Cisco Bug: CSCvv78486 - IOS Zone-based Firewall configuration causing Crashes

Last Modified

Oct 12, 2020

Products (1)

  • Cisco 2600 Series Multiservice Platforms

Known Affected Releases

15.7(3.0z)M6

Description (partial)

Symptom:
A Cisco 2951 shows repeated crashes after zone-based firewall configuration is enabled.

Symptoms: A 2951 router running IOS version 15.7(3)M6 crashes repeatedly after zone-based firewall configuration is enabled. Each crash generates a crashinfo file. Around the time of the crash, the following logs and tracebacks are seen.

May 13 02:40:05: %FW-6-DROP_PKT: Dropping tcp session 67.133.56.2:22 173.11.2.93:60580 on zone-pair ccp-zp-self-out class ccp-icmp-access due to  Invalid Flags with ip ident 18602 
May 13 02:40:36: %FW-6-DROP_PKT: Dropping tcp session 10.20.0.8:42945 52.216.171.179:80  due to  Stray Segment with ip ident 0 
May 13 02:41:06: %FW-6-DROP_PKT: Dropping tcp session 172.16.0.65:443 192.168.23.227:63360  due to  Stray Segment with ip ident 0 
May 13 02:41:37: %FW-6-DROP_PKT: Dropping udp session 73.96.98.129:63775 67.133.56.2:443    with ip ident 0 
May 13 02:42:07: %FW-6-DROP_PKT: Dropping tcp session 10.20.21.120:49932 10.10.10.78:7680  due to  No zone-pair between zones with ip ident 54571 
May 13 02:42:37: %FW-6-DROP_PKT: Dropping tcp session 10.10.10.5:46696 146.112.255.155:443 on zone-pair ccp-zp-pf-out class ccp-protocol-http due to  Stray Segment with ip ident 41375 
May 13 02:43:07: %FW-6-DROP_PKT: Dropping udp session 10.10.10.78:60844 172.16.0.21:161 on zone-pair PFtoRMI class class-default due to  DROP action found in policy-map with ip ident 59120 
May 13 02:43:37: %FW-6-DROP_PKT: Dropping tcp session 192.168.23.227:63684 172.16.0.41:443 on zone-pair sdm-zp-VPNOutsideToInside-1 class sdm-cls-VPNOutsideToInside-1 due to  Stray Segment with ip ident 3146 
May 13 02:44:07: %FW-6-DROP_PKT: Dropping udp session 10.10.10.78:60844 172.16.0.21:161 on zone-pair PFtoRMI class class-default due to  DROP action found in policy-map with ip ident 59123 
May 13 02:44:38: %FW-6-DROP_PKT: Dropping tcp session 10.10.10.69:62919 10.20.21.153:7680  due to  No zone-pair between zones with ip ident 28227 
May 13 02:45:08: %FW-6-DROP_PKT: Dropping udp session 172.16.1.184:58390 10.20.21.45:65516 on zone-pair StafftoAgent class class-default due to  DROP action found in policy-map with ip ident 5960 
May 13 02:45:38: %FW-6-DROP_PKT: Dropping udp session 172.16.1.184:58404 10.20.21.45:65516 on zone-pair StafftoAgent class class-default due to  DROP action found in policy-map with ip ident 6012 
May 13 02:46:08: %FW-6-DROP_PKT: Dropping tcp session 192.168.23.227:64264 172.16.5.201:8080 on zone-pair sdm-zp-VPNOutsideToInside-1 class sdm-cls-VPNOutsideToInside-1 due to  Stray Segment with ip ident 59480 
May 13 02:46:15: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 68.185.14.90' to manually clear IPSec SA's covered by this IKE SA.
May 13 02:46:39: %FW-6-DROP_PKT: Dropping udp session 10.10.10.84:58896 172.16.0.21:161 on zone-pair PFtoRMI class class-default due to  DROP action found in policy-map with ip ident 42434 
May 13 02:47:09: %FW-6-DROP_PKT: Dropping udp session 172.16.1.184:58488 10.20.21.45:65516 on zone-pair StafftoAgent class class-default due to  DROP action found in policy-map with ip ident 6191 
May 13 02:47:39: %FW-6-DROP_PKT: Dropping tcp session 172.27.0.151:80 172.16.0.72:62308  due to  RST inside current window with ip ident 0 
May 13 02:48:10: %FW-6-DROP_PKT: Dropping udp session 172.16.1.184:61683 10.20.21.45:65516 on zone-pair StafftoAgent class class-default due to  DROP action found in policy-map with ip ident 6297 
May 13 02:48:40: %FW-6-DROP_PKT: Dropping udp session 172.16.1.184:61725 10.20.21.45:65516 on zone-pair StafftoAgent class class-default due to  DROP action found in policy-map with ip ident 6357 
May 13 02:49:11: %FW-6-DROP_PKT: Dropping udp session 172.16.2.241:53948 10.10.10.21:161 on zone-pair RMItoPF class class-default due to  DROP action found in policy-map with ip ident 61408 
May 13 02:49:42: %FW-6-DROP_PKT: Dropping tcp session 10.20.0.76:63628 172.16.1.58:7680 on zone-pair AgenttoStaff class class-default due to  DROP action found in policy-map with ip ident 62613 
May 13 02:50:12: %FW-6-DROP_PKT: Dropping tcp session 10.10.10.69:62950 10.20.21.158:7680  due to  No zone-pair between zones with ip ident 51739 
May 13 02:50:42: %FW-6-DROP_PKT: Dropping udp session 172.16.1.184:63607 10.20.21.45:65516 on zone-pair StafftoAgent class class-default due to  DROP action found in policy-map with ip ident 6587 
May 13 02:51:12: %FW-6-DROP_PKT: Dropping udp session 10.10.10.15:61289 172.16.0.27:161 on zone-pair PFtoRMI class class-default due to  DROP action found in policy-map with ip ident 14275 
May 13 02:51:42: %FW-6-DROP_PKT: Dropping tcp session 10.20.0.76:63634 172.16.1.13:7680 on zone-pair AgenttoStaff class class-default due to  DROP action found in policy-map with ip ident 34410 
May 13 02:52:12: %FW-6-DROP_PKT: Dropping udp session 10.10.10.15:61289 172.16.0.27:161 on zone-pair PFtoRMI class class-default due to  DROP action found in policy-map with ip ident 14390 
May 13 02:52:43: %FW-6-DROP_PKT: Dropping tcp session 10.10.10.83:51995 10.20.0.62:7680  due to  No zone-pair between zones with ip ident 24676 
May 13 02:53:13: %FW-6-DROP_PKT: Dropping icmp session 209.166.137.205:0 172.16.0.61:0 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to  DROP action found in policy-map with ip ident 19217 
May 13 02:53:43: %FW-6-DROP_PKT: Dropping udp session 172.16.1.184:62159 10.20.21.45:65516 on zone-pair StafftoAgent class class-default due to  DROP action found in policy-map with ip ident 6922 
May 13 02:54:13: %FW-6-DROP_PKT: Dropping tcp session 192.168.122.80:48238 172.16.0.61:8080 on zone-pair sdm-zp-VPNOutsideToInside-1 class sdm-cls-VPNOutsideToInside-1 due to  Invalid Flags with ip ident 37942 
CMD: 'system_profiler SPSoftwareDataType SPHardwareDataType SPNetworkLocationDataType -xml' 02:54:19 Pacific Wed May 13 2020
CMD: 'exit' 02:54:19 Pacific Wed May 13 2020
May 13 02:54:43: %FW-6-DROP_PKT: Dropping tcp session 172.16.1.173:49421 10.10.10.84:7680 on zone-pair RMItoPF class class-default due to  DROP action found in policy-map with ip ident 30531 

 02:54:48 Pacific Wed May 13 2020: Unexpected exception to CPU: vector 300, PC = 0x4155D78 , LR = 0x4155D10 

-Traceback= 0x4155D78z 0x4152EA8z 0x4150B44z 0xB086910z 0xB0D6464z 0xB097020z 0xB07DB64z 0xB075664z 0xB082564z 0x609B73Cz 0x40D7BFCz 0x4AE870Cz 0x4AD4E3Cz 0x4A1C31Cz 0x4AD4014z 0x4A1AAE8z

Conditions:
Running config on the device has zone based firewall configuration enabled.
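As an added example, not part of this bug record and not Cisco tooling: a small Python parser for the %FW-6-DROP_PKT messages quoted above. It extracts protocol, endpoints, zone-pair, class and drop reason from each line, tallies drops by reason and by zone-pair, and picks out the "Unexpected exception to CPU" line and its traceback so the drops logged in the seconds before the exception can be reviewed alongside it. The sample lines are copied from the log above (the CRYPTO line is included to show that non-matching messages are skipped); the function names and the 60-second window are assumptions of this example.

```python
"""Summarise IOS zone-based firewall %FW-6-DROP_PKT messages and flag crash markers.

Added example, not Cisco's code. The sample log below is copied from the
bug description; nothing here infers a cause for the crash, it only puts
the firewall drop activity and the exception/traceback side by side.
"""
import re
from collections import Counter
from datetime import datetime

# Three shapes appear in the log: with "on zone-pair X class Y", with only a
# "due to" reason, and with neither (plain "with ip ident N").
DROP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d): %FW-6-DROP_PKT: "
    r"Dropping (?P<proto>\w+) session (?P<src>\S+) (?P<dst>\S+)\s+"
    r"(?:on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+)\s+)?"
    r"(?:due to\s+(?P<reason>.+?)\s+)?"
    r"with ip ident (?P<ident>\d+)\s*$"
)
EXCEPTION_RE = re.compile(
    r"(?P<tod>\d\d:\d\d:\d\d) \S+ \w{3} \w{3} \d{1,2} \d{4}: "
    r"Unexpected exception to CPU: vector (?P<vector>\d+), "
    r"PC = (?P<pc>0x[0-9A-Fa-f]+)\s*, LR = (?P<lr>0x[0-9A-Fa-f]+)"
)
TRACEBACK_RE = re.compile(r"^-Traceback=\s*(?P<addrs>.*)$")

# Sample input copied from the bug description above (trailing spaces removed).
SAMPLE_LOG = """\
May 13 02:40:05: %FW-6-DROP_PKT: Dropping tcp session 67.133.56.2:22 173.11.2.93:60580 on zone-pair ccp-zp-self-out class ccp-icmp-access due to  Invalid Flags with ip ident 18602
May 13 02:40:36: %FW-6-DROP_PKT: Dropping tcp session 10.20.0.8:42945 52.216.171.179:80  due to  Stray Segment with ip ident 0
May 13 02:41:37: %FW-6-DROP_PKT: Dropping udp session 73.96.98.129:63775 67.133.56.2:443    with ip ident 0
May 13 02:42:07: %FW-6-DROP_PKT: Dropping tcp session 10.20.21.120:49932 10.10.10.78:7680  due to  No zone-pair between zones with ip ident 54571
May 13 02:43:07: %FW-6-DROP_PKT: Dropping udp session 10.10.10.78:60844 172.16.0.21:161 on zone-pair PFtoRMI class class-default due to  DROP action found in policy-map with ip ident 59120
May 13 02:46:15: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 68.185.14.90' to manually clear IPSec SA's covered by this IKE SA.
May 13 02:54:13: %FW-6-DROP_PKT: Dropping tcp session 192.168.122.80:48238 172.16.0.61:8080 on zone-pair sdm-zp-VPNOutsideToInside-1 class sdm-cls-VPNOutsideToInside-1 due to  Invalid Flags with ip ident 37942
May 13 02:54:43: %FW-6-DROP_PKT: Dropping tcp session 172.16.1.173:49421 10.10.10.84:7680 on zone-pair RMItoPF class class-default due to  DROP action found in policy-map with ip ident 30531
 02:54:48 Pacific Wed May 13 2020: Unexpected exception to CPU: vector 300, PC = 0x4155D78 , LR = 0x4155D10
-Traceback= 0x4155D78z 0x4152EA8z 0x4150B44z 0xB086910z 0xB0D6464z 0xB097020z 0xB07DB64z 0xB075664z 0xB082564z 0x609B73Cz 0x40D7BFCz 0x4AE870Cz 0x4AD4E3Cz 0x4A1C31Cz 0x4AD4014z 0x4A1AAE8z
"""


def parse_drop(line):
    """Return a dict for one %FW-6-DROP_PKT line, or None for any other line."""
    m = DROP_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reason"] = rec["reason"] or "(no reason given)"
    rec["zone_pair"] = rec["zone_pair"] or "(no zone-pair)"
    rec["ident"] = int(rec["ident"])
    rec["tod"] = rec["ts"].split()[-1]  # time of day, used for the crash window
    return rec


def parse_crash(lines):
    """Return (exception dict or None, traceback address list) from the log."""
    exc, trace = None, []
    for line in lines:
        m = EXCEPTION_RE.search(line)
        if m:
            exc = {"tod": m["tod"], "vector": int(m["vector"]), "pc": m["pc"], "lr": m["lr"]}
        m = TRACEBACK_RE.match(line.strip())
        if m:
            trace = [a.rstrip("z") for a in m["addrs"].split()]  # IOS appends 'z' to each frame
    return exc, trace


def _seconds(tod):
    t = datetime.strptime(tod, "%H:%M:%S")
    return t.hour * 3600 + t.minute * 60 + t.second


def summarize(lines, window_seconds=60):
    """Tally drops and list those logged within window_seconds before the exception."""
    drops = [r for r in (parse_drop(l) for l in lines) if r]
    exc, trace = parse_crash(lines)
    summary = {
        "total_drops": len(drops),
        "by_reason": Counter(r["reason"] for r in drops),
        "by_zone_pair": Counter(r["zone_pair"] for r in drops),
        "exception": exc,
        "traceback": trace,
        "drops_before_exception": [],
    }
    if exc:
        t_crash = _seconds(exc["tod"])  # same-day assumption: the log carries no date per line
        summary["drops_before_exception"] = [
            r for r in drops if 0 <= t_crash - _seconds(r["tod"]) <= window_seconds
        ]
    return summary


def analyze_sample():
    return summarize(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    s = analyze_sample()
    print("drops:", s["total_drops"], dict(s["by_reason"]))
    print("exception:", s["exception"], "frames:", len(s["traceback"]))
    for r in s["drops_before_exception"]:
        print("  before crash:", r["tod"], r["proto"], r["src"], "->", r["dst"], r["reason"])
```

Run it against a full crashinfo or syslog export instead of SAMPLE_LOG to get the same summary for a real incident; the per-zone-pair counts are the quickest way to see whether one policy map was under unusual load before the exception.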