Cisco Bug: CSCvu34381 - Packets are not dropped as expected in selfzone to zone vpn 0 firewall config
Sep 10, 2020
- Cisco XE SD-WAN Routers
Known Affected Releases
17.3, 17.3.1, Amsterdam-17.2.1r
Symptom:
Use case: allow only UDP packets (overlay) from Self to Zone0 (VPN 0), with action inspect so that the return packets of the overlay connection are allowed. No other protocol packets should be allowed from Zone0 to Self.
Config used:
- Rule1: match UDP, action inspect (to allow SD-WAN control packets and BFD packets)
- Default action: drop
- Zone pair: Self to Zone0 with the above policy rules (no zone pair configured for Zone0 to Self)
With the above config, a ping from Zone0 to the Self zone should be dropped by the cEdge. But when a ping is attempted, the packets are allowed, with random drops.
Conditions: IOS XE router running an SD-WAN image where the zone-based firewall is configured with a zone pair for Self to Zone 0 (global VPN) and no zone pair created for Zone 0 (global VPN) to Self.
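The configuration described in the symptom, as an added example written in IOS XE zone-based firewall CLI rather than the vManage policy the bug was reported against; the class-map, policy-map, zone-pair and interface names are assumed, and the show commands at the end are the checks an operator would run to confirm that only UDP sessions exist and that an ICMP echo from VPN 0 to the router gets no reply:

```cisco
! Added example, not from the bug record. Names CM_UDP, PM_SELF_TO_ZONE0,
! ZP_SELF_TO_ZONE0, zone "zone0" and GigabitEthernet1 are assumed.
!
! Rule1: match UDP, action inspect (SD-WAN control connections and BFD are UDP)
class-map type inspect match-any CM_UDP
 match protocol udp
!
! Default action: drop everything that is not UDP
policy-map type inspect PM_SELF_TO_ZONE0
 class type inspect CM_UDP
  inspect
 class class-default
  drop
!
! zone0 stands for VPN 0 (transport); "self" is the router's own control plane.
zone security zone0
!
interface GigabitEthernet1
 zone-member security zone0
!
! Only the self -> zone0 direction is paired. Return packets of inspected UDP
! sessions are admitted by state; the bug record expects any other zone0 -> self
! packet (ICMP echo, for instance) to be dropped because no zone0 -> self pair exists.
zone-pair security ZP_SELF_TO_ZONE0 source self destination zone0
 service-policy type inspect PM_SELF_TO_ZONE0
!
! Checks: the session table should list UDP sessions only, and the policy
! attached to the zone pair should match the intent above.
! show policy-firewall sessions
! show policy-firewall config
```

On an affected release, a ping from a VPN 0 peer to the transport address is answered intermittently even though no zone0 to self session exists; on a correct build it is not answered at all.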