Random denial

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Random denial

L4 Transporter

What would cause traffic that is allowed through one rule to be denied by a rule below it. Shouldn't it just go through the rule allowing it and not even go any further.

Odder even still is that traffic is not always denied sometimes it does pass through the rule it is allowed.

1 ACCEPTED SOLUTION

Accepted Solutions

Hi,

 

denied one is UDP to 146 and also from port 8070 to port 8070 while allowed one is to different IP and from different port and it is TCP, last but not the least (why?) on the denied one there is no destination interface (are you missing the route for this IP address from the firewall?)

 

So, check your custom service8070 does it include both udp and tcp ports, and check if you can ping that IP address from the IP that is on the ethernet1/15.237 (ping source _ip_from_1/15.237_ host 136.176.237.146) or do "show routing route" to check routes to that ip....

 

Rgds

View solution in original post

16 REPLIES 16

L5 Sessionator

Hi Jprovine,

 

In my experience so far, such things will happen most often when there is a change to AppID or less often when there is an issue with UserID. Does your traffic suddenly change to other policy or it sometimes misses expected policy? Can you share details of what is evaluated in the policy? If your first policy that is missed sometimes is set for "any" app, could it be that you have UserID active and your users sometimes come from wired sometimes from wireless network, and one of them doesn't have UserID mapping?

 

If you'd describe policy that is missed (what are you evaluating) it'd be easier to guess...

 

Best regards

 

Luciano

 

p.s. sorry for coming off so wrong in the other thread, that was certainly not my intention, I didn't re-read what I wrote and adjust my tone once I typed out the response. Apologies for that.

Apology accepted, let me gather some details for you and some screenshots

tucor1.jpg

 

 

tucor2.jpg

I have attached the following

 

The first  pic shows that tcp8070 is being denying access fomr 192.152.126 to 136.175.237.201

The second pic show the rule that allows that same traffic

 

 

 

 

Hi,

 

I think you uploaded the same allow pic twice, it is the same timestamps and session ID. Also, I would rather see the sec. policy that does not match sometimes, and just crop around it, no need for the rest of the screen. Maybe remove previous pics as they show some info on your network and we don't need them here for the troubleshooting 🙂

 

Rgds.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!