10-24-2019 04:37 PM - edited 10-24-2019 07:26 PM
Can you guys help me figure this out?
Inter-zone communication is interrupted with "encapsulation failed". This is a minimal proof of concept simulation in Packet Tracer to start getting into ZBF. One router with two interfaces, each on one zone: LAN and WAN. A host on each side. The policy map inspects traffic entering through the LAN interface. My intention is to only allow interzone packets for traffic originated in the LAN. Debugging failed pings LAN->WAN shows:
IP: tableid=0, s=10.0.0.2 (FastEthernet0/0), d=10.0.1.2 (FastEthernet0/1), routed via RIB
IP: s=10.0.0.2 (FastEthernet0/0), d=10.0.1.2 (FastEthernet0/1), g=10.0.1.2, len 128, forward
IP: s=10.0.0.2 (FastEthernet0/0), d=10.0.1.2 (FastEthernet0/1), len 128, encapsulation failed

Router#sh run
Building configuration...

Current configuration : 1099 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip cef
no ipv6 cef
!
no ip domain-lookup
!
spanning-tree mode pvst
!
class-map type inspect match-all LAN->WAN_CMAP
 match input-interface FastEthernet0/0
!
policy-map type inspect LAN->WAN_PMAP
 class type inspect LAN->WAN_CMAP
  inspect
!
zone security WAN
zone security LAN
zone-pair security LAN->WAN source LAN destination WAN
 service-policy type inspect LAN->WAN_PMAP
!
interface FastEthernet0/0
 description LAN
 ip address 10.0.0.1 255.255.255.0
 zone-member security LAN
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description WAN
 ip address 10.0.1.1 255.255.255.0
 zone-member security WAN
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
no cdp run
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
Thanks a lot!
EDIT:
Inspecting the packet encapsulation in Packet Tracer it shows: "Zone-Based Policy Firewall does not find a zone pair." I only have one zone pair LAN->WAN. Isn't ZBF NAT-aware?
10-26-2019 05:53 PM
So I configured this on a real router (1941) and it works as expected. The problem with Packet Tracer may be due to the IOS/device difference or a bug.
10-25-2019 02:04 PM
Have you tried matching an ACL instead of the input interface? Might be that packet tracer is having issues with the match.
10-25-2019 04:11 PM - edited 10-25-2019 04:11 PM
It gets interesting. Changing the class map from

class-map type inspect match-all LAN->WAN_CMAP
 match input-interface FastEthernet0/0

to

class-map type inspect match-all LAN->WAN_CMAP
 match protocol icmp

fixes the problem, but when PAT is configured it breaks similarly. Pinging from the LAN zone to the WAN zone fails with "encapsulation failed" for the incoming reply, and Packet Tracer also says that the ZBF cannot find a zone pair. I just don't get it:
Router#debug ip packet
Packet debugging is on
Router#
!--- Outgoing packet has no problem ---
IP: tableid=0, s=10.0.0.2 (FastEthernet0/0), d=10.0.1.2 (FastEthernet0/1), routed via RIB
IP: s=10.0.0.2 (FastEthernet0/0), d=10.0.1.2 (FastEthernet0/1), g=10.0.1.2, len 128, forward
!--- Incoming packet cannot be encapsulated, due to ZBF not finding a zone pair (according to Packet Tracer) ---
IP: tableid=0, s=10.0.1.2 (FastEthernet0/1), d=10.0.0.2 (FastEthernet0/0), routed via RIB
IP: s=10.0.1.2 (FastEthernet0/1), d=10.0.0.2 (FastEthernet0/0), g=10.0.0.2, len 128, forward
IP: s=10.0.1.2 (FastEthernet0/1), d=10.0.0.2 (FastEthernet0/0), len 128, encapsulation failed

Router#sh run
Building configuration...

Current configuration : 1112 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip cef
no ipv6 cef
!
no ip domain-lookup
!
spanning-tree mode pvst
!
class-map type inspect match-all LAN->WAN_CMAP
 match protocol icmp
!
policy-map type inspect LAN->WAN_PMAP
 class type inspect LAN->WAN_CMAP
  inspect
!
zone security WAN
zone security LAN
zone-pair security LAN->WAN source LAN destination WAN
 service-policy type inspect LAN->WAN_PMAP
!
interface FastEthernet0/0
 description LAN
 ip address 10.0.0.1 255.255.255.0
 zone-member security LAN
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description WAN
 ip address 10.0.1.1 255.255.255.0
 zone-member security WAN
 ip nat outside
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
!
ip flow-export version 9
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
no cdp run
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
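The ACL-based class map suggested earlier in the thread, combined with the PAT setup from the second configuration, as an added example that is not the poster's own configuration. It uses standard IOS ZBF syntax; the interface names, addresses, zone names and the LAN->WAN_CMAP / LAN->WAN_PMAP names are taken from the thread, while the ACL name LAN-SOURCED and the explicit drop-and-log action for class-default are assumptions added here.

```cisco
! Zones: every interface that carries firewalled traffic belongs to exactly one zone
zone security LAN
zone security WAN
!
! Sessions may only be initiated by hosts in the LAN subnet; any IP protocol
! is allowed so ICMP, TCP and UDP are all inspected statefully
ip access-list extended LAN-SOURCED
 permit ip 10.0.0.0 0.0.0.255 any
!
! Classify on the ACL rather than on the input interface (per the reply above)
class-map type inspect match-all LAN->WAN_CMAP
 match access-group name LAN-SOURCED
!
! inspect = create a stateful session so the reply is allowed back in;
! anything not sourced from the LAN subnet is dropped and logged
policy-map type inspect LAN->WAN_PMAP
 class type inspect LAN->WAN_CMAP
  inspect
 class class-default
  drop log
!
! Only one zone pair is defined; with no WAN->LAN pair, unsolicited traffic
! from the WAN toward the LAN is dropped by the default inter-zone policy
zone-pair security LAN->WAN source LAN destination WAN
 service-policy type inspect LAN->WAN_PMAP
!
interface FastEthernet0/0
 description LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 zone-member security LAN
!
interface FastEthernet0/1
 description WAN
 ip address 10.0.1.1 255.255.255.0
 ip nat outside
 zone-member security WAN
!
! PAT for the LAN subnet behind the WAN interface address (as in the thread)
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
```

After a ping from the LAN host, the stateful session should appear in the output of "show policy-map type inspect zone-pair LAN->WAN sessions", the zone pair and its attached policy can be confirmed with "show zone-pair security", and the PAT entry with "show ip nat translations". If the session is present but the reply still fails, the problem lies in the simulator rather than in the policy, which is consistent with the real-router result reported later in the thread.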
10-27-2019 01:47 AM
As I mentioned in my previous post, this is most likely an issue with Packet Tracer. Perhaps there was something hanging in the virtual device, or it is just not supported.