Cisco 887VA-W - dropped packets

Ashley Sahonta
Level 1

Hi,

I have an 887VA-w connected at home. I am using ip virtual-reassembly on all interfaces (dialer and all internal VLANs), I am also using CBAC (currently setting up ZBF). The issue I am having is that I keep getting drop packet error messages and the reasons can differ. Below are some of the outputs I receive:

Jul 14 2012 23:38:09: %FW-6-DROP_PKT: Dropping Other session 64.215.255.24:443 192.168.12.11:59748  due to  Retransmitted Segment with Invalid Flags with ip ident 0 tcpflags 0x5004 seq.no 4247336252 ack 0

Home-Router#

Jul 14 2012 23:38:49: %FW-6-DROP_PKT: Dropping Other session 64.215.255.24:443 192.168.12.11:59825  due to  Retransmitted Segment with Invalid Flags with ip ident 0 tcpflags 0x5004 seq.no 570307557 ack 0

Home-Router#

Jul 14 2012 23:39:26: %FW-6-DROP_PKT: Dropping http session 77.73.32.100:80 192.168.12.11:59859  due to  SYN inside current window with ip ident 0 tcpflags 0x8012 seq.no 3980996654 ack 398106525

Home-Router#

Jul 14 2012 23:40:01: %FW-6-DROP_PKT: Dropping Other session 92.21.177.174:52564 23.32.26.224:443  due to  Retransmitted Segment with Invalid Flags with ip ident 50491 tcpflags 0x5004 seq.no 2961330137 ack 0

Home-Router#

Jul 14 2012 23:41:06: %FW-6-DROP_PKT: Dropping Other session 173.194.34.94:443 192.168.12.11:59736  due to  Retransmitted Segment with Invalid Flags with ip ident 7027 tcpflags 0x5004 seq.no 3898183889 ack 0

I have done a show ip virtual-reassembly on all the interfaces and the counter is shown as 0.

Can someone shed some light on this situation??

Thanks,

Ash

6 Replies

Hi Bro

This error message indicates that the IP 173.194.34.94 has received and acknowledged the various retransmitted packets from 192.168.12.11:59736. This can be seen occurring numerous times, based on the countless TCP Sequence Numbers, as shown in your capture. Why is 192.168.12.11 sending out numerous packets? What device is 192.168.12.11?

This has nothing to do with the “ip virtual-reassembly” command as this error doesn’t concern fragmentation.

Perhaps, could you remove the “ip inspect XXX in” command, and verify if you’re still getting this message. If yes, then this is a configuration error in your CBAC. I’m guessing you’ve not enabled ZFW yet.

By the way, perhaps this URL could assist you further https://supportforums.cisco.com/thread/237095

P/S: If you think my comments are helpful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

Hi,

Thanks for the response. I previously had CBAC; I have now removed all CBAC config and applied zone based firewall, and I am still getting the drop messages.

I am using version 15.1. Do you know if this is a bug issue?

Ash

Hi There

This is just my suggestion: could you remove your ZFW completely and ensure this is working? If yes, then when you paste your ZFW config back in and it doesn't work fine, we can narrow it down to the ZFW config or a bug. Could you paste your ZFW config here?

Warm regards,
Ramraj Sivagnanam Sivajanam

Here is the zone based firewall config:

class-map type inspect match-all ICMP
 match protocol icmp
class-map type inspect match-any DHCP-to-SELF
 match protocol bootps
 match protocol bootpc
class-map type inspect match-any TRAFFIC-to-SELF
 match access-group name ICMP-TRAFFIC-ACL
 match access-group name VTY-IN
 match access-group 99
 match access-group name ALLOW-DHCP
 match access-group name HTTPS-to-SELF
class-map type inspect match-any INSIDE-OUT
 match protocol dns
 match protocol ntp
 match protocol http
 match protocol https
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol bittorrent
 match protocol pptp
 match protocol isakmp
 match protocol ipsec-msft
 match protocol ssh
 match protocol tftp
 match protocol bootpc
 match protocol bootps
class-map type inspect match-any OUTSIDE-IN
 match access-group name WAN-IN
!
!
policy-map type inspect INSIDE-to-SELF
 class type inspect DHCP-to-SELF
  pass
 class type inspect TRAFFIC-to-SELF
  inspect
 class class-default
  drop
policy-map type inspect OUTSIDE-to-SELF
 class type inspect OUTSIDE-IN
  inspect
 class type inspect ICMP
  drop
 class class-default
  drop
policy-map type inspect INSIDE-OUT
 class type inspect INSIDE-OUT
  inspect
 class type inspect ICMP
  inspect
  police rate 8000 burst 1000
 class class-default
  drop
policy-map type inspect OUTSIDE-IN
 class type inspect OUTSIDE-IN
  inspect
 class type inspect ICMP
  inspect
  police rate 8000 burst 1000
 class class-default
  drop
!
zone security inside
 description *** INSIDE ZONE ***
zone security outside
 description *** OUTSIDE ZONE ***
zone-pair security INSIDE-to-OUTSIDE source inside destination outside
 service-policy type inspect INSIDE-OUT
zone-pair security OUTSIDE-IN source outside destination inside
 service-policy type inspect OUTSIDE-IN
zone-pair security INSIDE-to-SELF source inside destination self
 service-policy type inspect INSIDE-to-SELF
zone-pair security OUTSIDE-to-SELF source outside destination self
 service-policy type inspect OUTSIDE-to-SELF
!

I will remove the firewall and see if the errors persist.

Thanks

Hi,

I just turned off the zone based firewall and it seems that it was the firewall causing the dropped packets.

I have used CBAC before and not so much ZBF; however, I have never come across these types of errors.

Please let me know if there is anything odd within the ZBF config.

Thanks,

Ash

Hello Ashley,

Of course it is the ZBFW dropping the packets.

ZBFW performs a deep packet inspection and will track and maintain a state table for the TCP connections.

In this case we are getting packets that do not agree with the information previously seen on a current TCP session; that is why the packets are getting lost.

The ZBFW is doing its job successfully; now you will need to focus on why this device is receiving TCP packets with invalid flags.

Now if you want to solve this for the moment (workaround), instead of inspecting the traffic just pass it. Again, this would be a workaround.

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC