877w ZBFW issues

Unanswered Question
Jun 8th, 2012
Hi,


I am having a few issues since changing from a CBAC firewall to a zone-based firewall running on a Cisco 877w, IOS:

c870-advipservicesk9-mz.124-24.T6.bin


1. Enabling HTTP layer 7 inspection stops certain websites and downloads from working. As a workaround I have just enabled layer 3/4 inspection.

In my config, if I enable the following then it breaks certain websites and downloads:

class-map type inspect match-all cm_http
 match protocol http
 match access-group name zInternal_Subnets



2. I am seeing strange traffic being dropped from port 0 to port 3? This happens quite frequently, and it generally coincides with opening fatrat, which is a download manager and BitTorrent client. The only info I can find on this port is:

Port  Protocol  Service      Details                                                   Source
3     tcp,udp   compressnet  SynDrop trojan uses this port. Delta Force also uses      SG
                             port 3 (TCP). IANA assigned for: Compression Process.
                             Port also used by: Midnight Commander
3     tcp,udp                Compression Process (official)                            Wikipedia
3     tcp,udp   compressnet  Compression Process                                       IANA
3     tcp,udp   compressnet  Midnight Commander (sometimes this program is assigned
                             to this port)



Could be a trojan or related to the compression process? What I would like to know is whether or not I should be allowing this through the firewall, i.e. if it's used in compressing data between clients then that could be quite useful!?

e.g.:


4049: [[email protected] s_sn="4049"]: 004043: %FW-6-LOG_SUMMARY: 1 packet were dropped from 63.142.161.6:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4050: [[email protected] s_sn="4050"]: 004044: %FW-6-LOG_SUMMARY: 1 packet were dropped from 118.4.250.164:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4051: [[email protected] s_sn="4051"]: 004045: %FW-6-LOG_SUMMARY: 1 packet were dropped from 190.229.222.76:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4052: [[email protected] s_sn="4052"]: 004046: %FW-6-LOG_SUMMARY: 1 packet were dropped from 180.180.81.94:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4053: [[email protected] s_sn="4053"]: 004047: %FW-6-LOG_SUMMARY: 1 packet were dropped from 122.125.91.186:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4054: [[email protected] s_sn="4054"]: 004048: %FW-6-LOG_SUMMARY: 1 packet were dropped from 63.142.161.35:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4055: [[email protected] s_sn="4055"]: 004049: %FW-6-LOG_SUMMARY: 1 packet were dropped from 91.205.69.186:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)




3. Lastly, I am also getting a lot of dropped packets:

%FW-6-DROP_PKT: Dropping tcp session 10.10.0.2:34445 216.137.55.60:443  due to  RST inside current window with ip ident 0
%FW-6-LOG_SUMMARY: 3 packets were dropped from 112.208.244.186:58464 => 85.200.97.32:64664 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 112.208.244.186:445 => 112.208.32.251:46151 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 112.208.244.186:60092 => 118.215.189.177:443 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 178.111.60.151:55755 => 10.10.0.10:40760 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 3 packets were dropped from 10.5.0.3:32856 => 98.137.129.181:80 (target:class)-(ZP_OUTBOUND:cm_generic_traffic)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 112.208.244.186:445 => 112.208.32.251:46620 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 113.160.85.70:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.189.177:443 => 10.10.0.3:39282 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.189.177:443 => 10.10.0.3:40047 (target:class)-(ZP_out_nat:class-default)
%FW-6-DROP_PKT: Dropping tcp session 118.215.189.177:443 10.10.0.3:40047 on zone-pair ZP_out_nat class class-default due to  DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 118.215.178.110:443 10.10.0.3:52182  due to  Stray Segment with ip ident 0
%FW-6-LOG_SUMMARY: 1 packet were dropped from 118.215.189.177:443 => 10.10.0.3:40047 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 118.215.189.177:443 => 10.10.0.3:39282 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:51745 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:33809 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:44424 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:37326 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:57595 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 10.5.0.3:32856 => 98.137.129.181:80 (target:class)-(ZP_OUTBOUND:cm_generic_traffic)
%FW-6-LOG_SUMMARY: 3 packets were dropped from 112.208.244.186:58464 => 85.200.97.32:65477 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:45402 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 112.208.244.186:40047 => 118.215.189.177:443 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)


I have attached my config also. If someone could help me out with any or all of the above, it would be much appreciated.


Regards,

Peter

mightymouse2045 Fri, 06/08/2012 - 18:29
I have downgraded to c870-advipservicesk9-mz.124-20.T3.bin as per the suggestion from this thread https://supportforums.cisco.com/thread/2089462 and this has resolved problem 1, with http inspection enabled all traffic is working as expected.


I will try upgrading one release at a time, see which IOS version starts causing this problem, and report back.

I still have problems with 2 & 3, however. So any answers/suggestions regarding those would be appreciated.

Henrik Grankvist Sat, 06/09/2012 - 12:56
User Badges:
  • Silver, 250 points or more

Hi


For problems 2 & 3: Are you having problems with some applications not working properly? Because from what I can see, 95% of the dropped packets are from outside to the inside... which is good, the firewall is doing its work.


But for this for example:

"%FW-6-LOG_SUMMARY: 1 packet were dropped  from 10.5.0.3:32856 => 98.137.129.181:80  (target:class)-(ZP_OUTBOUND:cm_generic_traffic)"


The packet is being dropped from inside to outside by a policy-map that is inspecting... I don't have an answer for that.
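The triage Henrik describes (sorting the drops by direction and by which zone-pair and class caught them, and pulling out the odd source-port-0 entries for a closer look) can be done mechanically over the router's syslog. The script below is an added example and is not part of this thread or of Cisco's tooling. It assumes the inside networks are the RFC 1918 ranges (PRIVATE_NETS) and that the messages follow the %FW-6-LOG_SUMMARY and %FW-6-DROP_PKT formats seen in the posts above; SAMPLE_LOG is a constructed copy of a few of those lines.

```python
"""Triage Cisco IOS zone-based firewall (ZBFW) drop logs.

Added example, not code from this thread: parses %FW-6-LOG_SUMMARY and
%FW-6-DROP_PKT lines, classifies each drop as inbound (public -> inside)
or outbound (inside -> public), tallies packets per zone-pair and per
drop reason, and lists sources seen with source port 0, which no
ordinary TCP/UDP client uses. "Inside" is decided purely from the
addresses (assumption): set PRIVATE_NETS to the real inside subnets.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the thread's log excerpt.
SAMPLE_LOG = """\
%FW-6-LOG_SUMMARY: 1 packet were dropped from 63.142.161.6:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 118.4.250.164:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
%FW-6-DROP_PKT: Dropping tcp session 10.10.0.2:34445 216.137.55.60:443  due to  RST inside current window with ip ident 0
%FW-6-LOG_SUMMARY: 3 packets were dropped from 112.208.244.186:58464 => 85.200.97.32:64664 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 3 packets were dropped from 10.5.0.3:32856 => 98.137.129.181:80 (target:class)-(ZP_OUTBOUND:cm_generic_traffic)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.189.177:443 => 10.10.0.3:39282 (target:class)-(ZP_out_nat:class-default)
%FW-6-DROP_PKT: Dropping tcp session 118.215.189.177:443 10.10.0.3:40047 on zone-pair ZP_out_nat class class-default due to  DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 118.215.178.110:443 10.10.0.3:52182  due to  Stray Segment with ip ident 0
"""

# Assumption: the inside zone uses RFC 1918 space.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets? were dropped\s+from "
    r"(?P<src>\S+):(?P<sport>\d+) => (?P<dst>\S+):(?P<dport>\d+)\s+"
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)")
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+)"
    r"(?: on zone-pair (?P<zp>\S+) class (?P<cls>\S+))?"
    r"\s+due to\s+(?P<reason>.+?) with ip ident")


def is_private(addr):
    ip = ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def direction(src, dst):
    """inbound = public -> inside, outbound = inside -> public."""
    s, d = is_private(src), is_private(dst)
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    return "inside<->inside" if s else "public<->public"


def parse_fw_log(text):
    """Return one event dict per recognised log line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            e = m.groupdict()
            e["kind"] = "summary"
            e["count"] = int(e["count"])
            e["reason"] = "policy drop (summary)"  # summary lines carry no reason
        else:
            m = DROP_RE.search(line)
            if not m:
                continue
            e = m.groupdict()
            e["kind"] = "drop_pkt"
            e["count"] = 1  # one DROP_PKT message per dropped segment
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        e["direction"] = direction(e["src"], e["dst"])
        events.append(e)
    return events


def summarize(events):
    by_dir, by_zp, by_reason = Counter(), Counter(), Counter()
    port0 = set()
    for e in events:
        by_dir[e["direction"]] += e["count"]
        if e["zp"]:  # DROP_PKT lines do not always name the zone-pair
            by_zp[e["zp"]] += e["count"]
        by_reason[e["reason"]] += e["count"]
        if e["sport"] == 0:  # port 0 is reserved; worth a manual look
            port0.add(e["src"])
    return {"by_direction": by_dir, "by_zone_pair": by_zp,
            "by_reason": by_reason, "port0_sources": sorted(port0)}


def inbound_share(summary):
    """Fraction of dropped packets that were heading outside -> inside."""
    total = sum(summary["by_direction"].values())
    return summary["by_direction"]["inbound"] / total if total else 0.0


if __name__ == "__main__":
    result = summarize(parse_fw_log(SAMPLE_LOG))
    for key, value in result.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
    print("inbound share: %.2f" % inbound_share(result))
```

Run it against the real syslog export (`python3 zbfw_triage.py < router.log` after swapping SAMPLE_LOG for `sys.stdin.read()`) and the by_direction and by_zone_pair tallies show at a glance whether the drops are the expected outside-to-inside noise or, like the ZP_OUTBOUND:cm_generic_traffic entry Henrik singles out, inside-to-outside traffic that a policy is refusing; those are the ones to chase in the inspect policy-map.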

mightymouse2045 Sun, 06/10/2012 - 04:04
Hey Henrik,


Yeah, I have a problem uploading from within the fatrat BitTorrent client.... I can download but can't upload.

As I said, the connections to port 3 are coinciding with opening fatrat.


As far as the configuration is concerned it looks fine to you?