Cisco :: Getting Messages In ZBFW Logs On Test Router?
Apr 2, 2013
I'm getting below msgs in my ZBFW logs on my test router. .Apr 2 23:09:43: %FW-6-DROP_PKT: Dropping icmp session 115.186.192.153:0 10.40.2.100:0 on zone-pair ZP-OUTSIDE-INSIDE class class-default due to DROP action found in policy-map with ip ident 0
The bit I'm curious about is that I am NOT NAT-ting any ICMP. Hence why is the ZBFW even triggering against the LAN IP? It should only activate after NAT according to order of operations (and hence why unlike CBAC you put the inside local IP not the outside global IP).....
If the ICMP was directed at the WAN interface (not the 10.40.2.100 internal IP) then it is allowed, but morever even if blocked it should be logged against my WAN IP (which is publicly routable not a 10.x internal).
We use C2950G switches with IOS 12.1(22)EA12 . Switches are set up to send logs to a server (informationnal level). On this server, we receive many of logs from those switches, but none about interfaces errors (even if interfaces statistics show interfaces errors). On C3548 switches it's work fine.How should I be sure the set up of switches is correct ? Why do I never receive messages as %LINK-4-ERROR:[char] is experiencing errors ?
Aug 12 15:30:57.127 IST: %ENVIRONMENT-3-RPS_FAILED: Faulty internal power supply detected Aug 12 15:31:02.175 IST: %ENVIRONMENT-3-RPS_FAILED: Faulty internal power supply detected Aug 12 15:31:08.219 IST: %ENVIRONMENT-3-RPS_FAILED: Faulty internal power supply detected Aug 12 15:31:10.239 IST: %ENVIRONMENT-3-RPS_FAILED: Faulty internal power supply detected
there is no error messages related to PSU in "show env all " log .
here is show version - ------------------ show version ------------------
Cisco Internetwork Operating System Software IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA13, RELEASE SOFTWARE (fc2) Technical Support: [URL] Copyright (c) 1986-2009 by cisco Systems, Inc. [Code] ....
Question re: DIR-655; Hardware ver A4; Firmware version 1.32NA
During bandwidth tests to several sites (principally speedtest.net) I get ping times of 10-11 ms, download speeds of 12+ to 17+ mbps but failure on upload tests using my DIR-655.
When I bypass the 655 and test directly with my cable modem, all (including upload) tests work reliably and consistently.
I have swapped the two ethernet cables involved as well as replacing both with new cables but the results are the same (uploads fail with 655 and work without it)
I have seen several postings over the the last year with this same problem but have never seen any comment from D-Link, or a solution from any reader.
Not that it should have any bearing, but I have TA785GE-128M motherboard and am running Windows 7 (patch current) on COMCAST
is this problem acknowledged by D-Link and is there a solution?
I'm trying to run ZBFW on a 2811 with IOS version 15.3(T4) and I'm running into a strange issue I'm not quite sure how to troubleshoot.
I have 3 zones, internet, local, and ssl-vpn.The rules I'm trying to enforce are: all traffic from SSL-VPN can go to anywhere, anywhere can go to SSL-VPN. Anything originating from local can go out. Certain ports can come in for DMZ services (http, https, imap/s, pop3/s, submission).
After rebooting the router and applying f0/0 and tun0 to internet, f0/1 to local, and virtual-template 1 to ssl-vpn things work fine. But after a while I stop being able to connect to servers at the high end of the subnet. (I have .20 to .26 configured with the services, .20, .21 work fine always, .22 and up stop responding). Remove interfaces from the ZBFW, no problem at all. Apply ZBFW, traffic stops.
I'm seeing dropped sessions in the log on zone-pair local-to-internet , invalid flags with ip ident 0 which I think is outbound traffic attempted for no inbound inspect entry, but everything should be allowed out, and the traffic is to port 80 which is allowed by 'match protocol http' on the inbound policy.
Edited config attached (remove passwords and stuff) Last few log lines are at the bottom.
I have a 7204VXR NPE-400 running c7200-adventerprisek9-mz.124-24.T3.bin at the moment. This device is being used as a firewall between zones in a service provider network.
My issue is we have a lab device on the corporate side that needs to talk SCTP to the core device. Since there is no option to match SCTP in ACLs or protocol matching, I can't really get this to pass properly. What is the new IOS versions support SCTP? Any options to pass this traffic through the firewall?
OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside, those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside, still passes. I ended up just having to put an ACL on the interface
I already tried upgrading the IOS, that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if any reasons this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.
I can't find any specific information on the implementation of packet inspection in a zone based policy firewall. In other words, is there a specification or even just a set of values that define the default inspection parameters for all protocols? With DPI I can manage 'some' of the inspection capabilities but I have some fairly rigorous and specific requirements to meet and I need to validate that the IOS ZBFW will meet those requirements. Specifically, I'm interested in HTTP, DNS, and ICMP but all other protocols would be useful as well.I'm working with basic routers; 871's, 2811's, 1841's, etc. The IOS in use in most cases is adventerprisek9-mz.151-3.T.
I have noticed poe log messages in my cisco 857 router, looking around there is mention of a cosmetic ios bug pertaining to 877 router but not the 857. BUG - CSCsd68389. Why i am getting these errors on my 857?
001586: Oct 5 11:25:06.499 NZST: esw_dtc_ltc4258_reg_write: no acknowlege from POE 001587: Oct 5 11:25:06.499 NZST: esw_mrvl_pdc_hardware_config failed on slot 0/0 001601: Oct 5 13:06:29.879 NZST: esw_dtc_ltc4258_reg_write: no acknowlege from POE 001602: Oct 5 13:06:29.879 NZST: esw_mrvl_pdc_hardware_config failed on slot 0/0 001603: Oct 5 13:06:31.387 NZST: esw_dtc_ltc4258_reg_write: no acknowlege from POE 001604: Oct 5 13:06:31.387 NZST: esw_mrvl_pdc_hardware_config failed on slot 0/0
provide input on what these Traceback messages are and how they are caused:
*Mar 15 23:07:57.250: %SERVICE_MODULE-4-WICNOTREADY: Unit Serial0/1/0 not ready for next command -Traceback= 0x41173B5C 0x40371894 0x40371928 0x40371CE0 0x40372794 0x40369AF0 0x40382908 0x4037FEB4 0x4037FF80 0x41EF56B4 0x41EF95E4 0x41EEA51C 0x41F12B00 0x42183F44 0x42183F28*Mar 15 23:08:00.250: %SERVICE_MODULE-4-WICNOTREADY: Unit Serial0/1/0 not ready for next command -Traceback= 0x41173B5C 0x40371894 0x40371928 0x40371CE0 0x40372794 0x40369AF0 0x40382908 0x4037FEB4 0x4037FF80 0x41EF56B4 0x41EF95E4 0x41EEA51C 0x41F12B00 0x42183F44 0x42183F28*Mar 15 23:08:03.250: %SERVICE_MODULE-4-WICNOTREADY: Unit Serial0/1/0 not ready for next command -Traceback= 0x41173B5C 0x40371894 0x40371928 0x40371CE0 0x40372794 0x40369AF0 0x40382908 0x4037FEB4 0x4037FF80 0x41EF56B4 0x41EF95E4 0x41EEA51C 0x41F12B00 0x42183F44 0x42183F28.... and so on.
We recieved this for one of our routers. Rebooting it worked, so it's likely a software bug and we will upgrade the IOS soon, but I would like to understand what these log messages.
I have a Cisco 2901 which terminates a Class C address pool. I have split the Class C address pool into 3 sub-nets and 2 zones and created a non-addressable pool (private pool):
dmz-zone : x.x.x.0 TO x.x.x.127 (x.x.x.0/25) in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27) private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)
I have configured private-zone NAT to use address pool x.x.x.161 TO x.x.x.189 within the in-zone.
Within the:
dmz-zone - are servers for : DNS, Syslog, SIP & HTTP/HTTPS in-zone - is a SMTP mail server which is behind VPN Gateway/NAT, TomCat (Application Server) and PostgreSQL Server private-zone - is where all standard users are operating from and they can access the SIP & HTTP/HTTPS servers within dmz-zone My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTP server to redirect to in-zone TomCat server.
I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from dmz-zone server to in-zone server.However I cannot seem to get anything (including icmp) to work from dmz-zone to in-zone.
I have Policy:
POLICY-DMZ-IN (dmz-zone to in-zone) which has: any any udp/tcp inspect any any icmp inspect unmatched traffic DROP/LOG
But I still cannot get anything from dmz-zone to in-zone...Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?
NOTE: I have routing rules for each of various sub-nets and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works ok, so it appears problem is with ZBFW not routing table.
I purchased an ea6500 to replace a ea4500 about a week ago and in summary, I will be exercising the 30 return policy at the retailer, and probably never buy a cisco router again.not connected to router, and router not found messages appear alot.
Internet connectivity stops, unable to log into ea6500 completely frozen, but still routes to other LAN devices (like the SPI firewall i have the monitors network usage). then ranomdly comes back, and goes. can switch AP, and other will work, non-stop. is DEFINATELY ea6500.
sometimes I have to power cycle 6-7 times before it will maintain a wireless network that doesnt drop every 15-30 seconds.otherwise when i connect to the wireless, it log on for 10-15 seconds, then drops off and "Attempts" to reconnect.often stalls out, and crashs when USB external drive is connected at first. (again, power cycle 6-7 times to get to work properly)windows 7, and OS X 10.8 on 3 differant machines.
seems to connect better on the windows machines, and sometimes connecting with a windows machine allows apple ones to connect properly after... weird (OS X bugging up DHCP server? bacisally, when it goes down. it can take an hour to get my wireless back up, power cycle, and then see if its working proplerly, it usually isn't, try again... etc.
I am running two ASA 5520 routers synched up with eachother. I had a massive connectivity issue this weekend that I am investigating. Now I have figured out how to get the live logging but I need to know how to get the old logs from my router.
I have configured an Cisco 881 router in our lab with netflow commands and pointed to our network monitoring tool and I want to check if the tool can collect valid traffic statistics from this router (eg. utilization). The problem this router has nothing plugged into a production LAN that would potentially generate traffic to measure using this tool.
Is there a way to configure a Cisco router (ex. Cisco 881 router) to artificially generate network traffic to test that I have setup the monitoring tool correct to capture future utilization statistics?
I've noticed in the mornings lately when I get up around 6 am my internet will not work. Not on wireless or on my desktop. I decided I'd log into the router to see if there was a firmware update or anything. I had checked the logs and there are quite a few entries relating to DoS. I googled around and saw that it could be some sort of packet loss and the router is mistaking it for some sort of DoS attack. And that due to it not showing up multiple times every second it likely isn't a DoS attack. Here is a few from the logs:
I currently have a 802.11 G router of 54mbps (its claims its a super G 108 mbps tough). My notebooks have 802.11 N built in. Im thinking of upgrading my router to a 802.11 N 300mbps.However, I know that this may be irrelevant unless I have a internet conection that can achieve such speeds. So how do I test my internet speed to see if G is bottlenecking?
When I tried with Security disabled, I could FTP and see my drive from an external network. However, once I rite & Security is enabled with write and read "" granted with a user profile created, the FTP Client has some error message; Could it be due to mode in FTP settings? (passive is set)
I am trying to create a Script to reload my cisco 1941 router when a ping test has failed.I am using IP SLA to ping and tracking snmp oid. What I want to do is to stop the router from reloading after 4 times if the ping test is still failing . But when the ping are successful again to restart the applet. I have the reload configured but cannot figure out how to do the rest. [code]
I have got a l2 link of 512 kbps from two different ISP. I want to aggegrate the bandwidth of this connection so that I can feel like having 1 mbps connection. I am not actually talking about load balancing, but bandwidth/link aggegration. Can we have the solution of failover with different vlan from different isp ? Can we be able to make the link as a single link.
I have hardware version 2 and firmware 3.0.2.01 (latest firmware available for this hardware version I believe) and I cannot get it to email me logs. I have entered my outlook address and our SMTP server.
We are planning on moving towards MPLS. I want to test a MPLS capability with Cisco 1841 Router and a HWIC-4ESW. Is it possible to use the MPLS withe mentioned devices?
I am using Solawinds syslog and trying to get our Cisco routers send syslogs to our syslog server. I followed the procedure on Configuring Cisco Devices to Use a Syslog Server from [URL] Our Cisco swtches are all sending syslog messages but not the routers. I compared the config with our access switches but can't seem to find the problem:
Have a localhost site to test PayPal IPN which apparently requires router configuration to use port forwarding (or redirection) to send TCP traffic on public port 80 to my test machines private IP at a specified port.
A typical configuration might look like this:
Router NAT Port Redirection Rule TCP Public Port 80 --> 192.168.1.2 (Port 8888)
Where can I find reference to this in online documentation and where do I put this instruction?
I've a problem with the internet speed of my ADSL line(20Mega). Now I've the following components: D-link DSL-320 B (modem)+Cisco Linksys EA6500. If I start a Speed test the result its only 4M in download, while i remove the router and i connect my Pc directly to modem, the speed test results its 13-14M.
I did a simple speed test comparing my EA3500 and Linksys WRT54GL. I used DSL Reports for the test. I was quite shocked and am wondering if the difference is due to the poor wireless driver in the Classic firmware that was updated in the Cloud firmware. Here are my numbers: EA3500, Classic firmware Download average 475 kb/s Upload average 725 kb/sLinksys WRT54GL Ver 1.1 (latest firmware) Download average 3250 kb/s Upload 725 kb/s
Needless to say I have gone back to my trusty WRT54GL until Cisco decides if it will update the Classic firmware and give us 2nd class Cisco customers the same hardware the 1st class Cloud customers have. Time will tell.
I installed an E1200 router today. It automatically upgraded the firmware to the latest when I did this. Everything went smoothly.
I connected my desktop wired and my laptop wireless. I ran three different speed tests: Xfinity, speedtest, and cnet. All three showed 25-35 Mbps download and 4-5 Mbps upload. That is what my old router had too. So far, so good.
I ran the speed test that came with the E1200 router. It showed 0.30- 0.66 Mbps download and 0.58 - 2.09 Mbps upload. Note the decimal points!
Bottom line: The E1200 seems to be working fine, except that its internal speed test seems to be broken, at least when testing from a wired machine.
