%FW-6-DROP_PKT flooding Syslog

tcatanho (Level 1)

Hello, and thank you in advance for taking the time to read this (I hope this is the right board for this question).

 

This alarm is flooding the syslog of a Cisco CGR 2010 running Version 15.8(3)M.

%FW-6-DROP_PKT: Dropping icmp session xx.xxx.174.12:0 yy.yyy.9.44:0 on zone-pair PUB_PRIVATE class PUBLIC due to Internal Error with ip ident 44797

 

The service is running correctly without any issues, but this alarm flooding the syslog is impractical and I am trying to understand why. I have been trying to understand it, with no success. Maybe someone here can enlighten me.

 

The configuration on the equipment is this:

class-map type inspect match-all PUBLIC
 match access-group name TRAFFIC_RULES_PUBLIC
!
policy-map type inspect PUB_PRIVATE
 class type inspect PUBLIC
  inspect
 class class-default
  drop
!
zone-pair security PUB_PRIVATE source PUBLIC destination PRIVATE
 service-policy type inspect PUB_PRIVATE
!
ip access-list extended TRAFFIC_RULES_PUBLIC
 permit ip xx.xxx.174.8 0.0.0.7 yy.yyy.9.40 0.0.0.7
!
And yes, I have both security zones defined and applied correctly to the desired interfaces.

Has anyone come across something similar to this?

Thank you

4 Replies

Do you have any HTTP server configured on the router?

tcatanho (Level 1)

No, I don't have an HTTP server on the router.

Thank you for your reply!

 

https://netoops.net/2018/02/12/cisco-zbf-and-icmp-inspect-drops/
You see, there is a lot of monitoring that depends on ICMP, and I think the zone firewall drops it.
The link above clarifies my point.

Thank you for your reply, I've read the article https://netoops.net/2018/02/12/cisco-zbf-and-icmp-inspect-drops/

 

The solution they give is:

class-map type inspect match-any CM-UNTRUST-TO-TRUST-ICMP-ALLOW
 match protocol icmp
!
policy-map type inspect PM-UNTRUST-TO-TRUST
 class type inspect CM-UNTRUST-TO-TRUST-ICMP-ALLOW
  pass
 class type inspect CM-UNTRUST-TO-TRUST-ALLOW
  inspect
 class class-default

 

but if I'm doing:

policy-map type inspect PUB_PRIVATE
 class type inspect PUBLIC
  inspect
 class class-default
  drop
!
class-map type inspect match-all PUBLIC
 match access-group name TRAFFIC_RULES_PUBLIC
!
ip access-list extended TRAFFIC_RULES_PUBLIC
 permit ip xx.xxx.174.8 0.0.0.7 yy.yyy.9.40 0.0.0.7
!

 

Shouldn't my configuration do the same job as the solution you sent? I am permitting any IP protocol inside the access list, so I don't see why it would block ICMP packets.

 

 

Thank you and best regards,

Tiago
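As an added example (not configuration from the original thread or from the linked article), this is the article's approach transposed onto the poster's zone-pair, class and ACL names: ICMP from the permitted /29 is matched by a dedicated class placed ahead of PUBLIC and given `pass` instead of `inspect`, so it never enters the inspection engine that is logging the drops, while all other traffic still hits the existing PUBLIC class. The class-map names containing ICMP, the PRIVATE_PUB policy, the PRIVATE_PUBLIC zone-pair and the TRAFFIC_RULES_PRIVATE ACL are assumptions introduced for the example. The caveat a practitioner needs: `pass` is stateless, so unlike `inspect` it creates no session for the return direction; the echo replies coming back from PRIVATE to PUBLIC must be permitted explicitly on a reverse zone-pair, otherwise the zone-based firewall drops them as inter-zone traffic with no policy.

```cisco
! Added example, not from the thread. Names with ICMP, PRIVATE_PUB,
! PRIVATE_PUBLIC and TRAFFIC_RULES_PRIVATE are assumed for illustration.
!
! Same ACL as in the post: the monitoring /29 to the monitored /29.
ip access-list extended TRAFFIC_RULES_PUBLIC
 permit ip xx.xxx.174.8 0.0.0.7 yy.yyy.9.40 0.0.0.7
!
! Reverse ACL (assumed) so the return direction is just as tightly scoped.
ip access-list extended TRAFFIC_RULES_PRIVATE
 permit ip yy.yyy.9.40 0.0.0.7 xx.xxx.174.8 0.0.0.7
!
! match-all: both the protocol and the address scope must match,
! so only ICMP between the two /29s is passed, not ICMP from anywhere.
class-map type inspect match-all ICMP_PUBLIC
 match protocol icmp
 match access-group name TRAFFIC_RULES_PUBLIC
!
class-map type inspect match-all ICMP_PRIVATE
 match protocol icmp
 match access-group name TRAFFIC_RULES_PRIVATE
!
! Unchanged from the post: everything else between the /29s is inspected.
class-map type inspect match-all PUBLIC
 match access-group name TRAFFIC_RULES_PUBLIC
!
! Classes are evaluated top-down, first match wins: ICMP is passed
! (stateless, no session created) before it can reach the inspect class.
policy-map type inspect PUB_PRIVATE
 class type inspect ICMP_PUBLIC
  pass
 class type inspect PUBLIC
  inspect
 class class-default
  drop
!
zone-pair security PUB_PRIVATE source PUBLIC destination PRIVATE
 service-policy type inspect PUB_PRIVATE
!
! Because pass keeps no state, ICMP replies from PRIVATE back to PUBLIC
! need their own pass on the reverse zone-pair (assumed names).
policy-map type inspect PRIVATE_PUB
 class type inspect ICMP_PRIVATE
  pass
 class class-default
  drop
!
zone-pair security PRIVATE_PUBLIC source PRIVATE destination PUBLIC
 service-policy type inspect PRIVATE_PUB
```

To confirm the change is taking effect, `show policy-map type inspect zone-pair PUB_PRIVATE` shows per-class packet counters; the pass counter on ICMP_PUBLIC should climb while the PUBLIC class stops accumulating ICMP drops. Note that this trades state tracking for the ICMP flows: a host in the permitted private /29 can now send ICMP toward the monitoring /29 unsolicited, which is why the example keeps the ACL scope on both directions rather than passing all ICMP.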