Cisco Bug: CSCvu85445 - Cisco IOS XE SD-WAN device ZBFW not blocking amazon-web-services when action item is inspected

Last Modified

Aug 24, 2020

Products (1)

  • Cisco XE SD-WAN Routers

Known Affected Releases

17.2.1r

Description (partial)

Symptom:
Amazon-web services for some flows are not getting detected when traffic is passing through cEdge device

Conditions:
NBAR is classifying the application correctly for some packets, but not for all. User is able to open 

Path Trace
  Feature: IPV4(Input)
    Input       : GigabitEthernet0/0/0
    Output      : <unknown>
    Source      : 192.168.30.30
    Destination : 192.168.10.1
    Protocol    : 6 (TCP)
      SrcPort   : 36506
      DstPort   : 443

  Feature: NBAR
    Packet number in flow: 25
    Classification state: Final
    Classification name: amazon-web-services
    Classification ID: [CANA-L7:603]
    Classification source: Unknown
    Number of matched sub-classifications: 0
    Number of extracted fields: 0
    Is PA (split) packet: False
    TPH-MQC bitmask value: 0x4
    Is optimize packet: False
    Is allow packet: False


BR3-cEdge-1_Template#show ip nbar protocol-id | in amazon-web
amazon-web-services                                   603           L7 STANDARD

For some flows action is forward:

Summary
  Input     : GigabitEthernet0/0/0
  Output    : GigabitEthernet0/0/1
  State     : FWD
Path Trace
  Feature: IPV4(Input)
    Input       : GigabitEthernet0/0/0
    Output      : <unknown>
    Source      : 192.168.30.30
    Destination : 192.168.20.1
    Protocol    : 6 (TCP)
      SrcPort   : 44516
      DstPort   : 443

  Feature: NBAR
    Packet number in flow: 1
    Classification state: Not final                     << NBAR unable to classify this flow
    Classification name: unknown
    Classification ID: [CANA-L7:1]                  
    Classification source: Unknown
    Number of matched sub-classifications: 0
    Number of extracted fields: 0
    Is PA (split) packet: False
    TPH-MQC bitmask value: 0x0
    Is optimize packet: False
    Is allow packet: False
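The two traces above show the pattern behind the symptom: one flow reaches a Final classification of amazon-web-services, the other is left "Not final"/unknown and is nonetheless in state FWD. The following Python script is an added example (not Cisco's code and not part of the bug record) that parses path-trace output in the format quoted above and lists flows without a final NBAR classification, which is exactly the set of flows an application-based ZBFW inspect rule cannot have matched. The constructed input `SAMPLE_TRACE`, the names `FlowTrace`, `parse_path_traces` and `find_unclassified`, and the assumption that a `Summary` block, when present, directly precedes its `Path Trace` block are all mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input (hypothetical): the two path-trace excerpts quoted in
# the bug record, retyped with only the fields this script reads. The "<<" note
# is kept to show that inline annotations are tolerated.
SAMPLE_TRACE = """\
Path Trace
  Feature: IPV4(Input)
    Source      : 192.168.30.30
    Destination : 192.168.10.1
    Protocol    : 6 (TCP)
      SrcPort   : 36506
      DstPort   : 443
  Feature: NBAR
    Packet number in flow: 25
    Classification state: Final
    Classification name: amazon-web-services
Summary
  Input     : GigabitEthernet0/0/0
  Output    : GigabitEthernet0/0/1
  State     : FWD
Path Trace
  Feature: IPV4(Input)
    Source      : 192.168.30.30
    Destination : 192.168.20.1
    Protocol    : 6 (TCP)
      SrcPort   : 44516
      DstPort   : 443
  Feature: NBAR
    Packet number in flow: 1
    Classification state: Not final                     << NBAR unable to classify this flow
    Classification name: unknown
"""


@dataclass
class FlowTrace:
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    packet_number: Optional[int]   # position of the traced packet within its flow
    nbar_state: Optional[str]      # "Final" / "Not final"
    nbar_name: Optional[str]       # application name, "unknown" if none
    fwd_state: Optional[str]       # "FWD" etc. from a preceding Summary block

    def nbar_final(self) -> bool:
        """True only when NBAR reached a final, non-unknown classification."""
        return self.nbar_state == "Final" and self.nbar_name not in (None, "unknown")


def _field(block: Optional[str], name: str) -> Optional[str]:
    """Value of 'name : value' inside block; trailing '<< ...' notes are dropped."""
    if block is None:
        return None
    m = re.search(rf"^\s*{re.escape(name)}\s*:\s*(.*)$", block, flags=re.M)
    return m.group(1).split("<<")[0].strip() if m else None


def _records(text: str) -> List[Tuple[Optional[str], str]]:
    """Pair each 'Path Trace' block with the 'Summary' block preceding it, if any."""
    parts = re.split(r"^(Summary|Path Trace)\s*$", text, flags=re.M)
    records, summary = [], None
    for header, body in zip(parts[1::2], parts[2::2]):
        if header == "Summary":
            summary = body
        else:
            records.append((summary, body))
            summary = None
    return records


def parse_path_traces(text: str) -> List[FlowTrace]:
    def to_int(v: Optional[str]) -> Optional[int]:
        return int(v) if v is not None and v.isdigit() else None
    traces = []
    for summary, body in _records(text):
        traces.append(FlowTrace(
            src=_field(body, "Source"),
            dst=_field(body, "Destination"),
            proto=_field(body, "Protocol"),
            src_port=to_int(_field(body, "SrcPort")),
            dst_port=to_int(_field(body, "DstPort")),
            packet_number=to_int(_field(body, "Packet number in flow")),
            nbar_state=_field(body, "Classification state"),
            nbar_name=_field(body, "Classification name"),
            fwd_state=_field(summary, "State"),
        ))
    return traces


def find_unclassified(traces: List[FlowTrace]) -> List[FlowTrace]:
    """Flows with no final NBAR classification. An application-based ZBFW rule
    cannot have matched these, so a forwarded (FWD) flow here is the case to check."""
    return [t for t in traces if not t.nbar_final()]


if __name__ == "__main__":
    for t in find_unclassified(parse_path_traces(SAMPLE_TRACE)):
        print(f"{t.src}:{t.src_port} -> {t.dst}:{t.dst_port} pkt#{t.packet_number} "
              f"nbar={t.nbar_name!r} state={t.nbar_state!r} forwarding={t.fwd_state}")
```

Run against a dump of several traced packets from the same device, the script separates flows that reached a final classification from those that did not; the `packet_number` field matters when reading the result, because a low packet number with "Not final" is NBAR still working, whereas a late packet that is still unclassified is the condition this record describes.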