%FW-6-DROP_PKT: Dropping Unknown-l4 session X.X.X.X:0 X.X.X.X:0 on zone-pair ZONE-PAIR class class-default due to DROP action found in policy-map with ip ident 0
Good day all,
Just thought I'd post this discussion to help somebody who may run into this issue in future. This is how I resolved this problem; it may or may not apply to all, but it is worth a shot.
I have a Cisco 2951 ISR running Zone Based Firewall. I kept seeing the unknown Layer 4 error even though the ACL was set to allow all IP traffic (permit ip any any) between the zones and the policy-maps were inspecting the resulting packets. However, even simple TCP packets were marked as unknown and were getting dropped. I spent hours trying to fix it. In the end it turned out to be a bug in the version of IOS I was running (c2951-universalk9-mz.SPA.152-3.T3.bin). I upgraded the IOS to the latest one from Cisco (c2951-universalk9-mz.SPA.155-3.M7.bin) and immediately the router started to identify packets correctly and the issue was resolved.
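For readers who want to see what the setup described above looks like, and what the log message actually tells you, here is an added example of a minimal IOS Zone-Based Firewall configuration. It is not the poster's configuration; the zone, interface, ACL, class-map and policy-map names are assumed for illustration. The point it makes is that the message names class class-default on the zone-pair: the packet did not match the inspect class, so it fell through to the implicit class-default, whose action is drop, and the :0 ports and "Unknown-l4" show the firewall never classified the Layer 4 protocol at all.

```cisco
! Added example (hypothetical names), not the original poster's config.
! Goal: permit and inspect all IP traffic from INSIDE to OUTSIDE,
! drop and log anything the inspect class does not catch.

! Zones and interface membership (interfaces assumed)
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN
 zone-member security OUTSIDE

! The "permit ip any any" ACL the post refers to
ip access-list extended ACL-INSIDE-TO-OUTSIDE
 permit ip any any

! Class-map that matches the ACL; this is the class the traffic
! SHOULD hit. If the router cannot determine the L4 protocol it
! does not land here, it lands in class-default below.
class-map type inspect match-all CM-INSIDE-TO-OUTSIDE
 match access-group name ACL-INSIDE-TO-OUTSIDE

! Policy-map: inspect matching traffic, drop and log the rest.
! "class class-default" is the class named in the %FW-6-DROP_PKT
! message; "drop" is the action the message says it found.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log

! Zone-pair binding the policy in the INSIDE -> OUTSIDE direction
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE

! Verification commands to run while reproducing the symptom:
!   show version                        ! confirm the IOS image/train
!   show zone-pair security             ! confirm the policy is applied
!   show policy-map type inspect zone-pair ZP-INSIDE-TO-OUTSIDE sessions
!   show policy-map type inspect zone-pair ZP-INSIDE-TO-OUTSIDE
!     (per-class match/inspect/drop counters; drops under
!      class-default with nothing under the inspect class match the
!      behaviour the post describes)
```

If the counters show TCP flows being dropped in class-default while the inspect class sees no matches, the classification itself is failing rather than the policy being wrong, which is the situation the post attributes to the IOS version. With the configuration above on a correctly behaving image, a plain TCP session from INSIDE to OUTSIDE is counted under CM-INSIDE-TO-OUTSIDE and appears in the sessions output; only traffic that genuinely does not match the ACL should ever reach the class-default drop.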
Re: %FW-6-DROP_PKT: Dropping Unknown-l4 session X.X.X.X:0 X.X.X.X:0 on zone-pair ZONE-PAIR class class-default due to DROP action found in policy-map with ip ident 0
Thanks for posting about your experience with this issue. I hope it will be helpful to other readers in the forum. It does remind us that sometimes, when we are dealing with a problem and the config seems right, we should consider the possibility of a bug in the software. +5 for this.