[c-nsp] Need help with policy-based firewall (IOS 12.4T)
Ivan Poddubnyy
ivan_poddubnyy at symantec.com
Mon Nov 23 20:57:04 EST 2009
Hi,
I have two 2821 routers with policy-based firewall configured on them.
There's IPSec GRE tunnel configured between the routers.
The problem is that traffic can't pass through the tunnel (even though the tunnel
is established). Here is a message from the logs:
===========
Nov 23 17:36:43 10.0.80.252 24385: rtr02.sj: [syslog at 9 s_sn="22618"
s_id="rtr02.sj:514" s_tc="1309483" s_dc="28318"]: 033999: .Nov 23
17:36:42.608 PST: %FW-6-DROP_PKT: Dropping Unknown-l4 session
207.211.80.190:0 143.127.138.34:0 on zone-pair sdm-zp-out-self class
class-default due to DROP action found in policy-map with ip ident 0
===========
Router-A has IP address 207.211.80.190
Router-B has IP address 143.127.138.34
At the same time, I see messages like this in the logs:
============
Nov 23 17:45:01 10.0.80.252 24410: rtr02.sj: [syslog at 9 s_sn="22643"
s_id="rtr02.sj:514" s_tc="1309542" s_dc="28318"]: 034024: .Nov 23
17:45:00.681 PST: %FW-6-PASS_PKT: (target:class)-(sdm-zp-out-self:sdmgre)
Passing Unknown-l4 pkt 143.127.138.34:0 => 207.211.80.190:0 with ip ident 0
============
Now, parts of the config from router-A (router-B is a mirror image of
router-A):
-------------
rtr02.sj#show runn | sec zone
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
-------------
rtr02.sj#show runn | sec policy-map
policy-map type inspect sdm-permit
class type inspect sdmgre
pass log
class type inspect SDM_VPN
pass log
class type inspect sdmself
pass log
class class-default
drop log
-------------
rtr02.sj#show runn | sec class-map
class-map type inspect match-all sdmgre
match access-group 101
class-map type inspect match-all SDM_VPN
match access-group name SDM_VPN
-------------
rtr02.sj#show access-lists 101
Extended IP access list 101
10 permit ip host 143.127.138.34 any (1132063 matches)
20 permit gre host 143.127.138.34 any
30 permit esp host 143.127.138.34 any
40 permit ahp host 143.127.138.34 any
50 permit udp host 143.127.138.34 eq isakmp any
--------------
rtr02.sj#show access-lists SDM_VPN
Extended IP access list SDM_VPN
10 permit gre any any
20 permit ahp any any
30 permit esp any any
--------------
So, the DROP log message above is generated by this part of the config from
policy-map:
class class-default
drop log
At the same time, the policy passes some traffic, as can be seen from the second log
message. And if I replace 'drop' with 'pass' in 'class-default', everything
works fine. For obvious reasons I don't want to do that.
My first question is, what is 'ip ident 0'?
My second question is, why is router-A skipping (for the most part) ACLs 101 and
SDM_VPN and hitting 'class-default' when traffic is coming from router-B?
Any help is appreciated!
Thank you!
--ivan
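A small triage script, added here as an example and not part of the original post, that parses the two %FW-6 log lines above and checks the logged source and destination against the ACEs of ACL 101 and SDM_VPN in the order the sdm-permit policy-map evaluates them; it shows that no ACE in ACL 101 can match a packet whose source is 207.211.80.190, and that the 'Unknown-l4' label leaves the protocol-specific SDM_VPN entries undecidable from the log line alone. It assumes a simplified ACL model (host/any only, no wildcard masks or ports) and omits the sdmself class-map, which the post does not show.

```python
import re

# Constructed sample input: the IOS part of the two syslog lines quoted in the
# post, with the syslog-relay prefix removed.
DROP_LINE = ("%FW-6-DROP_PKT: Dropping Unknown-l4 session 207.211.80.190:0 "
             "143.127.138.34:0 on zone-pair sdm-zp-out-self class class-default "
             "due to DROP action found in policy-map with ip ident 0")
PASS_LINE = ("%FW-6-PASS_PKT: (target:class)-(sdm-zp-out-self:sdmgre) Passing "
             "Unknown-l4 pkt 143.127.138.34:0 => 207.211.80.190:0 with ip ident 0")
DROP_RE = re.compile(r"DROP_PKT: Dropping (?P<proto>\S+) session (?P<src>\S+):\d+ "
                     r"(?P<dst>\S+):\d+ on zone-pair (?P<zp>\S+) class (?P<cls>\S+)")
PASS_RE = re.compile(r"PASS_PKT: \(target:class\)-\((?P<zp>\S+):(?P<cls>\S+)\) "
                     r"Passing (?P<proto>\S+) pkt (?P<src>\S+):\d+ => (?P<dst>\S+):\d+")

# The two ACLs from the post as (protocol, source, destination) triples; "any"
# is a wildcard and the udp/isakmp ACE is modelled on protocol and source only.
ACL_101 = [("ip", "143.127.138.34", "any"), ("gre", "143.127.138.34", "any"),
           ("esp", "143.127.138.34", "any"), ("ahp", "143.127.138.34", "any"),
           ("udp", "143.127.138.34", "any")]
ACL_SDM_VPN = [("gre", "any", "any"), ("ahp", "any", "any"), ("esp", "any", "any")]
# Class-maps in sdm-permit order; sdmself is not shown in the post, so it is omitted.
POLICY = [("sdmgre", ACL_101), ("SDM_VPN", ACL_SDM_VPN)]

def parse_fw_line(line):
    """Return (action, proto, src, dst, zone_pair, class) for a %FW-6 line, else None."""
    for action, rx in (("drop", DROP_RE), ("pass", PASS_RE)):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            return (action, d["proto"], d["src"], d["dst"], d["zp"], d["cls"])
    return None

def ace_result(ace, proto, src, dst):
    """True/False if the ACE decides; None if 'Unknown-l4' hides the needed protocol."""
    a_proto, a_src, a_dst = ace
    if (a_src != "any" and a_src != src) or (a_dst != "any" and a_dst != dst):
        return False
    if a_proto == "ip":
        return True
    return None if proto == "Unknown-l4" else a_proto == proto.lower()

def classify(proto, src, dst, policy=POLICY):
    """First class-map that matches or is undecidable from the log, else class-default."""
    for name, acl in policy:
        results = [ace_result(ace, proto, src, dst) for ace in acl]
        if True in results:
            return name, "matches"
        if None in results:
            return name, "undecidable: protocol not visible in log"
    return "class-default", "no ACE can match"
```

Run against the PASS line it reproduces the logged sdmgre match (ACE 10 of ACL 101); against the DROP line it reports that ACL 101 cannot match on source address and that only the protocol, which the log does not show, decides whether SDM_VPN applies before class-default.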