1686 Views, 0 Helpful, 5 Replies

"policy-map class class-default drop log" is not logging

sandstone_awood (Level 1)

Wondering if anyone has seen where a policy-map "drop log" doesn't properly log dropped packets.
I am wanting to drop and log all packets on one port of a router and allow all on another.
I've got two networks in a test environment on a 4331: 192.168.1.0/24 (outside) and 10.10.0.0/24 (inside).
I want to drop and log all packets coming in from the outside to a Syslog server.
I am getting some UDP dropped packets in the log:

%FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet0/0/0 192.168.1.253:35247 => 255.255.255.255:10001(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 52686
%FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet0/0/0 192.168.1.253:40491 => 255.255.255.255:10001(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 30256

If I telnet directly to the external interface, or ping it or anything from the 192.168.1.x LAN,
it does not log to the syslog server, but it appears to be dropping the packets (no connection gets made).
Here are the relevant parts of the configuration:

-----------------------------

logging host 10.10.0.1      ! Syslog Server, enabled for all facilities
logging trap debugging
!
parameter-map type inspect global
    log dropped-packets
    alert on
!
policy-map type inspect INET_TO_SELF_POLICY
    class class-default
    drop log
!
policy-map type inspect SELF_TO_INET_POLICY
    class class-default
    drop log
!
policy-map type inspect INET_TO_LAN_POLICY
    class class-default
    drop log
!
policy-map type inspect LAN_TO_INET_POLICY
    class class-default
    pass
!
zone security LAN
    description LAN
zone security INET
    description Internet
zone-pair security INET_TO_SELF source INET destination self
    service-policy type inspect INET_TO_SELF_POLICY
zone-pair security SELF_TO_INET source self destination INET
    service-policy type inspect SELF_TO_INET_POLICY
zone-pair security LAN_TO_INET source LAN destination INET
    service-policy type inspect LAN_TO_INET_POLICY
zone-pair security INET_TO_LAN source INET destination LAN
    service-policy type inspect INET_TO_LAN_POLICY
!
interface GigabitEthernet0/0/0
    description Internet Test
    ip address 192.168.1.254 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    zone-member security INET
!
interface GigabitEthernet0/0/1
    description LAN
    ip address 10.10.0.2 255.255.255.0
    no ip redirects
    no ip proxy-arp
    ip nat inside
    zone-member security LAN
!
ip nat inside source route-map GE0-NAT interface GigabitEthernet0/0/0 overload

5 Replies

What IOS software are you using? Also, what is the router model number?

Have you checked this link? It might give you some leads to look at: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/117721-technote-iosfirewall-00.html

Please do not forget to rate.

Hi Sheraz.

IOS-XE 16.7.1 on an ISR4331.  I have looked at that tech note before.  Strange thing is when I check the counters, I can see packets inbound to 192.168.1.254 are being dropped (as expected), but they don't show up in the syslog (which is wide open, recording everything).  I was wanting to log all packets refused on the Gig0/0/0 but it does not seem to work the way that I would expect based on the documentation.

Thanks,

Greg.

Greg, have you tried method two?

parameter-map type inspect LOG_PARAM
    log dropped-packets
!
policy-map type inspect ZBFW_PMAP
    class type inspect ZBFW_CMAP
    inspect LOG_PARAM

I read the documentation too; that's strange though.  They talk about QFP, so I guess it should be, but it's not logging it to syslog.

Please do not forget to rate.

Unfortunately, inspect can't be used in a class-default class (IOS throws an error).  And drop can't be used with a specific parameter-map.  All that I want here is to be able to log all dropped/rejected packets coming in on one port.  What is even stranger is that some packets (only UDP and only some of them) do get logged, everything else does not.  "show platform hardware qfp active stat drop all" shows lots of packets being dropped as a result of FirewallPolicy (which makes sense), but they aren't getting logged.  I've also tried console and buffered logging instead of syslog with the same results, no joy.

I did some further investigation on this one. It actually does not appear to be related to the policy-map firewall, but rather the IOS logging facility itself. Regardless of how many packet drops are occurring, it is only logging one event every 30 seconds:

4/5/2021,8:16:48 PM,10.10.0.2,???,LOCAL0,INFO,2876: *Apr 6 01:14:30.944: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094843534764601 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:52607 => 192.168.1.254:450(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 60982 tcp flag 0x2, seq 1773800840, ack 0
4/5/2021,8:17:18 PM,10.10.0.2,???,LOCAL0,INFO,2877: *Apr 6 01:15:00.954: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094873542778228 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:54900 => 192.168.1.254:2733(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 4932 tcp flag 0x2, seq 2727082226, ack 0
4/5/2021,8:17:48 PM,10.10.0.2,???,LOCAL0,INFO,2878: *Apr 6 01:15:30.963: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094903550697828 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:56829 => 192.168.1.254:4650(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 14517 tcp flag 0x2, seq 2099299948, ack 0
4/5/2021,8:18:18 PM,10.10.0.2,???,LOCAL0,INFO,2879: *Apr 6 01:16:00.965: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094933551804531 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:58815 => 192.168.1.254:6625(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 24068 tcp flag 0x2, seq 2960609310, ack 0
4/5/2021,8:18:48 PM,10.10.0.2,???,LOCAL0,INFO,2880: *Apr 6 01:16:30.978: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094963563140406 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:60541 => 192.168.1.254:8349(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 33657 tcp flag 0x2, seq 3303628542, ack 0
4/5/2021,8:19:18 PM,10.10.0.2,???,LOCAL0,INFO,2881: *Apr 6 01:17:00.994: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000094993578071289 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:61693 => 192.168.1.254:9500(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 43257 tcp flag 0x2, seq 2505938759, ack 0
4/5/2021,8:19:48 PM,10.10.0.2,???,LOCAL0,INFO,2882: *Apr 6 01:17:31.000: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095023583411387 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:63615 => 192.168.1.254:11421(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 52861 tcp flag 0x2, seq 3770639439, ack 0
4/5/2021,8:20:18 PM,10.10.0.2,???,LOCAL0,INFO,2883: *Apr 6 01:18:01.015: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095053597128806 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:49155 => 192.168.1.254:13342(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 62461 tcp flag 0x2, seq 4264897176, ack 0
4/5/2021,8:20:48 PM,10.10.0.2,???,LOCAL0,INFO,2884: *Apr 6 01:18:31.022: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095083602640138 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:51854 => 192.168.1.254:16031(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 6529 tcp flag 0x2, seq 1296161984, ack 0
4/5/2021,8:21:18 PM,10.10.0.2,???,LOCAL0,INFO,2885: *Apr 6 01:19:01.037: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095113616557397 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:53013 => 192.168.1.254:17185(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 16133 tcp flag 0x2, seq 1558175744, ack 0
4/5/2021,8:21:48 PM,10.10.0.2,???,LOCAL0,INFO,2886: *Apr 6 01:19:31.043: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095143621403475 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:55846 => 192.168.1.254:20000(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 25730 tcp flag 0x2, seq 2588849548, ack 0
4/5/2021,8:22:18 PM,10.10.0.2,???,LOCAL0,INFO,2887: *Apr 6 01:20:01.058: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095173634742646 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:56871 => 192.168.1.254:21023(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 35329 tcp flag 0x2, seq 3360765261, ack 0
4/5/2021,8:22:48 PM,10.10.0.2,???,LOCAL0,INFO,2888: *Apr 6 01:20:31.064: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095203640114363 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:59310 => 192.168.1.254:23455(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 44936 tcp flag 0x2, seq 2113729365, ack 0
4/5/2021,8:23:18 PM,10.10.0.2,???,LOCAL0,INFO,2889: *Apr 6 01:21:01.068: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000095233642632642 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 192.168.1.25:60724 => 192.168.1.254:24866(target:class)-(INET_TO_SELF:class-default) due to Policy drop:classify result with ip ident 54537 tcp flag 0x2, seq 3765190019, ack 0

I ran a port scan against the drop logged port, scanning all ports and the above list is what I get. I've tried changing the logging rate to 10000 as well as setting the logging queue limit much higher and the same thing happens; every thirty seconds I only get one event logged to the syslog server. Next, I put a protocol scope on the connection between the router and the syslog server and sure enough, I am seeing one message every 30 seconds coming from the router. This appears to be on the IOS side.  Config issue?  Any ideas where I can look?

 

Thanks,

Greg.
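Added example, not from the thread and not Cisco code: a Python parser for the %FW-6-DROP_PKT lines quoted above, handling both the bare form from the opening post and the collector-wrapped form from the port-scan capture in the last post. It measures the spacing between consecutive events and the destination-port stride between them, so a reader can distinguish a policy that logs nothing from one whose log is throttled to one message per interval, which is what the 30-second spacing and the roughly 2000-port jumps in the capture suggest. The regular expression, the 30-second period, the 1900 default year and the sample lines are assumptions taken from the message text in this thread, not a Cisco-published message grammar; the last sample line is constructed noise to show non-matching input being ignored.

```python
"""Parse Cisco IOS-XE ZBFW %FW-6-DROP_PKT syslog lines and measure how often
they arrive, to tell throttled drop logging from a policy that never logs.
Added example for the thread above; not from the thread or from Cisco."""
import re
from datetime import datetime
from statistics import median

# Body of the drop message, whether it arrives bare ("%FW-6-DROP_PKT: ...")
# or wrapped in a %IOSXE-6-PLATFORM line relayed by a syslog collector.
# Field names follow the message text quoted in the thread; the regex is an
# assumption about that format, not a Cisco-published grammar.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) pkt from (?P<ifname>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<target>[^)]*)\)-\((?P<zonepair>[^:)]+):(?P<cls>[^)]+)\) "
    r"due to (?P<reason>.+?)(?: with ip ident (?P<ident>\d+))?"
    r"(?: tcp flag (?P<flags>0x[0-9a-fA-F]+), seq \d+, ack \d+)?\s*$"
)
# Router-side timestamp in the wrapped form, e.g. "*Apr 6 01:14:30.944:".
TS_RE = re.compile(r"\*(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) "
                   r"(?P<time>\d\d:\d\d:\d\d\.\d+):")


def parse_drop(line):
    """Return a dict of the drop's fields, or None if the line is not one."""
    m = DROP_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in ("sport", "dport", "ident"):
        ev[k] = int(ev[k]) if ev[k] is not None else None
    ts = TS_RE.search(line)
    # The message carries no year; strptime defaults to 1900, which is
    # fine for differences between events on the same day (assumption).
    ev["ts"] = (datetime.strptime(f"{ts['mon']} {ts['day']} {ts['time']}",
                                  "%b %d %H:%M:%S.%f") if ts else None)
    return ev


def parse_lines(lines):
    return [ev for ev in map(parse_drop, lines) if ev]


def arrival_gaps(events):
    """Seconds between consecutive timestamped events, in input order."""
    stamped = [e["ts"] for e in events if e["ts"]]
    return [(b - a).total_seconds() for a, b in zip(stamped, stamped[1:])]


def port_strides(events):
    """Destination-port jump between consecutive events to the same target.
    During a sequential port scan a stride far above 1 means drops that
    happened but were never logged."""
    return [b["dport"] - a["dport"] for a, b in zip(events, events[1:])
            if a["dst"] == b["dst"] and a["proto"] == b["proto"]]


def summarize(events, expected_period=30.0, tolerance=1.0):
    """Uniform ~expected_period spacing plus large port strides is the
    signature of one-message-per-interval throttling, not of no logging."""
    gaps, strides = arrival_gaps(events), port_strides(events)
    throttled = (len(gaps) >= 2 and
                 all(abs(g - expected_period) <= tolerance for g in gaps))
    return {"events": len(events),
            "min_gap": min(gaps) if gaps else None,
            "max_gap": max(gaps) if gaps else None,
            "median_port_stride": median(strides) if strides else None,
            "throttled": throttled}


# Sample input: lines quoted in the thread plus one constructed non-match.
WRAP = ("4/5/2021,8:1{m} PM,10.10.0.2,???,LOCAL0,INFO,{seq}: *Apr 6 {t}: "
        "%IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:0 "
        "%FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet0/0/0 "
        "192.168.1.25:{sp} => 192.168.1.254:{dp}(target:class)"
        "-(INET_TO_SELF:class-default) due to Policy drop:classify result "
        "with ip ident {id} tcp flag 0x2, seq {tseq}, ack 0")
SAMPLE = [
    "%FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet0/0/0 "
    "192.168.1.253:35247 => 255.255.255.255:10001(target:class)"
    "-(INET_TO_SELF:class-default) due to Policy drop:classify result "
    "with ip ident 52686",
    WRAP.format(m="6:48", seq=2876, t="01:14:30.944", sp=52607, dp=450,
                id=60982, tseq=1773800840),
    WRAP.format(m="7:18", seq=2877, t="01:15:00.954", sp=54900, dp=2733,
                id=4932, tseq=2727082226),
    WRAP.format(m="7:48", seq=2878, t="01:15:30.963", sp=56829, dp=4650,
                id=14517, tseq=2099299948),
    WRAP.format(m="8:18", seq=2879, t="01:16:00.965", sp=58815, dp=6625,
                id=24068, tseq=2960609310),
    "%SYS-5-CONFIG_I: Configured from console by console",  # constructed
]

if __name__ == "__main__":
    print(summarize(parse_lines(SAMPLE)))
```

Run it against a file of collector output instead of SAMPLE and compare "events" with the drop counters from `show platform hardware qfp active stat drop all`: a throttled result with a port stride in the thousands means the firewall is dropping far more than it reports, so the syslog feed cannot be relied on as a record of refused connections.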
