Re: Viewing IOS ZBF inspect drops

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Sat, 4 Feb 2012 22:27:07 +0100

Hi,

The command is 'ip inspect log drop-pkt'. In addition to that, it is very
useful to enable Audit-Trail via parameter-map and apply it to your policy.

Regards,

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
2012/2/4 Bogdan Sass <bogd.no.spam_at_gmail.com>
>    I've been working on some ZBF labs, and I was wondering - is there a
> show or debug command that can allow me to see why a packet is being
> dropped by inspection?
>
>    For example, in my case, I was trying to troubleshoot a scenario where
> I couldn't ping the router due to inspection being activated.
>
>    R1-------R2
>
>    On R2, I had inspection configured for icmp traffic going from the self
> zone to inside (R1), but nothing for the inside to self zone (which means
> that all traffic is allowed). However, when pinging from R1 to R2, I could
> see the pings going to R2 and the replies being generated, but those
> replies never made it back to R1.
>    I assumed that this was because the icmp inspection was seeing replies
> without first seeing the corresponding requests - and sure enough, once I
> changed the "inspect" to "pass", the pings started working.
>
>    This brings me back to my original question - is there a way to monitor
> this? I miss the detailed logging on the ASA, where I can see every single
> packet drop (and the reason) :)
>
>    Thank you,
>
> --
> Bogdan Sass
> CCSP, LPIC-1, VCP5, CCIE #22221 (RS)
> Information Systems Security Professional
> "Curiosity was framed - ignorance killed the cat"
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
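A worked IOS configuration for the two things Piotr points at, the global drop logging command and an audit-trail parameter-map applied to the inspect policy, added here as an illustration; it is not taken from either post. It assumes Bogdan's lab topology (R2 with one zone facing R1) and uses constructed names (AUDIT, ICMP-CLASS, SELF-TO-INSIDE, INSIDE, GigabitEthernet0/0) that do not appear in the thread.

```cisco
! Global command from the reply: log every packet that ZBF inspection drops,
! with the reason, to the configured logging destination.
ip inspect log drop-pkt
!
! Audit trail via parameter-map: a syslog record when each inspected session
! opens and closes (addresses, ports, byte counts), so you can see which
! flows were actually matched by inspection and which never created a session.
parameter-map type inspect AUDIT
 audit-trail on
!
class-map type inspect match-any ICMP-CLASS
 match protocol icmp
!
! The parameter-map is attached to the inspect action inside the policy-map;
! unmatched traffic in class-default is dropped and logged as well.
policy-map type inspect SELF-TO-INSIDE
 class type inspect ICMP-CLASS
  inspect AUDIT
 class class-default
  drop log
!
zone security INSIDE
!
interface GigabitEthernet0/0
 description link to R1 (assumed interface)
 zone-member security INSIDE
!
zone-pair security SELF-TO-INSIDE source self destination INSIDE
 service-policy type inspect SELF-TO-INSIDE
!
! Drop and audit-trail messages are informational-level syslog; make sure the
! logging buffer keeps them so 'show logging' has something to show.
logging buffered 65536 informational
```

With this in place, a reply that inspection drops shows up in 'show logging' with the drop reason, and 'show policy-map type inspect zone-pair SELF-TO-INSIDE sessions' shows which sessions the inspect action has open. In the scenario from the question, the replies are dropped precisely because no session exists for them; rather than downgrading the self-to-inside action to 'pass', the usual ZBF fix is to inspect the same ICMP class on the inside-to-self zone-pair too, so the request opens a session that the reply then matches. On newer IOS releases the global command is replaced by 'log dropped-packets enable' under 'parameter-map type inspect global'.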
Received on Sat Feb 04 2012 - 22:27:07 ART

This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 11:46:56 ART