I've been working on some ZBF labs, and I was wondering - is there
a show or debug command that can allow me to see why a packet is being
dropped by inspection?
For example, in my case, I was trying to troubleshoot a scenario
where I couldn't ping the router due to inspection being activated.
R1-------R2
On R2, I had inspection configured for ICMP traffic going from the
self zone to inside (R1), but nothing for the inside to self zone (which
means that all traffic is allowed). However, when pinging from R1 to R2,
I could see the pings going to R2 and the replies being generated, but
those replies never made it back to R1.
I assumed that this was because the ICMP inspection was seeing
replies without first seeing the corresponding requests - and sure
enough, once I changed the "inspect" to "pass", the pings started working.
This brings me back to my original question - is there a way to
monitor this? I miss the detailed logging on the ASA, where I can see
every single packet drop (and the reason) :)
Thank you,
--
Bogdan Sass
CCSP, LPIC-1, VCP5, CCIE #22221 (RS)
Information Systems Security Professional
"Curiosity was framed - ignorance killed the cat"

Blogs and organic groups at http://www.ccie.net

Received on Sat Feb 04 2012 - 23:21:25 ART
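The scenario described in the post, written out as an added Cisco IOS configuration example for R2 (it is not part of the original message and not the poster's own config). The zone, interface, class-map, policy-map and zone-pair names are invented for illustration, and the exact show/debug keywords differ between IOS releases, so verify them against the command reference for your platform:

```cisco
! Added example, not from the original post. Names (INSIDE, CM-ICMP,
! PM-SELF-TO-INSIDE, ZP-SELF-INSIDE, GigabitEthernet0/0) are assumed.
!
! --- R2: the configuration that breaks R1 -> R2 pings ------------------
zone security INSIDE
!
interface GigabitEthernet0/0
 description link to R1
 zone-member security INSIDE
!
class-map type inspect match-any CM-ICMP
 match protocol icmp
!
! "inspect" expects to see the echo request first and create a session.
! R2's own echo-replies to R1 are unsolicited from this policy's point of
! view, so ICMP inspection drops them.
policy-map type inspect PM-SELF-TO-INSIDE
 class type inspect CM-ICMP
  inspect
 class class-default
  drop
!
! Only one zone-pair exists. INSIDE -> self has no zone-pair, so R1's echo
! requests reach R2 unfiltered; R2's echo-replies leave via self -> INSIDE
! and hit the inspect action with no session the request would have built.
zone-pair security ZP-SELF-INSIDE source self destination INSIDE
 service-policy type inspect PM-SELF-TO-INSIDE
!
! --- R2: the fix from the post, "pass" instead of "inspect" ------------
! pass forwards matching packets without creating or checking a session.
policy-map type inspect PM-SELF-TO-INSIDE
 class type inspect CM-ICMP
  no inspect
  pass
!
! --- Seeing where packets are dropped ----------------------------------
! Per-class hit and drop counters for the zone-pair (exec mode):
!   show policy-map type inspect zone-pair ZP-SELF-INSIDE
! Active inspect sessions (empty in the broken case, since no request was
! ever inspected in this direction):
!   show policy-map type inspect zone-pair ZP-SELF-INSIDE sessions
! Log a syslog message for each packet the firewall drops (global config;
! the closest IOS equivalent to the per-drop logging on the ASA):
ip inspect log drop-pkt
! Per-packet firewall decisions with the drop reason (exec mode, noisy;
! run with a scoped class or on a lab box only):
!   debug policy-firewall detail
```

The counters from the first show command are the quickest check: the ICMP class on the self-to-INSIDE zone-pair shows drops climbing while the session table stays empty, which is the signature of return traffic being inspected without its originating request. Inspecting ICMP on an INSIDE-to-self zone-pair instead of using "pass" is the other common fix, since an inspected request creates the session that lets the reply back through.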