
VSX Drop Debugs

Hello Everyone,

We are having CP 23k chassis and running VSX on it. We are also having 3 layer security architecture. Since last 2-3 days users are complaining about major access (intranet or internet etc.) not working and problem is growing further and further. When I performed fw ctl drop debugs on DMZ-VS I encountered below error messages:

 

;[vs_7];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 <ip>:64062 -> ,ip>:80 dropped by fw_send_log_drop Reason: Rulebase - ERROR;
;[vs_7];[tid_0];[fw4_0];[ERROR]: up_rulebase_should_drop_possible_on_SYN: conn dir 0, <ip>:52193 -> ,<ip>:80, IPP 6 required_4_match = 0x100200, not expected required_4_match = 0x100000;


VS-7 is our DMZ VS. I have tried to google for this error message but there is no useful information available. I have already raised TAC case with Diamond support. But wondering if someone has encountered this kind of issue and can advise what root cause and solution can be?

Any help or information is much appreciated.

Regards,

Ashish
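
For triaging drop-debug output like the two lines quoted in the post above, the following is an added example (not part of the original thread and not Check Point tooling). It tallies drops per VS, destination port and reason, and for the `required_4_match` errors reports which bits differ between the two values without interpreting them; the function name, the RFC 5737 addresses and the third sample line are constructed.

```python
import re
from collections import Counter

# Constructed sample: the two line shapes from the post, with RFC 5737
# documentation addresses in place of the redacted <ip> fields, plus one
# constructed line on another VS to show the grouping.
SAMPLE = """\
;[vs_7];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 192.0.2.10:64062 -> 198.51.100.5:80 dropped by fw_send_log_drop Reason: Rulebase - ERROR;
;[vs_7];[tid_0];[fw4_0];[ERROR]: up_rulebase_should_drop_possible_on_SYN: conn dir 0, 192.0.2.11:52193 -> 198.51.100.5:80, IPP 6 required_4_match = 0x100200, not expected required_4_match = 0x100000;
;[vs_3];[tid_1];[fw4_1];fw_log_drop_ex: Packet proto=17 192.0.2.12:5353 -> 198.51.100.9:53 dropped by fw_send_log_drop Reason: Rulebase;
"""

# ;[vs_N];[tid_N];[instance];<message>;
PREFIX = re.compile(r"^;\[vs_(\d+)\];\[tid_\d+\];\[[^\]]+\];(.*?);?\s*$")
DROP = re.compile(
    r"Packet proto=(\d+) (\S+?):(\d+) -> (\S+?):(\d+) dropped by \S+ Reason: (.+)")
MISMATCH = re.compile(
    r"required_4_match = (0x[0-9a-fA-F]+), "
    r"not expected required_4_match = (0x[0-9a-fA-F]+)")

def summarize(text):
    """Return (drops, mismatches, skipped) for drop-debug text."""
    drops = Counter()       # (vs, dst_port, reason) -> count
    mismatches = Counter()  # (vs, hex of differing bits) -> count
    skipped = 0             # non-empty lines matching neither shape
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        prefix = PREFIX.match(line)
        if not prefix:
            skipped += 1
            continue
        vs, body = int(prefix.group(1)), prefix.group(2)
        drop, mism = DROP.search(body), MISMATCH.search(body)
        if drop:
            drops[(vs, int(drop.group(5)), drop.group(6).strip())] += 1
        elif mism:
            diff = int(mism.group(1), 16) ^ int(mism.group(2), 16)
            mismatches[(vs, hex(diff))] += 1
        else:
            skipped += 1
    return drops, mismatches, skipped

if __name__ == "__main__":
    for name, result in zip(("drops", "mismatches", "skipped"), summarize(SAMPLE)):
        print(name, dict(result) if isinstance(result, Counter) else result)
```
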

Employee++

Re: VSX Drop Debugs

Hi Ashish,

I suspect you may have some legacy 'domain' (DNS based) objects that could do with some optimization...

Some options that come to mind:
- Switch to FQDN objects
- Remove the legacy 'Domain' objects
- Revisit the rule order

Please continue investigations with TAC and advise regarding the final resolution accordingly - thanks.

Hope this helps.

Regards,
Chris
