06-09-2016 12:30 PM - edited 03-03-2019 08:15 AM
I've got an ISR4431 running "Cisco IOS XE Software, Version 03.16.01a.S" at a remote office. IPSec over GRE tunnels for corporate traffic, regular ISP off a gigabit interface for all Internet traffic.
We've got a simple ZBFW setup with:
Policy Map type inspect Trusted_to_Outside
Class FW-in-to-out
Inspect
Class class-default
Drop log
And Class FW-in-to-out is just:
Class Map type inspect match-any FW-in-to-out (id 1)
Match protocol tcp
Match protocol udp
Match protocol icmp
Match protocol h323
Match protocol ftp
The Outside_to_Trusted zone-pair just allows our GRE traffic from corporate and denies and logs the rest. But with the outbound being inspected, that allows the return, established TCP traffic to come back through without specific rules for it in the Outside_to_Trusted rule set.
Our logging buffer is completely filled with tcp pkt drops that appear to be return HTTP(S) traffic (source port 80 and 443 from the Internet):
0000381951172484032 %FW-6-LOG_SUMMARY: 1 tcp packet was dropped from GigabitEthernet0/0/1 132.245.41.34:443 => 10.5.214.45:37272 (target:class)-(Outside->Trusted:class-default)
.Jun 9 2016 13:33:23.876 EST: %IOSXE-6-PLATFORM:cpp_cp: QFP:0.0 Thread:003 TS:00000381981172577392 %FW-6-LOG_SUMMARY: 5 tcp packets were dropped from GigabitEthernet0/0/1 162.208.22.39:443 => 10.5.218.185:65241 (target:class)-(Outside->Trusted:class-default)
Now, we're not getting any complaints regarding web browsing from this office, so it's safe to say that return HTTP(S) traffic is not getting blocked.
Seems to me there are two explanations of what's going on here.
Is anyone else seeing anything like this?
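As an added example (not part of the original post or any Cisco tool), a small Python parser for the %FW-6-LOG_SUMMARY lines quoted above; it aggregates dropped packets per source port so you can confirm how much of the buffer is inbound TCP from ports 80/443 to ephemeral client ports. The regex is an assumption based on the two messages shown, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Matches the %FW-6-LOG_SUMMARY body as shown in the post; the IOS-XE platform
# prefix (timestamp, QFP thread, TS counter) before it is ignored.
LOG_SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) (?P<proto>\w+) packets? (?:was|were) dropped "
    r"from (?P<intf>\S+) (?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zpair>[^:]+):(?P<cls>[^)]+)\)"
)

# Constructed sample lines modelled on the post (addresses are illustrative).
SAMPLE_LOG = """\
.Jun 9 2016 13:33:23.876 EST: %IOSXE-6-PLATFORM:cpp_cp: QFP:0.0 Thread:003 TS:00000381981172577392 %FW-6-LOG_SUMMARY: 5 tcp packets were dropped from GigabitEthernet0/0/1 192.0.2.10:443 => 10.5.218.185:65241 (target:class)-(Outside->Trusted:class-default)
%FW-6-LOG_SUMMARY: 1 tcp packet was dropped from GigabitEthernet0/0/1 192.0.2.11:80 => 10.5.214.45:37272 (target:class)-(Outside->Trusted:class-default)
%FW-6-LOG_SUMMARY: 3 tcp packets were dropped from GigabitEthernet0/0/1 198.51.100.7:22 => 10.5.214.45:37273 (target:class)-(Outside->Trusted:class-default)
%FW-6-LOG_SUMMARY: 2 udp packets were dropped from GigabitEthernet0/0/1 198.51.100.9:53 => 10.5.214.46:51000 (target:class)-(Outside->Trusted:class-default)
"""

def parse_log_summary(text):
    """Yield one dict per parsed %FW-6-LOG_SUMMARY line; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_SUMMARY_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("count", "sport", "dport"):
                rec[key] = int(rec[key])
            yield rec

def is_likely_return_traffic(rec, server_ports=(80, 443)):
    """Inbound TCP from a well-known web port to an ephemeral client port looks
    like a reply to an outbound session the inspect engine is not tracking."""
    return rec["proto"] == "tcp" and rec["sport"] in server_ports and rec["dport"] >= 1024

def summarize_drops(text):
    """Return (packets dropped per (proto, source port), packets that look like HTTP(S) returns)."""
    by_sport = Counter()
    return_pkts = 0
    for rec in parse_log_summary(text):
        by_sport[(rec["proto"], rec["sport"])] += rec["count"]
        if is_likely_return_traffic(rec):
            return_pkts += rec["count"]
    return by_sport, return_pkts

if __name__ == "__main__":
    by_sport, return_pkts = summarize_drops(SAMPLE_LOG)
    for (proto, sport), n in by_sport.most_common():
        print(f"{proto}/{sport}: {n} packets dropped")
    print(f"likely return HTTP(S) packets dropped: {return_pkts}")
```

Feed it the output of `show logging` to see whether the drops are dominated by source ports 80/443, as the post describes.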
06-09-2016 01:06 PM
I think I would try upgrading to the gold star release 3.16.2S and see if the issue still happens.
06-09-2016 04:24 PM
Heh, I was afraid that might be the answer. I was hoping to hear if anyone else has this issue. I'll see what we can do about a maintenance upgrade.