Cisco Bug: CSCvv21721 - With data-policy config. sdwan fwding api returns wrong ingress vpn to FW leading to drop pkt

Last Modified

Sep 03, 2020

Products (1)

  • Cisco XE SD-WAN Routers

Known Affected Releases


Description (partial)

The packet trace shows "FirewallInvalidZone" and "Input VPN ID           : 65535", which is an invalid VPN ID:

Feature: ZBFW
    Action  : Drop
    Reason  : Firewall invalid zone
    Zone-pair name         : N/A
    Class-map name         : N/A
    Input interface        : Tunnel1
    Egress interface       : Vlan301
    Input VPN ID           : 65535
    Ouput VPN ID           : 1
    AVC Classification ID  : 0
    AVC Classification name: N/A

This only happens if the ZBFW policy is in place along with the BACKHAUL Data Policy.
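
A triage check for the symptom described above, as an added example that is not Cisco's code: it parses saved packet-trace text and flags ZBFW blocks that show the drop with Input VPN ID 65535. The function names and the second (forwarded) trace block are constructed for illustration; the first block is the trace from this page.

```python
import re

INVALID_VPN_ID = 65535  # value this page's trace reports as the invalid VPN ID

# Sample input: first block is the trace from this page, second is a constructed
# forwarded entry for contrast (its values are made up).
SAMPLE_TRACE = """\
Feature: ZBFW
    Action  : Drop
    Reason  : Firewall invalid zone
    Zone-pair name         : N/A
    Class-map name         : N/A
    Input interface        : Tunnel1
    Egress interface       : Vlan301
    Input VPN ID           : 65535
    Ouput VPN ID           : 1
    AVC Classification ID  : 0
    AVC Classification name: N/A
Feature: ZBFW
    Action  : Fwd
    Zone-pair name         : ZP_EXAMPLE
    Input interface        : Tunnel1
    Egress interface       : Vlan301
    Input VPN ID           : 0
    Ouput VPN ID           : 1
"""

def parse_zbfw_blocks(text):
    """Return one dict of lower-cased 'key: value' fields per 'Feature: ZBFW' block."""
    blocks, current = [], None
    for line in text.splitlines():
        if re.match(r"\s*Feature\s*:\s*ZBFW\s*$", line):
            current = {}
            blocks.append(current)
        elif re.match(r"\s*Feature\s*:", line):
            current = None  # block of some other feature: skip its fields
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[" ".join(key.split()).lower()] = value.strip()
    return blocks

def matches_symptom(block):
    """True when a block shows the invalid-zone drop with the invalid input VPN ID."""
    return (block.get("action", "").lower() == "drop"
            and "invalid zone" in block.get("reason", "").lower()
            and block.get("input vpn id") == str(INVALID_VPN_ID))

def find_symptom(text):
    """Return every ZBFW block in the trace text that matches the symptom."""
    return [b for b in parse_zbfw_blocks(text) if matches_symptom(b)]
```

Each returned dict keeps the block's interface fields, so a hit can be reported as the input and egress interface pair that dropped traffic.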