VPN Router

mikemanz83
Level 1

Good Day

We have in our company a problem with the VPN router regarding the VPN traffic. Suddenly the router collapses and drops all the traffic from the internet to the company. For now the only temporary way to fix this issue is rebooting the router.

I hope some friend of this great community can help me to figure it out; I'm posting an extract of the log.

Also, I don't know why this router has been configured with zone-pairs. What is the utility of this feature on this kind of router?

4871418: .Oct 29 16:44:15: %FW-6-LOG_SUMMARY: 1 packet were dropped from 45.155.205.214:43141 => 200.44.111.194:8675 (target:class)-(outside_self:class-default)
4871419: .Oct 29 16:44:25: %FW-6-DROP_PKT: Dropping tcp session 209.141.44.192:51543 200.109.254.218:5555 on zone-pair outside_self class class-default due to  DROP action found in policy-map with ip ident 0
4871420: .Oct 29 16:44:58: %FW-6-DROP_PKT: Dropping icmp session 201.209.161.188:0 172.24.26.3:0 on zone-pair outside_inside class ping   with ip ident 0

M.M.
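To triage a log extract like the one above, here is an added Python example (not from the thread and not Cisco code) that parses %FW-6-LOG_SUMMARY and %FW-6-DROP_PKT lines and totals the drops per zone-pair, class and stated reason, plus the number of distinct source hosts per zone-pair/class. The sample input is the three log lines from the post, embedded so it runs offline.

```python
import re
from collections import Counter

# Sample input: the three log lines from the post above, embedded for an offline run.
SAMPLE_LOG = """\
4871418: .Oct 29 16:44:15: %FW-6-LOG_SUMMARY: 1 packet were dropped from 45.155.205.214:43141 => 200.44.111.194:8675 (target:class)-(outside_self:class-default)
4871419: .Oct 29 16:44:25: %FW-6-DROP_PKT: Dropping tcp session 209.141.44.192:51543 200.109.254.218:5555 on zone-pair outside_self class class-default due to  DROP action found in policy-map with ip ident 0
4871420: .Oct 29 16:44:58: %FW-6-DROP_PKT: Dropping icmp session 201.209.161.188:0 172.24.26.3:0 on zone-pair outside_inside class ping   with ip ident 0
"""

# LOG_SUMMARY: "<n> packet(s) were dropped from src:port => dst:port (target:class)-(zone-pair:class)"
SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets? were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[\w-]+):(?P<cls>[\w-]+)\)")
# DROP_PKT: "Dropping <proto> session src:port dst:port on zone-pair X class Y [due to ...] with ip ident N"
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>[\w-]+) class (?P<cls>[\w-]+)(?P<reason>.*?)with ip ident")


def parse_line(line):
    """Return a dict describing one ZBFW drop message, or None for any other line."""
    m = SUMMARY_RE.search(line)
    if m:
        d = m.groupdict()
        d.update(count=int(d["count"]), proto="n/a", reason="summary")
        return d
    m = DROP_RE.search(line)
    if m:
        d = m.groupdict()
        d["count"] = 1
        # Only the policy-map drop names its cause; the ICMP line in the post carries none.
        d["reason"] = "policy-map DROP action" if "DROP action" in d["reason"] else "no reason stated"
        return d
    return None


def summarize(text):
    """Total drops per (zone-pair, class, reason) and distinct sources per (zone-pair, class)."""
    totals, sources = Counter(), {}
    for line in text.splitlines():
        d = parse_line(line)
        if d is None:
            continue
        totals[(d["zp"], d["cls"], d["reason"])] += d["count"]
        sources.setdefault((d["zp"], d["cls"]), set()).add(d["src"])
    return totals, {k: len(v) for k, v in sources.items()}
```

Run it over a full `sh logging` dump to see whether the drops cluster on one zone-pair/class (a policy question) or on a flood of distinct sources (a capacity question).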

Hello
Looks like an inspection issue. I would guess that, instead of inspecting that particular traffic, allowing it (pass) would work; however, that may not be applicable to you.

Can you post your ZBFW configuration?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul!

class-map type inspect match-all WEB_ACCESS_ASA
 match access-group name WEB_ACCESS_ASA
 match protocol https
class-map type inspect match-all ping
 match access-group name ping
class-map type inspect match-any servicios
 match protocol icmp
 match protocol http
 match protocol https
 match protocol dns
 match protocol ssh
 match protocol telnet
class-map type inspect match-all inside
 match class-map servicios
 match access-group name red_internas
class-map type inspect match-any ping_self
 match access-group name ping_self
class-map type inspect match-all ssh
 match protocol ssh
 match access-group name ssh
class-map type inspect match-all vpn_ins_out
 match access-group name tunnel_ipsec
class-map type inspect match-all vpn_out_ins
 match access-group name tunnel_ipsec_pub_priv
!
!
policy-map type inspect outside_inside
 class type inspect ping
  inspect
 class type inspect vpn_out_ins
  pass
 class type inspect ssh
  inspect
 class type inspect WEB_ACCESS_ASA
  inspect
 class class-default
  drop
policy-map type inspect inside_outside
 class type inspect inside
  inspect
 class type inspect vpn_ins_out
  pass
 class class-default
  drop
policy-map type inspect outside_self
 class type inspect ping_self
  inspect
 class class-default
  drop
!
zone security inside
 description LAN
zone security outside
 description Externa
zone-pair security inside_outside source inside destination outside
 description Inspecciona Trafico inside -> outside
 service-policy type inspect inside_outside
zone-pair security outside_inside source outside destination inside
 description Inspecciona trafico outside -> inside
 service-policy type inspect outside_inside
zone-pair security outside_self source outside destination self
 service-policy type inspect outside_self

M.M.
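To read the drop messages against the posted policy, here is an added Python helper (not from the thread and not Cisco code) that parses a subset of the configuration above into a zone-pair/class/action table, so a log line's "zone-pair X class Y" can be resolved to the action the policy applies. It assumes IOS's indentation convention (one leading space for class lines, two for the action under a class) and embeds two of the posted policy-maps with their zone-pairs as the sample.

```python
# Sample input: a subset of the ZBFW configuration posted above (two policy-maps and their zone-pairs).
ZBFW_CONFIG = """\
policy-map type inspect outside_inside
 class type inspect ping
  inspect
 class type inspect vpn_out_ins
  pass
 class class-default
  drop
policy-map type inspect outside_self
 class type inspect ping_self
  inspect
 class class-default
  drop
zone-pair security outside_inside source outside destination inside
 description Inspecciona trafico outside -> inside
 service-policy type inspect outside_inside
zone-pair security outside_self source outside destination self
 service-policy type inspect outside_self
"""


def parse_zbfw(config):
    """Build {zone_pair: {class_name: action}} from policy-map and zone-pair blocks."""
    policies, pair_to_policy = {}, {}
    policy = cls = pair = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("policy-map type inspect "):
            policy, cls = line.split()[-1], None
            policies[policy] = {}
        elif line.startswith("zone-pair security "):
            pair, policy = line.split()[2], None      # leave policy-map context
        elif line.startswith(" service-policy type inspect ") and pair:
            pair_to_policy[pair] = line.split()[-1]
        elif line.startswith(" class ") and policy:
            cls = line.split()[-1]                    # "class type inspect X" or "class class-default"
        elif line.startswith("  ") and policy and cls:
            policies[policy][cls] = line.strip()      # inspect / pass / drop
    return {p: policies.get(pm, {}) for p, pm in pair_to_policy.items()}


def action_for(table, zone_pair, cls):
    """Action a log line's 'zone-pair X class Y' resolves to, or None if not in the policy."""
    return table.get(zone_pair, {}).get(cls)
```

Resolving the third log line of the original post (zone-pair outside_inside, class ping) this way gives "inspect", which is why the reply above points at the inspection engine rather than at a drop action.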

Hello

sh ip access-list ping
sh ip access-list ping_self

Kind Regards
Paul

Hi Paul! Good night

er-vpn#sh ip access-lists ping
Extended IP access list ping
10 permit icmp any host 200.90.28.106
20 permit icmp any host 200.109.104.43
30 permit icmp any host 172.24.26.3 (66864 matches)
er-vpn#

er-vpn#sh ip access-lists ping_self
Extended IP access list ping_self
10 permit icmp any any echo (13829 matches)
20 permit icmp any any packet-too-big
30 permit icmp any any parameter-problem
40 permit icmp any any source-quench

M.M.

Your router is running an IOS firewall called Zone-Based Firewall (ZBFW), and it looks like the logging is reporting that ICMP traffic is being inspected and then denied. As for the reason why your router failed, it could be unrelated to ZBFW.

What is the router you are running?
Could you post in a file the following output:
sh version
sh license
sh processes cpu sorted
sh processes memory sorted
sh logging
dir flash:

Kind Regards
Paul

Hi Paul!

Thanks for your help

I'm adding the output you asked me for in two txt files.

M.M.

My friend!

Will you be so kind as to explain to me why ICMP traffic drops all the incoming traffic?

M.M.