IOS Zone Firewall -- randomly lose remote SNMP to WLCM through firewall?

greg.fuller
Level 5

I've got a 3825 running 12.4(24)T with a WLCM module installed in it. We are currently configuring this device for deployment (very soon!).

I have some zone based firewall rules setup. Basically so our WCS server at our main campus can talk to the WLCM.

There is a VPN crypto-map applied to my outside interface (gig0/0) which connects back to our main campus network (129.3.0.0/16). VPN connectivity appears to be working without any issues.

IP address of my WCS server on my main campus is 129.3.108.7.

My WLCM's local IP address is 10.2.1.5 (global is 129.3.5.5).

The problem is that on initial boot of the 3825, SNMP/ICMP/HTTP/HTTPS connectivity to the WLCM from my WCS server works fine. But what will randomly happen after 10 minutes to several hours (it is random) is that SNMP connectivity will cease to the WLCM from my WCS server, but I can still ping/HTTP/HTTPS to the WLCM from the WCS server.

All syslog reports when connectivity ceases is:

%FW-6-DROP_PKT: Dropping udp session 129.3.108.7:40869 10.2.1.5:161 with ip ident 0

I have changed the policy-maps for OUTSIDE-TO-VLAN1 and VLAN1-TO-OUTSIDE zone-pairs to "inspect" instead of "pass log" and still experience the same problem.

I'll paste relevant portions of the configuration file to look at. I don't understand why I'm seeing this behavior, as the MAN-NETS ACL contains all the correct IPs to communicate.

If I turn off the zone based firewall, everything works fine without any problems.

I've also tried downgrading to 12.4(22)T1 and experience the same issue.

Thanks for any suggestions you guys can provide!
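A small detection helper, added here and not part of the original post: it parses %FW-6-DROP_PKT lines in the format quoted above and flags drops that hit flows the zone-based policy is supposed to permit (the WCS-to-WLCM SNMP pair from the post). The EXPECTED_ALLOWED set and the sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Cisco IOS zone-based firewall drop message, in the format quoted in the post.
FW_DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" with ip ident (?P<ident>\d+)"
)

# Flows the policy should permit: (src, dst, proto, dst port).
# Constructed from the post: WCS server -> WLCM over SNMP (udp/161).
EXPECTED_ALLOWED = {("129.3.108.7", "10.2.1.5", "udp", 161)}


def parse_fw_drop(line):
    """Return the fields of a %FW-6-DROP_PKT line, or None for other messages."""
    m = FW_DROP_RE.search(line)
    if not m:
        return None
    return {
        "proto": m.group("proto").lower(),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "ident": int(m.group("ident")),
    }


def find_unexpected_drops(lines):
    """Drops that match a flow in EXPECTED_ALLOWED, i.e. the firewall is
    dropping traffic the policy was meant to pass or inspect."""
    hits = []
    for line in lines:
        d = parse_fw_drop(line)
        if d and (d["src"], d["dst"], d["proto"], d["dport"]) in EXPECTED_ALLOWED:
            hits.append(d)
    return hits


def drops_by_service(lines):
    """Count all drops per (proto, dst port) to see which service is affected."""
    return Counter(
        (d["proto"], d["dport"]) for d in map(parse_fw_drop, lines) if d
    )


# Constructed sample syslog: the line from the post, a second SNMP drop with a
# timestamp prefix, an unrelated telnet drop, and a non-firewall message.
SAMPLE_LOG = [
    "%FW-6-DROP_PKT: Dropping udp session 129.3.108.7:40869 10.2.1.5:161 with ip ident 0",
    "Jan  1 00:12:03: %FW-6-DROP_PKT: Dropping udp session 129.3.108.7:40870 10.2.1.5:161 with ip ident 0",
    "Jan  1 00:12:04: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.9:51000 10.2.1.5:23 with ip ident 0",
    "Jan  1 00:12:05: %SYS-5-CONFIG_I: Configured from console by vty0",
]
```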

1 Reply

greg.fuller
Level 5

For anyone else that experiences this problem, it is a known bug in 12.2(22)T1 and 12.2(24)T (only ones I tested it with) when the VPN feature is enabled on an interface.

We are working with Cisco on a debug image to fix the problem. When they fix it I'll post the bug ID # for those interested.
