Cisco Bug: CSCvu34381 - Packets are not dropped as expected in selfzone to zone vpn 0 firewall config

Last Modified

Sep 10, 2020

Products (1)

  • Cisco XE SD-WAN Routers

Known Affected Releases

17.3 17.3.1 Amsterdam-17.2.1r

Description (partial)

Symptom:
Use case: allow only UDP packets (overlay) from Self to Zone0 (vpn 0), with action inspect so that the return packets of the overlay connection are allowed. No other protocol packets should be allowed from Zone0 to Self.

Config used:
Rule1 - Match UDP - Action Inspect (to allow SD-WAN control packets and BFD packets)
Default action - Drop
Zone pair: Self to Zone0 with the above policy rules. (No zone pair configured for Zone0 to Self.)

With the above config, ping should be dropped by the cEdge for Zone0 to Self zone. But when trying ping, packets are allowed, with random drops.

Conditions:
IOS XE router running an SD-WAN image where zone-based firewall is configured with a zone pair for Self to Zone 0 (global VPN) and no zone pair created for Zone 0 (global VPN) to Self.
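The configuration described above, written out as a plain IOS XE zone-based firewall fragment so the affected setup can be reproduced and checked. This is an added illustration, not configuration from the bug report or from Cisco; the class-map, policy-map, zone and interface names are assumed, and on a cEdge the equivalent lines are normally generated from a vManage security policy rather than typed by hand.

```cisco
! Rule1: match UDP (overlay control and BFD), action inspect
! (class-map name is assumed)
class-map type inspect match-any CM-SELF-TO-ZONE0-UDP
 match protocol udp
!
! Policy: inspect UDP, drop everything else (the "Default action - Drop")
! (policy-map name is assumed)
policy-map type inspect PM-SELF-TO-ZONE0
 class type inspect CM-SELF-TO-ZONE0-UDP
  inspect
 class class-default
  drop
!
! Zone holding the VPN 0 (global VPN) WAN interface (zone and interface names assumed)
zone security ZONE0
!
interface GigabitEthernet1
 zone-member security ZONE0
!
! The only zone pair: Self -> ZONE0 with the policy above
zone-pair security ZP-SELF-ZONE0 source self destination ZONE0
 service-policy type inspect PM-SELF-TO-ZONE0
!
! Deliberately no "zone-pair security ... source ZONE0 destination self":
! this is the condition under which the report sees ICMP toward the router
! being allowed with random drops instead of being dropped.
!
! Checks: "show zone-pair security" should list only ZP-SELF-ZONE0, and a ping
! from a ZONE0-side host to the router's VPN 0 address shows whether replies
! are dropped as the report expects.
```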