Policy not matching actual traffic

L1 Bithead

Hi All,


I have a security rule to allow IP "A" to SSH to IP "B". I can see the traffic actually hitting the FW, but it gets dropped by interzone-default. The test policy match also verifies that it matches the traffic.

IP "B" is actually the firewall. And IP "B" is NATed like this: original packet source IP "C", original packet destination IP "A", translated packet source IP "B".

How can this happen? So the traffic hitting the firewall has an explicit allow rule but is still missed.

IP "A" is on the other end of the IPSec tunnel, and when this traffic comes, it successfully creates a child SA. Routing is also set up for IP "A".
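The general mechanism behind "explicit allow rule, but the traffic still lands on interzone-default" is that a zone-based firewall does not match rules on IP addresses alone: the source zone comes from the ingress interface and the destination zone from a route lookup on the destination address, and a rule written against the wrong zone pair never matches. The toy evaluator below is an added illustration of that mechanism, not PAN-OS code and not a diagnosis of the poster's configuration; the addresses, interface names, zone names and the single rule are constructed assumptions, and no NAT is modelled.

```python
"""Toy zone-based policy evaluator (constructed example, not firewall code).

Shows how a rule can match in a policy test run with assumed zones while a
real packet, whose zones are derived from ingress interface and route lookup,
falls through to the implicit interzone-default deny.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset   # zone names, or {"any"}
    to_zones: frozenset
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    app: str                # application name or "any"
    action: str             # "allow" or "deny"


# Constructed topology: interface names, zones and prefixes are assumptions.
ZONE_OF_IFACE = {"tunnel.1": "vpn", "ethernet1/1": "untrust", "ethernet1/2": "trust"}
ROUTES = [
    ("10.10.0.0/16", "tunnel.1"),       # far side of the IPsec tunnel (hosts like "A")
    ("203.0.113.1/32", "ethernet1/1"),  # the firewall's own interface address ("B")
    ("192.168.1.0/24", "ethernet1/2"),  # inside network (hosts like "C")
    ("0.0.0.0/0", "ethernet1/1"),       # default route
]


def lookup_zone(ip, routes=ROUTES, zone_of_iface=ZONE_OF_IFACE):
    """Longest-prefix route lookup, then map the chosen interface to its zone."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {ip}")
    return zone_of_iface[best[1]]


def _cidr_match(ip, spec):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def evaluate_policy(rules, from_zone, to_zone, src, dst, app):
    """First-match evaluation over explicit rules, then the implicit defaults."""
    for r in rules:
        if (("any" in r.from_zones or from_zone in r.from_zones)
                and ("any" in r.to_zones or to_zone in r.to_zones)
                and _cidr_match(src, r.src) and _cidr_match(dst, r.dst)
                and r.app in ("any", app)):
            return r.name, r.action
    if from_zone == to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def evaluate_packet(rules, ingress_iface, src, dst, app):
    """Zones as the firewall derives them for a real packet, then evaluate."""
    return evaluate_policy(rules, ZONE_OF_IFACE[ingress_iface], lookup_zone(dst), src, dst, app)


def demo():
    A, B = "10.10.5.20", "203.0.113.1"   # constructed addresses
    # Rule written with destination zone "trust", although B lives on an untrust interface.
    wrong = [Rule("allow-A-ssh-B", frozenset({"vpn"}), frozenset({"trust"}),
                  A + "/32", B + "/32", "ssh", "allow")]
    # A policy test run with the zones the admin assumed reports a match ...
    tested = evaluate_policy(wrong, "vpn", "trust", A, B, "ssh")
    # ... but the real packet's destination zone is derived from the route to B.
    actual = evaluate_packet(wrong, "tunnel.1", A, B, "ssh")
    # Same rule with the destination zone that the route lookup actually yields.
    fixed = [Rule("allow-A-ssh-B-fixed", frozenset({"vpn"}), frozenset({lookup_zone(B)}),
                  A + "/32", B + "/32", "ssh", "allow")]
    repaired = evaluate_packet(fixed, "tunnel.1", A, B, "ssh")
    return tested, actual, repaired


if __name__ == "__main__":
    for label, result in zip(("policy test", "real packet", "after fix"), demo()):
        print(f"{label:12s} -> {result}")
```

When comparing a policy test against a dropped session, the values to line up are the from-zone and to-zone the firewall recorded for the real session and the zone pair the test was run with; if they differ, the rule was never a candidate and the implicit interzone-default is the expected outcome.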