Hello,
The Zone-Based Firewall is dropping packets from one interface to another and I cannot understand why.
1) There is a zone-pair between both interfaces
2) All IP traffic is allowed
3) The log says (target:class)-(none:none). Not even class-default is detected. Why?
Config:
zone security VPN
zone security USUARIOS
!------------------------
!VPN=>USUARIOS
!------------------------
ip access-list extended VPN-TO-USUARIOS
 permit ip any any
!
class-map type inspect match-all VPN-TO-USUARIOS-CLASS
 match access-group name VPN-TO-USUARIOS
!
policy-map type inspect VPN-TO-USUARIOS-POLICY
 class type inspect VPN-TO-USUARIOS-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security VPN-TO-USUARIOS source VPN destination USUARIOS
 service-policy type inspect VPN-TO-USUARIOS-POLICY
!
interface Vlan35
 zone-member security VPN
!
interface GigabitEthernet0/0/1.2
 zone-member security USUARIOS
!
IP addresses:
GigabitEthernet0/0/1.2: 10.65.48.1
Vlan35: 10.68.168.1
Drop log:
002001: Sep 12 07:29:33.212 BRASIL: %IOSXE-6-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:000 TS:00000084879874157576 %FW-6-LOG_SUMMARY: 1 udp packet was dropped from Vlan35 10.5.0.64:53 => 10.65.48.15:61404 (target:class)-(none:none)
Why can't ZBFW identify target:class? Why is it dropping packets from this source and destination?
Thank you.
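The check a practitioner would run on a drop line like the one above is to pull the fields out of the %FW-6-LOG_SUMMARY message and compare the ingress zone, the destination zone and the ports against the zone-pair table actually configured. The script below is an added example, not code from the original post or from Cisco: it parses the posted log line plus two constructed ones, and flags (a) a none:none target/class, (b) a missing zone-pair in either direction between the two zones, and (c) a udp source port 53, which marks the packet as a DNS reply, i.e. return traffic for a query that went the other way. Assumptions it makes that the post does not state: that a classified drop carries the zone-pair and class-map names in the `(target:class)-(pair:class)` tail, that the two interfaces' subnets are /24 (only the interface addresses are given), and that the platform may log the subinterface as `Gi0/0/1.2` as well as `GigabitEthernet0/0/1.2`.

```python
"""Parse IOS-XE ZBFW %FW-6-LOG_SUMMARY drop lines and check them against
the zone membership and zone-pairs transcribed from the posted config."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Field layout taken from the line in the post. The "(target:class)-(X:Y)" tail
# is assumed to carry the zone-pair name and class-map name when a policy did
# classify the packet; the post only shows the none:none form.
LOG_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) (?P<proto>[a-z]+) packets? (?:was|were) dropped "
    r"from (?P<ifname>\S+) (?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<target>[^:)]+):(?P<cls>[^)]+)\)"
)


@dataclass(frozen=True)
class Drop:
    count: int
    proto: str
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int
    target: str
    cls: str


def parse_drop(line: str) -> Optional[Drop]:
    """Return the fields of one LOG_SUMMARY line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Drop(int(g["count"]), g["proto"], g["ifname"], g["src"], int(g["sport"]),
                g["dst"], int(g["dport"]), g["target"], g["cls"])


# Zone membership and the single zone-pair, transcribed from the posted config.
# The short interface name "Gi0/0/1.2" is an assumed alias for the log form.
ZONE_OF_INTERFACE: Dict[str, str] = {
    "Vlan35": "VPN",
    "GigabitEthernet0/0/1.2": "USUARIOS",
    "Gi0/0/1.2": "USUARIOS",
}
ZONE_PAIRS: Set[Tuple[str, str]] = {("VPN", "USUARIOS")}
# Only interface addresses are given in the post; /24 masks are an assumption.
ZONE_OF_PREFIX = {
    ip_network("10.68.168.0/24"): "VPN",
    ip_network("10.65.48.0/24"): "USUARIOS",
}


def zone_for_ip(ip: str, prefixes) -> Optional[str]:
    addr = ip_address(ip)
    for net, zone in prefixes.items():
        if addr in net:
            return zone
    return None


def diagnose(drop: Drop, zone_of_interface, zone_pairs, zone_of_prefix) -> List[str]:
    """List the reasons this drop is consistent with the configured zone-pairs."""
    findings: List[str] = []
    src_zone = zone_of_interface.get(drop.ifname)
    dst_zone = zone_for_ip(drop.dst, zone_of_prefix)
    if drop.target == "none" and drop.cls == "none":
        findings.append("no zone-pair policy classified this packet (target:class = none:none)")
    if src_zone and dst_zone and src_zone != dst_zone:
        if (src_zone, dst_zone) not in zone_pairs:
            findings.append(f"no zone-pair {src_zone}->{dst_zone}: inter-zone traffic "
                            "without a zone-pair is dropped by default")
        if (dst_zone, src_zone) not in zone_pairs:
            findings.append(f"no zone-pair {dst_zone}->{src_zone}: flows opened from "
                            f"{dst_zone} are never inspected, so their return traffic "
                            "has no session to match")
    if drop.proto == "udp" and drop.sport == 53:
        findings.append("source port 53/udp: a DNS reply, i.e. return traffic for a "
                        "query sent in the opposite direction")
    return findings


# Constructed sample input: line 1 is the line from the post, lines 2-3 are made up.
SAMPLE_LINES = [
    "002001: Sep 12 07:29:33.212 BRASIL: %IOSXE-6-PLATFORM: SIP1: cpp_cp: QFP:0.0 "
    "Thread:000 TS:00000084879874157576 %FW-6-LOG_SUMMARY: 1 udp packet was dropped "
    "from Vlan35 10.5.0.64:53 => 10.65.48.15:61404 (target:class)-(none:none)",
    "002002: Sep 12 07:30:01.004 BRASIL: %IOSXE-6-PLATFORM: SIP1: cpp_cp: QFP:0.0 "
    "Thread:000 TS:00000084879900000000 %FW-6-LOG_SUMMARY: 2 tcp packets were dropped "
    "from Vlan35 10.68.168.20:4444 => 10.65.48.15:445 "
    "(target:class)-(VPN-TO-USUARIOS:class-default)",
    "002003: Sep 12 07:30:05.100 BRASIL: %SYS-5-CONFIG_I: Configured from console",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        drop = parse_drop(line)
        if drop is None:
            continue
        print(f"{drop.proto} {drop.src}:{drop.sport} -> {drop.dst}:{drop.dport} "
              f"via {drop.ifname} [{drop.target}:{drop.cls}]")
        for f in diagnose(drop, ZONE_OF_INTERFACE, ZONE_PAIRS, ZONE_OF_PREFIX):
            print("  -", f)
```

Run against the posted line it reports all three conditions: the packet was not classified by any policy, there is no USUARIOS->VPN zone-pair in the config, and the packet is a DNS reply coming back from the VPN side. Whether that combination is the actual cause on the poster's box is for the poster to confirm (for example with `show policy-firewall sessions`); the script only states what the posted config and log are consistent with.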