1422 Views | 35 Helpful | 4 Replies

%FW-6-DROP_PKT: Dropping Unknown-l4 session X.X.X.X:0 X.X.X.X:0 on zone-pair ZONE-PAIR class class-default due to DROP action found in policy-map with ip ident 0

Ricky Sandhu
Level 1

Good day all,

Just thought I'd post this discussion to help somebody that may run into this issue in future. This is how I resolved this problem; it may or may not apply to all, but it's worth a shot.

I have a Cisco 2951 ISR running Zone Based Firewall. I kept seeing the unknown Layer 4 error even though the ACL was set to allow all IP traffic (permit ip any any) between the zones and policy-maps were inspecting the resulting packets. However, even simple TCP packets were marked as unknown and were getting dropped. Spent hours trying to fix it. In the end it turned out to be a bug in the version of IOS I was running (c2951-universalk9-mz.SPA.152-3.T3.bin). Upgraded the IOS to the latest one from Cisco (c2951-universalk9-mz.SPA.155-3.M7.bin) and immediately the router started to identify packets correctly and the issue was resolved.


Cheers!!

4 Replies

Richard Burts
Hall of Fame

Thanks for posting about your experience with this issue. I hope it will be helpful to other readers in the forum. It does remind us that sometimes, when we are dealing with a problem and the config seems right, we should consider the possibility of a bug in the software. +5 for this.

HTH

Rick

008825: *May 1 06:46:54.279 utc: %FW-6-PASS_PKT: (target:class)-(self2internet:self-out-pass) Passing Unknown-l4 pkt XXX.XXX.XXX.XXX:0 => YYY.YYY.YYY.YYY:0 with ip ident 58035
rtr-ca-v-cayug-01#sho ver | i 15\.
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.7(3)M4a, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

Hello,

Interesting. It is not listed as a bug.

Recommended release is 15.7.3M6 MD...curious to know if the dropped packets occur in that release as well...could you try and upgrade and report the results?

This box is in the annual patch list with its colleagues :0)
This Unknown-l4 is ESP between 2 IPsec peers (this rtr & another remote one). As you may expect, ESP obviously is passed under its class, but the platform doesn't recognize it in the logs :0)
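The two message formats quoted in this thread (the %FW-6-DROP_PKT line in the original post and the %FW-6-PASS_PKT line above) are easy to triage in bulk once they are parsed rather than eyeballed. The following is an added example, not code from the thread or from Cisco: it parses both formats, keeps PASS and DROP events separate (since, as this reply notes, Unknown-l4 can be perfectly legitimate ESP that is being passed), and reports only Unknown-l4 sessions that hit a DROP action in class-default per zone-pair, which was the symptom the original poster chased. The regular expressions are modelled on the two quoted lines; the assumption that the parenthesised `(zone-pair:class)` pair in the PASS_PKT format carries the zone-pair name and class name follows from the line shown above. The sample log lines are constructed with documentation addresses and are not from a real router.

```python
import re
from collections import Counter

# Constructed sample syslog, modelled on the two ZBF message formats quoted in
# this thread. Addresses are RFC 5737 documentation ranges, not real peers.
SAMPLE_LOG = """\
000101: *May 1 06:46:50.101 utc: %FW-6-DROP_PKT: Dropping Unknown-l4 session 192.0.2.10:0 198.51.100.20:0 on zone-pair LAN-TO-WAN class class-default due to DROP action found in policy-map with ip ident 0
000102: *May 1 06:46:51.202 utc: %FW-6-DROP_PKT: Dropping Unknown-l4 session 192.0.2.11:0 198.51.100.20:0 on zone-pair LAN-TO-WAN class class-default due to DROP action found in policy-map with ip ident 0
000103: *May 1 06:46:52.303 utc: %FW-6-PASS_PKT: (target:class)-(self2internet:self-out-pass) Passing Unknown-l4 pkt 203.0.113.1:0 => 203.0.113.2:0 with ip ident 58035
000104: *May 1 06:46:53.404 utc: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.12:51000 198.51.100.30:445 on zone-pair LAN-TO-WAN class class-default due to DROP action found in policy-map with ip ident 0
000105: *May 1 06:46:54.505 utc: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# DROP_PKT format: "Dropping <l4> session SRC:SPORT DST:DPORT on zone-pair ZP class CLS ..."
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<l4>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+)"
)

# PASS_PKT format: "(target:class)-(ZP:CLS) Passing <l4> pkt SRC:SPORT => DST:DPORT ..."
# Assumption: the second parenthesised pair is zone-pair:class, as in the line quoted above.
PASS_RE = re.compile(
    r"%FW-6-PASS_PKT: \(target:class\)-\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\) "
    r"Passing (?P<l4>\S+) pkt "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_fw_line(line):
    """Return a dict describing a ZBF DROP_PKT or PASS_PKT line, or None for any other line."""
    m = DROP_RE.search(line)
    if m:
        return {"action": "DROP", **m.groupdict()}
    m = PASS_RE.search(line)
    if m:
        return {"action": "PASS", **m.groupdict()}
    return None


def summarize(log_text):
    """Count firewall events keyed by (action, l4 type, zone-pair, class)."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_fw_line(line)
        if event is None:
            continue  # not a ZBF packet-verdict message
        counts[(event["action"], event["l4"], event["zone_pair"], event["cls"])] += 1
    return counts


def unknown_l4_drops(log_text):
    """Return {zone-pair: count} of Unknown-l4 sessions dropped by class-default.

    PASS events are deliberately excluded: the thread shows ESP between IPsec
    peers logged as Unknown-l4 while still being passed under its own class.
    """
    drops = Counter()
    for (action, l4, zone_pair, cls), n in summarize(log_text).items():
        if action == "DROP" and l4.lower() == "unknown-l4" and cls == "class-default":
            drops[zone_pair] += n
    return dict(drops)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {key}")
    print("Unknown-l4 drops in class-default by zone-pair:", unknown_l4_drops(SAMPLE_LOG))
```

Run against an exported syslog (or the output of `show logging`) in place of `SAMPLE_LOG`; a zone-pair that shows Unknown-l4 drops in class-default while the same zone-pair is supposed to be inspecting TCP is the pattern the original poster traced to an IOS bug, whereas Unknown-l4 under a PASS verdict on a self-zone pair is what the ESP case above looks like.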
