02-03-2022 04:32 AM
Hello, and thank you in advance for taking the time to read this (I hope this is the right board for this question).
This alarm is flooding the syslog of a Cisco CGR 2010 running Version 15.8(3)M.
%FW-6-DROP_PKT: Dropping icmp session xx.xxx.174.12:0 yy.yyy.9.44:0 on zone-pair PUB_PRIVATE class PUBLIC due to Internal Error with ip ident 44797
The service is running correctly without any issues, but this alarm flooding the syslog is impractical and I am trying to understand why it happens. I have been trying to understand it, with no success. Maybe someone here can enlighten me.
The configuration on the equipment is this:
class-map type inspect match-all PUBLIC
match access-group name TRAFFIC_RULES_PUBLIC
!
policy-map type inspect PUB_PRIVATE
class type inspect PUBLIC
inspect
class class-default
drop
!
zone-pair security PUB_PRIVATE source PUBLIC destination PRIVATE
service-policy type inspect PUB_PRIVATE
!
ip access-list extended TRAFFIC_RULES_PUBLIC
permit ip xx.xxx.174.8 0.0.0.7 yy.yyy.9.40 0.0.0.7
!
And yes, I have both security zones defined and applied correctly to the desired interfaces.
Has anyone come across something similar to this?
Thank you
02-03-2022 09:19 AM
Do you have an HTTP server configured on the router?
02-03-2022 10:04 AM
No, I don't have an HTTP server on the router.
Thank you for your reply!
02-07-2022 03:04 PM
https://netoops.net/2018/02/12/cisco-zbf-and-icmp-inspect-drops/
You see, a lot of monitoring depends on ICMP, and I think the zone firewall drops it.
The link above is to clarify my point.
02-08-2022 01:47 AM
Thank you for your reply, I've read the article https://netoops.net/2018/02/12/cisco-zbf-and-icmp-inspect-drops/
The solution they give is:
class-map type inspect match-any CM-UNTRUST-TO-TRUST-ICMP-ALLOW
match protocol icmp
!
policy-map type inspect PM-UNTRUST-TO-TRUST
class type inspect CM-UNTRUST-TO-TRUST-ICMP-ALLOW
pass
class type inspect CM-UNTRUST-TO-TRUST-ALLOW
inspect
class class-default
but if I'm doing:
policy-map type inspect PUB_PRIVATE
class type inspect PUBLIC
inspect
class class-default
drop
!
class-map type inspect match-all PUBLIC
match access-group name TRAFFIC_RULES_PUBLIC
!
ip access-list extended TRAFFIC_RULES_PUBLIC
permit ip xx.xxx.174.8 0.0.0.7 yy.yyy.9.40 0.0.0.7
!
Shouldn't my configuration do the same job as the solution you sent? I am permitting any IP protocol in the access list, so I don't see why it would block ICMP packets.
Thank you and best regards,
Tiago
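The difference between the two configurations is the action, not the ACL: the OP's PUBLIC class sends every matching packet, ICMP included, through `inspect`, while the linked article places a separate ICMP class with the `pass` action ahead of the inspected class. Because a policy-map evaluates its classes in order and the first matching class wins, an ICMP-only `pass` class placed before PUBLIC means ICMP between the permitted subnets is forwarded without inspection and without the DROP_PKT message. The following is an added example applying that pattern to the OP's own names; it is not configuration from the thread participants or the linked article, and it assumes the same zone-pair and ACL already shown above. A `pass` class creates no session state, so the reverse zone-pair (PRIVATE to PUBLIC) needs a matching `pass` for reply packets to be forwarded too.

```cisco
! Added example (not from the thread): ICMP passed, everything else inspected.
! Assumes the zones PUBLIC/PRIVATE and the ACL TRAFFIC_RULES_PUBLIC from the thread.
ip access-list extended TRAFFIC_RULES_PUBLIC
 permit ip xx.xxx.174.8 0.0.0.7 yy.yyy.9.40 0.0.0.7
!
! ICMP class for only the traffic the ACL already permits (both conditions must match).
class-map type inspect match-all PUBLIC_ICMP
 match protocol icmp
 match access-group name TRAFFIC_RULES_PUBLIC
!
! Unchanged class from the thread; now it only sees the non-ICMP traffic.
class-map type inspect match-all PUBLIC
 match access-group name TRAFFIC_RULES_PUBLIC
!
! Class order matters: the ICMP class must come before PUBLIC, or PUBLIC wins.
policy-map type inspect PUB_PRIVATE
 class type inspect PUBLIC_ICMP
  pass
 class type inspect PUBLIC
  inspect
 class class-default
  drop
!
zone-pair security PUB_PRIVATE source PUBLIC destination PRIVATE
 service-policy type inspect PUB_PRIVATE
!
! Because pass is stateless, ICMP replies need the same treatment in the reverse direction.
! Zone-pair name and ACL contents here are assumptions for the example.
ip access-list extended TRAFFIC_RULES_PRIVATE_ICMP
 permit icmp yy.yyy.9.40 0.0.0.7 xx.xxx.174.8 0.0.0.7
!
class-map type inspect match-all PRIVATE_ICMP
 match protocol icmp
 match access-group name TRAFFIC_RULES_PRIVATE_ICMP
!
policy-map type inspect PRIVATE_PUBLIC
 class type inspect PRIVATE_ICMP
  pass
 class class-default
  drop
!
zone-pair security PRIVATE_PUBLIC source PRIVATE destination PUBLIC
 service-policy type inspect PRIVATE_PUBLIC
```

After applying it, `show policy-map type inspect zone-pair PUB_PRIVATE` should show ICMP hits moving from the PUBLIC class to the PUBLIC_ICMP class, and the `%FW-6-DROP_PKT` messages for icmp sessions should stop appearing if the drop was caused by ICMP inspection as the article describes.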