Stateful Firewalling, Reply Traffic is getting denied #3626
Replies: 3 comments
-
Hi,
The state is maintained on a per-interface basis. https://s3-docs.fd.io/vpp/25.06/aboutvpp/featurelist.html#acls-for-security-groups
In your mental model, think of it as if each interface can have a “lightweight firewall”, and they do not talk to each other. So you probably want to move that permit+reflect to be outbound ACL on the wan side.
--a
On 4 Sep 2025, at 12:40, ray-faizan ***@***.***> wrote:
I'm configuring stateful ACL behavior of VPP version 25.06, but the problem is that traffic is getting denied in the reverse path.
Here is a description of the setup.
eth2 is my LAN interface
eth3 is my WAN interface
Basic function not NAT is involved.
I want to make sure that traffic from LAN to WAN, plus replies to the traffic generated from LAN to WAN, is allowed and everything else is dropped.
Here is my configuration.
vpp# show interface address
eth2 (up):
L3 192.168.2.1/24
eth3 (up):
L3 192.168.3.1/24
local0 (dn):
tap4096 (up):
tap4097 (up):
tap4098 (up):
tap4099 (up):
Here is ACL Configuration
WAN SIDE DENY ANY
acl-index 0 count 1 tag {cli}
0: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
applied inbound on sw_if_index: 3
used in lookup context index: 1
LAN SIDE ALLOW TCP/UDP/ICMP ANY
acl-index 1 count 4 tag {cli}
0: ipv4 permit+reflect src 192.168.2.0/24 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 0-65535
1: ipv4 permit+reflect src 192.168.2.0/24 dst 0.0.0.0/0 proto 17 sport 0-65535 dport 0-65535
2: ipv4 permit+reflect src 192.168.2.0/24 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535
3: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
applied inbound on sw_if_index: 2
used in lookup context index: 0
vpp#
vpp# show acl-plugin interface
sw_if_index 0:
sw_if_index 1:
sw_if_index 2:
input acl(s): 1
sw_if_index 3:
input acl(s): 0
I'm pinging from 192.168.2.200 (LAN) ==> to 192.168.3.200 (WAN)
When I take a packet capture on the WAN side, 192.168.3.200 is receiving traffic and it is also replying, but show trace at VPP shows the reply is getting denied.
Packet 919
00:34:23:037265: dpdk-input
eth2 rx queue 0
buffer 0x8ff33: current data 0, length 74, buffer-pool 0, ref-count 1, trace handle 0x396
ext-hdr-valid
PKT MBUF: port 1, nb_segs 1, pkt_len 74
buf_len 2176, data_len 74, ol_flags 0x180, data_off 128, phys_addr 0x23fcd40
packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
Packet Offload Flags
PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
Packet Types
RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
IP4: d4:81:d7:be:cc:62 -> 28:b7:7c:e0:f1:d7
ICMP: 192.168.2.200 -> 192.168.3.200
tos 0x00, ttl 128, length 60, checksum 0x11eb dscp CS0 ecn NON_ECN
fragment id 0xa0f5
ICMP echo_request checksum 0xbf0f id 5
00:34:23:037269: ethernet-input
frame: flags 0x3, hw-if-index 2, sw-if-index 2
IP4: d4:81:d7:be:cc:62 -> 28:b7:7c:e0:f1:d7
00:34:23:037272: ip4-input-no-checksum
ICMP: 192.168.2.200 -> 192.168.3.200
tos 0x00, ttl 128, length 60, checksum 0x11eb dscp CS0 ecn NON_ECN
fragment id 0xa0f5
ICMP echo_request checksum 0xbf0f id 5
00:34:23:037273: acl-plugin-in-ip4-fa
acl-plugin: lc_index: -1, sw_if_index 2, next index 1, action: 3, match: acl -1 rule 43 trace_bits 80000000
pkt info 0000000000000000 0000000000000000 0000000000000000 c803a8c0c802a8c0 0002030100000008 0200ffff00000000
lc_index 0 l3 ip4 192.168.2.200 -> 192.168.3.200 l4 lsb_of_sw_if_index 2 proto 1 l4_is_input 1 l4_slow_path 1 l4_flags 0x03 port 8 -> 0 tcp flags (invalid) 00 rsvd 0
00:34:23:037274: ip4-lookup
fib 0 dpo-idx 22 flow hash: 0x00000000
ICMP: 192.168.2.200 -> 192.168.3.200
tos 0x00, ttl 128, length 60, checksum 0x11eb dscp CS0 ecn NON_ECN
fragment id 0xa0f5
ICMP echo_request checksum 0xbf0f id 5
00:34:23:037275: ip4-rewrite
tx_sw_if_index 3 dpo-idx 22 : ipv4 via 192.168.3.200 eth3: mtu:9000 next:8 flags:[] b4a9fc7b1faa28b77ce0f1d80800 flow hash: 0x00000000
00000000: b4a9fc7b1faa28b77ce0f1d808004500003ca0f500007f0112ebc0a802c8c0a8
00000020: 03c80800bf0f00058e476162636465666768696a6b6c6d6e6f707172
00:34:23:037279: eth3-output
eth3 flags 0x0018000d
IP4: 28:b7:7c:e0:f1:d8 -> b4:a9:fc:7b:1f:aa
ICMP: 192.168.2.200 -> 192.168.3.200
tos 0x00, ttl 127, length 60, checksum 0x12eb dscp CS0 ecn NON_ECN
fragment id 0xa0f5
ICMP echo_request checksum 0xbf0f id 5
00:34:23:037282: eth3-tx
eth3 tx queue 0
buffer 0x8ff33: current data 0, length 74, buffer-pool 0, ref-count 1, trace handle 0x396
ext-hdr-valid
l2-hdr-offset 0 l3-hdr-offset 14
PKT MBUF: port 1, nb_segs 1, pkt_len 74
buf_len 2176, data_len 74, ol_flags 0x180, data_off 128, phys_addr 0x23fcd40
packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
Packet Offload Flags
PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
Packet Types
RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
IP4: 28:b7:7c:e0:f1:d8 -> b4:a9:fc:7b:1f:aa
ICMP: 192.168.2.200 -> 192.168.3.200
tos 0x00, ttl 127, length 60, checksum 0x12eb dscp CS0 ecn NON_ECN
fragment id 0xa0f5
ICMP echo_request checksum 0xbf0f id 5
Packet 920
00:34:23:037880: dpdk-input
eth3 rx queue 0
buffer 0x7ed49: current data 0, length 74, buffer-pool 0, ref-count 1, trace handle 0x397
ext-hdr-valid
PKT MBUF: port 2, nb_segs 1, pkt_len 74
buf_len 2176, data_len 74, ol_flags 0x180, data_off 128, phys_addr 0x1fb52c0
packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
Packet Offload Flags
PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
Packet Types
RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
IP4: b4:a9:fc:7b:1f:aa -> 28:b7:7c:e0:f1:d8
ICMP: 192.168.3.200 -> 192.168.2.200
tos 0x00, ttl 64, length 60, checksum 0x3fc4 dscp CS0 ecn NON_ECN
fragment id 0xb31c
ICMP echo_reply checksum 0xc70f id 5
00:34:23:037882: ethernet-input
frame: flags 0x3, hw-if-index 3, sw-if-index 3
IP4: b4:a9:fc:7b:1f:aa -> 28:b7:7c:e0:f1:d8
00:34:23:037884: ip4-input-no-checksum
ICMP: 192.168.3.200 -> 192.168.2.200
tos 0x00, ttl 64, length 60, checksum 0x3fc4 dscp CS0 ecn NON_ECN
fragment id 0xb31c
ICMP echo_reply checksum 0xc70f id 5
00:34:23:037884: acl-plugin-in-ip4-fa
acl-plugin: lc_index: 1, sw_if_index 3, next index 0, action: 0, match: acl 0 rule 0 trace_bits 00000000
pkt info 0000000000000000 0000000000000000 0000000000000000 c802a8c0c803a8c0 0003030100000000 0200ffff00000001
lc_index 1 l3 ip4 192.168.3.200 -> 192.168.2.200 l4 lsb_of_sw_if_index 3 proto 1 l4_is_input 1 l4_slow_path 1 l4_flags 0x03 port 0 -> 0 tcp flags (invalid) 00 rsvd 0
00:34:23:037887: error-drop
rx:eth3
00:34:23:037888: drop
acl-plugin-in-ip4-fa: ACL deny packets
Also, sessions are getting created.
show acl-plugin sessions
vpp# show acl-plugin sessions tcp
Sessions total: add 1188 - del 1168 = 20
Sessions active: add 1188 - deact 1168 = 20
Sessions being purged: deact 1168 - del 1168 = 0
now: 605218056738198 clocks per second: 2200007214
Per-thread data:
Thread #0:
connection add/del stats:
sw_if_index 0: add 0 - del 0 = 0; epoch chg: 0
sw_if_index 1: add 0 - del 0 = 0; epoch chg: 0
sw_if_index 2: add 1188 - del 1168 = 20; epoch chg: 0
sw_if_index 3: add 0 - del 0 = 0; epoch chg: 0
sw_if_index 4: add 0 - del 0 = 0; epoch chg: 0
sw_if_index 5: add 0 - del 0 = 0; epoch chg: 0
sw_if_index 6: add 0 - del 0 = 0; epoch chg: 0
sw_if_index 7: add 0 - del 0 = 0; epoch chg: 0
sw_if_index 8: add 0 - del 0 = 0; epoch chg: 0
sw_if_index 9: add 0 - del 0 = 0; epoch chg: 0
sw_if_index 10: add 0 - del 0 = 0; epoch chg: 0
sw_if_index 11: add 0 - del 0 = 0; epoch chg: 0
connection timeout type lists:
fa_conn_list_head[0]: -1
fa_conn_list_head[1]: 543
last active time: 603389960494866
link enqueue time: 604693236139736
fa_conn_list_head[2]: -1
fa_conn_list_head[3]: 726
last active time: 605047598584268
link enqueue time: 605146537079024
fa_conn_list_head[4]: -1
Next expiry time: 0
Requeue until time: 0
Current time wait interval: 0
Count of deleted sessions: 1168
Delete already deleted: 0
Session timers restarted: 1448
Swipe until this time: 0
sw_if_index serviced bitmap: 4
pending clear intfc bitmap :
clear in progress: 0
interrupt is pending: 0
interrupt is needed: 0
interrupt is unwanted: 0
interrupt generation: 3479
received session change requests: 0
sent session change requests: 0
Conn cleaner thread counters:
2: delete_by_sw_index events
2: delete_by_sw_index handled ok
0: unknown events received
0: session idle timers restarted
3479: event wait with timeout called
1: event wait w/o timeout called
3479: total event cycles
Interrupt generation: 3480
Sessions per interval: min 1 max 100 increment: 100 ms current: 500 ms
Reclassify sessions: 0
IPv6 Session lookup hash table:
Hash table 'ACL plugin FA IPv6 session bihash'
empty, uninitialized
IPv4 Session lookup hash table:
Hash table 'ACL plugin FA IPv4 session bihash'
40 active elements 40 active buckets
0 free lists
0 linear search buckets
heap: 1 chunk(s) allocated
bytes: used 6.50m, scrap 0
What could be the issue? Can anyone help me?
-
Correct, I have to allow the same sessions to be read and acted upon on the WAN interface as well. Like allow on WAN if the session already existed, the same way we were doing in iptables to allow ctstate (connection tracking). I have been reading the related documents for a day now, but I was not able to find how to allow that on WAN if the session already exists. As you said, permit+reflect on WAN can be done, but the problem this introduces is that it also allows WAN-LAN communication.
-
@ayourtch Thanks for your help. Your input helped me to solve this issue. I just added the same rule in the outbound direction to create a session for the matching traffic, and it allowed replies as well.
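A simplified model of the behaviour discussed in this thread, as an added example that is not part of the original posts and is not VPP code: each interface keeps its own session table, so a permit+reflect rule only helps replies that cross the interface where it was applied. The `Firewall` class, the rule tuples, the implicit deny when no rule matches, the host 192.168.3.50 and the omission of ports are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Simplified, hypothetical model (not VPP code). Rule = (action, src net, proto);
# proto 0 means any, ports are ignored. Rules mirror acl-index 1 and 0 above.
LAN_ACL = [("permit+reflect", "192.168.2.0/24", p) for p in (6, 17, 1)]
LAN_ACL.append(("deny", "0.0.0.0/0", 0))
WAN_DENY = [("deny", "0.0.0.0/0", 0)]


class Firewall:
    def __init__(self):
        self.acls = {}      # (interface, direction) -> rule list
        self.sessions = {}  # interface -> flows; state is kept per interface

    def apply(self, iface, direction, rules):
        self.acls[(iface, direction)] = rules

    def _check(self, iface, direction, src, dst, proto):
        flow = (frozenset((src, dst)), proto)  # same key for request and reply
        table = self.sessions.setdefault(iface, set())
        if flow in table:                      # session exists on THIS interface
            return True
        rules = self.acls.get((iface, direction))
        if rules is None:                      # nothing applied in this direction
            return True
        for action, net, rule_proto in rules:
            if ip_address(src) in ip_network(net) and rule_proto in (0, proto):
                if action == "permit+reflect":
                    table.add(flow)            # reflect: remember the flow here
                return action != "deny"
        return False                           # assumed implicit deny

    def forward(self, in_if, out_if, src, dst, proto):
        return (self._check(in_if, "in", src, dst, proto)
                and self._check(out_if, "out", src, dst, proto))


def run(wan_outbound_reflect):
    fw = Firewall()
    fw.apply("eth2", "in", LAN_ACL)    # LAN inbound, as in the question
    fw.apply("eth3", "in", WAN_DENY)   # WAN inbound deny any
    if wan_outbound_reflect:           # the fix: same rules outbound on WAN
        fw.apply("eth3", "out", LAN_ACL)
    lan, wan = "192.168.2.200", "192.168.3.200"
    return {
        "unsolicited": fw.forward("eth3", "eth2", wan, lan, 1),
        "request": fw.forward("eth2", "eth3", lan, wan, 1),
        "reply": fw.forward("eth3", "eth2", wan, lan, 1),
        "other_wan_host": fw.forward("eth3", "eth2", "192.168.3.50", lan, 1),
    }


if __name__ == "__main__":
    print("original:", run(False))
    print("with outbound ACL on eth3:", run(True))
```

In the model, the outbound rule on eth3 matches only LAN-sourced traffic, so WAN-initiated packets still hit the inbound deny while replies to LAN-initiated flows find the session created on eth3.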