[HELP] Packets drop with ZBF

Angralitux (Member, join:2004-05-20, DO):

Hi, before calling Cisco support, I'd like someone more knowledgeable than us to take a look at our issue: a router on which we have configured Zone-Based Firewall is giving these weird "%FW-6-DROP_PKT" logs.

The problem is that this is impacting an application that talks to a SQL database, and the dropped packets are (my impression) causing errors.

This happens randomly. I have looked around the web, and it seems this is related to virtual-reassembly or the IOS version, but we don't have virtual-reassembly on this router and the IOS version is more or less recent [Version 15.2(4)M3, RELEASE SOFTWARE (fc2)].

HELLFIRE (MVM, join:2009-11-25):

Able to share the full config (minus passwords and such) with us for review, Angralitux?

Regards

tired_runner (Premium Member, join:2000-08-25, CT) to Angralitux:
DROP_PKT can mean any dropped packet based on existing policy constructs. Does the log indicate if the firewall is indeed blocking traffic from where you're expecting to receive it?

Angralitux to HELLFIRE:

HELLFIRE, network guy: I'm working now to sanitize what I need to show.

tired_runner:
Omit any passwords, IP addresses, and IKE pre-shared keys in the config, if applicable.

Angralitux:

This is the config:

Current configuration : 15278 bytes
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
!
logging buffered 1000000 notifications
enable secret 5 xxx
!
aaa new-model
!
!
aaa group server radius ADAUTH
server-private 172.16.xxx.xxx key 7 xxx
!
aaa authentication login default local group ADAUTH
aaa authorization exec default local group ADAUTH
!
!
!
!
!
aaa session-id common
clock timezone UTC-4 -4 0
!
ip cef
!
!
!
ip vrf xxxfrom_xxxto
rd 1:1
!
no ip dhcp use vrf connected
!
!
!
ip flow-cache timeout active 1
ip domain name xxx.local
ip multicast-routing
ip inspect log drop-pkt
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3047563694
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3047563694
revocation-check none
rsakeypair TP-self-signed-3047563694
!
!
crypto pki certificate chain TP-self-signed-3047563694
certificate self-signed 01
quit
license udi pid C3900-SPE200/K9 sn xxx
!
!
archive
log config
hidekeys
object-group service ActiveSyncObject
tcp eq 443
tcp eq www
!
object-group network CallManagers
host 172.16.x.18
host 172.16.x.34
!
object-group network FromLifeServer
!
object-group network FtpLifeServer
host 172.16.x.11
host 172.16.x.10
host 172.16.x.34
!
object-group network LifeDNS
host 172.16.x.10
host 172.16.x.60
!
object-group network LifeSQL
host 172.16.x.15
host 172.16.x.18
host 172.16.x.26
host 172.16.x.33
host 172.16.x.14
host 172.16.x.12
host 172.16.x.17
host 10.10.x.16
host 10.10.x.19
host 172.16.x.13
host 172.16.x.13
!
object-group network LifeServer
host 172.16.x.10
host 172.16.x.11
host 172.16.x.12
host 172.16.x.13
host 172.16.x.34
host 172.16.x.14
host 172.16.x.15
host 172.16.x.16
!
object-group service LifeServerPublicServices
tcp eq smtp
tcp eq www
tcp eq 443
tcp eq pop3
tcp eq 143
!
object-group service LifeServer_SMB
tcp eq 139
tcp eq 445
udp eq netbios-ns
udp eq netbios-dgm
tcp eq 135
tcp eq 136
tcp eq 137
tcp eq 138
udp eq 135
udp eq 136
udp eq netbios-ss
udp eq 445
tcp eq 3268
tcp eq 3269
tcp eq 636
tcp eq 88
tcp eq 389
tcp eq 464
udp eq 88
udp eq 389
udp eq 464
!
object-group network LifeServer_SMTP
host 172.16.39.21
!
object-group service LifeServer_SMTP_Services
tcp eq www
tcp eq 443
tcp eq 50636
tcp eq 389
tcp eq smtp
!
object-group network ObjectFromServer
host 10.10.x.16
host 10.10.x.19
host 10.10.x.20
host 172.16.x.35
host 172.16.x.11
!
object-group network xloc_H323
host 172.16.x.128
!
object-group network SharingServer
host 172.16.x.27
host 172.16.x.11
host 172.16.x.13
!
object-group network internalPermitted
172.16.0.0 255.254.0.0
!
username xxx privilege 15 secret 4 xxx
!
redundancy
!
!
!
!
!
!
class-map type inspect match-any DMZInterface
match protocol echo
match protocol ntp
class-map type inspect match-any InternalToLIFE
match access-group name ToLifeServer
class-map type inspect match-any LIFEToInternal
match access-group name FromLifeServer
class-map match-any VOICE-CONTROL
match protocol skinny
match protocol mgcp
match protocol sip
match dscp cs3
match access-group name ac_xloc_h323
class-map match-all CONTROL-PLANE
match dscp cs6
class-map type inspect match-all LifeServerFTP
match access-group name ToLifeServerFTP
match protocol ftp
class-map match-any TCP
match access-group name tcp
class-map match-any VOICE
match protocol rtp
match ip dscp ef
class-map match-any cm-backup-devices
match access-group name ac-backup-devices
!
policy-map type inspect InternalToLIFE
class type inspect InternalToLIFE
inspect
class type inspect LifeServerFTP
inspect
class class-default
drop log
policy-map pm-backup-devices
class cm-backup-devices
bandwidth percent 50
queue-limit 200 ms
class class-default
queue-limit 200 ms
policy-map VoiceChild
class VOICE
priority percent 30
set dscp ef
class VOICE-CONTROL
bandwidth percent 5
set dscp cs3
class CONTROL-PLANE
bandwidth percent 5
set dscp cs6
class TCP
bandwidth percent 55
random-detect dscp-based
queue-limit 1500 packets
service-policy pm-backup-devices
class class-default
fair-queue
policy-map type inspect DMZInterface_Self
class type inspect DMZInterface
pass
class class-default
drop
policy-map PM-Tunnel-DR
class class-default
bandwidth percent 95
shape average percent 100
queue-limit 300 ms
service-policy VoiceChild
policy-map type inspect ftp
policy-map type inspect LIFEToInternal
class type inspect LIFEToInternal
inspect
class class-default
drop log
!
zone security Internal
zone security Null
zone security net-Colo
zone security LIFE
zone-pair security DMZInterface_Self source LIFE destination self
service-policy type inspect DMZInterface_Self
zone-pair security InternalToLIFE source Internal destination LIFE
service-policy type inspect InternalToLIFE
zone-pair security LIFEToInternal source LIFE destination Internal
service-policy type inspect LIFEToInternal
!
crypto keyring kr-netC_netA vrf netC_netA
pre-shared-key address 172.16.x.1 key xxx
crypto logging session
!
crypto isakmp policy 50
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxx address 172.16.x.1
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile netC_RT1_A_to_netA_RT1_A
set transform-set AES256-SHA
set pfs group5
!
crypto ipsec profile SecureTunnel
set transform-set AES256-SHA
set pfs group5
!
!
!
!
!
!
!
interface Tunnel3004
description Secure tunnel between ST_netC_RT1_A and ST_netA_RT_A
bandwidth 100000
ip address 172.16.xxx.18 255.255.255.252
ip mtu 1410
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
zone-member security Internal
ip tcp adjust-mss 1350
qos pre-classify
tunnel source 172.16.xxx.4
tunnel mode ipsec ipv4
tunnel destination 172.16.xxx.1
tunnel vrf netC_netA
tunnel protection ipsec profile netC_RT1_A_to_netA_RT1_A
!
interface GigabitEthernet0/0
description Upstream to internal nets
no ip address
ip flow ingress
zone-member security Null
duplex auto
speed auto
!
interface GigabitEthernet0/0.45
shutdown
!
interface GigabitEthernet0/0.232
description wepa net
encapsulation dot1Q 232
ip address 172.16.x.8 255.255.255.128
ip nbar protocol-discovery
ip flow ingress
zone-member security Internal
!
interface GigabitEthernet0/0.239
description description srv DMZLIFE
encapsulation dot1Q 239
ip address 172.16.39.2 255.255.255.0
zone-member security LIFE
!
interface GigabitEthernet0/0.308
description Link 1 to xloc Call Center
encapsulation dot1Q 308
ip address 172.16.xxx.9 255.255.255.248
ip nbar protocol-discovery
ip flow ingress
ip pim sparse-dense-mode
zone-member security Internal
delay 308
!
interface GigabitEthernet0/0.310
description Link do xloc Office PtP
encapsulation dot1Q 310
ip address 172.16.xxx.25 255.255.255.248
ip nbar protocol-discovery
ip flow ingress
ip pim sparse-dense-mode
zone-member security Internal
!
interface GigabitEthernet0/1
description Upstream to netA
bandwidth 100000
no ip address
ip flow ingress
zone-member security Null
load-interval 30
duplex auto
speed auto
service-policy output PM-Tunnel-DR
!
interface GigabitEthernet0/1.300
description Endpoints Tunnel 3004
bandwidth 100000
encapsulation dot1Q 300
ip vrf forwarding netC_netA
ip address 172.16.xxx.4 255.255.255.248
ip flow ingress
zone-member security net-Colo
!
interface GigabitEthernet0/2
no ip address
zone-member security Null
duplex auto
speed auto
!
interface GigabitEthernet0/3
no ip address
zone-member security Null
duplex auto
speed auto
!
!
router eigrp 220
network 172.16.x.0 0.0.0.127
network 172.16.x.0 0.0.0.255
network 172.16.x.0 0.0.0.255
network 172.16.x.0 0.0.0.255
network 172.16.x.8 0.0.0.7
network 172.16.x.16 0.0.0.3
network 172.16.x.24 0.0.0.7
passive-interface default
no passive-interface GigabitEthernet0/0.232
no passive-interface GigabitEthernet0/0.308
no passive-interface GigabitEthernet0/0.310
no passive-interface Tunnel3004
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip flow-export source GigabitEthernet0/0.232
ip flow-export version 9
ip flow-export destination 172.16.x.106 2055
ip flow-export destination 172.16.x.18 9996
ip flow-top-talkers
top 20
sort-by bytes
cache-timeout 20000
!
ip route 4.x.x.1 255.255.255.255 172.16.x.26
!
ip access-list extended AL_Tun3004_In
permit esp host 172.16.xxx.1 host 172.16.xxx.4
permit udp host 172.16.xxx.1 host 172.16.xxx.4 eq isakmp
permit udp host 172.16.xxx.1 host 172.16.xxx.4 eq non500-isakmp
permit tcp host 172.16.xxx.1 host 172.16.xxx.4 eq telnet
permit tcp host 172.16.xxx.1 host 172.16.xxx.4 eq 22
permit icmp host 172.16.xxx.1 host 172.16.xxx.4
permit gre host 172.16.xxx.1 host 172.16.xxx.4
ip access-list extended AL_Tun3004_Out
permit esp host 172.16.xxx.4 host 172.16.xxx.1
permit udp host 172.16.xxx.4 host 172.16.xxx.1 eq isakmp
permit udp host 172.16.xxx.4 host 172.16.xxx.1 eq non500-isakmp
permit tcp host 172.16.xxx.4 eq telnet host 172.16.xxx.1
permit tcp host 172.16.xxx.4 eq 22 host 172.16.xxx.1
permit icmp host 172.16.xxx.4 host 172.16.xxx.1
permit gre host 172.16.xxx.4 host 172.16.xxx.1
ip access-list extended FromLifeServer
permit tcp object-group LifeServer object-group LifeSQL eq 1433
permit tcp object-group LifeServer host 172.16.xxx.3 eq 1433
permit udp object-group LifeServer object-group LifeDNS eq domain
permit tcp object-group LifeServer object-group LifeDNS eq domain
permit tcp object-group LifeServer any eq smtp
permit tcp object-group LifeServer_SMTP object-group LifeDNS eq domain
permit tcp object-group LifeServer_SMTP any eq smtp
permit tcp object-group LifeServer host 172.16.xxx.14 eq 49420
permit tcp object-group LifeServer any eq www
permit tcp object-group LifeServer host 172.16.xxx.35 eq 8060
permit tcp object-group LifeServer object-group ObjectFromServer eq 8060
permit tcp object-group LifeServer object-group ObjectFromServer eq 8083
permit tcp object-group LifeServer host 172.16.xxx.17 eq 8083
permit tcp object-group LifeServer object-group ObjectFromServer eq www
permit tcp object-group LifeServer host 172.16.xxx.13 eq 8060
permit tcp object-group LifeServer host 172.16.xxx.50 eq 9080
permit tcp object-group LifeServer host 172.16.xxx.14 eq 49364
permit tcp object-group LifeServer any eq 990
permit object-group LifeServer_SMB object-group SharingServer object-group LifeServer
permit object-group LifeServer_SMB host 172.16.xxx.13 object-group LifeServer
permit tcp object-group LifeServer host 172.16.xxx.29 eq www
permit tcp object-group LifeServer_SMTP any eq domain
permit icmp object-group LifeServer_SMTP any
permit udp object-group LifeServer_SMTP any eq domain
permit tcp object-group LifeServer host 172.16.x.13 eq 1433
permit tcp object-group LifeServer host 10.10.x.16 eq 1433
permit tcp object-group LifeServer host 10.10.x.10 eq www
permit object-group ActiveSyncObject object-group internalPermitted object-group LifeServer_SMTP
ip access-list extended FtpLifeServer
ip access-list extended ToLifeServer
permit object-group LifeServerPublicServices any object-group LifeServer
permit tcp object-group internalPermitted object-group LifeServer eq 3389
permit icmp object-group internalPermitted object-group LifeServer echo
permit icmp any object-group LifeServer unreachable
permit object-group LifeServer_SMTP_Services any object-group LifeServer_SMTP
permit tcp any object-group LifeServer eq 990
permit tcp any object-group LifeServer eq 8080
permit tcp any object-group LifeServer eq 8081
permit tcp object-group internalPermitted object-group LifeServer_SMTP eq 3389
permit icmp object-group internalPermitted object-group LifeServer_SMTP echo
permit icmp any object-group LifeServer_SMTP unreachable
permit object-group LifeServer_SMB any object-group LifeServer
ip access-list extended ToLifeServerFTP
permit tcp any object-group FtpLifeServer
ip access-list extended ac-backup-devices
permit tcp host 172.16.xx.25 host 172.16.xx.25 eq 8888
permit tcp any host 172.16.xx.59 eq 31031
ip access-list extended ac_xloc_h323
permit ip object-group xloc_H323 object-group CallManagers
ip access-list extended ms-rdp
ip access-list extended tcp
permit tcp any any
!
kron occurrence backup at 19:10 Sun recurring
policy-list backup
!
kron policy-list backup
cli show run | redirect tftp://172.16.xxx.26/172.16.xxx.8-ST_netC_RT1_A.txt
!
logging trap debugging
logging facility local2
logging host 172.16.xxx.9
!
!
snmp-server community notshared RO
snmp-server community notshared RO
snmp-server ifindex persist
snmp-server location net thislocation
snmp-server contact itmanagement@nodaomain.com
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 30 0
logging synchronous
transport input telnet ssh
line vty 5 15
exec-timeout 30 0
logging synchronous
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 172.16.x.1
!
end

Hope I didn't forget to sanitize something essential. That is the config, and this is one of the events we are seeing in the log:

346943: Aug 4 22:08:26.810 UTC-4: %FW-6-DROP_PKT: Dropping tcp session 172.16.39.10:62783 172.16.33.26:1433 on zone-pair LIFEToInternal class LIFEToInternal due to Invalid Flags with ip ident 0
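Parsing and correlating %FW-6-DROP_PKT lines like the one above, as an added Python example that is not from the thread: it extracts the flow, zone-pair, class and reason from each line, counts drops per class and reason, and matches drops against an application-side failure timestamp. The sample lines other than the quoted one are constructed, and the "Policy Match Failure" reason string and the app-side timestamp format are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample log. The first line is the event quoted in the thread;
# the others are made-up lines in the same shape (plus one non-ZBF message)
# so the parser has something to skip and something to aggregate.
SAMPLE_LOG = """\
346943: Aug 4 22:08:26.810 UTC-4: %FW-6-DROP_PKT: Dropping tcp session 172.16.39.10:62783 172.16.33.26:1433 on zone-pair LIFEToInternal class LIFEToInternal due to Invalid Flags with ip ident 0
346944: Aug 4 22:08:27.012 UTC-4: %FW-6-DROP_PKT: Dropping tcp session 172.16.39.11:51002 172.16.33.26:1433 on zone-pair LIFEToInternal class LIFEToInternal due to Invalid Flags with ip ident 0
346950: Aug 4 22:09:01.300 UTC-4: %FW-6-DROP_PKT: Dropping tcp session 172.16.39.10:62790 172.16.33.27:445 on zone-pair LIFEToInternal class class-default due to  Policy Match Failure with ip ident 0
346951: Aug 4 22:09:02.100 UTC-4: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# One regex for the classic-IOS DROP_PKT format seen above: sequence number
# (from "service sequence-numbers"), msec timestamp, timezone name, then the
# 5-tuple, zone-pair, class and drop reason.
DROP_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>\w+ +\d+ \d\d:\d\d:\d\d\.\d+) (?P<tz>[^:]+): "
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to\s+(?P<reason>.+?) with ip ident (?P<ident>\d+)$"
)


@dataclass(frozen=True)
class DropEvent:
    seq: int
    timestamp: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: str
    cls: str
    reason: str
    ident: int


def parse_drop_line(line: str) -> Optional[DropEvent]:
    """Return a DropEvent for a %FW-6-DROP_PKT line, or None for anything else."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return DropEvent(
        seq=int(g["seq"]), timestamp=g["ts"], proto=g["proto"],
        src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        zone_pair=g["zone_pair"], cls=g["cls"], reason=g["reason"],
        ident=int(g["ident"]),
    )


def parse_log(text: str) -> list[DropEvent]:
    return [e for e in (parse_drop_line(ln) for ln in text.splitlines()) if e]


def summarize(events: list[DropEvent]) -> Counter:
    """Count drops per (zone-pair, class, reason). A drop logged against the
    inspected class rather than class-default means the policy already permits
    the flow and the state engine rejected the segment, as in this thread."""
    return Counter((e.zone_pair, e.cls, e.reason) for e in events)


def flow_drops(events: list[DropEvent], dst: str, dport: int) -> list[DropEvent]:
    """Drops toward one server and port, e.g. the SQL listener on 1433."""
    return [e for e in events if e.dst == dst and e.dport == dport]


def parse_ts(ts: str) -> datetime:
    # IOS timestamps carry no year; strptime's default (1900) is fine for
    # comparing events from the same log to each other.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")


def drops_near(events: list[DropEvent], app_ts: str, window_s: float = 2.0) -> list[DropEvent]:
    """Correlate an application-side failure time (assumed to be in the same
    format, both sides NTP synced) with router drops inside +/- window_s."""
    t0 = parse_ts(app_ts)
    return [e for e in events
            if abs((parse_ts(e.timestamp) - t0).total_seconds()) <= window_s]
```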

Angralitux:

We're talking with the devs so they make sure that, in their methods, they try more than once before giving up on the connection.

We all know network conditions can vary from time to time, but it's difficult to explain this to a guy who thinks you want to blame him for these errors; so I want to make sure errors and false positives are down to an insignificant minimum.

HELLFIRE to Angralitux:

Just breaking things down here, so you've got 4 zones within the router as follows:

zone security Internal
zone security Null
zone security net-Colo
zone security LIFE

and the following zone pairings:

zone-pair security DMZInterface_Self source LIFE destination self
service-policy type inspect DMZInterface_Self

policy-map type inspect DMZInterface_Self
class type inspect DMZInterface
pass
class class-default
drop

zone-pair security InternalToLIFE source Internal destination LIFE
service-policy type inspect InternalToLIFE

class type inspect InternalToLIFE
inspect

zone-pair security LIFEToInternal source LIFE destination Internal
service-policy type inspect LIFEToInternal

class-map type inspect match-any LIFEToInternal
match access-group name FromLifeServer

ip access-list extended FromLifeServer
permit tcp object-group LifeServer object-group LifeSQL eq 1433
permit tcp object-group LifeServer host 172.16.xxx.3 eq 1433
permit udp object-group LifeServer object-group LifeDNS eq domain
permit tcp object-group LifeServer object-group LifeDNS eq domain
permit tcp object-group LifeServer any eq smtp
permit tcp object-group LifeServer_SMTP object-group LifeDNS eq domain
permit tcp object-group LifeServer_SMTP any eq smtp
permit tcp object-group LifeServer host 172.16.xxx.14 eq 49420
permit tcp object-group LifeServer any eq www
permit tcp object-group LifeServer host 172.16.xxx.35 eq 8060
permit tcp object-group LifeServer object-group ObjectFromServer eq 8060
permit tcp object-group LifeServer object-group ObjectFromServer eq 8083
permit tcp object-group LifeServer host 172.16.xxx.17 eq 8083
permit tcp object-group LifeServer object-group ObjectFromServer eq www
permit tcp object-group LifeServer host 172.16.xxx.13 eq 8060
permit tcp object-group LifeServer host 172.16.xxx.50 eq 9080
permit tcp object-group LifeServer host 172.16.xxx.14 eq 49364
permit tcp object-group LifeServer any eq 990
permit object-group LifeServer_SMB object-group SharingServer object-group LifeServer
permit object-group LifeServer_SMB host 172.16.xxx.13 object-group LifeServer
permit tcp object-group LifeServer host 172.16.xxx.29 eq www
permit tcp object-group LifeServer_SMTP any eq domain
permit icmp object-group LifeServer_SMTP any
permit udp object-group LifeServer_SMTP any eq domain
permit tcp object-group LifeServer host 172.16.x.13 eq 1433
permit tcp object-group LifeServer host 10.10.x.16 eq 1433
permit tcp object-group LifeServer host 10.10.x.10 eq www
permit object-group ActiveSyncObject object-group internalPermitted object-group LifeServer_SMTP

Is my understanding correct so far?

Can you also clarify what zone(s) the source and destination are in, so we can follow the policy?
said by Angralitux:

346943: Aug 4 22:08:26.810 UTC-4: %FW-6-DROP_PKT: Dropping tcp session 172.16.39.10:62783 172.16.33.26:1433 on zone-pair LIFEToInternal class LIFEToInternal due to Invalid Flags with ip ident 0

As for your error message here, my immediate thoughts are as follows:

a) what's the exact issue the SQL database is experiencing? Slow transfer speeds? Complete disconnect? Something else?

b) is anyone recording the EXACT date / timestamps of these occurrences? Especially the DB guys?

I see that your router is NTP synced, so as long as the DB guys have their stuff NTP synced, it should be trivial to match up the timeframe in which they have a problem with the timestamp reported by the router logs.

c) offhand, the error message indicates ZBFW dropped a TCP packet due to an issue with the flags, i.e. the 6 bits within TCP to indicate state. If you know HEX, it should be trivial to determine what flags were in the TCP packet based on this:

_   _   _   _  |  _   _   _   _  |  _   _   _   _
RSV RSV RSV NS | CWR ECE URG ACK | PSH RST SYN FIN

d) two possible troubleshooting steps are 1) set up end-to-end sniffers, preferably on the hosts themselves, and 2) remove ZBFW to rule it out as a culprit... though given you have ZBFW present, something tells me there's a deliberate need for zone separation between the hosts.

My 00000010bits

Regards
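The hex-to-flag decoding HELLFIRE describes in (c), as an added Python example that is not from the thread: it names the set bits of the 12-bit flags field using the layout above, pulls that field out of the data-offset/flags bytes of a TCP header, and applies general TCP-semantics sanity checks. Which combinations count as invalid is my assumption from RFC 793 semantics, not ZBFW's undocumented rules.

```python
# Names of the 12-bit TCP flags field, most significant bit first, exactly as
# laid out in the post above: RSV RSV RSV NS | CWR ECE URG ACK | PSH RST SYN FIN.
TCP_FLAG_BITS = [
    (0x800, "RSV"), (0x400, "RSV"), (0x200, "RSV"), (0x100, "NS"),
    (0x080, "CWR"), (0x040, "ECE"), (0x020, "URG"), (0x010, "ACK"),
    (0x008, "PSH"), (0x004, "RST"), (0x002, "SYN"), (0x001, "FIN"),
]


def decode_tcp_flags(value: int) -> list[str]:
    """Hex value of the flags field -> names of the set flags, MSB first."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def flags_from_offset_word(word: bytes) -> int:
    """Extract the 12-bit flags field from bytes 12-13 of a TCP header; the top
    nibble of that 16-bit word is the data offset, which we mask away."""
    if len(word) != 2:
        raise ValueError("need exactly the two data-offset/flags bytes")
    return int.from_bytes(word, "big") & 0x0FFF


def check_flags(value: int) -> tuple[bool, str]:
    """Sanity check on general TCP semantics (assumption: these are textbook
    illegal combinations, not ZBFW's own rule set). Returns (ok, explanation)."""
    f = value & 0x03F  # URG ACK PSH RST SYN FIN; ECN bits (CWR/ECE) are legal on a SYN
    syn, ack, rst = bool(f & 0x002), bool(f & 0x010), bool(f & 0x004)
    fin = bool(f & 0x001)
    if f == 0:
        return False, "no flags set (null segment)"
    if syn and fin:
        return False, "SYN and FIN set together"
    if syn and rst:
        return False, "SYN and RST set together"
    if not ack and not rst and f != 0x002:
        return False, "ACK missing on a segment that is not a bare SYN or RST"
    return True, "plausible: " + "+".join(decode_tcp_flags(value))


def describe(value: int) -> str:
    """One-line report, e.g. '0x012 = ACK+SYN: OK (plausible: ACK+SYN)'."""
    names = "+".join(decode_tcp_flags(value)) or "(none)"
    ok, why = check_flags(value)
    return f"0x{value:03X} = {names}: {'OK' if ok else 'INVALID'} ({why})"


if __name__ == "__main__":
    # Constructed sample values: a normal handshake, data, teardown, and some
    # combinations no sane stack emits.
    for v in (0x002, 0x012, 0x010, 0x018, 0x011, 0x0C2, 0x000, 0x003, 0x001):
        print(describe(v))
```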

tired_runner to Angralitux:
When using an object group, I would write the construct like this:

permit object-group SQL object-group LifeServer object-group LifeSQL

And add an object group service like this:

object-group service SQL
 tcp eq 1433

The way I read the constructs you have going on, you're sourcing traffic from LifeServer behind LIFE destined for LifeSQL behind Internal. Since this particular traffic is crossing zones, any reason you want to place an ACL between zones?

Angralitux:

a) The exact issue is that the application is failing completely. The DB is good; it's the application connecting to the database that's having issues.

b) We have everything synced with NTP, and we wrote a little program to open and close a connection to the database from the app server, and the time of the problem coincides with the time of the log entry.

c) This could be done; I believe I can get something like Wireshark running to analyze the packets, but these are production servers and I'd have to ask for a change request.

d) I can't disable ZBF; that would require rewriting a lot of the config in place on this router, and would cause downtime.

I'm not too familiar with ZBF; the only thing I can remember that resembles a FW on a Cisco router is CBAC. I'm also learning, so I was looking for advice to see if there is something that isn't correct that could lead me to a solution, but I believe this is likely a bug from what I have read on other forums.

Angralitux to tired_runner:

The ACL that allows this traffic is:
permit tcp object-group LifeServer object-group LifeSQL eq 1433

I believe your way is cleaner:
permit object-group SQL object-group LifeServer object-group LifeSQL

But it's essentially the same.

I believe that with ZBF you have to explicitly allow the traffic between zones, or it will be implicitly denied, if I understood your question well. The real reason why this is there is that it's necessary to allow traffic from the app server to the DB server. We use layered security for access to DB servers. We place the web, app, and DB servers on different perimeters protected by firewalls, something like this:

»securityintelligence.com ··· yers.png

HELLFIRE to Angralitux:
said by Angralitux:

the ACL that allows this traffic is: permit tcp object-group LifeServer object-group LifeSQL eq 1433

object-group network LifeServer
host 172.16.x.10
host 172.16.x.11
host 172.16.x.12
host 172.16.x.13
host 172.16.x.34
host 172.16.x.14
host 172.16.x.15
host 172.16.x.16

object-group network LifeSQL
host 172.16.x.15
host 172.16.x.18
host 172.16.x.26
host 172.16.x.33
host 172.16.x.14
host 172.16.x.12
host 172.16.x.17
host 10.10.x.16
host 10.10.x.19
host 172.16.x.13
host 172.16.x.13

Just quoting this stuff for future reference...

Thanks for answering my questions. If the log msg is syncing exactly with when you have a problem, then what I explained is happening pretty much explains what ZBFW is doing -- basically the firewall mechanism that's keeping track of the state of the connection between the two hosts saw what it thinks is an illegal flag state. I don't recall whether CBAC and ZBFW send a RST to both ends or simply drop the packet entirely or something else... hence why I suggested sniffers running on each end host.

After that, not sure how much further you can drill down into IOS itself... TCP flag state is set by the end hosts, not IOS, and IIRC, there's no documentation that I'm aware of about what flags CBAC and ZBFW consider "illegal."

said by Angralitux:

I believe that with ZBF you have to explicit allow the traffic btw zones, or it will be implicit denied

Yes, that's how ZBFW differs from CBAC.

My 00000010bits

Regards

tired_runner to Angralitux:
What I meant is, if you have traffic between LifeServers and LifeSQL and that traffic is indeed crossing zones between LIFE and Internal, there's no need for an ACL between them if the ACL constructs are filtering in the session level in the same manner that you have your class maps inspecting this traffic.

Angralitux:

Man, bear with me, I'm not too familiar with ZBF! I'm not following exactly what you mean by the ACL not being needed... can you elaborate on that?

What I know from my limited experience is that if hosts are in different zones, I have to create an ACL in the direction the traffic will be flowing, and I don't need to create a "way back" ACL in the opposite direction because the FW "knows" it has to allow traffic back. In this specific case, the flow of information is that the app server, which belongs to zone "LIFE", is trying to reach the DB server, which is in the "Internal" zone.

Please forgive my English, it's not my native language!

tired_runner:
No worries man. I'm here to help if I can.

Based on your log entry, the firewall kicked your packet to the bit bucket coming in from LIFE to Internal based on what it says here:

Dropping tcp session 172.16.39.10:62783 172.16.33.26:1433 on zone-pair LIFEToInternal class LIFEToInternal due to Invalid Flags with ip ident 0

That tells me that the "offending" packet came in on your gi0/0.239 interface, which you described as srv DMZLIFE.

Looking at the ZBFW policies, you have a pair from LIFE to Internal here:
zone-pair security LIFEToInternal source LIFE destination Internal
service-policy type inspect LIFEToInternal

The LIFEToInternal service policy uses class map LIFEToInternal, and the policy is inspecting the traffic. This means the firewall should dynamically allow return traffic if it matches the criteria in the class map.

Since the traffic is crossing zones based on this configuration, I would instead modify the class map LIFEToInternal so that it matches packets destined or meant for your SQL boxes.

Something like this:

class-map type inspect match-any LIFEToInternal
match protocol sqlsrv