https://community.cisco.com/t5/network-security/dropping-unknown-session-firewall/m-p/2221740#M349452 <HTML><HEAD></HEAD><BODY><P> The traffic is getting dropped because it's matching the "class-default" class-map which acts as a catchball for all the packets that didn't match previous class-maps.</P><P></P><P>It's default action is to DROP everything.</P><P></P><P>That UDP traffic uses port 0, this is not normal traffic and shouldn't be seen under normal circumstances.</P><P></P><P>So, it's a good thing the firewall it's dropping it.</P></BODY></HTML> Wed, 29 May 2013 23:23:34 GMT Favaloro. 2013-05-29T23:23:34Z https://community.cisco.com/t5/network-security/dropping-unknown-session-firewall/m-p/2221739#M349451 <P>Dear Team, I am facing trouble to find out the problem. I am getting the alrms below</P><P></P><P>May 22 17:21:02.447: %FW-6-DROP_PKT: Dropping Unknown-l4 session 162.116.205.245:0 169.254.254.254:0 on zone-pair E_FW_ZON_PAIR_SLF_TO_WAN class class-default due to&nbsp; DROP action found in policy-map with ip ident 0</P><P>May 22 17:21:32.519: %FW-6-DROP_PKT: Dropping Unknown-l4 session 162.116.205.245:0 169.254.254.254:0 on zone-pair E_FW_ZON_PAIR_SLF_TO_WAN class class-default due to&nbsp; DROP action found in policy-map with ip ident 0</P><P></P><P>I I could understand is that the session is being dropped due to something related with ident 0,</P><P></P><P>someone could help me ?</P><P></P><P>Below I put some config lines which could help me to clarify it,</P><P></P><P>thanks,</P><P></P><P>pbjs1468#show policy-map type inspect zone-pair E_FW_ZON_PAIR_SLF_TO_WAN sessions</P><P>policy exists on zp E_FW_ZON_PAIR_SLF_TO_WAN<BR />Zone-pair: E_FW_ZON_PAIR_SLF_TO_WAN</P><P>&nbsp; Service-policy inspect : E_FW_POLICY_MAP_SLF_TO_WAN</P><P>&nbsp;&nbsp;&nbsp; Class-map: E_FW_CL_MAP_PROTOCOL_SLF_TO_WAN_98 (match-any)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: access-group name E_FW_SLF_TO_WAN_ACL_98<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 33901576 packets, 6137009389 bytes<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 30 second rate 0 bps<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Pass<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 33901576 packets, 6137009389 bytes</P><P>&nbsp;&nbsp;&nbsp; Class-map: class-default (match-any)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: any<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Drop<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 696394 packets, 19500766 bytes</P><P>pbjs1468#show class-map class-default<BR />Class Map match-any class-default (id 0)<BR />&nbsp;&nbsp; Match any</P><P>-------</P><P>policy-map type inspect E_FW_POLICY_MAP_LAN_TO_WAN<BR />class type inspect E_FW_CLASSE_MAP_LAN_TO_WAN_00<BR />&nbsp; inspect E_FW_GLOBAL_PARAMETERS<BR />class type inspect E_FW_CLASSE_MAP_LAN_TO_WAN_01<BR />&nbsp; inspect E_FW_GLOBAL_PARAMETERS<BR />class type inspect E_FW_CL_MAP_PROTOCOL_LAN_TO_WAN_0E<BR />&nbsp; drop log<BR />class class-default<BR />&nbsp; drop log</P> Tue, 12 Mar 2019 01:47:33 GMT https://community.cisco.com/t5/network-security/dropping-unknown-session-firewall/m-p/2221739#M349451 Onildo Ricardo Ribeiro 2019-03-12T01:47:33Z https://community.cisco.com/t5/network-security/dropping-unknown-session-firewall/m-p/2221740#M349452 <HTML><HEAD></HEAD><BODY><P> The traffic is getting dropped because it's matching the "class-default" class-map which acts as a catchball for all the packets that didn't match previous class-maps.</P><P></P><P>It's default action is to DROP everything.</P><P></P><P>That UDP traffic uses port 0, this is not normal traffic and shouldn't be seen under normal circumstances.</P><P></P><P>So, it's a good thing the firewall it's dropping it.</P></BODY></HTML> Wed, 29 May 2013 23:23:34 GMT https://community.cisco.com/t5/network-security/dropping-unknown-session-firewall/m-p/2221740#M349452 Favaloro. 2013-05-29T23:23:34Z