Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
742
Views
0
Helpful
2
Replies

IOS-XE ZBFW logging lots of dropped packets (erroneously?)

jp.briggs
Level 1
Level 1

‎06-09-2016 12:30 PM - edited ‎03-03-2019 08:15 AM

I've got an ISR4431 running "Cisco IOS XE Software, Version 03.16.01a.S" at a remote office. IPSec over GRE tunnels for corporate traffic, regular ISP off a gigabit interface for all Internet traffic.

We've got a simple ZBFW setup with:

Policy Map type inspect Trusted_to_Outside
  Class FW-in-to-out
    Inspect
  Class class-default
    Drop log

And Class FW-in-to-out is just:

 Class Map type inspect match-any FW-in-to-out (id 1)
 Match protocol tcp
 Match protocol udp
 Match protocol icmp
 Match protocol h323
 Match protocol ftp

The Outside_to_Trusted zone-pair just allows our GRE traffic from corporate, and deny log the rest. But with the outbound being inspected, that allows the return, established TCP traffic to come back through, without specific rules for it in the Outside_to_Trusted rule set.

Our logging buffer is completely filled with tcp pkt drops that appear to be return HTTP(S) traffic (source port 80 and 443 from the Internet):

0000381951172484032 %FW-6-LOG_SUMMARY: 1 tcp packet was dropped from GigabitEthernet0/0/1 132.245.41.34:443 => 10.5.214.45:37272 (target:class)-(Outside->Trusted:class-default)
.Jun  9 2016 13:33:23.876 EST: %IOSXE-6-PLATFORM:cpp_cp: QFP:0.0 Thread:003 TS:00000381981172577392 %FW-6-LOG_SUMMARY: 5 tcp packets were dropped from GigabitEthernet0/0/1 162.208.22.39:443 => 10.5.218.185:65241 (target:class)-(Outside->Trusted:class-default)

Now, we're not getting any complaints regarding web browsing from this office, so it's safe to say that return HTTP(S) traffic is not getting blocked.

Seems to me, there's two explanations of what's going on here.

  • Even though the ZBFW is allowing the established traffic back through, it's somehow hitting the Deny log statement, creating log entiries (bug?)
  • There's some kind of ongoing established-tcp-spoofing attack happening (unlikely)

Is anyone else seeing anything like this?

Labels:
0 Helpful
2 Replies 2

Philip D'Ath
VIP Alumni
VIP Alumni

‎06-09-2016 01:06 PM

I think I would try upgrading to the gold star release 3.16.2S and see if the issue still happens.

0 Helpful

jp.briggs
Level 1
Level 1
In response to Philip D'Ath

‎06-09-2016 04:24 PM

Heh, I was afraid that might be the answer. I was hoping to hear if anyone else has this issue. I'll see what we can do about a maintenance upgrade.

0 Helpful
Customers Also Viewed These Support Documents