%FW-6-DROP_PKT: Dropping icmp session

sdawson14
Level 1

Hi All,


I am getting an error message on a Cisco 887 - *Apr 29 13:47:39.901: %FW-6-DROP_PKT: Dropping icmp session 37.157.53.34:0 192.168.1.58:0 on zone-pair ZP_WAN>LAN class class-default due to  DROP action found in policy-map with ip ident 0


Unfortunately I don't know much about the zone based firewall which seems to be the problem, the firewall configuration is below:

zone security LAN
zone security WAN
zone-pair security ZP_LAN>WAN source LAN destination WAN
 service-policy type inspect PM_LAN>WAN
zone-pair security ZP_WAN>LAN source WAN destination LAN
 service-policy type inspect PM_WAN>LAN

What is going wrong? I am also unable to SSH onto the device!

Any help would be amazing! Thank you all!


Simon

5 Replies

Vibhor Amrodia
Cisco Employee

Hi,

I think, as per the ICMP not working through the ZBF policies, you need to either inspect the ICMP traffic or pass this traffic through both the inbound policies on both the interfaces.

As per the SSH not working, do you have any self zone? If not, check the line configuration and related SSH configuration.

Thanks and Regards,

Vibhor Amrodia
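
Vibhor's self-zone question is the key one for the SSH symptom. The configuration below is an added example, not something posted in this thread, showing what an explicit LAN-to-self management policy looks like on IOS ZBF. It assumes the LAN zone from the original post; the class-map, policy-map and zone-pair names (CM_LAN_TO_SELF, PM_LAN>SELF, ZP_LAN>SELF), the ADMIN_VTY ACL, the 192.168.1.0/24 management subnet and the local username are my own choices.

```cisco
! Added example, not part of the thread. "self" is the built-in IOS zone for traffic
! terminating on or originating from the router itself. With no zone-pair that references
! "self", that traffic is allowed by default; as soon as one such pair exists, anything its
! policy does not inspect or pass (SSH included) is dropped. So if a self zone-pair is
! already present, that is where to look first for the SSH failure.
!
! Management traffic allowed to reach the router from the LAN zone.
class-map type inspect match-any CM_LAN_TO_SELF
 match protocol ssh
!
policy-map type inspect PM_LAN>SELF
 class type inspect CM_LAN_TO_SELF
  inspect
 class class-default
  drop log
!
! Only the LAN -> self direction is defined here. Router-originated traffic towards the LAN
! keeps its default-allow behaviour because no self -> LAN pair exists, and the SSH replies
! are permitted by the inspected session.
zone-pair security ZP_LAN>SELF source LAN destination self
 service-policy type inspect PM_LAN>SELF
!
! The line and SSH configuration Vibhor mentions, as an assumed baseline.
ip domain-name example.local
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret <password>
ip access-list standard ADMIN_VTY
 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class ADMIN_VTY in
 transport input ssh
 login local
```

Check the result with `show zone-pair security` (to see whether any pair references self) and `show policy-map type inspect zone-pair ZP_LAN>SELF`, which shows per-class match and drop counters, so a growing class-default drop count on that pair points straight at a protocol the class-map does not match.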

Mark Malone
VIP Alumni

Hi

You have a policy applied to the WAN and LAN; this policy must be blocking those specific services. You need to check exactly what the policy is doing and tweak it to allow what you want, or disable the zone on the interface by removing the service-policy.

Andre Neethling
Level 4

Hi. Can you please post the following output from your config?

These 2 policy maps:

  • PM_LAN>WAN
  • PM_WAN>LAN

And the Class Maps that are configured under those policy maps


class-map type inspect match-any CM_LAN_TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all CM_WAN_TRAFFIC
 match access-group name ACL_WAN>LAN
!
policy-map type inspect PM_WAN>LAN
 class type inspect CM_WAN_TRAFFIC
  inspect
 class class-default
  drop log
policy-map type inspect PM_LAN>WAN
 class type inspect CM_LAN_TRAFFIC
  inspect
 class class-default
  drop log

Hi. It's quite possible that you are not allowing ICMP from your WAN to LAN service policy. That is a good thing, unless you need to allow ping from the WAN interface. Are you aware of any ICMP traffic coming in from the WAN? If not, then someone is trying to ping your router. If you need to allow ICMP, then all you need to do is add a permit icmp line to the access list ACL_WAN>LAN.
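
Andre's diagnosis matches the posted configuration: CM_WAN_TRAFFIC is a match-all class on ACL_WAN>LAN alone, so any WAN-to-LAN packet the ACL does not permit falls through to class-default in PM_WAN>LAN, where `drop log` produces exactly the `%FW-6-DROP_PKT ... on zone-pair ZP_WAN>LAN class class-default` message in the original post. The fragment below is an added example, not the poster's configuration, showing the ACL change with the ICMP types narrowed down instead of a blanket `permit icmp any any`. It reuses the ACL_WAN>LAN, CM_WAN_TRAFFIC, PM_WAN>LAN and ZP_WAN>LAN names from the thread; the existing contents of ACL_WAN>LAN are not on the page, so only the added entries appear, and 192.168.1.0/24 is assumed to be the LAN subnet from the 192.168.1.58 address in the log line.

```cisco
! Added example, not from the thread. Only the new ACL entries are shown; the rest of
! ACL_WAN>LAN was not posted. The 192.168.1.0/24 destination is an assumption.
!
! Before: ICMP from the WAN matches nothing in ACL_WAN>LAN, so it misses CM_WAN_TRAFFIC,
! hits class-default in PM_WAN>LAN and is dropped and logged:
!   %FW-6-DROP_PKT: Dropping icmp session ... on zone-pair ZP_WAN>LAN class class-default
!
! After: permit the ICMP types actually needed rather than every type. Echo lets outside
! hosts ping the LAN; unreachable and time-exceeded keep path MTU discovery and traceroute
! working. Drop the echo line if nobody outside should be able to ping inside hosts.
ip access-list extended ACL_WAN>LAN
 permit icmp any 192.168.1.0 0.0.0.255 echo
 permit icmp any 192.168.1.0 0.0.0.255 unreachable
 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
!
! No change is needed to the class-map or policy-map: CM_WAN_TRAFFIC already references
! the ACL, and the class action is "inspect", so the permitted ICMP is tracked as a session
! like the rest of the WAN>LAN traffic. Replies to pings started from the LAN are already
! handled by the inspected ICMP sessions on ZP_LAN>WAN and do not need an entry here.
!
! Verification from enable mode:
!   show ip access-lists ACL_WAN>LAN
!   show policy-map type inspect zone-pair ZP_WAN>LAN
!   show policy-map type inspect zone-pair ZP_WAN>LAN sessions
```

Leaving `drop log` on class-default is worth keeping: the log line that started this thread is the firewall doing its job, and the source address it records (37.157.53.34 here) is what tells you whether the pings are expected monitoring or an outside scan you want to keep dropping.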
