Hi,

I have two 2821 routers with a policy-based firewall configured on them. There's an IPsec GRE tunnel configured between the routers.

The problem is that traffic can't pass through the tunnel (even though the tunnel is established). Here is a message from the logs:

===========
Nov 23 17:36:43 10.0.80.252 24385: rtr02.sj: [sys...@9 s_sn="22618" s_id="rtr02.sj:514" s_tc="1309483" s_dc="28318"]: 033999: .Nov 23 17:36:42.608 PST: %FW-6-DROP_PKT: Dropping Unknown-l4 session 207.211.80.190:0 143.127.138.34:0 on zone-pair sdm-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
===========

Router-A has IP address 207.211.80.190
Router-B has IP address 143.127.138.34

At the same time, I see messages like this in the logs:

============
Nov 23 17:45:01 10.0.80.252 24410: rtr02.sj: [sys...@9 s_sn="22643" s_id="rtr02.sj:514" s_tc="1309542" s_dc="28318"]: 034024: .Nov 23 17:45:00.681 PST: %FW-6-PASS_PKT: (target:class)-(sdm-zp-out-self:sdmgre) Passing Unknown-l4 pkt 143.127.138.34:0 => 207.211.80.190:0 with ip ident 0
============

Now, parts of the config from router-A (router-B is a mirror image of router-A):

-------------
rtr02.sj#show runn | sec zone
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
-------------
rtr02.sj#show runn | sec policy-map
policy-map type inspect sdm-permit
 class type inspect sdmgre
  pass
  log
 class type inspect SDM_VPN
  pass
  log
 class type inspect sdmself
  pass
  log
 class class-default
  drop
  log
-------------
rtr02.sj#show runn | sec class-map
class-map type inspect match-all sdmgre
 match access-group 101
class-map type inspect match-all SDM_VPN
 match access-group name SDM_VPN
-------------
rtr02.sj#show access-lists 101
Extended IP access list 101
    10 permit ip host 143.127.138.34 any (1132063 matches)
    20 permit gre host 143.127.138.34 any
    30 permit esp host 143.127.138.34 any
    40 permit ahp host 143.127.138.34 any
    50 permit udp host 143.127.138.34 eq isakmp any
--------------
rtr02.sj#show access-lists SDM_VPN
Extended IP access list SDM_VPN
    10 permit gre any any
    20 permit ahp any any
    30 permit esp any any
--------------

So, the DROP log message above is generated by this part of the policy-map:

 class class-default
  drop
  log

At the same time, the policy passes some traffic, as can be seen from the second log message. And if I replace 'drop' with 'pass' in 'class-default', everything works fine. For obvious reasons I don't want to do that.

My first question is, what is 'ip ident 0'?

My second question is, why is router-A skipping (for the most part) ACLs 101 and SDM_VPN and hitting 'class-default' when traffic is coming from router-B?

Any help is appreciated! Thank you!

--ivan

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
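An added example, not part of Ivan's post and not a Cisco tool: a small Python script that parses the two %FW-6-DROP_PKT / %FW-6-PASS_PKT lines quoted in the post and checks each logged packet against a model of the sdm-permit policy-map, its class-maps and the two ACLs as shown above. Assumptions made here: the policy is evaluated first-match in configured class order; the sdmself class-map is not shown in the post, so the model leaves it out; and because "Unknown-l4" does not say which L4 protocol the packet carried, the script tries a set of candidate protocols and reports which of them would reproduce the class the router actually logged. The helper names (parse_fw_log, classify, consistent_l4) and the sample log list are this script's own.

```python
"""Parse Cisco IOS zone-based firewall %FW-6-DROP_PKT / %FW-6-PASS_PKT syslog
lines and check each logged packet against a model of the sdm-permit policy.

Added example; not the poster's code or a Cisco tool. The policy/ACL model is
transcribed from the post; the sdmself class-map is not shown there and is
omitted (assumption). Helper names and the candidate protocol list are this
script's own.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the two IOS log lines quoted in the post, with the
# syslog relay prefix removed (re.search skips the IOS sequence/timestamp).
SAMPLE_LOGS = [
    "033999: .Nov 23 17:36:42.608 PST: %FW-6-DROP_PKT: Dropping Unknown-l4 "
    "session 207.211.80.190:0 143.127.138.34:0 on zone-pair sdm-zp-out-self "
    "class class-default due to DROP action found in policy-map with ip ident 0",
    "034024: .Nov 23 17:45:00.681 PST: %FW-6-PASS_PKT: (target:class)-"
    "(sdm-zp-out-self:sdmgre) Passing Unknown-l4 pkt 143.127.138.34:0 => "
    "207.211.80.190:0 with ip ident 0",
]

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<l4>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+) .*?ip ident (?P<ident>\d+)")
PASS_RE = re.compile(
    r"%FW-6-PASS_PKT: \(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\) "
    r"Passing (?P<l4>\S+) pkt (?P<src>[\d.]+):(?P<sport>\d+) => "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) with ip ident (?P<ident>\d+)")


def parse_fw_log(line):
    """Return action, zone-pair, class, 5-tuple and the 'ip ident' value of a
    ZBF log line, or None if the line is not a DROP_PKT/PASS_PKT message."""
    for action, rx in (("DROP", DROP_RE), ("PASS", PASS_RE)):
        m = rx.search(line)
        if m:
            pkt = m.groupdict()
            for k in ("sport", "dport", "ident"):
                pkt[k] = int(pkt[k])
            pkt["action"] = action
            return pkt
    return None


# ACL model: permit entries as (proto, src_net, src_port, dst_net, dst_port);
# None means "any" for a port, and proto 'ip' matches every L4 protocol.
ANY = ip_network("0.0.0.0/0")
B = ip_network("143.127.138.34/32")   # router-B's address, from the post
ACL_101 = [
    ("ip",  B, None, ANY, None),
    ("gre", B, None, ANY, None),
    ("esp", B, None, ANY, None),
    ("ahp", B, None, ANY, None),
    ("udp", B, 500,  ANY, None),      # 'eq isakmp' after the source = source port 500
]
ACL_SDM_VPN = [
    ("gre", ANY, None, ANY, None),
    ("ahp", ANY, None, ANY, None),
    ("esp", ANY, None, ANY, None),
]
# policy-map sdm-permit, classes in configured order; first match wins.
# The sdmself class-map is not in the post, so it is left out here.
POLICY_SDM_PERMIT = [("sdmgre", ACL_101, "pass"), ("SDM_VPN", ACL_SDM_VPN, "pass")]
CLASS_DEFAULT = ("class-default", "drop")


def acl_permits(acl, proto, src, sport, dst, dport):
    """True if any entry of the (permit-only) ACL model matches the packet."""
    s, d = ip_address(src), ip_address(dst)
    for e_proto, e_src, e_sport, e_dst, e_dport in acl:
        if e_proto not in ("ip", proto):
            continue
        if s not in e_src or d not in e_dst:
            continue
        if e_sport is not None and e_sport != sport:
            continue
        if e_dport is not None and e_dport != dport:
            continue
        return True
    return False


def classify(proto, src, sport, dst, dport, policy=POLICY_SDM_PERMIT):
    """Which class of the policy-map a packet lands in, and that class's action."""
    for name, acl, action in policy:
        if acl_permits(acl, proto, src, sport, dst, dport):
            return name, action
    return CLASS_DEFAULT


L4_CANDIDATES = ("gre", "esp", "ahp", "udp", "tcp", "icmp")


def consistent_l4(pkt, candidates=L4_CANDIDATES):
    """'Unknown-l4' hides the real protocol; return the candidates for which the
    model reproduces the class the router actually logged for this packet."""
    return [p for p in candidates
            if classify(p, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])[0] == pkt["cls"]]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        pkt = parse_fw_log(line)
        print(f"{pkt['action']:4} {pkt['src']} -> {pkt['dst']} zone-pair={pkt['zp']} "
              f"class={pkt['cls']} ident={pkt['ident']} "
              f"model agrees for L4 in {consistent_l4(pkt)}")
```

Feed it `show logging` output (or the relay's syslog file) line by line instead of SAMPLE_LOGS to see, for every logged DROP, which L4 protocols would even be able to reach a class other than class-default under the policy as transcribed; a DROP whose consistent-protocol list is empty means the model and the running config disagree, which is the first thing to recheck against the real class-maps before touching class-default.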