Unexpected IP Policy drops

  • Question
  • Updated 5 years ago
  • Answered
Building an IP policy as shown below:

The object GearNetwork is defined as such:

The IP policy is applied:

But in testing traffic from to (both in this Profile) is blocked, when I expect it to be allowed.

Here's the log from the AP:
2013-08-24 20:41:06 info kernel: [fe]: pkt dropped by ingress (from-air) deny IP firewall policy rule (id 27) in group (gear-firewall)

And lastly here's the sh ip-policy on the AP:
AP01#sh ip-policy "gear-firewall"
ID From To Service Action Flag Resolve
------ ------------------------------- ------------------------------- ------------------- ------- ---- -------
1 DHCP-Server permit N
2 DNS permit N
4 any deny N
5 any deny N
27 any permit N
3 any deny N
26 BONJOUR permit N
6 HTTP permit N
7 HTTPS permit N
8 ICMP permit N
9 IKE permit N
10 L2TP permit N
11 NTP permit N
12 PPTP permit N
13 SSH permit N
14 FTP permit N
15 FTP-DATA permit N
16 POP3-TCP permit N
17 POPS permit N
18 NAT-T permit N
19 IMAP-TCP permit N
20 IMAPS permit N
21 HTTP-8080 permit N
22 SMTP-TCP permit N
23 SMTPS permit N
24 SMTPS-465 permit I N
25 any deny D N

What am I missing? I'm nervous about posting this because I feel I must be missing something obvious.

Fraser Hess


Posted 5 years ago


Fraser Hess

5 minutes after I posted, I realized the Deny Default Action probably applied to the To-Access. After allowing local traffic in a To-Access policy, everything worked.
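
The cause described in the reply above, as an added example that is not part of the original posts and not the vendor's implementation: a simplified model in which client-to-client traffic must pass both the sender's from-access policy and the receiver's to-access policy, with the profile's default action applying wherever no rule matches. The `Profile` and `Rule` classes, the `client_to_client` helper and the 10.0.0.0/24 network are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR string or "any"
    dst: str      # CIDR string or "any"
    action: str   # "permit" or "deny"


def _covers(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def first_match(rules, src, dst):
    """Action of the first rule matching (src, dst), or None if none match."""
    for rule in rules:
        if _covers(rule.src, src) and _covers(rule.dst, dst):
            return rule.action
    return None


@dataclass
class Profile:
    from_access: list = field(default_factory=list)
    to_access: list = field(default_factory=list)
    default_action: str = "deny"   # applies to BOTH directions in this model


def client_to_client(profile, src, dst):
    """Evaluate sender-side from-access, then receiver-side to-access.

    Returns ("allow", None) or ("drop", <stage that dropped the packet>).
    """
    for stage, rules in (("from-access", profile.from_access),
                         ("to-access", profile.to_access)):
        action = first_match(rules, src, dst) or profile.default_action
        if action != "permit":
            return ("drop", stage)
    return ("allow", None)


GEAR = "10.0.0.0/24"  # constructed stand-in for the GearNetwork object
local_permit = Rule(GEAR, GEAR, "permit")

# Before the fix: local traffic permitted only in from-access.
before = Profile(from_access=[local_permit])
# After the fix: the same permit also present in a to-access policy.
after = Profile(from_access=[local_permit], to_access=[local_permit])

if __name__ == "__main__":
    print(client_to_client(before, "10.0.0.10", "10.0.0.20"))
    print(client_to_client(after, "10.0.0.10", "10.0.0.20"))
```

In this model the "before" profile drops local traffic at the to-access stage even though from-access permits it, which is why reviewing only the from-access rule list does not explain the drop.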

Mike Kouri, Official Rep

I'm glad you were able to figure this out yourself!