Symptom
This is an enhancement request to bypass the Zone-based firewall for NHRP packets that arrive over an mGRE/IPsec tunnel and are destined to the self zone. Currently such packets require an explicit "pass" action to be configured for GRE (protocol 47) in the firewall policy between the outside zone and the self zone.
Conditions
This issue is specific to the IOS-XE Zone-based firewall implementation. The explicit "pass" action is required only if traffic to the self zone is controlled by firewall policies.
Workaround
Configure the "pass" action for GRE in the policy-map attached to the outside_zone -> self zone pair.
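A sketch of the workaround as an IOS-XE configuration fragment; this is an added example, not configuration from the original bug note. The ACL, class-map, policy-map and zone-pair names are hypothetical, and the zone outside_zone is assumed to exist already and to contain the tunnel's underlay interface.

```cisco
! Match GRE (IP protocol 47). Narrow the source to known tunnel
! peers where they are static; "any" is shown because DMVPN spoke
! addresses are often dynamic.
ip access-list extended ACL-GRE-TO-SELF
 permit gre any any
!
class-map type inspect match-any CM-GRE-TO-SELF
 match access-group name ACL-GRE-TO-SELF
!
! Add the GRE class to the policy that already governs traffic to
! the self zone; its existing classes stay in place.
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-GRE-TO-SELF
  pass
!
! Attach the policy to the outside_zone -> self zone pair.
zone-pair security ZP-OUTSIDE-TO-SELF source outside_zone destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
```

The "pass" action is stateless, so if a self -> outside_zone zone pair also carries a policy, GRE needs a matching "pass" class there for traffic in the other direction.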
Further Problem Description