Dropping unknown session - Firewall

Dear Team, I am having trouble finding the problem. I am getting the alarms below

May 22 17:21:02.447: %FW-6-DROP_PKT: Dropping Unknown-l4 session 162.116.205.245:0 169.254.254.254:0 on zone-pair E_FW_ZON_PAIR_SLF_TO_WAN class class-default due to  DROP action found in policy-map with ip ident 0

May 22 17:21:32.519: %FW-6-DROP_PKT: Dropping Unknown-l4 session 162.116.205.245:0 169.254.254.254:0 on zone-pair E_FW_ZON_PAIR_SLF_TO_WAN class class-default due to  DROP action found in policy-map with ip ident 0

All I could understand is that the session is being dropped due to something related to ident 0,

could someone help me?

Below I put some config lines which could help to clarify it,

thanks,

pbjs1468#show policy-map type inspect zone-pair E_FW_ZON_PAIR_SLF_TO_WAN sessions

policy exists on zp E_FW_ZON_PAIR_SLF_TO_WAN
Zone-pair: E_FW_ZON_PAIR_SLF_TO_WAN

  Service-policy inspect : E_FW_POLICY_MAP_SLF_TO_WAN

    Class-map: E_FW_CL_MAP_PROTOCOL_SLF_TO_WAN_98 (match-any)
      Match: access-group name E_FW_SLF_TO_WAN_ACL_98
        33901576 packets, 6137009389 bytes
        30 second rate 0 bps
      Pass
        33901576 packets, 6137009389 bytes

    Class-map: class-default (match-any)
      Match: any
      Drop
        696394 packets, 19500766 bytes

pbjs1468#show class-map class-default
Class Map match-any class-default (id 0)
   Match any

-------

policy-map type inspect E_FW_POLICY_MAP_LAN_TO_WAN
class type inspect E_FW_CLASSE_MAP_LAN_TO_WAN_00
  inspect E_FW_GLOBAL_PARAMETERS
class type inspect E_FW_CLASSE_MAP_LAN_TO_WAN_01
  inspect E_FW_GLOBAL_PARAMETERS
class type inspect E_FW_CL_MAP_PROTOCOL_LAN_TO_WAN_0E
  drop log
class class-default
  drop log


Favaloro.
Level 1

The traffic is getting dropped because it's matching the "class-default" class-map, which acts as a catch-all for all the packets that didn't match previous class-maps.

Its default action is to DROP everything.

That UDP traffic uses port 0; this is not normal traffic and shouldn't be seen under normal circumstances.

So, it's a good thing the firewall is dropping it.
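As an added example (not part of the original thread), a small Python parser for the %FW-6-DROP_PKT lines quoted in the question: it counts drops per zone-pair and class, as the show policy-map output does, and flags the Unknown-l4 / port-0 sessions the reply calls abnormal. The first two log lines are copied from the post; the third (LAN_TO_WAN zone-pair, 10.0.0.5 and 203.0.113.9) is constructed to show an ordinary TCP drop for contrast.

```python
import re
from collections import Counter

# Constructed sample syslog: lines 1-2 copied from the post, line 3 made up
# (zone-pair name and addresses are placeholders) to show a normal TCP drop.
SAMPLE_LOG = """\
May 22 17:21:02.447: %FW-6-DROP_PKT: Dropping Unknown-l4 session 162.116.205.245:0 169.254.254.254:0 on zone-pair E_FW_ZON_PAIR_SLF_TO_WAN class class-default due to  DROP action found in policy-map with ip ident 0
May 22 17:21:32.519: %FW-6-DROP_PKT: Dropping Unknown-l4 session 162.116.205.245:0 169.254.254.254:0 on zone-pair E_FW_ZON_PAIR_SLF_TO_WAN class class-default due to  DROP action found in policy-map with ip ident 0
May 22 17:22:10.001: %FW-6-DROP_PKT: Dropping tcp session 10.0.0.5:51234 203.0.113.9:443 on zone-pair E_FW_ZON_PAIR_LAN_TO_WAN class class-default due to  DROP action found in policy-map with ip ident 0
"""

# Field layout of the %FW-6-DROP_PKT message as it appears in the post
# ("due to" is followed by two spaces in the original, hence \s+).
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+) "
    r"due to\s+(?P<action>\S+) action found in policy-map with ip ident (?P<ident>\d+)"
)

def parse_drop(line):
    """Return the fields of one %FW-6-DROP_PKT line, or None for any other message."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "ident"):
        d[k] = int(d[k])
    # Unknown-l4 with both ports 0 is traffic the firewall could not classify
    # as a normal TCP/UDP session; it falls through to class-default and is dropped.
    d["anomalous"] = d["proto"] == "Unknown-l4" or (d["sport"] == 0 and d["dport"] == 0)
    return d

def summarize(log_text):
    """Count drops per (zone-pair, class) and list distinct anomalous flows."""
    per_class = Counter()
    anomalous = set()
    for line in log_text.splitlines():
        rec = parse_drop(line)
        if rec is None:
            continue
        per_class[(rec["zp"], rec["cls"])] += 1
        if rec["anomalous"]:
            anomalous.add((rec["src"], rec["dst"], rec["proto"]))
    return per_class, sorted(anomalous)

if __name__ == "__main__":
    counts, odd = summarize(SAMPLE_LOG)
    print(dict(counts))
    print(odd)
```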
