Cisco Support Community
Community Member

Zone Firewall Dropping traffic out-self

10:44:08.946 PST: %FW-6-DROP_PKT: Dropping tcp session on zone-pair sdm-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0

005452: Oct 19 10:51:41.336 PST: %FW-6-LOG_SUMMARY: 4 packets were dropped from => (target:class)-(sdm-zp-out-self:class-default)

In actuality, I believe this traffic is just reply traffic for HTTPS. Not sure what the "ip ident 0" reject issue is. This is a Cisco 2811 ISR running zone-based policy firewalling. would be the outside NAT address for all of the internal private address space. Generally we can get to HTTPS sites, log in and interact OK. Any other thoughts on the drops?

Cisco Employee

Re: Zone Firewall Dropping traffic out-self

If HTTPS access is OK, then the logs that you see are not worth worrying about.

If you close a connection legitimately with FIN-ACK, FIN-ACK and ACK, and the last ACK is delayed a little, or if there is a RST sent by the client just to confirm the conn closure, they might be dropped, generating that log, simply because the ZBF had already torn down the conn when it saw the FINs, so the last RST or ACK didn't match an existing conn.

So if this does not relate to HTTPS issues, that is probably why you see the log.

I hope it helps.


Cisco Employee

Re: Zone Firewall Dropping traffic out-self


Panos is right. Consider the amount of connections on HTTP and HTTPS that a single host can make opening hyperlinks, downloading applets, and so on, even when only going to a single website. Even if you get the page displayed right, the firewall won't expect a packet to come late, or expect the final ACK when it already saw the FIN-ACK packets agreeing on the closure of the connection. That's why you can see that the class-default is dropping it.

Imagine this as in the ASA: in an ASA firewall you should be able to see a log that would say deny tcp "no connection" when any of these situations happens.

I think you should worry if the traffic does not work and you see any of the following messages:

If you have any doubts please let me know.
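To tell the post-teardown stragglers described in the two replies above from drops that actually break traffic, it helps to aggregate the %FW-6-DROP_PKT and %FW-6-LOG_SUMMARY messages per zone-pair and class. The following parser is an added example, not code from the thread or from Cisco; the sample log lines are constructed (modelled on the two formats quoted in the question, plus one made-up transit zone-pair), and the "self zone" check assumes SDM-style zone-pair names such as sdm-zp-out-self.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the message formats quoted in the
# thread; the counts and the third (transit zone-pair) line are made up.
SAMPLE_LOG = """\
10:44:08.946 PST: %FW-6-DROP_PKT: Dropping tcp session on zone-pair sdm-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
005452: Oct 19 10:51:41.336 PST: %FW-6-LOG_SUMMARY: 4 packets were dropped from => (target:class)-(sdm-zp-out-self:class-default)
005460: Oct 19 10:52:02.001 PST: %FW-6-LOG_SUMMARY: 12 packets were dropped from => (target:class)-(sdm-zp-in-out:class-default)
"""

# Per-packet drop record: protocol, zone-pair, class-map, action and IP ident.
DROP_PKT = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session on zone-pair (?P<zp>\S+) "
    r"class (?P<cls>\S+) due to\s+(?P<action>\S+) action .*?ip ident (?P<ident>\d+)"
)
# Rate-limited summary: N packets dropped for (zone-pair:class).
LOG_SUMMARY = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were dropped from => "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)"
)


def parse_line(line):
    """Return (zone_pair, class_map, packets) for a ZBF drop line, else None."""
    m = DROP_PKT.search(line)
    if m:
        return m.group("zp"), m.group("cls"), 1
    m = LOG_SUMMARY.search(line)
    if m:
        return m.group("zp"), m.group("cls"), int(m.group("count"))
    return None


def drops_by_zone_pair(log_text):
    """Count dropped packets per (zone-pair, class) across both message types."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            zp, cls, n = parsed
            counts[(zp, cls)] += n
    return counts


def involves_self_zone(zone_pair):
    """True when the pair includes the router's own 'self' zone (assumes SDM naming)."""
    return zone_pair.endswith("-self") or "-self-" in zone_pair


if __name__ == "__main__":
    for (zp, cls), n in sorted(drops_by_zone_pair(SAMPLE_LOG).items()):
        tag = "router self zone" if involves_self_zone(zp) else "transit zone-pair"
        print(f"{zp:20} {cls:15} {n:5d} dropped ({tag})")
```

Drops that pile up on a transit zone-pair while users report failures deserve a look at the policy-map; a trickle on the out-self pair with working HTTPS matches the late ACK/RST explanation given above.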

