Cisco Support Community

ZBF: Logging of drops because of inspects

Hi all,

It's all about zone-based firewalling on an IOS router with 12.4(T) image.

Is there a possibility to log drops that are caused by an inspect action? For example, a packet with the TCP flag "ACK" is dropped because there was no initial "SYN", so the packet is out of state and dropped.

From a configuration point of view, it would look like the following:

I have a policy-map with different class-maps. One class-map for tcp-traffic inspection, one for udp inspection and one class-default with a drop action.

If there is an out-of-state TCP packet, it would match the tcp-traffic class-map and be dropped due to inspection. But there is no logging event for that.

I use 12.4(11)T4 with adv. IP services.


When doing a "debug ip packet", I can see that the packet is dropped because of the inspection. But a debugging output won't help me. Especially a debug ip packet in a live environment :-))

REMOTE-LBR1# debug ip packet detail


000331: *Jun 30 15:51:09.759 MESZ: IP: tableid=0, s= (FastEthernet0/1), d= (FastEthernet0/0), routed via FIB

000332: *Jun 30 15:51:09.763 MESZ: IP: s= (FastEthernet0/1), d= (FastEthernet0/0), len 40, dropped by inspect

Cisco Employee

Re: ZBF: Logging of drops because of inspects

Try 'ip inspect log drop-pkt', it works in both classic IOS FW config and Zone-based FW config.

Alex Yeung
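To show where the global command from the reply fits into the zone-based setup the question describes, here is an added example configuration; it is not from the original thread. Zone names, policy and class-map names, the syslog host address and the `drop log` on class-default are assumptions for illustration, while the interface names follow the debug output above.

```ios
! Added example, not from the original thread. Zone/class/policy names
! and the syslog host 10.0.0.5 are constructed; interface names follow
! the debug output in the question.
!
! Global: log packets the inspect engine itself drops, e.g. a TCP ACK
! with no matching session (the out-of-state case asked about above).
! Applies to both classic CBAC and zone-based firewall policies.
ip inspect log drop-pkt
!
! Send the resulting messages to a buffer and a syslog host instead of
! the console, so enabling the log has no impact on a live box.
logging buffered 64000 informational
logging host 10.0.0.5
no logging console
!
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any CM-TCP
 match protocol tcp
class-map type inspect match-any CM-UDP
 match protocol udp
!
policy-map type inspect PM-IN-OUT
 class type inspect CM-TCP
  inspect
 class type inspect CM-UDP
  inspect
 ! Traffic matching neither class is dropped; "log" records that drop,
 ! but it does not cover drops made by "inspect" in the classes above,
 ! which is what "ip inspect log drop-pkt" adds.
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
interface FastEthernet0/1
 description inside
 zone-member security INSIDE
!
interface FastEthernet0/0
 description outside
 zone-member security OUTSIDE
```

With `ip inspect log drop-pkt` enabled, a packet that the inspect engine rejects as out of state is reported as a FW-6-DROP_PKT syslog message naming the zone-pair and class that dropped it, so the event can be collected and alerted on without running `debug ip packet` in production. Logging every drop can be noisy on a busy link, so buffer size and syslog rate limits should be sized for the expected volume.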
