Hi,
Has anyone had any issues with these rules allowing traffic they shouldn't? We've had this twice that we know of. The first time around, someone added a rule that wasn't specific enough and didn't enable logging, so there were lessons learned there.
The recent one is that a URL is working from a client and there is no matching allow rule. From the logs you can see the traffic matching our deny rule, but the Dev was certain it was working. A traffic capture and firewall-engine-debug confirmed this. What's happening is that some packets are allowed on an application rule in this case (as expected). The rest of the criteria match, so it allows a few packets to identify the app before reaching a decision, as it does with URLs. The problem is that during this time the 3-way handshake completes and the data push commences. Now that there is a flow, any subsequent packets aren't checked against the ACL (again, as expected with a stateful FW). The first time we consulted Cisco they said it was a bug. I assume once it matches a deny rule there should be a routine to clear any flows created while identifying the traffic?
I will consult Cisco again, but just wondering if anyone else has noticed this? Like I say, it's difficult to spot as the only logs show the traffic being blocked.
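One way to hunt for this from the connection logs alone, as an added example that is not part of the original post and not Cisco's code: a blocked connection that was really stopped at the SYN shows no packets from the responder, whereas a connection that completed the handshake and pushed data before the deny verdict was reached shows responder packets and bytes on a Block event. The script below parses a simplified key: value rendering of connection events and flags every Block event where the responder sent anything. The sample lines are constructed, and the field names (AccessControlRuleAction, AccessControlRuleName, InitiatorPackets, ResponderPackets, InitiatorBytes, ResponderBytes, SrcIP, DstIP, DstPort) are assumptions about the export format that you should map to whatever your logging actually emits.

```python
"""Flag connection events logged as Block that nevertheless carried
responder traffic, i.e. the flow was built and data moved before the
deny decision. Added example; the log format below is constructed."""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample connection events (not real logs). Field names are an
# assumption modelled on a key: value syslog export; adjust to your format.
SAMPLE_EVENTS = """\
Protocol: TCP, SrcIP: 10.1.1.20, DstIP: 203.0.113.10, DstPort: 443, AccessControlRuleAction: Block, AccessControlRuleName: Deny-All, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 74, ResponderBytes: 0
Protocol: TCP, SrcIP: 10.1.1.21, DstIP: 203.0.113.11, DstPort: 443, AccessControlRuleAction: Block, AccessControlRuleName: Deny-All, InitiatorPackets: 9, ResponderPackets: 7, InitiatorBytes: 1532, ResponderBytes: 6204
Protocol: TCP, SrcIP: 10.1.1.22, DstIP: 203.0.113.12, DstPort: 443, AccessControlRuleAction: Allow, AccessControlRuleName: Allow-Web, InitiatorPackets: 12, ResponderPackets: 11, InitiatorBytes: 2210, ResponderBytes: 18340
Protocol: TCP, SrcIP: 10.1.1.23, DstIP: 203.0.113.13, DstPort: 80, AccessControlRuleAction: Block, AccessControlRuleName: Deny-All, InitiatorPackets: 3, ResponderPackets: 2, InitiatorBytes: 330, ResponderBytes: 140
"""


@dataclass
class ConnEvent:
    src: str
    dst: str
    dport: int
    action: str
    rule: str
    init_pkts: int
    resp_pkts: int
    init_bytes: int
    resp_bytes: int


def parse_event(line: str) -> ConnEvent:
    """Parse one 'key: value, key: value' line into a ConnEvent."""
    fields = {}
    for part in line.split(", "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return ConnEvent(
        src=fields["SrcIP"],
        dst=fields["DstIP"],
        dport=int(fields["DstPort"]),
        action=fields["AccessControlRuleAction"],
        rule=fields["AccessControlRuleName"],
        init_pkts=int(fields["InitiatorPackets"]),
        resp_pkts=int(fields["ResponderPackets"]),
        init_bytes=int(fields["InitiatorBytes"]),
        resp_bytes=int(fields["ResponderBytes"]),
    )


def leaked_before_verdict(ev: ConnEvent) -> bool:
    """A Block verdict with responder packets means the server answered,
    so the handshake (and possibly a data push) got through before the
    deny rule was applied. A clean block at the SYN shows zero responder
    packets."""
    return ev.action == "Block" and ev.resp_pkts > 0


def find_leaks(lines: Iterable[str]) -> List[ConnEvent]:
    """Return Block events that carried responder traffic, largest
    responder byte count first so real data transfers sort above
    handshake-only leaks."""
    events = [parse_event(line) for line in lines if line.strip()]
    hits = [ev for ev in events if leaked_before_verdict(ev)]
    return sorted(hits, key=lambda ev: ev.resp_bytes, reverse=True)


if __name__ == "__main__":
    for ev in find_leaks(SAMPLE_EVENTS.splitlines()):
        print(f"{ev.src} -> {ev.dst}:{ev.dport} rule={ev.rule} "
              f"resp_pkts={ev.resp_pkts} resp_bytes={ev.resp_bytes}")
```

Each hit is a candidate for the capture or firewall-engine-debug check described in the post; a small responder byte count with two or three packets is typically just the SYN-ACK and ACK of the handshake, while several kilobytes on a Block event means payload reached the client.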