Zone Firewall Dropping traffic out-self

mmedwid
Level 3

10:44:08.946 PST: %FW-6-DROP_PKT: Dropping tcp session 6.4.15.49:443 6.11.50.162:61392 on zone-pair sdm-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0

005452: Oct 19 10:51:41.336 PST: %FW-6-LOG_SUMMARY: 4 packets were dropped from 6.4.15.49:443 => 6.11.50.162:1156 (target:class)-(sdm-zp-out-self:class-default)

In actuality, I believe this traffic is just reply traffic for HTTPS. Not sure what the "ip ident 0" reject issue is. This is a Cisco 2811 ISR running zone-based policy firewalling.

6.11.50.162 would be the outside NAT address for all of the internal private address space. Generally we can get to HTTPS sites, log in and interact OK. Any other thoughts on the drops?

2 Replies

Panos Kampanakis
Cisco Employee

If HTTPS access is OK, then the logs that you see are not worth worrying about.

If you close a connection legitimately with FIN-ACK, FIN-ACK and ACK, and the last ACK is delayed a little, or if there is a RST sent by the client just to confirm the connection closure, they might be dropped, generating that log, simply because the ZBF had already torn down the connection when it saw the FINs, so the last RST or ACK didn't match an existing connection.

So if this does not relate to HTTPS issues, that is probably why you see the log.

I hope it helps.

PK

Hello,

Panos is right. Consider the number of HTTP and HTTPS connections a single host can open (following hyperlinks, downloading applets, and so on) even when going to a single website. Even if the page displays correctly, the firewall won't expect a packet to come late, or expect the final ACK, when it has already seen the FIN-ACK packets agreeing on the closure of the connection. That's why you can see class-default dropping it.

Think of it as on the ASA: on an ASA firewall you should be able to see a log that says deny tcp "no connection" when any of these situations happens.

I think you should worry if the traffic does not work and you see any of the following messages:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1048887

If you have any doubts please let me know.

Mike
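A small triage script for these two log formats, written here as an added example (not from the thread, and not Cisco's own tooling): it parses the %FW-6-DROP_PKT and %FW-6-LOG_SUMMARY lines quoted above and applies the heuristic Panos and Mike describe, treating class-default drops on the out-self zone pair that come from a service port toward an ephemeral port as probable late teardown packets and flagging everything else for a closer look. The sample lines below are constructed (the 198.51.100.9 address is made up), and the service-port set and the 1024 ephemeral-port threshold are assumptions.

```python
import re
from collections import Counter

# Regexes for the two IOS ZBF syslog formats quoted in the thread (assumption: field order as shown there).
DROP_PKT = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)
LOG_SUMMARY = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)"
)

# Service ports whose replies an inside initiator legitimately expects back (assumed set).
SERVICE_PORTS = {80, 443}

def parse_drop(line):
    """Return a dict describing one drop record, or None if the line is not a ZBF drop."""
    m = DROP_PKT.search(line) or LOG_SUMMARY.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["count"] = int(d.get("count") or 1)  # DROP_PKT lines describe a single packet
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def classify(drop):
    """Heuristic from the replies: a packet from a service port to an ephemeral port, dropped by
    class-default on the out-self pair, is most likely a late FIN/ACK/RST after session teardown."""
    if (drop["cls"] == "class-default" and drop["zp"].endswith("out-self")
            and drop["sport"] in SERVICE_PORTS and drop["dport"] >= 1024):
        return "likely-late-teardown"
    return "investigate"

def triage(lines):
    """Total dropped packets per (classification, source address) across a log excerpt."""
    totals = Counter()
    for line in lines:
        d = parse_drop(line)
        if d:
            totals[(classify(d), d["src"])] += d["count"]
    return totals

# Constructed sample lines in the format quoted in the thread; 198.51.100.9 is a made-up source.
SAMPLE = [
    "10:44:08.946 PST: %FW-6-DROP_PKT: Dropping tcp session 6.4.15.49:443 6.11.50.162:61392 on zone-pair sdm-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0",
    "005452: Oct 19 10:51:41.336 PST: %FW-6-LOG_SUMMARY: 4 packets were dropped from 6.4.15.49:443 => 6.11.50.162:1156 (target:class)-(sdm-zp-out-self:class-default)",
    "005453: Oct 19 10:52:02.100 PST: %FW-6-LOG_SUMMARY: 7 packets were dropped from 198.51.100.9:6000 => 6.11.50.162:22 (target:class)-(sdm-zp-out-self:class-default)",
    "005454: Oct 19 10:52:05.000 PST: %SYS-5-CONFIG_I: Configured from console by admin",
]
```

Running `triage(SAMPLE)` yields 5 packets from 6.4.15.49 classed as likely late teardown and 7 packets from 198.51.100.9 flagged for investigation; the unrelated %SYS line is ignored.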
