



robertson.michael Tue, 08/19/2008 - 08:11

Hi Marko,


I would recommend starting by configuring 'ip inspect log drop' and a syslog server on the router. Then test the DHCP traffic and examine your logs, which should show you why this traffic is being dropped. You can then take this information and adjust your firewall policies accordingly.


-Mike

mocah Wed, 08/20/2008 - 22:41

Hi Mike,


when I debug firewall I receive following messages:

********************************************

000059: *Aug 20 19:07:19.263 CET: FIREWALL*: NEW PAK 83D29C7C (0:0.0.0.0:68) (0:255.255.255.255:67) udp

000060: *Aug 20 19:07:19.263 CET: FIREWALL*: INSPECT feature object found

000061: *Aug 20 19:07:19.263 CET: FIREWALL*: Searching for session in cls 0x84D6D7A0 clsgrp 0x10000000, target 0xA000000D, cce clstype 0x2B

000062: *Aug 20 19:07:19.263 CET: FIREWALL*: Session not found

000063: *Aug 20 19:07:19.263 CET: FIREWALL*: FSO not valid

*******************************************

I have noticed that the ARP table is not updated. It looks like the FW is blocking ARP messages when clients are not configured with static IPs:

debug ARP:

********************************************

000051: Aug 20 23:14:02.612 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down

000052: Aug 20 23:14:03.616 CET: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to down

000053: Aug 20 23:14:03.616 CET: ARP STATIC: walk all static entries associated with FastEthernet2

000054: Aug 20 23:14:05.964 CET: IP ARP STATIC: periodic adj update #4, attempt to update 0 entries

000055: Aug 20 23:14:07.599 CET: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up

000056: Aug 20 23:14:07.599 CET: ARP STATIC: walk all static entries associated with FastEthernet2

000057: Aug 20 23:14:07.599 CET: ARP STATIC: walk all static entries

000058: Aug 20 23:14:08.599 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to up

000059: Aug 20 23:14:08.599 CET: ARP STATIC: walk all static entries

C871>

000096: Aug 20 23:19:24.644 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to up

000097: Aug 20 23:19:35.919 CET: IP ARP STATIC: periodic adj update #2, attempt to update 0 entries

000098: Aug 20 23:19:50.917 CET: IP ARP STATIC: periodic adj update #3, attempt to update 0 entries

000099: Aug 20 23:20:05.915 CET: IP ARP STATIC: periodic adj update #4, attempt to update 0 entries

000100: Aug 20 23:20:20.912 CET: IP ARP STATIC: periodic adj update #1, attempt to update 0 entries

000101: Aug 20 23:20:35.910 CET: IP ARP STATIC: periodic adj update #2, attempt to update 0 entries

000102: Aug 20 23:20:50.908 CET: IP ARP STATIC: periodic adj update #3, attempt to update 0 entries

000103: Aug 20 23:21:05.906 CET: IP ARP STATIC: periodic adj update #4, attempt to update 0 entries

000104: Aug 20 23:21:20.904 CET: IP ARP STATIC: periodic adj update #1, attempt to update 0 entries

********************************************


Thank you and kind regards, Marko


mocah Thu, 08/21/2008 - 11:58

One more log entry:


FW-6-DROP_PKT: Dropping Other session 0.0.0.0:68 255.255.255.255:67 on zone-pair Lan2Router class 15udp_1707685609 with ip ident 0


Correct Answer
diggy Fri, 09/05/2008 - 14:25

I have the same problem. It's very frustrating, to say the least. Here is what I have to do to fix it...


Once you have the firewall created, go to Advanced. If you created it using the SDM wizard, there should be a zone policy at the top, sdm-permit-icmpreply (self to out-zone). Insert a rule. The rule should be:


source/destination ANY

service name - I named it "dhcp-self-to-out"

services to add - bootps

action - Permit ACL


That should fix it.


Now to try and get PPTP to work. Having issues with GRE being allowed through.


I'm not at all impressed with the new zone based firewall to say the least.


I upgraded the image on my 871 from 12.4.15 to 12.4.20 and my router completely stopped working... seems to happen every time I upgrade my IOS.


Anyone know how to go back to the ACL based IOS firewall in the higher 12.4 releases? I really have not experienced the "simplicity" of the zone based firewall, and I am not a novice.


Rate this post if it also fixes your problem. It will help others with the same problem find a resolution quickly as well.


Thanks and good luck.


andre.champagne... Mon, 12/01/2008 - 17:26

Hi,


It worked for me, but I had to add the same rule with the bootpc protocol for out-zone to self.


source/destination ANY

service name - I named it "dhcp-out-to-self"

services to add - bootpc

action - Permit ACL


Thank you.
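The fix diggy and andre describe above (pass bootps from self to the outside zone, and bootpc from the outside zone back to self), written out as plain IOS CLI. This is an added worked example, not configuration posted in the thread or supplied by Cisco; the zone name LAN, the Vlan1 interface, the ACL/class-map/policy-map names, the syslog host 192.0.2.10 and the 12.4(20)T command syntax are assumptions. It also folds in Mike's advice to log dropped packets to a syslog server, which is what produced the FW-6-DROP_PKT line Marko quoted (zone-pair Lan2Router, i.e. the LAN-to-self direction, dropping 0.0.0.0:68 to 255.255.255.255:67). The class-maps match on ACLs rather than on a protocol name: the console error quoted later in the thread ("Protocol configured in class-map ... cannot be configured for the self zone") is the self zone rejecting a protocol-based class-map, and an ACL match sidesteps it. SDM's "Permit ACL" action corresponds to pass on the CLI.

```ios
! Added example (not from the thread): allow DHCP between the LAN zone and the
! router's own "self" zone on a Cisco 871 running 12.4(20)T with ZBF.
! Assumed names: zone LAN, interface Vlan1, the ACL/class/policy names below,
! syslog host 192.0.2.10.
!
! 1. Log dropped packets so the syslog shows which zone-pair and class is
!    dropping the traffic (%FW-6-DROP_PKT ... on zone-pair ... class ...).
logging host 192.0.2.10
logging trap informational
ip inspect log drop-pkt
!
! 2. One ACL per direction.
!    DISCOVER/REQUEST: client 0.0.0.0:68 -> 255.255.255.255:67 (bootpc -> bootps)
!    OFFER/ACK:        router port 67  -> client port 68       (bootps -> bootpc)
ip access-list extended ACL-DHCP-CLIENT-TO-ROUTER
 permit udp any eq bootpc any eq bootps
ip access-list extended ACL-DHCP-ROUTER-TO-CLIENT
 permit udp any eq bootps any eq bootpc
!
! 3. Class-maps match on the ACLs. Do not use "match protocol" here: the
!    self zone rejects it ("Protocol configured in class-map ... cannot be
!    configured for the self zone").
class-map type inspect match-all CM-DHCP-CLIENT-TO-ROUTER
 match access-group name ACL-DHCP-CLIENT-TO-ROUTER
class-map type inspect match-all CM-DHCP-ROUTER-TO-CLIENT
 match access-group name ACL-DHCP-ROUTER-TO-CLIENT
!
! 4. "pass" (SDM's "Permit ACL"), not "inspect": DHCP is broadcast and
!    stateless, so the reply never matches a session created by the request,
!    which is why both directions need their own rule. Anything not matched
!    falls to class-default and is dropped (and logged here).
policy-map type inspect PM-LAN-TO-SELF
 class type inspect CM-DHCP-CLIENT-TO-ROUTER
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-TO-LAN
 class type inspect CM-DHCP-ROUTER-TO-CLIENT
  pass
 class class-default
  drop log
!
! 5. Zone, interface membership, and both zone-pairs that involve self.
zone security LAN
interface Vlan1
 zone-member security LAN
zone-pair security LAN-TO-SELF source LAN destination self
 service-policy type inspect PM-LAN-TO-SELF
zone-pair security SELF-TO-LAN source self destination LAN
 service-policy type inspect PM-SELF-TO-LAN
!
! 6. Verify: the pass counters on both zone-pairs should increase when a
!    client renews its lease, and the lease should appear in the bindings.
! show policy-map type inspect zone-pair LAN-TO-SELF
! show policy-map type inspect zone-pair SELF-TO-LAN
! show ip dhcp binding
```

On a router where SDM or CCP built the firewall, the self-zone policy maps and zone-pairs already exist (sdm-permit-icmpreply is one of them); add the two DHCP class-maps to those existing policy maps instead of creating new ones, and keep whatever classes they already pass or inspect for ICMP and management, because class-default drop on a self-zone pair cuts off everything not explicitly listed, including your own SSH or HTTPS session to the router.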

sirdudesly Fri, 03/06/2009 - 22:35

When I reboot all the changes are lost and a message comes up on console that the policy map couldn't be applied. This also leaves the router totally exposed. Cisco really needs to fix this or pull SDM from their website until they do.

Alex Yeung (Cisco Employee) Mon, 03/09/2009 - 00:33

Hi,


Could you elaborate on what happened? Have you tried with Cisco Configuration Professional (CCP)? CCP is the replacement for SDM.


Regards,


Alex Yeung

sirdudesly Tue, 03/10/2009 - 02:16

I wasn't aware that it had been replaced. I'll give it a shot and see what happens.


Juggling full-time study and work sucks; I have no time for fun stuff like networking :(

sirdudesly Thu, 03/12/2009 - 01:30

Same issue occurs in CCP, even checking to allow DHCP through the firewall at the prompt when you create the firewall doesn't work.


Exact error message from the console:


"%Protocol configured in class-map DHCP cannot be configured for the self zone. Please remove the protocol and retry%Protocol configured in class-map DHCP1 cannot be configured for the self zone. Please remove the protocol and retry"


DHCP1 and DHCP are obviously the names I used (with the same settings as above)

sirdudesly Sat, 03/14/2009 - 15:34

Did a complete reload and tried again using CCP, with the same result: DHCP is blocked (even after telling it to allow it).


If I manually create an ACL and apply it in the console I get the same error message that it needs to be removed.
