Global Counters Show Flow_fwd_zonechange" Packets Incrementing"

A vpn tunnel goes down and comes back up. A look at the global counters show that the flow_fwd_zonechange counter is incrementing.

> show counter global

Packets are dropped due to a route change. The flow_fwd_zonechange counter increments when a packet is to be forwarded, but the zone of egress interface does not match the egress zone in the session due to a route change because the tunnel is not up. To verify global counter increments please refer to to the following knowledge base How to Check Global Counters for Specific Source and Destination IP Address

In this scenario, the initial routing table is as follows:

• 0.0.0.0/0 metric 10 untrust zone.
• A tunnel route to 10.10.10.10/24 through 1.1.1.1 metric 5 tunnelzone.
• When the tunnel goes down, the tunnel route is removed from the table and the default route is used for the 10.10.10.10 network in the untrust zone.
• When the tunnel comes back up, it considers this a zone change and drops the packts incrementing the flow_fwd_zonechange counter.

The flow_fwd_zonechange counter indicates that the egress zone of a packet does not match the egress zone of the matching session. For this reason, the packet is dropped and the flow_fwd_zonechange counter is incremented.