04-05-2021 08:26 AM
Wondering if anyone has seen where a policy-map "drop log" doesn't properly log dropped packets.
I am wanting to drop and log all packets on one port of a router and allow all on another.
I've got two networks in a test environment on a 4331: 192.168.1.0/24 (outside) and 10.10.0.0/24 (inside).
I want to drop and log all packets coming in from the outside to a Syslog server.
I am getting some UDP dropped packets in the log:
%FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet0/0/0 192.168.1.253:35247 => 255.255.255.255:10001(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 52686
%FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet0/0/0 192.168.1.253:40491 => 255.255.255.255:10001(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 30256
If I telnet directly to the external interface, or ping it or anything from the 192.168.1.x LAN,
it does not log to the syslog server, but it appears to be dropping the packets (no connection gets made).
Here are the relevant parts of the configuration:
-----------------------------
logging host 10.10.0.1 ! Syslog Server, enabled for all facilities
logging trap debugging
parameter-map type inspect global
 log dropped-packets
 alert on
policy-map type inspect INET_TO_SELF_POLICY
 class class-default
  drop log
policy-map type inspect SELF_TO_INET_POLICY
 class class-default
  drop log
policy-map type inspect INET_TO_LAN_POLICY
 class class-default
  drop log
policy-map type inspect LAN_TO_INET_POLICY
 class class-default
  pass
!
zone security LAN
 description LAN
zone security INET
 description Internet
zone-pair security INET_TO_SELF source INET destination self
 service-policy type inspect INET_TO_SELF_POLICY
zone-pair security SELF_TO_INET source self destination INET
 service-policy type inspect SELF_TO_INET_POLICY
zone-pair security LAN_TO_INET source LAN destination INET
 service-policy type inspect LAN_TO_INET_POLICY
zone-pair security INET_TO_LAN source INET destination LAN
 service-policy type inspect INET_TO_LAN_POLICY
interface GigabitEthernet0/0/0
 description Internet Test
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 zone-member security INET
interface GigabitEthernet0/0/1
 description LAN
 ip address 10.10.0.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 zone-member security LAN
ip nat inside source route-map GE0-NAT interface GigabitEthernet0/0/0 overload
04-05-2021 09:49 AM
What IOS software are you using? Plus, what is the router model number?
Have you checked this link? It might give you some leads to look at: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/117721-technote-iosfirewall-00.html
04-05-2021 10:37 AM
Hi Sheraz.
IOS-XE 16.7.1 on an ISR4331. I have looked at that tech note before. Strange thing is when I check the counters, I can see packets inbound to 192.168.1.254 are being dropped (as expected), but they don't show up in the syslog (which is wide open, recording everything). I was wanting to log all packets refused on the Gig0/0/0 but it does not seem to work the way that I would expect based on the documentation.
thanks,
Greg.
04-05-2021 11:47 AM
Greg, have you tried method two?
parameter-map type inspect LOG_PARAM
 log dropped-packets
!
policy-map type inspect ZBFW_PMAP
 class type inspect ZBFW_CMAP
  inspect LOG_PARAM
I read the documentation too; that's strange though. They have talked about QFP, so I guess it should be; it's not logging it to syslog.
04-05-2021 01:44 PM
Unfortunately, inspect can't be used in a class-default class (IOS throws an error). And drop can't be used with a specific parameter-map. All that I want here is to be able to log all dropped/rejected packets coming in on one port. What is even stranger is that some packets (only UDP and only some of them) do get logged, everything else does not. "show platform hardware qfp active stat drop all" shows lots of packets being dropped as a result of FirewallPolicy (which makes sense), but they aren't getting logged. I've also tried console and buffered logging instead of syslog with the same results, no joy.
04-05-2021 05:59 PM
I did some further investigation on this one. It actually does not appear to be related to the policy-map firewall, but rather the IOS logging facility itself. Regardless of how many packet drops are occurring, it is only logging one event every 30 seconds:
4/5/2021,8:16:48 PM,10.10.0.2,???,LOCAL0,INFO,2876: *Apr 6 01:14:30.944: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094843534764601 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:52607 => 192.168.1.254:450(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 60982 tcp flag 0x2, seq 1773800840, ack 0
4/5/2021,8:17:18 PM,10.10.0.2,???,LOCAL0,INFO,2877: *Apr 6 01:15:00.954: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094873542778228 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:54900 => 192.168.1.254:2733(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 4932 tcp flag 0x2, seq 2727082226, ack 0
4/5/2021,8:17:48 PM,10.10.0.2,???,LOCAL0,INFO,2878: *Apr 6 01:15:30.963: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094903550697828 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:56829 => 192.168.1.254:4650(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 14517 tcp flag 0x2, seq 2099299948, ack 0
4/5/2021,8:18:18 PM,10.10.0.2,???,LOCAL0,INFO,2879: *Apr 6 01:16:00.965: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094933551804531 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:58815 => 192.168.1.254:6625(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 24068 tcp flag 0x2, seq 2960609310, ack 0
4/5/2021,8:18:48 PM,10.10.0.2,???,LOCAL0,INFO,2880: *Apr 6 01:16:30.978: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094963563140406 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:60541 => 192.168.1.254:8349(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 33657 tcp flag 0x2, seq 3303628542, ack 0
4/5/2021,8:19:18 PM,10.10.0.2,???,LOCAL0,INFO,2881: *Apr 6 01:17:00.994: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094993578071289 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:61693 => 192.168.1.254:9500(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 43257 tcp flag 0x2, seq 2505938759, ack 0
4/5/2021,8:19:48 PM,10.10.0.2,???,LOCAL0,INFO,2882: *Apr 6 01:17:31.000: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095023583411387 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:63615 => 192.168.1.254:11421(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 52861 tcp flag 0x2, seq 3770639439, ack 0
4/5/2021,8:20:18 PM,10.10.0.2,???,LOCAL0,INFO,2883: *Apr 6 01:18:01.015: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095053597128806 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:49155 => 192.168.1.254:13342(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 62461 tcp flag 0x2, seq 4264897176, ack 0
4/5/2021,8:20:48 PM,10.10.0.2,???,LOCAL0,INFO,2884: *Apr 6 01:18:31.022: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095083602640138 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:51854 => 192.168.1.254:16031(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 6529 tcp flag 0x2, seq 1296161984, ack 0
4/5/2021,8:21:18 PM,10.10.0.2,???,LOCAL0,INFO,2885: *Apr 6 01:19:01.037: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095113616557397 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:53013 => 192.168.1.254:17185(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 16133 tcp flag 0x2, seq 1558175744, ack 0
4/5/2021,8:21:48 PM,10.10.0.2,???,LOCAL0,INFO,2886: *Apr 6 01:19:31.043: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095143621403475 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:55846 => 192.168.1.254:20000(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 25730 tcp flag 0x2, seq 2588849548, ack 0
4/5/2021,8:22:18 PM,10.10.0.2,???,LOCAL0,INFO,2887: *Apr 6 01:20:01.058: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095173634742646 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:56871 => 192.168.1.254:21023(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 35329 tcp flag 0x2, seq 3360765261, ack 0
4/5/2021,8:22:48 PM,10.10.0.2,???,LOCAL0,INFO,2888: *Apr 6 01:20:31.064: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095203640114363 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:59310 => 192.168.1.254:23455(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 44936 tcp flag 0x2, seq 2113729365, ack 0
4/5/2021,8:23:18 PM,10.10.0.2,???,LOCAL0,INFO,2889: *Apr 6 01:21:01.068: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095233642632642 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:60724 => 192.168.1.254:24866(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 54537 tcp flag 0x2, seq 3765190019, ack 0
I ran a port scan against the drop logged port, scanning all ports and the above list is what I get. I've tried changing the logging rate to 10000 as well as setting the logging queue limit much higher and the same thing happens; every thirty seconds I only get one event logged to the syslog server. Next, I put a protocol scope on the connection between the router and the syslog server and sure enough, I am seeing one message every 30 seconds coming from the router. This appears to be on the IOS side. Config issue? Any ideas where I can look?
thanks,
Greg.
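As an added example (not from the thread, and not Cisco's code), a small Python helper that parses the collector rows Greg posted and flags the fixed 30-second cadence, so the syslog feed is not mistaken for a complete count of dropped packets. The CSV column order (collector date, time, router, ???, facility, severity, message) is assumed from the rows above; the three sample rows are copied from the post.

```python
import re
from datetime import datetime

# Sample rows copied from the thread's syslog collector output
# (collector date, time, router, ???, facility, severity, IOS message).
SAMPLE_ROWS = [
    "4/5/2021,8:16:48 PM,10.10.0.2,???,LOCAL0,INFO,2876: *Apr 6 01:14:30.944: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094843534764601 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:52607 => 192.168.1.254:450(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 60982 tcp flag 0x2, seq 1773800840, ack 0",
    "4/5/2021,8:17:18 PM,10.10.0.2,???,LOCAL0,INFO,2877: *Apr 6 01:15:00.954: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094873542778228 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:54900 => 192.168.1.254:2733(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 4932 tcp flag 0x2, seq 2727082226, ack 0",
    "4/5/2021,8:17:48 PM,10.10.0.2,???,LOCAL0,INFO,2878: *Apr 6 01:15:30.963: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094903550697828 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:56829 => 192.168.1.254:4650(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 14517 tcp flag 0x2, seq 2099299948, ack 0",
]

# The %FW-6-DROP_PKT message body, in the layout shown in the rows above.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) pkt from (?P<intf>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<target>[^)]*)\)-\((?P<zone_pair>[^)]*)\) due to (?P<reason>[^:]+)"
)

def parse_row(row):
    """One collector CSV row -> event dict, or None if it is not a drop event."""
    fields = row.split(",", 6)            # the message itself contains commas
    if len(fields) < 7:
        return None
    m = DROP_RE.search(fields[6])
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{fields[0]} {fields[1]}", "%m/%d/%Y %I:%M:%S %p")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def drop_events(rows):
    return [ev for ev in map(parse_row, rows) if ev]

def intervals(events):
    """Seconds between consecutive drop events, by collector timestamp."""
    ts = sorted(e["ts"] for e in events)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]

def looks_throttled(events, period=30.0, tolerance=1.0, min_events=3):
    """True when at least min_events drop events arrive at a fixed cadence:
    the stream is rate-limited, so event count != packets dropped; use the
    QFP drop counters (show platform hardware qfp ...) for actual volume."""
    gaps = intervals(events)
    if len(gaps) < min_events - 1:
        return False
    return all(abs(g - period) <= tolerance for g in gaps)

if __name__ == "__main__":
    evs = drop_events(SAMPLE_ROWS)
    print(len(evs), "drop events; gaps", intervals(evs), "; throttled:", looks_throttled(evs))
```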