Unexpected IP Policy drops

  • 1
  • Question
  • Updated 5 years ago
  • Answered
Building an IP policy as shown below:

The object GearNetwork is defined as such:


The IP policy is applied:


But in testing, traffic from 172.16.70.11 to 172.16.70.12 (both in this Profile) is blocked, when I expect it to be allowed.

Here's the log from the AP:
2013-08-24 20:41:06 info kernel: [fe]: pkt dropped by ingress (from-air) deny IP firewall policy rule (id 27) in group (gear-firewall)

And lastly here's the sh ip-policy on the AP:
AP01#sh ip-policy "gear-firewall"
ID     From                            To                              Service             Action  Flag Resolve
------ ------------------------------- ------------------------------- ------------------- ------- ---- -------
1      0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 DHCP-Server         permit       N
2      0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 DNS                 permit       N
4      0.0.0.0/0.0.0.0                 10.0.0.0/255.0.0.0              any                 deny         N
5      0.0.0.0/0.0.0.0                 192.168.0.0/255.255.0.0         any                 deny         N
27     0.0.0.0/0.0.0.0                 172.16.70.0/255.255.255.0       any                 permit       N
3      0.0.0.0/0.0.0.0                 172.16.0.0/255.240.0.0          any                 deny         N
26     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 BONJOUR             permit       N
6      0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 HTTP                permit       N
7      0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 HTTPS               permit       N
8      0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 ICMP                permit       N
9      0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 IKE                 permit       N
10     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 L2TP                permit       N
11     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 NTP                 permit       N
12     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 PPTP                permit       N
13     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 SSH                 permit       N
14     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 FTP                 permit       N
15     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 FTP-DATA            permit       N
16     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 POP3-TCP            permit       N
17     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 POPS                permit       N
18     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 NAT-T               permit       N
19     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 IMAP-TCP            permit       N
20     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 IMAPS               permit       N
21     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 HTTP-8080           permit       N
22     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 SMTP-TCP            permit       N
23     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 SMTPS               permit       N
24     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 SMTPS-465           permit  I    N
25     0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 any                 deny    D    N

What am I missing? I'm nervous about posting this because I feel I must be missing something obvious.

Fraser Hess

  • 60 Posts
  • 7 Reply Likes

Posted 5 years ago

  • 1

Fraser Hess

  • 60 Posts
  • 7 Reply Likes
5 minutes after I posted, I realized the Deny Default Action probably applied to the To-Access. After allowing local traffic in a To-Access policy, everything worked.
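As an added illustration of what went wrong above (this is example code written for this page, not anything from the poster or from HiveOS), the block below evaluates a flow against a policy table in the layout `sh ip-policy` prints, and then checks the same flow against a second, to-access policy. The page does not document the AP's exact matching rules, so the semantics are assumptions: rules are tried top to bottom, the first match wins, the D-flagged rule is the catch-all default, and a client-to-client flow must be permitted by both the from-access (ingress, from-air) and the to-access policy, which is what the fix implies. The to-access tables, the service-name-to-port mapping and the helper names (`parse_policy`, `evaluate`, `flow_allowed`, `parse_drop_log`) are all constructed here and are not from the page.

```python
"""Added example: first-match evaluation of an `sh ip-policy` style table
and a parser for the AP's "pkt dropped" log line. Not code from the post."""
import ipaddress
import re
from dataclasses import dataclass

# From-access policy from the question, abridged to the rules that matter here.
FROM_ACCESS = """
ID From To Service Action Flag Resolve
1 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 DHCP-Server permit N
2 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 DNS permit N
4 0.0.0.0/0.0.0.0 10.0.0.0/255.0.0.0 any deny N
5 0.0.0.0/0.0.0.0 192.168.0.0/255.255.0.0 any deny N
27 0.0.0.0/0.0.0.0 172.16.70.0/255.255.255.0 any permit N
3 0.0.0.0/0.0.0.0 172.16.0.0/255.240.0.0 any deny N
7 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 HTTPS permit N
8 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 ICMP permit N
25 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 any deny D N
"""
# Constructed to-access policies (assumptions, not on the page): the suspected
# state before the fix (only the default deny) and one permitting the local /24.
TO_ACCESS_BEFORE = "1 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 any deny D N"
TO_ACCESS_AFTER = """
1 172.16.70.0/255.255.255.0 172.16.70.0/255.255.255.0 any permit N
2 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 any deny D N
"""
# Service name -> (protocol, destination port). The mapping of the AP's service
# objects to ports is assumed; names not listed never match in this example.
SERVICES = {"DHCP-Server": ("udp", 67), "DNS": ("udp", 53),
            "HTTPS": ("tcp", 443), "ICMP": ("icmp", None)}

@dataclass
class Rule:
    rule_id: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: str
    action: str
    is_default: bool

def parse_policy(text):
    """Parse `ID From To Service Action [Flag] Resolve` rows, preserving order."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue                                  # header / separator line
        rid, src, dst, svc, action = parts[:5]
        flag = parts[5] if len(parts) == 7 else ""    # Flag column is optional
        rules.append(Rule(int(rid), ipaddress.IPv4Network(src, strict=False),
                          ipaddress.IPv4Network(dst, strict=False),
                          svc, action, flag == "D"))
    return rules

def service_matches(name, proto, dport):
    if name == "any":
        return True
    spec = SERVICES.get(name)
    return spec is not None and spec[0] == proto and spec[1] in (None, dport)

def evaluate(rules, src, dst, proto, dport=None):
    """Return (action, rule_id) of the first matching rule; deny if none match."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if s in r.src and d in r.dst and service_matches(r.service, proto, dport):
            return r.action, r.rule_id
    return "deny", None

def move_after(rules, rule_id, after_id):
    """Copy of the list with `rule_id` placed right after `after_id` (ordering test)."""
    moved = next(r for r in rules if r.rule_id == rule_id)
    rest = [r for r in rules if r.rule_id != rule_id]
    i = next(i for i, r in enumerate(rest) if r.rule_id == after_id)
    return rest[:i + 1] + [moved] + rest[i + 1:]

def flow_allowed(from_rules, to_rules, src, dst, proto, dport=None):
    """Assumption: a client-to-client flow must be permitted in both directions."""
    fa = evaluate(from_rules, src, dst, proto, dport)
    ta = evaluate(to_rules, src, dst, proto, dport)
    return {"allowed": fa[0] == "permit" and ta[0] == "permit",
            "from_access": fa, "to_access": ta}

DROP_RE = re.compile(r"pkt dropped by (?P<direction>\w+) \((?P<interface>[^)]+)\) "
                     r"(?P<action>\w+) IP firewall policy rule \(id (?P<rule_id>\d+)\) "
                     r"in group \((?P<group>[^)]+)\)")

def parse_drop_log(line):
    """Extract direction, rule id and policy name from the AP's drop message."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["rule_id"] = int(d["rule_id"])
    return d

if __name__ == "__main__":
    fr = parse_policy(FROM_ACCESS)
    print(evaluate(fr, "172.16.70.11", "172.16.70.12", "icmp"))
    print(flow_allowed(fr, parse_policy(TO_ACCESS_BEFORE), "172.16.70.11", "172.16.70.12", "icmp"))
    print(flow_allowed(fr, parse_policy(TO_ACCESS_AFTER), "172.16.70.11", "172.16.70.12", "icmp"))
    print(parse_drop_log("2013-08-24 20:41:06 info kernel: [fe]: pkt dropped by ingress "
                         "(from-air) deny IP firewall policy rule (id 27) in group (gear-firewall)"))
```

Two things worth checking with this kind of evaluator: `move_after` shows that rule 27 only protects local traffic because it sits above rule 3 (the 172.16.0.0/12 deny); swap the order and the same flow is denied. And `flow_allowed` makes the point of the fix explicit: a permit in the from-access list is necessary but not sufficient when a second, default-deny policy is enforced on the way back out.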

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
I'm glad you were able to figure this out yourself!