ZBF sometimes blocking websites

TCC Service
Beginner

Hi,

My ZBF configuration on a Cisco 3825 is sometimes blocking websites, but not always. Let's say users browse to Linkedin.com; they click around on the website, accessing several pages, and then suddenly they get the IE error saying that the website is unavailable. This is what appears in my ZBF log:

028454: May 25 07:49:48.360 CET: %FW-6-DROP_PKT: Dropping tcp session 64.74.98.80:80 INSIDEIP:49748 on zone-pair OUTSIDE_INSIDE_ZP class class-default due to  DROP action found in policy-map with ip ident 0

028455: May 25 07:50:22.553 CET: %FW-6-LOG_SUMMARY: 5 packets were dropped from 64.74.98.80:80 => INSIDEIP:49748 (target:class)-(OUTSIDE_INSIDE_ZP:class-default)

028456: May 25 07:50:43.677 CET: %FW-6-DROP_PKT: Dropping tcp session 64.74.98.80:80 INSIDEIP:49750 on zone-pair OUTSIDE_INSIDE_ZP class class-default due to  DROP action found in policy-map with ip ident 0

028457: May 25 07:51:21.214 CET: %FW-6-DROP_PKT: Dropping tcp session 64.74.98.80:80 INSIDEIP:49754 on zone-pair OUTSIDE_INSIDE_ZP class class-default due to  DROP action found in policy-map with ip ident 0

028458: May 25 07:51:22.554 CET: %FW-6-LOG_SUMMARY: 3 packets were dropped from 64.74.98.80:80 => INSIDEIP:49750 (target:class)-(OUTSIDE_INSIDE_ZP:class-default)

028459: May 25 07:51:22.554 CET: %FW-6-LOG_SUMMARY: 4 packets were dropped from 64.74.98.80:80 => INSIDEIP:49754 (target:class)-(OUTSIDE_INSIDE_ZP:class-default)

The packets are being dropped on the OUTSIDE -> INSIDE policy because for some reason they have not been inspected by the INSIDE -> OUTSIDE policy.

This is my ZBF config:

policy-map type inspect INSIDE_OUTSIDE_PM
class type inspect P2P_CM
  drop
class type inspect HTTP_URLFILTER_CM
  inspect
  service-policy urlfilter WEBSENSE_PM
class type inspect COMMON_PROTOCOLS_CM
  inspect
class type inspect TCP_UDP_ICMP_CM
  inspect
class class-default
  drop log

class-map type inspect match-all HTTP_URLFILTER_CM
match protocol http
match access-group name HTTP_URLFILTER_ACL

ip access-list extended HTTP_URLFILTER_ACL
permit ip any any

policy-map type inspect urlfilter WEBSENSE_PM
parameter type urlfpolicy websense WEBSENSE_SERVER_PARMAP
class type urlfilter websense WEBSENSE_CM
  server-specified-action

Can anyone tell me why this happens sometimes? It also happened before implementing Websense, so I don't think that's the problem.

Thanks!
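When troubleshooting a case like this, the first thing worth doing is turning the raw %FW-6-DROP_PKT and %FW-6-LOG_SUMMARY lines into per-flow counts so that you can see which sessions the firewall dropped, on which zone-pair and class, and whether the dropped packets look like server replies that found no inspect session. The script below is an added example, not code from the original post or from Cisco; it parses the six log lines quoted above (the poster's "INSIDEIP" redaction is kept as the client address) and flags flows dropped by class-default on OUTSIDE_INSIDE_ZP whose source port is a well-known service port and whose destination port is ephemeral. That port heuristic is an assumption of this example, as is the zone-pair name passed to `return_path_drops`; only the message formats come from the post.

```python
import re

# The six log lines quoted in the post, used here as constructed sample input.
# "INSIDEIP" is the poster's redaction of the inside client address.
SAMPLE_LOG = """\
028454: May 25 07:49:48.360 CET: %FW-6-DROP_PKT: Dropping tcp session 64.74.98.80:80 INSIDEIP:49748 on zone-pair OUTSIDE_INSIDE_ZP class class-default due to  DROP action found in policy-map with ip ident 0
028455: May 25 07:50:22.553 CET: %FW-6-LOG_SUMMARY: 5 packets were dropped from 64.74.98.80:80 => INSIDEIP:49748 (target:class)-(OUTSIDE_INSIDE_ZP:class-default)
028456: May 25 07:50:43.677 CET: %FW-6-DROP_PKT: Dropping tcp session 64.74.98.80:80 INSIDEIP:49750 on zone-pair OUTSIDE_INSIDE_ZP class class-default due to  DROP action found in policy-map with ip ident 0
028457: May 25 07:51:21.214 CET: %FW-6-DROP_PKT: Dropping tcp session 64.74.98.80:80 INSIDEIP:49754 on zone-pair OUTSIDE_INSIDE_ZP class class-default due to  DROP action found in policy-map with ip ident 0
028458: May 25 07:51:22.554 CET: %FW-6-LOG_SUMMARY: 3 packets were dropped from 64.74.98.80:80 => INSIDEIP:49750 (target:class)-(OUTSIDE_INSIDE_ZP:class-default)
028459: May 25 07:51:22.554 CET: %FW-6-LOG_SUMMARY: 4 packets were dropped from 64.74.98.80:80 => INSIDEIP:49754 (target:class)-(OUTSIDE_INSIDE_ZP:class-default)
"""

# IOS syslog prefix: sequence number, timestamp, timezone, then the message body.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) (?P<tz>\S+): (?P<msg>.*)$")
# First dropped packet of a session (one event per session).
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) on zone-pair (?P<zp>\S+) class (?P<cls>\S+)")
# Periodic summary of how many packets of that session were dropped.
SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<pkts>\d+) packets were dropped from (?P<src>\S+):(?P<sport>\d+) "
    r"=> (?P<dst>\S+):(?P<dport>\d+) \(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)")


def parse_line(line):
    """Parse one syslog line into a flat event dict; return None for non-ZBF-drop lines."""
    head = HEADER_RE.match(line.strip())
    if not head:
        return None
    msg = head["msg"]
    m = DROP_RE.search(msg)
    if m:
        kind = "DROP_PKT"
    else:
        m = SUMMARY_RE.search(msg)
        if not m:
            return None
        kind = "LOG_SUMMARY"
    ev = {"seq": int(head["seq"]), "ts": head["ts"], "kind": kind, **m.groupdict()}
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    # DROP_PKT carries no packet count; only LOG_SUMMARY does.
    ev["pkts"] = int(ev["pkts"]) if "pkts" in ev else 0
    return ev


def parse_log(text):
    """Parse every line of a log dump, skipping blanks and unrelated messages."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events):
    """Aggregate events per (src, sport, dst, dport) flow: DROP_PKT events seen,
    packets reported by LOG_SUMMARY, the dropping zone-pair/class, first/last time."""
    flows = {}
    for ev in events:
        key = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
        f = flows.setdefault(key, {"drop_events": 0, "pkts": 0, "zp": ev["zp"],
                                   "cls": ev["cls"], "first": ev["ts"], "last": ev["ts"]})
        if ev["kind"] == "DROP_PKT":
            f["drop_events"] += 1
        else:
            f["pkts"] += ev["pkts"]
        f["last"] = ev["ts"]
    return flows


def return_path_drops(flows, outside_to_inside_zp="OUTSIDE_INSIDE_ZP"):
    """Heuristic (assumption of this example): a flow dropped by class-default on the
    outside->inside zone-pair, sourced from a well-known port (<1024) and destined to an
    ephemeral port, looks like a server reply for which no inspect session existed, i.e.
    the inside->outside session was never created or had already been torn down."""
    hits = []
    for (src, sport, dst, dport), f in flows.items():
        if f["zp"] == outside_to_inside_zp and f["cls"] == "class-default" \
                and sport < 1024 <= dport:
            hits.append((src, sport, dst, dport))
    return sorted(hits)


if __name__ == "__main__":
    flows = summarize(parse_log(SAMPLE_LOG))
    suspects = set(return_path_drops(flows))
    for key, f in sorted(flows.items()):
        flag = "REPLY-WITHOUT-SESSION" if key in suspects else ""
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  events={f['drop_events']} "
              f"pkts={f['pkts']} {f['zp']}/{f['cls']} {f['first']}..{f['last']} {flag}")
```

Run against a longer log, the per-flow view makes the pattern in the post visible at a glance: every flagged flow is port 80 on the outside host answering an ephemeral client port, which is exactly what you expect when the inspect session for that client connection is no longer in the state table. The next step on the router would be to compare the flagged flows against `show policy-map type inspect zone-pair sessions` taken while the problem occurs, to see whether the session was ever created by the INSIDE_OUTSIDE_PM policy.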

5 Replies