Dropped Packets with Zone Based Firewall

kyle.heath
Level 1

I have several Cisco 877s that I use at branch offices with IPsec tunnels to our head office, and I am troubleshooting through the syslogs using the "ip inspect log drop" command so I can see if any traffic is being dropped over the tunnels.

Although my tunnels are up and I can pass traffic across them, in the sense that all my users are working and I have no complaints, I do find that I see this type of message in the syslogs quite often:

%FW-6-DROP_PKT: Dropping tcp session 192.168.148.200:8059 192.168.137.93:55413  due to  policy match failure with ip ident 6048 tcpflags 0x8012 seq.no 3042221804 ack 3404684539

In the above example the IP 192.168.148.200:8059 is a server running Trend Micro OfficeScan, which communicates with a client at the remote site using port 8059. The client is working and the application is functioning, so is this type of packet drop to be expected, or should I be looking for the cause of these dropped packets?

Thanks


Kyle

1 Reply

Kureli Sankar
Cisco Employee

Policy match failure usually means that there is something incomplete in the zone configuration between the two zones (interfaces) involved.

Are you sure this flow is being matched in an ACL and inspected?

-KS
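The drop line in the question carries enough to answer the reply's question ("is this flow being inspected?") without touching the router: the tcpflags value tells you which packet of the TCP handshake the firewall refused, and a SYN+ACK with no session behind it is exactly what you see when the forward SYN never matched an inspect class-map. The script below is an added example for this thread, not code from either poster or from Cisco. It parses %FW-6-DROP_PKT lines, decodes the flags, and tallies drops per source endpoint and destination host. Assumptions not stated on the page: the tcpflags value is the raw 16-bit data-offset plus flags word copied from the TCP header (so 0x8012 is a 32-byte header with SYN and ACK set), and the classification labels (syn-ack-without-session and so on) are names chosen here. The first sample line is the one quoted in the question; the other sample lines are constructed for the example.

```python
"""Parse %FW-6-DROP_PKT syslog lines from a Cisco IOS zone-based firewall
and group the drops so it is clear which flows the inspect policy never saw.

Added example for this thread; it is not code from the thread or from Cisco.
Assumption (not stated on the page): the 'tcpflags' value is the raw 16-bit
data-offset + flags word from the TCP header, so a SYN or SYN+ACK drop is the
packet that should have created a session in the inspect state table.
"""
import re
from collections import Counter

# First line is the one quoted in the question; the rest are constructed
# for this example and do not come from the original post.
SAMPLE_LOG = """\
%FW-6-DROP_PKT: Dropping tcp session 192.168.148.200:8059 192.168.137.93:55413  due to  policy match failure with ip ident 6048 tcpflags 0x8012 seq.no 3042221804 ack 3404684539
%FW-6-DROP_PKT: Dropping tcp session 192.168.148.200:8059 192.168.137.93:55420  due to  policy match failure with ip ident 6102 tcpflags 0x8012 seq.no 3042301112 ack 3404701200
%FW-6-DROP_PKT: Dropping tcp session 192.168.137.93:55413 192.168.148.200:8059  due to  policy match failure with ip ident 511 tcpflags 0x5010 seq.no 3404684539 ack 3042221805
%FW-6-DROP_PKT: Dropping udp session 192.168.137.93:137 192.168.148.255:137  due to  policy match failure with ip ident 9001
some unrelated syslog line that should be ignored
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+"
    r"due to\s+(?P<reason>.+?) with ip ident (?P<ident>\d+)"
    r"(?:\s+tcpflags (?P<tcpflags>0x[0-9A-Fa-f]+))?"
)

# Flag bits in the low byte of the TCP offset/flags word (RFC 793 / RFC 3168).
TCP_FLAG_BITS = (
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
)


def decode_tcpflags(word):
    """Split a 16-bit offset/flags word into (header length in bytes, flag names)."""
    header_len = (word >> 12) * 4          # data offset is counted in 32-bit words
    flags = [name for bit, name in TCP_FLAG_BITS if word & bit]
    return header_len, flags


def parse_drop(line):
    """Return a dict of fields for an FW-6-DROP_PKT line, or None for anything else."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "ident"):
        rec[key] = int(rec[key])
    rec["tcpflags"] = int(rec["tcpflags"], 16) if rec["tcpflags"] else None
    return rec


def classify(rec):
    """Label the dropped packet by where it sits in the TCP exchange."""
    if rec["proto"] != "tcp" or rec["tcpflags"] is None:
        return "non-tcp"
    _, flags = decode_tcpflags(rec["tcpflags"])
    if "SYN" in flags and "ACK" in flags:
        return "syn-ack-without-session"   # reply to a SYN the inspect policy never saw
    if "SYN" in flags:
        return "syn-not-matched"           # first packet of a flow hit no inspect class
    return "midstream-without-session"     # session aged out, or was never created


def summarize(log_text):
    """Count drops per (proto, source endpoint, destination host, classification).

    The destination port is left out of the key so that ephemeral client ports
    collapse into one counter per server socket.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_drop(line)
        if rec is None:
            continue
        key = (rec["proto"], f'{rec["src_ip"]}:{rec["src_port"]}', rec["dst_ip"], classify(rec))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Run against a real syslog export, a high count of syn-ack-without-session from one server socket is the pattern to take to the router: check whether the class-map on the zone-pair in the client-to-server direction actually matches that port, since the SYN is what has to create the session for the SYN+ACK to be allowed back.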
