%FW-6-DROP_PKT: Dropping Unknown-l4 session X.X.X.X:0 X.X.X.X:0 on zone-pair ZONE-PAIR class class-default due to DROP action found in policy-map with ip ident 0
Good day all,
Just thought I post this discussion to help somebody that may run into this issue in future. This is how I resolved this problem, may or may not apply to all but worth a shot.
I have a Cisco 2951 ISR running Zone Based Firewall. I kept seeing the unknown Layer 4 error even though the ACL was set to allow all IP traffic (permit IP any any) between the zones and policy-maps were inspecting the resulting packets. However even simple TCP packets were marked as unknown and were getting dropped. Spent hours trying to fix it. At the end it turned out to be a bug in the version of IOS I was running (c2951-universalk9-mz.SPA.152-3.T3.bin). Upgraded the IOS to latest one from Cisco (c2951-universalk9-mz.SPA.155-3.M7.bin) and immediately the router started to identify packets correctly and issue was resolved.
Re: %FW-6-DROP_PKT: Dropping Unknown-l4 session X.X.X.X:0 X.X.X.X:0 on zone-pair ZONE-PAIR class class-default due to DROP action found in policy-map with ip ident 0
Thanks for posting about your experience with this issue. I hope it will be helpful to other readers in the forum. It does remind us that sometimes when we are dealing with a problem and the config seems right that we should consider the possibility of bug in the software. +5 for this.
1. Log into CLI of DNAC:
ssh maglev@< DNAC appliance IP> -p 2222
2. Run this curl command to get token to get member id:
curl -X POST -u admin:<admin user password> -H -V https://<CLUSTER-IP>/api/system/v1/identitymgmt/token
Enterprise Switching Business Unit is glad to announce Beta release 16.12.2 for all Catalyst 9200/9300/9400/9500/9600 and Catalyst 3650/3850 Platforms. This release is made available to allow users to test, evaluate and share fee...
Do you currently have hands-on networking experience? If you do, we'd love to hear from you!
Your feedback will be reviewed and analyzed by our team to directly influence a networking management and monitoring product.
Take the 20-min or les...