Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
983
Views
0
Helpful
1
Replies

ZBF: Logging of drops because of inspects

Johannes Luther
Level 4
Level 4

‎06-30-2009 03:58 AM - edited ‎03-11-2019 08:49 AM

Hi all,

It's all about zone-based firewalling on an IOS router with 12.4(T) image.

is there a possibility to log drops, that are caused by an inspect action? For example a packet with the tcp-flag "ACK" is dropped, because there was no initial "SYN" - so the packet is out of state and dropped.

From a configuration point of view, it would look like the following:

I have a policy-map with different class-maps. One class-map for tcp-traffic inspection, one for udp inspection and one class-default with a drop action.

If there is an out-of-state TCP packet, it would match the tcp-traffic class-map and is dropped, due to inspection. But there is no logging event for that.

I use 12.4(11)T4 with adv. IP services.

Edit:

When doing a "debug ip packet", I can that the packet is dropped, because of the inspection. But a debugging output won't help me. Especially a debug ip packet in a live environment :-))

REMOTE-LBR1# debug ip packet detail

REMOTE-LBR1#

000331: *Jun 30 15:51:09.759 MESZ: IP: tableid=0, s=172.16.1.100 (FastEthernet0/1), d=10.134.128.1 (FastEthernet0/0), routed via FIB

000332: *Jun 30 15:51:09.763 MESZ: IP: s=172.16.1.100 (FastEthernet0/1), d=10.134.128.1 (FastEthernet0/0), len 40, dropped by inspect

Labels:
0 Helpful
1 Reply 1

Alex Yeung
Cisco Employee
Cisco Employee

‎06-30-2009 02:52 PM

Try 'ip inspect log drop-pkt', it works in both classic IOS FW config and Zone-based FW config.

Alex Yeung

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card