08-19-2008 04:51 AM - edited 03-11-2019 06:32 AM
Hello,
recently I have upgraded a Cisco 871 router to IOS version 12.4(20). Since the upgrade, the DHCP server on the router is not working if the Zone Based Firewall is enabled. Does anybody know what rule I have to insert into the firewall to allow DHCP traffic?
Thank you and kind regards, M
09-05-2008 02:25 PM
I have the same problem. It's very frustrating to say the least. Here is what I have to do to fix it...
Once you have the firewall created go to advanced. If you created it using the SDM wizard then there should be the top zone policy - sdm-permit-icmpreply (self to out-zone). Insert a rule. The rule should be
source/destination ANY
service name - I named it "dhcp-self-to-out"
services to add - bootps
action - Permit ACL
That should fix it.
Now to try and get PPTP to work. Having issues with GRE being allowed through.
I'm not at all impressed with the new zone based firewall to say the least.
I upgraded the image on my 871 from 12.4.15 to 12.4.20 and my router completely stopped working...seems to happen every time I upgrade my IOS.
Anyone know how to go back to the ACL based IOS firewall in the higher 12.4 releases? I really have not experienced the "simplicity" of the zone based firewall, and I am not a novice.
Rate this Post if it also fixes your problem. It will help others with the same problem quickly find and resolve their issue as well.
Thanks and good luck.
08-19-2008 08:11 AM
Hi Marko,
I would recommend starting by configuring 'ip inspect log drop' and a syslog server on the router. Then test the DHCP traffic and examine your logs, which should show you why this traffic is being dropped. You can then take this information and adjust your firewall policies accordingly.
-Mike
08-20-2008 10:41 PM
Hi Mike,
when I debug the firewall I receive the following messages:
********************************************
000059: *Aug 20 19:07:19.263 CET: FIREWALL*: NEW PAK 83D29C7C (0:0.0.0.0:68) (0:255.255.255.255:67) udp
000060: *Aug 20 19:07:19.263 CET: FIREWALL*: INSPECT feature object found
000061: *Aug 20 19:07:19.263 CET: FIREWALL*: Searching for session in cls 0x84D6D7A0 clsgrp 0x10000000, target 0xA000000D, cce clstype 0x2B
000062: *Aug 20 19:07:19.263 CET: FIREWALL*: Session not found
000063: *Aug 20 19:07:19.263 CET: FIREWALL*: FSO not valid
*******************************************
I have noticed that the ARP table is not updated. It looks like the FW is blocking ARP messages when clients are not configured with a static IP:
debug ARP:
********************************************
000051: Aug 20 23:14:02.612 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down
000052: Aug 20 23:14:03.616 CET: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to down
000053: Aug 20 23:14:03.616 CET: ARP STATIC: walk all static entries associated with FastEthernet2
000054: Aug 20 23:14:05.964 CET: IP ARP STATIC: periodic adj update #4, attempt to update 0 entries
000055: Aug 20 23:14:07.599 CET: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
000056: Aug 20 23:14:07.599 CET: ARP STATIC: walk all static entries associated with FastEthernet2
000057: Aug 20 23:14:07.599 CET: ARP STATIC: walk all static entries
000058: Aug 20 23:14:08.599 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to up
000059: Aug 20 23:14:08.599 CET: ARP STATIC: walk all static entries
C871>
000096: Aug 20 23:19:24.644 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to up
000097: Aug 20 23:19:35.919 CET: IP ARP STATIC: periodic adj update #2, attempt to update 0 entries
000098: Aug 20 23:19:50.917 CET: IP ARP STATIC: periodic adj update #3, attempt to update 0 entries
000099: Aug 20 23:20:05.915 CET: IP ARP STATIC: periodic adj update #4, attempt to update 0 entries
000100: Aug 20 23:20:20.912 CET: IP ARP STATIC: periodic adj update #1, attempt to update 0 entries
000101: Aug 20 23:20:35.910 CET: IP ARP STATIC: periodic adj update #2, attempt to update 0 entries
000102: Aug 20 23:20:50.908 CET: IP ARP STATIC: periodic adj update #3, attempt to update 0 entries
000103: Aug 20 23:21:05.906 CET: IP ARP STATIC: periodic adj update #4, attempt to update 0 entries
000104: Aug 20 23:21:20.904 CET: IP ARP STATIC: periodic adj update #1, attempt to update 0 entries
********************************************
Thank you and kind regards, Marko
08-21-2008 11:58 AM
One more log entry:
FW-6-DROP_PKT: Dropping Other session 0.0.0.0:68 255.255.255.255:67 on zone-pair Lan2Router class 15udp_1707685609 with ip ident 0
12-01-2008 05:26 PM
Hi,
It worked for me, but I had to add the same rule with the bootpc protocol for out-zone to self.
source/destination ANY
service name - I named it "dhcp-out-to-self"
services to add - bootpc
action - Permit ACL
Thank you.
02-19-2009 12:06 PM
Thank you!
I too am looking for that "simplicity" ;) lol
03-06-2009 10:35 PM
When I reboot all the changes are lost and a message comes up on console that the policy map couldn't be applied. This also leaves the router totally exposed. Cisco really needs to fix this or pull SDM from their website until they do.
03-09-2009 12:33 AM
Hi,
Could you elaborate on what happened? Have you tried with Cisco Configuration Professional (CCP)? CCP is the replacement for SDM.
Regards,
Alex Yeung
03-10-2009 02:16 AM
I wasn't aware that it had been replaced, I'll give it a shot and see what happens.
Juggling full-time study and work sucks; I have no time for fun stuff like networking :(
03-12-2009 01:30 AM
Same issue occurs in CCP, even checking to allow DHCP through the firewall at the prompt when you create the firewall doesn't work.
Exact error message from the console:
"%Protocol configured in class-map DHCP cannot be configured for the self zone. Please remove the protocol and retry%Protocol configured in class-map DHCP1 cannot be configured for the self zone. Please remove the protocol and retry"
DHCP1 and DHCP are obviously the names I used (with the same settings as above)
03-14-2009 03:34 PM
Did a complete reload and tried again using CCP, with the same result: DHCP is blocked (even after telling it to allow it).
If I manually create an ACL and apply it in the console I get the same error message that it needs to be removed.
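The console error quoted above is triggered by a class-map that uses 'match protocol dhcp' in a policy attached to the self zone. The following is an added example (not posted by anyone in this thread) of the CLI equivalent of the SDM/CCP rule: ACL-based class maps matching bootpc/bootps with the 'pass' action, which the self zone does accept. The zone name "LAN" and all ACL, class-map, policy-map and zone-pair names are assumed; on a router that already has zone pairs to and from self (such as the "Lan2Router" pair in the drop log above), these classes would be added to the existing policy maps rather than creating new zone pairs.

```cisco
! Assumed zone names: "LAN" (inside interface) and the built-in "self" zone.
! Client requests hitting the router (DISCOVER/REQUEST):
! src 0.0.0.0:68 (bootpc) -> dst 255.255.255.255:67 (bootps), as in the drop log.
ip access-list extended ACL-DHCP-LAN-TO-SELF
 permit udp any eq bootpc any eq bootps
! Replies from the router's DHCP server (OFFER/ACK): bootps -> bootpc
ip access-list extended ACL-DHCP-SELF-TO-LAN
 permit udp any eq bootps any eq bootpc
!
! ACL-based class maps. 'match protocol dhcp' is what the
! "cannot be configured for the self zone" error rejects.
class-map type inspect match-any CM-DHCP-LAN-TO-SELF
 match access-group name ACL-DHCP-LAN-TO-SELF
class-map type inspect match-any CM-DHCP-SELF-TO-LAN
 match access-group name ACL-DHCP-SELF-TO-LAN
!
! 'pass' is stateless, so each direction needs its own explicit class.
! The class-default below keeps the FW-6-DROP_PKT logging seen in the thread.
policy-map type inspect PM-LAN-TO-SELF
 class type inspect CM-DHCP-LAN-TO-SELF
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-TO-LAN
 class type inspect CM-DHCP-SELF-TO-LAN
  pass
 class class-default
  drop log
!
zone-pair security LAN-TO-SELF source LAN destination self
 service-policy type inspect PM-LAN-TO-SELF
zone-pair security SELF-TO-LAN source self destination LAN
 service-policy type inspect PM-SELF-TO-LAN
```

Note that class-default 'drop log' on a self-zone pair also drops everything else to and from the router on that interface (management sessions included), so any existing classes for those protocols must stay in the policy map; after applying, 'show policy-map type inspect zone-pair' should show the DHCP class counters increasing instead of the class-default drops.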