Cisco Bug: CSCvs43170 - [vManage] Firewall inspect/drop stat values are incorrect on device dashboard

Last Modified

Sep 29, 2020

Products (20)

  • Cisco Cloud Services Router 1000V Series
  • Cisco ASR 1000 Series IOS XE SD-WAN
  • Cisco 4221 Integrated Services Router
  • Cisco 1101 Industrial Integrated Services Router
  • Cisco 4331 Integrated Services Router
  • Cisco 4431 Integrated Services Router
  • Cisco ASR 1002-X Router
  • Cisco 4321 Integrated Services Router
  • Cisco ASR 1001-X Router
  • Cisco 4461 Integrated Services Router

Known Affected Releases

16.12.3, 17.2

Description (partial)

Symptom:
[vManage] Firewall inspect/drop stat values are incorrect on device dashboard

Conditions:
The firewall stats for Inspect sessions on vManage are:

tcp       icmp      udp
38934     7362      3531

But the stats on the device CLI are:
vm5#show policy-map type inspect zone-pair          
  Zone-pair: ZP_zone1_zone1_fw_policy 
  Service-policy inspect : fw_policy

    Class-map: fw_policy-seq-1-cm_ (match-all)  
      Match: access-group name fw_policy-seq-1-acl_
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [0:22]
        udp packets: [0:2]
        icmp packets: [0:6]

        Session creations since subsystem startup or last reset 3
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [3:0:0]
        Last session created 00:00:22
        Last statistic reset 00:01:36
        Last session creation rate 16
        Last half-open session total 0

    Class-map: class-default (match-any)  
      Match: any 
      Drop
        0 packets, 0 bytes

Findings from the XML (Fwall-zonepair-stats-1578603336.xml): the pkt count and byte count fields seem to be reversed, potentially causing the stats issue on vManage.
<record>
    <entry_time>1578603088908</entry_time>
    <type>
        zonepair
    </type>
    <zp_name>
        ZP_zone1_zone1_fw
    </zp_name>
    <src_zone_name>
        zone1
    </src_zone_name>
    <dst_zone_name>
        zone1
    </dst_zone_name>
    <policy_name>
        fw
    </policy_name>
    <zp_aggr_pkt_counts>241</zp_aggr_pkt_counts>
    <zp_aggr_byte_counts>2</zp_aggr_byte_counts>
</record>
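
A sanity check for the reversed-counter finding above, added here as an example (not Cisco's code): an aggregate byte count can never be lower than the packet count it belongs to, so any record that violates this is flagged as having suspect or swapped fields. The `<records>` wrapper, the second record and the function names are constructed for illustration; the first record reuses the values shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Record 1 carries the counters quoted in the bug text;
# record 2 and the <records> wrapper are invented for the example.
SAMPLE = """<records>
<record>
    <entry_time>1578603088908</entry_time>
    <zp_name>
        ZP_zone1_zone1_fw
    </zp_name>
    <zp_aggr_pkt_counts>241</zp_aggr_pkt_counts>
    <zp_aggr_byte_counts>2</zp_aggr_byte_counts>
</record>
<record>
    <entry_time>1578603090000</entry_time>
    <zp_name>ZP_constructed_ok</zp_name>
    <zp_aggr_pkt_counts>30</zp_aggr_pkt_counts>
    <zp_aggr_byte_counts>2520</zp_aggr_byte_counts>
</record>
</records>"""


def field(rec, tag):
    """Return the stripped text of a child element, or '' if it is absent."""
    node = rec.find(tag)
    return (node.text or "").strip() if node is not None else ""


def suspect_records(xml_text):
    """Return (zp_name, pkts, bytes) for every record whose counters are
    unparseable or break the invariant bytes >= packets."""
    flagged = []
    # iter() also matches the root, so a lone <record> document works too.
    for rec in ET.fromstring(xml_text).iter("record"):
        name = field(rec, "zp_name")
        try:
            pkts = int(field(rec, "zp_aggr_pkt_counts"))
            byts = int(field(rec, "zp_aggr_byte_counts"))
        except ValueError:
            flagged.append((name, None, None))  # missing or non-numeric counter
            continue
        if byts < pkts:  # every packet carries at least one byte
            flagged.append((name, pkts, byts))
    return flagged


if __name__ == "__main__":
    for name, pkts, byts in suspect_records(SAMPLE):
        print(f"{name}: pkts={pkts} bytes={byts} -> counters look swapped or invalid")
```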