IOS Zone Firewall -- randomly lose remote SNMP to WLCM through firewall?
I've got a 3825 running 12.4(24)T with a WLCM module installed in it. We are currently configuring this device for deployment (very soon!).
I have some zone based firewall rules setup. Basically so our WCS server at our main campus can talk to the WLCM.
There is a VPN crypto-map applied to my outside interface (gig0/0) which connects back to our main campus network (220.127.116.11/16). VPN connectivity appears to be working without any issues.
IP address of my WCS server on my main campus is 18.104.22.168.
My WLCM's local IP address is 10.2.1.5 (global is 22.214.171.124).
The problem is that on initial boot of the 3825, SNMP/ICMP/HTTP/HTTPS connectivity to the WLCM from my WCS server works fine. But what will randomly happen after 10 minutes to several hours (it is random) is that SNMP connectivity will cease to the WLCM from my WCS server, while I can still ping/HTTP/HTTPS to the WLCM from the WCS server.
All syslog reports when connectivity ceases is:
%FW-6-DROP_PKT: Dropping udp session 126.96.36.199:40869 10.2.1.5:161 with ip ident 0
I have changed the policy-maps for OUTSIDE-TO-VLAN1 and VLAN1-TO-OUTSIDE zone-pairs to "inspect" instead of "pass log" and still experience the same problem.
I'll paste relevant portions of the configuration file to look at. I don't understand why I'm seeing this behavior, as the MAN-NETS ACL contains all the correct IPs to communicate.
If I turn off the zone based firewall, everything works fine without any problems.
I've also tried downgrading to 12.4(22)T1 and experience the same issue.
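When chasing a drop like the one above it helps to pull the flow tuple out of the %FW-6-DROP_PKT messages and tally which (protocol, destination port) pairs the zone firewall is actually dropping toward the WLCM, so you can confirm from the log itself that only UDP/161 is affected while HTTP/HTTPS/ICMP flows are not. The following Python is an added example, not code from the original post or from Cisco; the message layout is assumed from the single line quoted above, and every log line in the sample except that one is constructed for illustration.

```python
import re
from collections import Counter

# Pattern assumed from the one %FW-6-DROP_PKT line in the post:
#   Dropping <proto> session <src>:<sport> <dst>:<dport> with ip ident <n>
# Any syslog timestamp/sequence prefix in front of the mnemonic is ignored.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
    r"(?: with ip ident (?P<ident>\d+))?"
)

# The line quoted in the post, followed by constructed lines for the example.
PAGE_LINE = ("%FW-6-DROP_PKT: Dropping udp session "
             "126.96.36.199:40869 10.2.1.5:161 with ip ident 0")
SAMPLE_LOG = [
    PAGE_LINE,
    # constructed: same SNMP poller, next ephemeral source port
    "*Mar  1 00:14:02.311: %FW-6-DROP_PKT: Dropping udp session "
    "126.96.36.199:40871 10.2.1.5:161 with ip ident 0",
    # constructed: an unrelated TCP drop toward a different host
    "*Mar  1 00:14:05.902: %FW-6-DROP_PKT: Dropping tcp session "
    "126.96.36.199:51022 10.2.1.9:23 with ip ident 0",
    # constructed: a non-firewall message that must be ignored
    "%SYS-5-CONFIG_I: Configured from console by console",
]


def parse_drop(line):
    """Return the flow tuple from a %FW-6-DROP_PKT line, or None if not one."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"].lower(),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "ident": int(d["ident"]) if d["ident"] is not None else None,
    }


def summarize_drops(lines, dst=None):
    """Count drops per (proto, dport), optionally only toward one destination host."""
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        if dst is not None and rec["dst"] != dst:
            continue
        counts[(rec["proto"], rec["dport"])] += 1
    return counts


def dropped_source_ports(lines, dst, dport):
    """Sorted unique source ports of dropped flows to dst:dport (shows poller port churn)."""
    ports = {rec["sport"] for rec in map(parse_drop, lines)
             if rec is not None and rec["dst"] == dst and rec["dport"] == dport}
    return sorted(ports)


if __name__ == "__main__":
    for (proto, port), n in summarize_drops(SAMPLE_LOG, dst="10.2.1.5").items():
        print(f"{proto}/{port}: {n} dropped")
    print("source ports:", dropped_source_ports(SAMPLE_LOG, "10.2.1.5", 161))
```

Run it against `show logging` output (or the syslog collector's file for the router) instead of SAMPLE_LOG; if the only bucket that ever appears for 10.2.1.5 is udp/161, the firewall is dropping the SNMP requests specifically rather than all traffic from the WCS host, which narrows the question to how the UDP session is being tracked by the zone-pair rather than to the MAN-NETS ACL contents.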