err1: policy not found for packet on Zones
Hi,
I have a case open with support, but since others have posted about this, or a very similar error, I figured I'd post here as well to see if anyone is familiar.
On Tuesday (3 days ago) our HA pair of 4600s both rebooted unexpectedly. When they came back up, we're seeing thousands of the error:
"err1: policy not found for packet on Zones (zone1 -> zone2)"
We're also seeing packets dropped where there are explicit allow rules in place associated with these errors. What we're seeing is FQDNs to windows update being blocked, and servers have been unable to get updates since the firewalls rebooted.
I have a separate case for the firewalls rebooting which is a considerable concern, but it's more of a concern that they came back blocking "allowed" traffic, and we haven't been able to resolve it yet.
Any ideas or suggestions, other than rebooting both firewalls simultaneously would be appreciated.
Answers
Hi @shultis ,
Which firmware are you using on the 4600? Make sure to use the latest firmware version.
If there is any unused FQDN address object, remove it.
the firewall is running: SonicOS Enhanced 6.5.4.8-86n--HFGEN6-2470-1n
There are 2 domains that are not resolving that I'm removing from that group, however a non-resolving FQDN shouldn't generate a policy not found error, should it?
Hi @shultis ,
That I am not aware of, but it was recommended by SonicWall support when I faced the same issue.
Once you removed the unused FQDN, observe the logs & unit health.
I've done some digging into this, and I have a theory, based on the evidence I've collected, which I'm hoping someone can confirm. It took longer than it should have to figure this out, because support had said this error should only be seen when the firewall reboots. What I should have done is read the actual error, and thought about it for more than 2 seconds. I also checked the resolution for all of the FQDNs and found that while there are similar IPs, none of the FQDNs resolved to the IPs that were being dropped.
err1: policy not found for packet on Zones (zone1 -> zone2)
So "policy not found" sounds like the firewall can't find a policy that fits the packet, and doesn't know what to do with the traffic. I know, that kind of goes without saying.
I checked zone1 --> zone2 and found there isn't actually a policy between those zones that applies to those packets (note, we've turned off automatic rule creation because we wanted to only have rules that we specifically create, so there is no deny all). So I searched our syslog for more examples of err1, and found there are quite a few of them, and in some cases there are no policies between those zones, and no more general policy that would apply to the packets.
So my theory is the error means exactly what it says: "You haven't told me what to do with this traffic, so I'm going to drop it". Which implies that the SonicWall's default where there is no rule is to drop the packet, which is what I'd expect.
For testing, we added an allow HTTPS to WAN-Any from that zone, and the errors went away.
Since I have never had experience with a zone with no default deny rule, I had never seen this error before. I also wasn't certain what the firewall would do in a no policy situation, although I had assumed it would drop the traffic.
Can anyone confirm this is the case? It seems pretty straightforward once I stepped back and looked at it.
I am seeing the same error for UDP traffic, but it's going from X0 (LAN) to the ISP IP of X1, so it's like it's going out but it's not?
A loopback? Not sure what is going on here... but UDP traffic is free to flow from LAN to WAN, so why this error?
SOURCE DEST
15:17:26 Jan 26 174 Network Notice UDP packet from LAN dropped 172.xxx.xxx.134, 16403, X0 170.xxx.xxx.xxx, 20511, X1
udp err1: policy not found for packet on Zones(LAN -> WAN)
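The approach described two posts up (searching syslog for every err1 line and checking whether an access rule exists between the zone pair) can be scripted. The following is an added example, not code from this thread or from SonicWall: it parses the "policy not found for packet on Zones(src -> dst)" message as it appears in the posts above, tallies the zone pairs, and flags pairs that have no configured rule. The log lines and the rule list are constructed for the example (documentation IP ranges), and the message regex is an assumption based only on the two message variants shown in this thread.

```python
import re
from collections import Counter

# Pattern for the SonicOS err1 message as quoted in this thread. The space before "("
# is optional because both "Zones (zone1 -> zone2)" and "Zones(LAN -> WAN)" appear.
# This regex is an assumption derived from those two samples, not a vendor specification.
ERR1_RE = re.compile(
    r"err1: policy not found for packet on Zones\s*\((?P<src>[^\s>]+)\s*->\s*(?P<dst>[^\s)]+)\)"
)


def extract_zone_pairs(log_lines):
    """Return a Counter of (src_zone, dst_zone) for every err1 'policy not found' line.

    Lines without the err1 message are ignored, so the function can be fed a raw syslog
    dump rather than pre-filtered output.
    """
    pairs = Counter()
    for line in log_lines:
        match = ERR1_RE.search(line)
        if match:
            pairs[(match.group("src"), match.group("dst"))] += 1
    return pairs


def pairs_without_policy(zone_pairs, configured_rule_pairs):
    """Zone pairs that produced err1 drops and have no access rule configured between them.

    With automatic rule creation disabled, these are the pairs where the firewall falls
    back to its implicit drop. Pairs that DO have a rule yet still appear in zone_pairs
    (like the LAN -> WAN UDP case in the last post) need a closer look at the rule's
    service and address objects instead.
    """
    return {pair: n for pair, n in zone_pairs.items() if pair not in configured_rule_pairs}


# Constructed sample log lines in the shape shown in this thread (RFC 5737 documentation IPs).
SAMPLE_LOG = [
    "15:17:26 Jan 26 174 Network Notice UDP packet from LAN dropped 192.0.2.134, 16403, X0 "
    "198.51.100.7, 20511, X1 udp err1: policy not found for packet on Zones(LAN -> WAN)",
    "15:17:27 Jan 26 174 Network Notice TCP packet dropped 192.0.2.40, 51022, X0 "
    "203.0.113.9, 443, X1 err1: policy not found for packet on Zones (zone1 -> zone2)",
    "15:17:28 Jan 26 174 Network Notice TCP packet dropped 192.0.2.41, 51023, X0 "
    "203.0.113.9, 443, X1 err1: policy not found for packet on Zones (zone1 -> zone2)",
    "15:17:29 Jan 26 537 Network Notice Connection Opened 192.0.2.40, 51024, X0 "
    "203.0.113.10, 80, X1",
]

# Constructed list of zone pairs that have at least one explicit access rule configured.
CONFIGURED_RULES = {("LAN", "WAN")}


def report(log_lines, configured_rule_pairs):
    """Build a human-readable summary; returns the lines so callers can test or print them."""
    pairs = extract_zone_pairs(log_lines)
    missing = pairs_without_policy(pairs, configured_rule_pairs)
    lines = [f"{src} -> {dst}: {n} err1 drops" for (src, dst), n in pairs.most_common()]
    for (src, dst), n in missing.items():
        lines.append(f"NO RULE between {src} and {dst} ({n} drops): add an explicit allow or deny")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, CONFIGURED_RULES):
        print(line)
```

Run it against an exported syslog file by replacing SAMPLE_LOG with the file's lines and CONFIGURED_RULES with the zone pairs from the access rules page; every pair listed under "NO RULE" is one where the only thing deciding the packet's fate is the implicit drop the thread describes.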