10-19-2010 12:37 PM - edited 03-11-2019 11:56 AM
10:44:08.946 PST: %FW-6-DROP_PKT: Dropping tcp session 6.4.15.49:443 6.11.50.162:61392 on zone-pair sdm-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
005452: Oct 19 10:51:41.336 PST: %FW-6-LOG_SUMMARY: 4 packets were dropped from 6.4.15.49:443 => 6.11.50.162:1156 (target:class)-(sdm-zp-out-self:class-default)
In actuality, I believe this traffic is just reply traffic for https. Not sure what the ip ident 0 reject issue is. This is a Cisco 2811 ISR running zone-based policy firewalling.
6.11.50.162 would be the outside NAT address for all of the internal private address space. Generally we can get to https sites, log in and interact OK. Any other thoughts on the drops?
10-19-2010 12:54 PM
If https access is OK then the logs that you see are not worth worrying about.
If you close a connection legitimately with FIN-ACK, FIN-ACK and ACK, and the last ACK is delayed a little, or if there is a RST sent by the client just to confirm the connection closure, they might be dropped, generating that log, simply because the ZBF had already torn down the connection when it saw the FINs, so the last RST or ACK didn't match an existing connection.
So if this does not relate to https issues, that is probably why you see the log.
I hope it helps.
PK
10-19-2010 04:21 PM
Hello,
Panos is right. Consider the number of connections on HTTP and HTTPS that a single host can open by following hyperlinks, downloading applets, and so on, even when only going to a single website. Even if you get the page displayed right, the firewall won't expect a packet to come late, or expect the final ACK when it already saw the FIN-ACK packets agreeing on the closure of the connection. That's why you can see that the class default is dropping it.
Imagine this as in the ASA: in an ASA firewall you should be able to see a log that would say deny tcp "no connection" when any of these situations happens.
I think you should worry if the traffic does not work and you see any of the following messages:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1048887
If you have any doubts please let me know.
Mike
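An added triage script (not from the thread, Cisco, or either poster) that parses the two message formats quoted above and applies the explanation PK and Mike give: a drop whose source is a web server port and whose destination is an ephemeral port on the NAT address is a straggling packet for a session ZBF already closed, and anything else is counted separately for review. The web ports, the 1024 ephemeral boundary, the third sample line and all function names are assumptions of this example.

```python
import re
from collections import Counter
# Constructed sample: the two lines quoted in the thread plus one made-up inbound
# drop to 6.11.50.162:22 (203.0.113.7 is a documentation address) for contrast.
SAMPLE_LOG = """\
10:44:08.946 PST: %FW-6-DROP_PKT: Dropping tcp session 6.4.15.49:443 6.11.50.162:61392 on zone-pair sdm-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
005452: Oct 19 10:51:41.336 PST: %FW-6-LOG_SUMMARY: 4 packets were dropped from 6.4.15.49:443 => 6.11.50.162:1156 (target:class)-(sdm-zp-out-self:class-default)
10:52:01.100 PST: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.7:51234 6.11.50.162:22 on zone-pair sdm-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
"""
DROP_PKT = re.compile(
    r"%FW-6-DROP_PKT: Dropping \w+ session (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) on zone-pair (?P<zp>\S+) class (?P<cls>\S+)")
LOG_SUMMARY = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[^:)]+):(?P<cls>[^)]+)\)")
WEB_PORTS = {80, 443}  # assumed: server ports inside clients connect to
EPHEMERAL_MIN = 1024   # assumed: client-side ports handed out by NAT/PAT

def parse_events(text):
    """Turn %FW-6-DROP_PKT / %FW-6-LOG_SUMMARY lines into dicts; skip the rest."""
    events = []
    for line in text.splitlines():
        m = DROP_PKT.search(line) or LOG_SUMMARY.search(line)
        if m:
            d = m.groupdict()
            events.append({"src": d["src"], "sport": int(d["sport"]),
                           "dst": d["dst"], "dport": int(d["dport"]),
                           "zone_pair": d["zp"], "cls": d["cls"],
                           "packets": int(d.get("count") or 1)})  # DROP_PKT = 1 packet
    return events

def classify(ev):
    """Separate the benign case explained in the thread from drops worth a look."""
    # A packet *from* a web server port *to* an ephemeral port on the NAT address
    # is reply traffic for a session an inside host opened. ZBF removes the session
    # entry once it has seen the FINs, so a straggling ACK or RST matches nothing
    # and falls through to class-default: log noise, not a connectivity problem.
    if ev["sport"] in WEB_PORTS and ev["dport"] >= EPHEMERAL_MIN:
        return "late-reply (benign)"
    # Anything else aimed at the outside address is unsolicited inbound traffic
    # that class-default correctly dropped; count it, review if volume spikes.
    return "unsolicited-inbound"

def summarize(text):
    """Packets dropped per category, e.g. for a daily triage report."""
    totals = Counter()
    for ev in parse_events(text):
        totals[classify(ev)] += ev["packets"]
    return totals
```

Feed the script a `show logging` export instead of SAMPLE_LOG; a rising "unsolicited-inbound" count is what deserves attention, not the late-reply noise.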