FWSM Upgradation

    Hi,

    I have one 7613 chassis running IOS train 12.4(SRC1) with an FWSM in slot 1 running version 3.2.2. My query is whether the chassis on 12.4(SRC1) will support the FWSM after upgrading the FWSM to version 4.x. Also, let me know which 4.x version of the FWSM is more stable and has the fewest bugs. I am attaching the show version output of the chassis and the FWSM. Please do the needful.

    Regards,

    Himanshu

FWSM With 4.1(1) Takes More Time To Compile ACL

    Hello.

    We are using a service module with 4.1(1) that takes more time to compile ACLs.

    So we need to wait more time to permit and capture traffic.

    Many thanks for help.

    Regards.

    Andrea

Re: FWSM With 4.1(1) Takes More Time To Compile ACL

    Andrea,

    Can you give the exact numbers for comparison?

    Are you using ACL optimization by any chance? The only bug that I can spot based on a short search is this one, CSCte71019, but it should affect standby only.

    Marcin

Just Wanted To Check Licensing For FWSM 2.1

    What is the situation with regards to licensing when upgrading from FWSM v1.1(3) to 2.1(1)?

Re: Just Wanted To Check Licensing For FWSM 2.1

    You should consider upgrading to 2.2(1) since 2.1(1) was not officially released.

    From the release notes:

    "With the default software license, you can run up to two security contexts in addition to an admin context. For more contexts, you must purchase a license."

    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_2/fwsm_cfg/overvw.htm

    Hope this helps,

    peter

Firewall Services Module (FWSM) With Sup1a Plus MSFC-2 PFC (CatOS 7.5+)

    Is it possible to install a FWSM on a C6509 with SUP1A?

    The Release Notes for FWSM version 1.1(2) (http://www.cisco.com/en/US/partner/products/hw/switches/ps708/prod_release_note09186a008015851e.html#43499) state that the FWSM is supported with CatOS 7.5 with a Supervisor Engine 1a and an MSFC 2, or a Supervisor Engine 2 and an MSFC 2.

    However, Cisco Configuration Tool gives the following message when you try to configure FWSM with SUP1A:

    Configuration Guide

    Errors

    1. --The selection of one or more WS-SVC-FWM-1-K9 firewall modules requires the selection of a Supervisor2 with MSFC from Cat6500 Primary Supervisor Option. Please adjust your selections.--

Re: Firewall Services Module (FWSM) With Sup1a Plus MSFC-2 PFC (CatOS 7.5+)

    It's probably a bug in the configurator tool. It is supported with Sup1

    Console (enable) sh mod
    Mod Slot Ports Module-Type               Model               Sub Status
    --- ---- ----- ------------------------- ------------------- --- --------
    1   1    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE    yes ok
    15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
    2   2    6     Firewall Module           WS-SVC-FWM-1        no  ok
    3   3    8     1000BaseX Ethernet        WS-X6408-GBIC       no  ok
    5   5    48    10/100BaseTX Ethernet     WS-X6248-RJ-45      no  ok

    Mod Module-Name          Serial-Num
    --- -------------------- -----------
    1                        SAD044505P9
    15                       SAD04420LM7
    2                        SAD071903GJ
    3                        SAD03070279
    5                        SAD041500VP

    Mod MAC-Address(es)                        Hw     Fw         Sw
    --- -------------------------------------- ------ ---------- -----------------
    1   00-01-63-d0-6c-d8 to 00-01-63-d0-6c-d9 7.0    5.3(1)     7.6(1)
        00-01-63-d0-6c-d6 to 00-01-63-d0-6c-d7
        00-02-17-77-98-00 to 00-02-17-77-9b-ff
    15  00-04-4d-47-bd-c0 to 00-04-4d-47-bd-ff 1.1    12.1(11b)E 12.1(11b)E11
    2   00-0c-85-3f-f5-80 to 00-0c-85-3f-f5-ff 2.0    7.2(1)     1.1(2)
    3   00-50-54-6c-92-b0 to 00-50-54-6c-92-b7 1.9    5.4(2)     7.6(1)
    5   00-01-97-49-8b-10 to 00-01-97-49-8b-3f 1.2    5.1(1)CSX  7.6(1)

    Mod Sub-Type                Sub-Model           Sub-Serial  Sub-Hw Sub-Sw
    --- ----------------------- ------------------- ----------- ------ ------
    1   L3 Switching Engine     WS-F6K-PFC          SAD04440FFV 1.1

FWSM Failover

    What is the failover time between active and standby FWSM ?

    1- If they are installed on the same 6500 Chassis ?

    2- If they are installed on different Cat-6500 Chassis ?

    Regards

    Mohamed

Re: FWSM Failover

    Hi AK,

    thanks for your reply

    Does this mean that failover poll = failover time if there is no congestion?

    What about network traffic during this time?

    Will I get session disconnects on some applications?

    Regards

    Mohamed

The Concurrent Connections On The FWSM

    I have a question about the concurrent connections on the FWSM.

    Yesterday, our FWSM went down because of too many concurrent connections.

    So we reset the FWSM.

    Before that, we checked the number of concurrent connections: it was 19765160!!!

    But the capacity of the FWSM is 1 million. Why can the concurrent connections pile up to 20 million??

    ------------------ show resource usage ------------------

    Resource  Current   Peak      Limit      Denied  Context
    Conns     8         3460      unlimited  0       CA
    Xlates    8         159       unlimited  0       CA
    Hosts     8         159       unlimited  0       CA
    Conns     19765160  19830563  500000     137285  OA
    Xlates    192       261902    131072     1688    OA
    Hosts     191       261902    131072     10856   OA
    Conns     21031     99304     unlimited  0       Server
    Xlates    319       2259      unlimited  0       Server
    Hosts     296       2259      unlimited  0       Server
    Telnet    1         4         5          0       system

    Capacities

    5.5 Gbps throughput per service module

    Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis with static VLAN or IOS Policy-based Routing

    2.8 Mpps

    1 million concurrent connections

    100,000 connection setups and teardowns per second

    256,000 concurrent NAT and 256,000 concurrent PAT translations

    Jumbo Ethernet packets (8500 bytes) supported

Re: The Concurrent Connections On The FWSM

    They might be inactive sessions that are still shown in the show output. So the total concurrent sessions cross the maximum capacity.
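    As an added example (not from this thread or from Cisco), the following Python parses the show resource usage output quoted above, flags each per-context resource class that has denied allocations or is at 90% or more of its limit, and compares the summed Conns counter with the 1 million platform figure from the capacity sheet; the sample output and the 90% threshold are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the FWSM 'show resource usage' output
# quoted in the thread (Resource Current Peak Limit Denied Context).
SAMPLE_OUTPUT = """\
------------------ show resource usage ------------------
Resource Current  Peak     Limit     Denied Context
Conns    8        3460     unlimited 0      CA
Xlates   8        159      unlimited 0      CA
Hosts    8        159      unlimited 0      CA
Conns    19765160 19830563 500000    137285 OA
Xlates   192      261902   131072    1688   OA
Hosts    191      261902   131072    10856  OA
Conns    21031    99304    unlimited 0      Server
Xlates   319      2259     unlimited 0      Server
Telnet   1        4        5         0      system
"""

# Platform-wide figure from the capacity sheet quoted in the thread.
PLATFORM_MAX_CONNS = 1_000_000

ROW_RE = re.compile(
    r"^(?P<resource>\S+)\s+(?P<current>\d+)\s+(?P<peak>\d+)\s+"
    r"(?P<limit>unlimited|\d+)\s+(?P<denied>\d+)\s+(?P<context>\S+)$"
)


@dataclass(frozen=True)
class ResourceUsage:
    resource: str
    current: int
    peak: int
    limit: Optional[int]  # None when the class limit is "unlimited"
    denied: int
    context: str

    def utilisation(self) -> Optional[float]:
        """Fraction of the configured limit in use; None when unlimited."""
        if not self.limit:
            return None
        return self.current / self.limit

    def over_limit(self) -> bool:
        """True when the counter reports more in use than the class allows."""
        return self.limit is not None and self.current > self.limit


def parse_resource_usage(text: str) -> List[ResourceUsage]:
    """Turn the tabular output into records; header, banner and blank lines are skipped."""
    rows: List[ResourceUsage] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        limit = None if m["limit"] == "unlimited" else int(m["limit"])
        rows.append(ResourceUsage(m["resource"], int(m["current"]), int(m["peak"]),
                                  limit, int(m["denied"]), m["context"]))
    return rows


def find_exhausted(rows: List[ResourceUsage], threshold: float = 0.9) -> List[ResourceUsage]:
    """Rows with denied allocations, or at/above `threshold` of their class limit."""
    flagged = []
    for r in rows:
        util = r.utilisation()
        if r.denied > 0 or (util is not None and util >= threshold):
            flagged.append(r)
    return flagged


def total_connections(rows: List[ResourceUsage]) -> int:
    """Sum of current Conns across contexts, for comparison with the platform figure."""
    return sum(r.current for r in rows if r.resource == "Conns")


def exceeds_platform(rows: List[ResourceUsage], platform_max: int = PLATFORM_MAX_CONNS) -> bool:
    """True when the summed Conns counter is above what the module is rated for."""
    return total_connections(rows) > platform_max


if __name__ == "__main__":
    parsed = parse_resource_usage(SAMPLE_OUTPUT)
    for r in find_exhausted(parsed):
        util = r.utilisation()
        pct = "n/a" if util is None else f"{util:.0%}"
        print(f"{r.context:>7} {r.resource:<6} current={r.current} "
              f"limit={r.limit} denied={r.denied} util={pct}")
    print("total Conns:", total_connections(parsed),
          "exceeds platform rating:", exceeds_platform(parsed))
```

    A Conns counter far above both the class limit and the platform rating, as in the OA context here, points at a counter or session-cleanup problem rather than real traffic, which is the same anomaly the question raises.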

PDM And FWSM 2.2(1)

    Does PDM 2.1(1) support FWSM version 2.2(1), or must I use PDM version 4.0 beta?

    Thanks

    Marco

Re: PDM And FWSM 2.2(1)

    I remember trying this combination 2.1(1) PDM and 2.2(1) with no luck.

    No doubt you will need the 4.0 version to support the new features in 2.2(1), but I would test this 4.0 version first in your lab since it is still beta.

    peter

CSM 3.01 Doesn't Support FWSM 3.1(4) SW Release

    Hi to all,

    I have to load the FWSM 3.1(4) service module into CSM 3.01, but the max software release supported is 2.3(1).

    Where can I find the patch?

    Thanks

    Leonardo

Re: CSM 3.01 Doesn't Support FWSM 3.1(4) SW Release

    I don't currently have an FWSM running 3.1 to test, so I am going off old service request data that indicates this should work per my previous instructions. However, if you're still having problems, you might try either asking on the Security Firewalling board, or moving to CSM 3.1 Professional, which has full support.

FWSM DHCP Issue

    Hi,

    I am having an issue with forwarding DHCP on the FWSM. I have the following setup:

    1. DHCP server on OUTSIDE interface

    2. Client machine on TEST-PUB interface

    dhcprelay server DHCP4.XYZ.COM OUTSIDE

    dhcprelay enable TEST-PUB

Re: FWSM DHCP Issue

    Hello,

    There is no need for the ACL, your configuration is good.

    Can you share the following debugs:

    debug dhcprelay event—Displays event information that is associated with DHCP relay.
    debug dhcprelay packet—Displays packet information that is associated with DHCP relay.

    For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/ Cheers, Julio Carvajal Segura

Adding More VLANs To The FWSM After The Initial Setup

    Hi Guys,

    There is a small detail I am not getting right: how do you add more VLANs to your FWSM after the initial ones you configure on the switch?

    e.g.

    firewall vlan-group 1 10,15,20,25

    firewall module 1 vlan-group 1

    Now I want to add more VLAN interfaces to the FWSM. What is the way to go about this?

    I am new to the FWSM.

    regards,

Re: Adding More VLANs To The FWSM After The Initial Setup

    Akinsola

    If you want to add to the same vlan-group, let's say you want to add VLAN 30:

    firewall vlan-group 1 30

    Note that this will simply add VLAN 30 to the existing VLANs in vlan-group 1, i.e. it will not overwrite what is already there.

    Jon

6513 In Data Center... How?

    Hi,

    We are planning to have a 6513 at our data center along with the FWSM, IDSM and DFC modules.

    I have a question regarding the same:

    I plan to use the MSFC in front and then the FWSM.

    1. In this case, will all of my DFCs be like L2 switches, and will even the inter-VLAN communication pass through the FWSM?

    2. If yes, do I need to define the rules on the FWSM for every VLAN?

    3. Considering the MSFC is connected to my WAN routers on one end and the FWSM on the other end, do I need to connect it to my FWSM outside interface?

    4. If yes, where will I connect my firewall router, as the firewall router has to be connected to the outside interface of the firewall?

    Thanks in advance

Re: 6513 In Data Center... How?

    Gaurav,

    Please see the FWSM configuration guide below:

    http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_book09186a0080579a1e.html

    HTH,

    -amit singh

Configuring FWSM On 6509

    Hi Everyone,

    I have a scenario which I am working on; it is required from myself that on our 6509 FWSM I create 2 or 4 possible VLANs (maybe more) having different security levels and different IP subnets, and machines connected to these VLANs should be mapped to the FWSM outside interface so that inside users/LAN users connecting to these machines cannot know the real IP; meaning like we do the publishing of a webserver using a FW to the internet, the same way, the difference being I am not publishing to the internet, only to LAN users / users who will belong to the inside of the FWSM. At present I have configured the 6509 and FWSM as below.

    6509-E

    Created 4 VLANs with of course different IPs and named as below, e.g.

    VLAN 1 = 172.21.101.0/24 inside L2
    VLAN 2 = 172.21.102.0/24 outside L3 (to make it routable on the LAN; servers will be published using this interface)
    VLAN 3 = 172.21.103.0/24 SVRGRP_1
    VLAN 4 = 172.21.104.0/24 SVRGRP_2

    Assigned different ports on the 6509 to different VLANs, excluding VLAN 2 because it is to be used on the FWSM as outside; configured the machines in those VLANs with corresponding IPs.

    FWSM

    As stated above, VLAN 1 becomes inside and VLAN 2 outside; then created access-lists for all interfaces to allow any/any and configured icmp permit any for all interfaces; configured static for hosts in VLAN 3 and VLAN 4 and inside as following:

    static (SVRGRP_1,outside) 172.21.102.200 172.21.103.10 netmask 255.255.255.255
    static (DVRGRP_2,outside) 172.21.102.201 172.21.104.12 netmask 255.255.255.255
    static (inside,outside) 172.21.102.65 172.20.101.65 netmask 255.255.255.255

    Machines in VLAN 3, 4 and inside are able to ping to the GW and LAN users without any problem, and vice versa from LAN users to these hosts in different VLANs (using their mapped IPs and not real IPs; this was one of the objectives); yet different VLANs, e.g. VLAN 3, cannot ping to VLAN 4 on mapped IPs as well as real IPs. Thus, as said before, only LAN client machines can ping VLAN 3 and VLAN 4 and inside hosts on their mapped IP.

    I hope my objective is clear and one of the experts will help find a solution to my problem.

Re: Configuring FWSM On 6509

    Follow this formula:

    source identity nat goes from high to low:

    static (high,low) high_security_net high_security_net netmask 255.255.x.x

    This will provide source address translation for all hosts on the high security subnet when they go to a lower security interface.

    destination nat goes low to high:

    static (low,high) mapped_ip real_ip_in_low net 255.255.255.255

    This dest nat will receive packets on the high security interface destined to the mapped_ip and send it to the real ip in the lower security interface.

    You can fill in the interface names and IP addresses in the above static lines.

    When you have all diff. interfaces wanting to do this to all other interfaces this could get ugly. This is the reason for mentioning best practice.

    -KS

Can't Install Policy On Module FWSM (In Catalyst 6513)

    Hi all,

    I use a Catalyst 6513 with an FWSM module. I am trying to install more policies on the FWSM but I can't. I don't know why. When I install a policy, I see this message:

    Direct failover lan unit [primary or secondary] command will be ignored because MC control only active unit

    HTTP error! Make sure the username and password are correct. Otherwise check the network connection status.

    deploy result: 0 commands executed, 1 error(s)!

    Deploy task failed!

    If you know the cause, please answer me early.

    Thank you very much.

    Duy Khang

Re: Can't Install Policy On Module FWSM (In Catalyst 6513)

    Dear sir,

    I don't know if Cisco VSM is not compatible with Java?

    Please answer me: which version of Java will FWSM v2.3 be compatible with?

    Thank you very much

    I am looking forward to your answer

    Duy Khang

FWSM Dropping Packets Of Permit Rules

    Hi

    I'm having a strange issue with an FWSM;

    it has 4 networks (inside, outside, dmz 1-2).

    When I try to connect to an inside host from outside, the FWSM denies the connection attempt, but the configured rule permits this traffic.

    But when I connect from the inside host to the outside host, the traffic that was denied before is now permitted. I have modified antispoofing and other settings but I can't fix it.

Re: FWSM Dropping Packets Of Permit Rules

    Hi Jon

    Yes... the command 'nat-control' was enabled. I disabled it and now it works.

ASA/FWSM Context

    Do the ASA or FWSM support contexts in a way that one is used for routed and the other one for transparent mode?

    Also, does the FWSM support a DMZ in transparent mode?

Re: ASA/FWSM Context

    For your second query

    "do fwsm support DMZ in transparent mode.",

    No, because each bridge group can have only one inside and one outside interface.

    http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/fwmode_f.html#wp1220271

    Hope this helps.

OSPF On FWSM

    What does this signify?

    ospf message-digest-key 1 md5 removed

Re: OSPF On FWSM

    It is the authentication key for OSPF exchanges, analogous to an OSPF password. All neighbor routers that wish to exchange OSPF table information will need this key configured. You can have multiple keys for multiple OSPF segments.

    This is considered a best practice and provides a level of security against someone exploiting OSPF packets for DoS or other attacks. However, it can be argued that if they get far enough into your network to exploit OSPF, they already own you.

Module From 6500 Shutting Down

    Hi,

    I have 2 Catalyst 6513 each with FWSM.

    FWSM are configured in failover.

    For a few days I have experienced this trouble:

    - The active FWSM shuts down (the secondary is promoted to active in failover and the network is OK).

    I just found this message in the Catalyst:

    "Nov 19 09:53:38.817: %SNMP-5-MODULETRAP: Module 4 [Down] Trap

    Nov 19 09:53:38.817: SP: The PC in slot 4 is shutting down. Please wait ...

    Nov 19 09:53:38.985: SP: PC shutdown completed for module 4"

    and I can't access the module.

    After a module reset (hw-module module 4)

    I can access the module, and if I run a sh ver I see that the module has been up for days

    (sh ver

    FWSM Firewall Version 2.2(1)

    FWSM Device Manager Version 4.0(1)

    Compiled on Fri 07-May-04 12:32 by dalecki

    FWCAT up 48 days 3 hours)

    Can anyone help me with an advice?

Re: Module From 6500 Shutting Down

    I think it might be a bug in the FWSM. Check by removing the failover option and doing the same work. I feel that then it will not restart.

DHCP Relay On FWSM

    On our FWSM we use the "dhcprelay server x.x.x.x network" config to allow DHCP relay.

    Is it possible to add more than one server address (I need this for DHCP server failover)?

Re: DHCP Relay On FWSM

    Yes, you can, up to four.

    http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/ip.html#wp1155528

    Please rate replies and mark question as "answered" if applicable.

Load Balancing For FWSM

    Hello,

    I'm implementing a data center with an aggregation layer equipped with FWSM-1, which cannot support active/active failover.

    I'm thinking about multi-context to manually divide traffic into the two CAT6500.

    Any comment or suggestion ?

Re: Load Balancing For FWSM

    Jon,

    Thank you for the message :)

    Regards,

    Omar

Packet Drop Between FWSM And 6500

    Hi,

    I have a packet drop issue between the FWSM and the 6500, I believe. Packets transiting through a particular VLAN are intermittently being dropped. I have taken a packet capture on the FWSM and it shows that some of the echo requests to a server do not get a response back. At the same time a packet capture was taken on the NIC of the server and it shows no problems; all echo requests are being replied to properly. So this concludes that the unreplied echo requests never reached the server.

    'sh np blocks' has all 0's in threshold values.

    Here is the output of the etherchannel between the FWSM and the 6500 (of course created automatically):

    DR-KMPLF#sh int po 578 counters etherchannel

    Port                InOctets   InUcastPkts   InMcastPkts   InBcastPkts
    Po578         30043323428709   42076894290     257207347       4018763
    Gi1/2/1                  176             1             0             1
    Gi1/2/2                  176             1             0             1
    Gi1/2/3               850300          7625             0           577
    Gi1/2/4                  176             1             0             1
    Gi1/2/5                  176             1             0             1
    Gi1/2/6            597674383       3552695             0            67

    Port               OutOctets  OutUcastPkts  OutMcastPkts  OutBcastPkts
    Po578         29904465074209   41224244267     388975402       2251786
    Gi1/2/1           7190383150      27868993      21660120         39163
    Gi1/2/2           1062054141       5637578        876883        644905
    Gi1/2/3            738425356          2511       2088658          5327
    Gi1/2/4            408526405          5787       3371754          4085
    Gi1/2/5            649356137          4973       4267284         14212
    Gi1/2/6            351483674        182554       1413610         67163

    This is a VSS setup with latest software on FWSM (4.1[6]) and SUP (12.2(33)SXI3).

    Experts, please advise

    Saif

Re: Packet Drop Between FWSM And 6500

    Hello saifuddin,

    This is too early to predict, but I guess you are hitting the bug CSCth04998. If you can, try upgrading to SXI5 or SXJ and let me know if this problem reappears.

    Thanks,

    Ricky Micky

    *Pls rate useful posts

Error While Web Access To FWSM

    Need help to run GUI for FWM.

    I am trying to access the FWM module through https but it responds with the following error message:

    “Cisco PDM 4.1 for FWSM encountered loading errors. If PDM has informed you about a problem in your setup, please fix the problem and try again” see attached for the graphical display.

    1. My FWSM is:

    FWSM Firewall Version 2.3(3)2

    FWSM Device Manager Version 4.1(1)

    FWSM-01 up 2 years 125 days

    Hardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz

    Flash 2.20 TOSHIBA THNCF128MBA @ 0xc321, 20MB

    2. My system is running JRE version 1.6.0_03 Java HotSpot(TM) Client VM

    thanks

Re: Error While Web Access To FWSM

    Hi there,

    I have had a similar issue; it was a while ago. Roll back to Java 1.4.02 or 1.5.0.1.

    Hope this helps.

    Jon

Reload FWSM?

    I want to create another transparent security context in my company's FWSM.

    There are already several other security contexts created: 4 routed, 1 transparent.

    recently, we re-partitioned from the default 12 memory partitions to 5 memory partitions

    I just want to create a new transparent security context ... that shouldn't require a FWSM reload, should it?

    thanks,

Re: Reload FWSM?

    Hello Kevin,

    There is no need to reload the FWSM when you create the context in multiple context mode.

    Regards,

    Arul

    *Pls rate if it helps*

FWSM Capture The 802.1q Traffic

    Hi,

    How can I capture 802.1q traffic on the FWSM?

    With FWSM Firewall Version 3.1(4) I can only capture IP traffic, but on the ASA version 7.x I can also capture the 802.1q traffic:

    FWSM#
    FWSM# capture test ethernet-type ?
    ip
    ip6
    FWSM#
    FWSM#

    Best regards.

    RT

Re: FWSM Capture The 802.1q Traffic

    Hi,

    I've searched on the Bug Toolkit but:

    CSCsf10542 Bug Details

    The bug ID CSCsf10542 does not exist. Please verify the bug ID and try again.

Problem Accessing FWSM From Switch Console

    Hi,

    I have a 6509 with FWSM in module 4. FWSM is configured in single context mode. After I configured passwords and authentication on the FWSM, I can no longer access the module using "session slot 4 processor 1" when connecting to the 6509 switch via console. Please note that if I ssh to 6509 then I can get to FWSM successfully.

    Obviously I can remove authentication config to resolve the issue for now but I need to keep them in the final configuration and cannot figure out how they would cause the above issue to find a workaround ...

    My Authentication config:

    *******************************************
    enable password ew9KHLwZJ3Ih2ff5 encrypted
    passwd GQwTW2VuxBDYJJlK encrypted
    username admin nopassword privilege 15
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (management) host x.x.x.x
     timeout 5
     key xxxxx
    http server enable
    http x.x.x.x 255.255.255.255 management
    ssh x.x.x.x 255.255.255.255 management
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    *******************************************

    Thanks in advance for your help ...

    Ali

Re: Problem Accessing FWSM From Switch Console

    The test aaa-server command lets you verify that the FWSM can authenticate users with a particular AAA server, and for legacy VPN authorization, if you can authorize a user. This command lets you test the AAA server without having an actual user who attempts to authenticate or authorize. It also helps you isolate whether AAA failures are due to misconfiguration of AAA server parameters, a connection problem to the AAA server, or other configuration errors on the FWSM.

Configuring FWSM 2.2(1) Using CLI Or VMS?

    Hi Sir,

    I'm a newbie to FWSM. May I know what's the recommended method to configure FWSM; CLI or VMS?

    The FWSM I'm having here is 2.2(1), installed on a Catalyst 6509 switch with SUP720 (CatOS 8.3(4) and IOS 12.2(17d)SXB6).

    Also appreciate it if you can point me to any useful FWSM config guide for beginners.

    Thank you.

    B.Rgds,

    Lim TS

Re: Configuring FWSM 2.2(1) Using CLI Or VMS?

    Limtihsoon,

    It's hard to tell what to use when it comes to the FWSM... It depends on your needs. I will say:

    1) If you are familiar/experienced with IOS/PIX code, and you want to have full access to firewall configuration use CLI

    2) If you have to deploy a lot of FWSM and need monitoring, SNMP, RO/RW access use VMS (make sure you are familiar with this product)

    3) If you just want to have a GUI interface in order to configure the FWSM use PDM:

    http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/products_installation_and_configuration_guide_chapter09186a0080381498.html

    Another good link is:

    http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00802010bf.html

    Hope this helps...

    Frank

FWSM And Capture

    Another question about FWSM with software 4.1(1).

    Using capture, we are able to view the captured packets only a minute or more after they hit the interface.

    Why?

    Regards.

    Andrea

Re: FWSM And Capture

    Sorry Mike. To be clear, FWSM captures all packets but shows these after some minutes, when session is already closed.


Ping From FWSM

    Dear *,

    I have a simple setup with a core switch and an FWSM. From the FWSM I am able to ping from the inside interface (the interface between the FWSM and the MSFC) of the FWSM to other VLANs on the core switch and to the internet; however, when I source the ping from another VLAN of the FWSM to the internet or another VLAN of the core switch, there is no reply. Here is my config on the FWSM:

    FWSM-1# sh run
    : Saved
    :
    FWSM Version 4.0(4)
    !
    hostname FWSM-1
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    dns-guard
    !
    interface Vlan102
     description *** Servers ***
     nameif SRVR
     security-level 50
     ip address 10.10.2.1 255.255.255.0
    !
    interface Vlan103
     description *** Servers Mgmt ***
     nameif SRVR-mgmt
     security-level 50
     ip address 10.10.3.1 255.255.255.0
    !
    interface Vlan174
     description LAN/STATE Failover Interface
    !
    interface Vlan175
     description *** Inside Interface to MSFC ***
     nameif inside
     security-level 100
     ip address 10.10.75.2 255.255.255.0
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list inside-in extended permit ip any any
    access-list inside-in extended permit icmp any any
    access-list SRVR-in extended permit ip any any
    access-list SRVR-mgmt-in extended permit ip any any
    access-list SRVR extended permit icmp any any
    access-list SRVR-mgmt extended permit icmp any any
    pager lines 24
    mtu SRVR 1500
    mtu SRVR-mgmt 1500
    mtu inside 1500
    failover
    failover lan unit primary
    failover lan interface FAIL Vlan174
    failover key *****
    failover replication http
    failover link FAIL Vlan174
    failover interface ip FAIL 192.168.74.1 255.255.255.252 standby 192.168.74.2
    icmp permit any echo SRVR
    icmp permit any SRVR
    icmp permit any echo SRVR-mgmt
    icmp permit any SRVR-mgmt
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    access-group SRVR-in in interface SRVR
    access-group SRVR-mgmt-in in interface SRVR-mgmt
    access-group inside-in in interface inside
    route inside 0.0.0.0 0.0.0.0 10.10.75.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http 10.10.0.0 255.255.0.0 SRVR
    http 10.10.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    service reset no-connection
    telnet 10.10.0.0 255.255.0.0 SRVR
    telnet 10.10.0.0 255.255.0.0 SRVR-mgmt
    telnet 10.10.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect skinny
      inspect smtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:0cc9eda46d5882ff1d4d2d7046e76c30
    : end
    FWSM-1#

    FWSM-1# ping inside 4.2.2.2
    Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 130/140/150 ms
    FWSM-1# ping in
    FWSM-1# ping inside 10.10.10.1
    Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    FWSM-1# ping in
    FWSM-1# ping SRV 4.2.2.2

    FWSM-1# ping SRVR 4.2.2.2
    Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)
    FWSM-1# ping SRVR 10.10.10.1
    Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
    ?????

    Core Switch:

    interface Vlan175
     description *** Connected to FWSM ***
     ip address 10.10.75.1 255.255.255.0
    end

    interface Vlan100
     description *** NQA-mgmt ***
     ip address 10.10.1.1 255.255.255.0
    end

    ip route 10.10.2.0 255.255.255.0 Vlan175
    ip route 10.10.3.0 255.255.255.0 Vlan175

    Any help is appreciated as this is the first time I am configuring an FWSM.

    Thanks,
    Aamir

Re: Ping From FWSM

    Hello,

    Please add the following commands and let me know:

    policy-map global_policy
     class inspection_default
      inspect icmp

    Please rate helpful posts,

    Regards,

    Julio

FWSM Not Coming Up

    Hi,

    our FWSM (in 6509) is not comming up, when tried to sesssion up using "Session slot 1 proc 1" command,

    It is giving error , "Tyring 127.0.0.11 .....connection timed out remote host not responding".

    In the "show mod" command output at the switch IOS console:

    Under the Card Type section, it is showing the Model and Serial Number correctly.

    Under the MAC address section, it is displaying some MAC addresses.

    But in Online Diag Status, it shows "Unknown" for Module 1.

    We tried re-seating in other slots, but of no use. Giving same error.

    Some other forums are saying it is an issue with the 128 MB CF image.

    The FWSM is no longer reachable from the 6509 IOS console.

    We even tried using the FWSM console (using PC-Conse LCP Console), but the FWSM is not contactable.

    Can someone please advise me here what the problem could be?

    If it is an issue with the CompactFlash image, please advise the steps to image the CF for the FWSM.

    Thanks

    Sasidhar.

    DB:3.05:Fwsm Not Comming Up 9p


    It appears you have a hardware failure, in which case the TAC would issue an RMA to exchange the broken FWSM. Do you not have a SmartNet contract covering your FWSM?

    If I were looking at it, I would try monitoring via the FWSM console during a reset with a full memory test (described here) and watching for boot-time errors.

    hw-module module mod_num reset [cf:n] [mem-test-full]

    If you have a high availability pair, perhaps you could schedule a maintenance window during which you could move the CF card from the working one to further isolate / troubleshoot the problem. If the working unit's CF card tests OK in the currently failed unit, you might be able to do an exact copy from the working unit onto a new CF card to get things back up.

  • RELEVANCY SCORE 3.05

    DB:3.05:Fwsm Maintenance Mode - Vlan 1 13



    Hi,

    A client has had their FWSM fail: when you try to start the module, the switch eventually disables the power to that slot (%C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Module Failed SCP dnld)). I have turned off diagnostics with 'no diagnostic boot level' and then used 'boot device module 4 cf:1' to bring the FWSM up into maintenance mode. I can then session up from the switch and log in to the FWSM as root.

    After inputting all the necessary IP info I can't ping anything on VLAN 1 as I would expect. I have set the FWSM as 192.168.1.2 and an FTP/TFTP server as 192.168.1.1.

    I have removed the firewall VLAN groups and tried to put them back with just VLAN 1, but this isn't accepted (the reasons are covered in other posts on the forum). What am I doing wrong, as the instructions say that VLAN 1 is the only VLAN that is accessible whilst the FWSM is in maintenance mode?

    I can create an int vlan 1 in the switch and ping my FTP server, so I know that the switchport is set up correctly. I can also see that Po308 is formed, and when the module boots I can see the Gi4/xx interfaces come up (the FWSM is in slot 4).

    Any ideas of what to try next?

    ............and they aren't covered by maintenance agreements

    FWSM

    Maintenance image version: 2.1(4)

    root@fwsm.localdomain#show images
    Device name             Partition#              Image name
    -----------             ----------              ----------
    Compact flash(cf)       4                       c6svc-fwm-k9.3-1-4-0.bin

    Switch

    SWITCH# sh ver
    Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI7, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Mon 18-Jul-11 05:49 by prod_rel_team

    ROM: System Bootstrap, Version 12.2(17r)SX7, RELEASE SOFTWARE (fc1)

    Regards

    Mel

    DB:3.05:Fwsm Maintenance Mode - Vlan 1 13


    Recently I met the same problem. When installing the FWSM board in the Catalyst 6509 there is no communication access via VLAN 1 in the maintenance partition. Moreover, the FWSM works properly in the application partition (cf:4).

    Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXH8, RELEASE SOFTWARE (fc1)
    System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)

    Mod Ports Card Type                              Model
    --- ----- -------------------------------------- ------------------
      1   48  48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
      4    6  Firewall Module                        WS-SVC-FWM-1
      5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL
      8    5  Communication Media Module             WS-SVC-CMM

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      1  001b.d41a.8360 to 001b.d41a.838f   1.5   8.4(1)       8.7(0.22)BUB Ok
      4  0003.fead.962e to 0003.fead.9635   3.0   7.2(1)       4.1(14)      Ok
      5  0017.9444.c3ec to 0017.9444.c3ef   5.4   8.5(2)       12.2(33)SXH8 Ok
      8  0017.0ee2.13cc to 0017.0ee2.13d5   2.8   12.4(25c),   12.4(25c),   Ok

    FWSM versions
    FWSM Firewall Version 3.2(20)
    Device Manager Version 5.0(3)F

    Not possible to verify the switch is in service. I guess the reason is likely the following: the FWSM supports only untagged packets on VLAN 1. By default the Catalyst 6500 does not tag native VLAN 1; in my case tagging of the native VLAN is enabled globally.

    #sh vlan dot1q tag native
    dot1q native vlan tagging is enabled globally

    Per Port Native Vlan Tagging State:
    ----------------------------------
    Port    Operational          Native VLAN
            Mode                 Tagging State
    -------------------------------------------
    Gi1/2   trunk                enabled
    Gi1/8   trunk                enabled
    Gi1/13  trunk                enabled
    Gi1/14  trunk                enabled
    Gi1/17  trunk                enabled
    Gi1/18  trunk                enabled
    Gi1/21  trunk                enabled
    Gi1/27  trunk                enabled
    Gi1/30  trunk                enabled
    Gi1/32  trunk                enabled
    Gi1/38  trunk                enabled
    Gi1/42  trunk                enabled
    Gi1/43  trunk                enabled
    Gi1/44  trunk                enabled
    Gi1/46  trunk                enabled
    Gi5/2   trunk                enabled
    Po2     trunk                enabled
    Po308   trunk                enabled
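    As an added example (my own code, not the poster's), here is a small Python check that parses the `show vlan dot1q tag native` output quoted above and reports whether native-VLAN tagging is in effect on the port-channel that carries the FWSM's backplane trunk (Po308 in this thread; the name is passed in as a parameter rather than assumed). When it is, the untagged VLAN 1 frames the maintenance partition expects are being sent tagged, which is the diagnosis the reply gives. The sample output is constructed from the lines quoted in the post; the global knob to turn tagging off is `no vlan dot1q tag native`.

```python
import re

# Constructed sample: the 'show vlan dot1q tag native' output quoted in the post, trimmed.
SAMPLE_OUTPUT = """\
dot1q native vlan tagging is enabled globally

Per Port Native Vlan Tagging State:
----------------------------------
Port    Operational          Native VLAN
        Mode                 Tagging State
-------------------------------------------
Gi1/2   trunk                enabled
Gi5/2   trunk                enabled
Po2     trunk                enabled
Po308   trunk                enabled
"""

# One per-port row: <port> <operational mode> <enabled|disabled>
PORT_LINE = re.compile(r"^(?P<port>\S+)\s+(?P<mode>\S+)\s+(?P<state>enabled|disabled)\s*$")


def parse_native_tagging(text):
    """Return (global_enabled, {port: tagging_enabled}) from the command output.

    global_enabled is None if the global status line is missing from the text.
    Header and separator rows never match PORT_LINE, so only real port rows are kept."""
    global_enabled = None
    ports = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dot1q native vlan tagging is"):
            global_enabled = "enabled" in line
            continue
        m = PORT_LINE.match(line)
        if m:
            ports[m.group("port")] = m.group("state") == "enabled"
    return global_enabled, ports


def fwsm_native_vlan_problem(text, fwsm_portchannel):
    """True when native-VLAN tagging applies to the FWSM's backplane port-channel.

    The maintenance partition only speaks untagged VLAN 1, so tagged native frames
    never reach it. A per-port row wins over the global setting; without a row the
    global setting is what the port inherits."""
    global_enabled, ports = parse_native_tagging(text)
    if fwsm_portchannel in ports:
        return ports[fwsm_portchannel]
    return bool(global_enabled)


if __name__ == "__main__":
    # Expected on the sample above: Po308 has tagging enabled -> VLAN 1 reachability problem.
    print("Po308 tagging problem:", fwsm_native_vlan_problem(SAMPLE_OUTPUT, "Po308"))
```

    Run it against a saved copy of the command output from the chassis; if it reports True for the FWSM's port-channel, fix the native-VLAN tagging before spending more time on the maintenance-partition IP settings.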

  • RELEVANCY SCORE 3.05

    DB:3.05:Fwsm Failover With Different Contexts Number 7a



    Hi,

    I have 2 FWSM modules, and they have different security contexts, one is 20 and the other is 100. can I build Active/Active or Active/Stand if I am running 1 context? Thanks a lot.


  • RELEVANCY SCORE 3.05

    DB:3.05:Fwsm Questions p8



    Just Purchased FWSM some questions.

    1. Can I install FWSM in a Cat 6513 without power down?

    2. Is the software pre-installed on FWSM?

    3. In transparent, can I have 1 group with 1 outside VLAN and multiple inside VLANs or do I need a group for each inside/outside pair?

    DB:3.05:Fwsm Questions p8


    Number 3.

    You can have multiple bridge groups (up to 8).

    Each bridge group is a pair of interfaces.

    You could subnet the network to give the same function as one outside to many insides.

    The FWSM roadmap, I believe, talks about the scenario you describe.

  • RELEVANCY SCORE 3.04

    DB:3.04:Fwsm Aaa Problem ma



    Hi,

    I am using FWSM 4.1(1) with ASDM 6.2(1)F. I use ASDM to configure the FWSM with TACACS authentication, authorization and accounting, and I have enabled TACACS authentication for "Enable", "Telnet", "HTTP/ASDM"... Everything is fine when I use ASDM to log in to the "admin" context. But when I try to session into the FWSM from the switch, I can't log in with the same username and password I used to log in with ASDM. Can anyone tell me what the problem is? Thanks

    DB:3.04:Fwsm Aaa Problem ma


    I had the same problem and it was solved by restarting the FWSM slot with the command: hw-module module <slot> reset

  • RELEVANCY SCORE 3.03

    DB:3.03:Ace/Fwsm ak



    Hello people,

    I was going through the data center design guide using FWSM/ACE.

    Using the above, the below is what I need to get working:

    1) user farm accessing server farm; they must be load balanced

    2) there are multiple application servers; each server farm must have access control between them

    3) failover of FWSM and ACE with the fastest possible convergence

    4) extended security

    The ACE/FWSM modules are connected to 6500 chassis x 2.

    What kind of design must I go for?

    thanks

    DB:3.03:Ace/Fwsm ak


    Thanks

    Yep, I went through the link. I am not sure which design to select, and so I thought of putting the questions here.

    Can you please help me here to understand the real advantages and disadvantages?

    Thanks

  • RELEVANCY SCORE 3.02

    DB:3.02:Problema Con El Failover Del Fwsm jd



    Hello,

    A question: I have a pair of FWSMs in redundancy, but I get a VLAN mismatch error when I try to establish failover.

    FWSM(config)# failover

    FWSM(config)#

    FWSM(config)#

    FWSM#

    FWSM#

            Detected an Active mate

    FWSM#

    FWSM#

            Vlan configuration mismatch

            Failover will be disabled

    FWSM#

    FWSM#

    FWSM#FWSM# sh failover

    Failover Off (pseudo-Standby)

    Failover unit Secondary

    Failover LAN Interface lfover Vlan 49

    Unit Poll frequency 1 seconds, holdtime 15 seconds

    Interface Poll frequency 15 seconds

    Interface Policy 50%

    Monitored Interfaces 0 of 250 maximum

    failover replication http

    FWSM#

    I have been reviewing the configuration of both FWSMs and they look the same.

    Many thanks,

    Chris

    DB:3.02:Problema Con El Failover Del Fwsm jd


    Chris,

    This is a very common problem; however, I think the best way to attack it is to follow these steps.

    Personally, programs like Notepad++ can help us compare the information more easily.

    You need to review the configuration of the switch and of the FWSMs.

    1) Run a show run | in firewall on both switches and verify that the same VLANs are being sent to both modules.

    2) Check in the configuration of the FWSMs that you have the same VLANs. Sometimes, when you have multiple contexts, a VLAN is present in a context on one FWSM but not in the same context on the other FWSM.

    3) Run a show vlan on the FWSM to verify the VLANs it is receiving from the SUP. Compare both outputs.

    Something very important to keep in mind is that on some occasions the VLANs are assigned with the vlan-group command but are not configured on one of the switches.

    Thanks,

    Itzcoatl
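    The three checks in the reply above lend themselves to a script, so here is an added example (my code, not part of the reply or of any Cisco tool). It expands the `firewall vlan-group` ranges from each switch's `show run | include firewall`, works out which VLANs each supervisor actually hands to the module in a given slot, reads the `interface VlanN` definitions from each FWSM's system-context config, and reports what is present on one side but not the other. Slot number 4, the group numbers, the VLAN ranges and the FWSM config snippets are all constructed sample data; the reply's third check (`show vlan` on each FWSM) is approximated here by comparing the two units' configs, since the exact `show vlan` output format is not shown in the thread.

```python
import re

# Constructed 'show run | include firewall' from the two chassis.
# Switch B's vlan-group 2 is missing VLAN 750: the drift the reply warns about.
SWITCH_A = """\
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 2,3
firewall vlan-group 2  77-80,749,750
firewall vlan-group 3  49
"""
SWITCH_B = """\
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 2,3
firewall vlan-group 2  77-80,749
firewall vlan-group 3  49
"""

# Constructed FWSM system-context configs; the secondary lacks 'interface Vlan750'.
FWSM_PRIMARY = """\
interface Vlan49
 description LAN Failover Interface
!
interface Vlan77
!
interface Vlan750
!
"""
FWSM_SECONDARY = """\
interface Vlan49
 description LAN Failover Interface
!
interface Vlan77
!
"""

GROUP_DEF = re.compile(r"^firewall vlan-group (\d+)\s+(\S+)")
MODULE_MAP = re.compile(r"^firewall module (\d+) vlan-group (\S+)")
FWSM_IFACE = re.compile(r"^interface Vlan(\d+)\s*$", re.IGNORECASE)


def expand_ranges(spec):
    """'77-80,749,750' -> {77, 78, 79, 80, 749, 750}; also expands group lists such as '2,3'."""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out


def module_vlans(show_run, module):
    """VLANs the supervisor hands to the FWSM in the given slot, with vlan-groups expanded."""
    groups, assigned = {}, set()
    for raw in show_run.splitlines():
        line = raw.strip()
        m = GROUP_DEF.match(line)
        if m:
            groups[int(m.group(1))] = expand_ranges(m.group(2))
            continue
        m = MODULE_MAP.match(line)
        if m and int(m.group(1)) == module:
            assigned = expand_ranges(m.group(2))
    vlans = set()
    for g in assigned:
        vlans |= groups.get(g, set())  # a group that is referenced but never defined adds nothing
    return vlans


def fwsm_interface_vlans(config):
    """VLAN IDs that a FWSM config defines as 'interface VlanN'."""
    matches = (FWSM_IFACE.match(line.strip()) for line in config.splitlines())
    return {int(m.group(1)) for m in matches if m}


def diff_sets(primary, secondary):
    """(only on primary, only on secondary), sorted; two empty lists means they agree."""
    return sorted(primary - secondary), sorted(secondary - primary)


def failover_vlan_report(switch_a, switch_b, fwsm_a, fwsm_b, module):
    """Run the reply's checks and return the mismatches found per check."""
    return {
        "switch_vlan_groups": diff_sets(module_vlans(switch_a, module), module_vlans(switch_b, module)),
        "fwsm_interfaces": diff_sets(fwsm_interface_vlans(fwsm_a), fwsm_interface_vlans(fwsm_b)),
    }


if __name__ == "__main__":
    report = failover_vlan_report(SWITCH_A, SWITCH_B, FWSM_PRIMARY, FWSM_SECONDARY, module=4)
    for check, (only_a, only_b) in report.items():
        print(f"{check}: only on primary side {only_a}, only on secondary side {only_b}")
```

    Feed it the real `show run | include firewall` captures and the two FWSM system configs; any non-empty list is a VLAN that one side carries and the other does not, which is exactly what makes the FWSM print "Vlan configuration mismatch" and leave failover disabled.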

  • RELEVANCY SCORE 3.02

    DB:3.02:Fwsm Upgrade. xj



    Dear friends,

    I just need to upgrade the existing FWSM of a 6509. FWSM Firewall Version 2.3(1).

    My question is, is it possible to upgrade to version 4.x? If not, which version is safe? I also need the steps for doing the FWSM upgrade.

    Thanks

    DB:3.02:Fwsm Upgrade. xj


    this link should help you

    http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/upgrade/guide/fwsm31up.html#wp1972136

    Keep in mind the following:

    Make sure you check the following:

    Maintenance release (of FWSM): to upgrade it to 3.x you need it to be at minimum 2.1(2); the above link should help you with this.

    The 4.x image of FWSM needs to be compatible with the switch IOS; check the release notes for this:
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/release/notes/fwsmrn41.html#wp171379

  • RELEVANCY SCORE 3.01

    DB:3.01:Question About Ime And Csm jx



    Hi,

    I have installed IME on a server to manage the network module IPS of a 6500, and I would like to install on the same server the CSM to manage the FWSM of the same Catalyst 6500. I have several questions:

    - Can I have IME and CSM installed and running on the same server?

    - Does CSM contain the same functionality as IME and more? I mean, is CSM enough to manage the FWSM and IDS-2 network modules of the 6500?

    - Does CSM provide a better view of FWSM logs than other applications? Which is the better tool to view the logs of the FWSM; I mean, is there a tool like the Check Point log viewer for the FWSM?

    - My customer has 2 Catalyst 6500s and 1 FWSM installed in each 6500, both FWSMs running in redundant active/passive mode. Do I consume 1 or 2 licences of CSM?

    Thanks

    Regards,

    Juan Luis. 

    DB:3.01:Question About Ime And Csm jx


    Juan;

      No, CS-MARS is a completely separate product that is sold separately.  You can find out more here:

    http://www.cisco.com/go/mars

      It is an appliance-based solution.

    Scott

  • RELEVANCY SCORE 3.01

    DB:3.01:Fwsm A/P Cluster In Transparent Mode p1



    I've been implementing the immensely performant FWSM for some time now, but always at new customer sites. Now I've stumbled into a redesign of a huge existing network. Two issues arise: transparent mode is obviously the way to go, to minimize the impact for the client. But 1. All the VLANs are already created on the MSFCs, so how can I assign them to the FWSM (without wreaking havoc)? And 2. Their entire LAN IP range / partner IP range are on VLAN 1 (I know, I know...) and I may not touch this... sigh.

    Has anyone encountered a similar setup and have more intelligent suggestions than I can come up with?

    I humbly bow in gratitude.

    Bart

    DB:3.01:Fwsm A/P Cluster In Transparent Mode p1


    Hmmm okay... either my English is very bad or you have not read what I typed in my question.

    Thank you for the effort though.

    Design-wise I know what the current/recommended practice is. I am asking what I can do in this particular situation technically, without uprooting their use of VLAN 1... If there is no workaround, no problem. I'll have to migrate everything first and use routed mode.

  • RELEVANCY SCORE 3.01

    DB:3.01:Vlan Interface Keepalive In Fwsm Asa 5540 dz



    Dear All,

    I have configured a VLAN in FWSM routed mode. Now I have to prepare an auto-redundant setup for this with an ASA 5540. But my problem is that when the primary connection on the FWSM fails, the VLAN that is configured never goes down, so the route is not flushed from the FWSM routing table. My requirement is that:

    1) when the FWSM's first Ethernet goes down it should bring the VLAN down, so that I can route the same traffic over another VLAN with a higher metric to achieve auto redundancy.

    TIA

    Regards

    SAM

    DB:3.01:Vlan Interface Keepalive In Fwsm Asa 5540 dz


    Thanks for reply,

    Your solution applies when I am using a routing protocol, but I am not using any routing protocol. I want it through static routing.

    Thanks

    SAM

  • RELEVANCY SCORE 3.00

    DB:3.00:Ace And Fwsm Design And Configuration Guideline With 6500 fs



    I have a Cisco 6500 with FWSM and ACE modules in one central DC. We also have four different data centers (hub and spoke), and in the central DC FWSM we have configured four contexts, one for each DC. Each DC's servers are on a different VLAN and IP subnet. Now we have to configure the ACE module for load balancing among servers on those different subnets. What will be the design and configuration for this solution? For example, a routed or one-arm mode design.

    Scenario Example:

    1.  App Server01

    IP:192.168.11.5/24

    GW: 192.168.11.1 in FWSM

    FWSM Context: DC1

    Physical Location:DC1

    VLAN:11

    2.  App Server02

    IP:10.101.4.5/24

    GW: 10.101.4.1 in FWSM

    FWSM Conext:DC2

    Physical Location:DC2

    VLAN:4

    3.   App Server03

    IP:192.168.2.5/24

    GW: 192.168.2.5 in Local Switch (not in FWSM)

    Physical Location:DC3

    VLAN2

    Now the customer requirement is that we have to load balance, using ACE, between these app servers, which are in different contexts in the FWSM, while one server is not behind the FWSM.

    Please guide me on how to configure or design the placement of ACE and FWSM for the above scenario.

    Thanks

    Rashed

  • RELEVANCY SCORE 2.98

    DB:2.98:Fwsm Queries k3



    Hi,

    I have 2 queries regarding the FWSM; kindly suggest:

    1) As Cisco says, "The FWSM connects the same network on its inside and outside interfaces, but each interface must be on a different VLAN. No dynamic routing protocols or NAT are required."

    What configuration is required to be done on the MSFC? How will the different VLANs be created on the MSFC?

    2) Is it possible to have more than 2 active FWSMs in a single chassis? If so, what Cisco IOS version supports this feature set?

    If possible, also send me the sh tech of your switch. That will be very helpful.

    TIA

    Best Regards

    Aashish

    DB:2.98:Fwsm Queries k3


    Hi Georg,

    Thanks for your update and email.

    Now, if I have VLANs 10, 11, 12 and 13 on the inside and I want inter-VLAN routing between them, and I'm running my FWSM in transparent mode, then how many VLANs will be required to connect the FWSM to the MSFC? Will VLANs 10, 11, 12, 13 have SVIs on the MSFC?

    As far as my second question is concerned, as you said, 2 FWSMs are possible. At the max I can have 4 FWSMs in a chassis. But my actual question is whether I can have all 4 FWSMs in the "ACTIVE" state, or will they be in ACTIVE and STANDBY state?

    Kindly clarify

    Best Regards

    aashish C

  • RELEVANCY SCORE 2.98

    DB:2.98:Fwsm: Multicast-Routing Command Breaks Failover mm



    I have two FWSMs, each in its own 6500 chassis.

    Version FWSM = 3.1.1, Version 6500 IOS: s72033-advipservicesk9_wan-mz.122-18.SXF4.bin

    These FWSMs work in active/standby failover, interconnected by state-link and failover VLANs.

    After issuing the 'multicast-routing' global command, the standby unit has become unreachable, where it would normally be reachable by means of the 'sess slot x proc 1' command.

    A 'show failover' command on the active unit reports that the standby unit has failed.

    When I restart this unit with the 'hw-module mod 1 reset' command it boots and takes over. The former active unit syncs, becomes standby and becomes unreachable in turn (sess slot x proc 1).

    After removing the global command 'multicast-routing' all works fine again.

    Seems like a bug to me.

    Anyone??

    DB:2.98:Fwsm: Multicast-Routing Command Breaks Failover mm


    Hi,

    I have the same issue, would you mind telling me how you resolved it?

    Thanks,

    Neil.

  • RELEVANCY SCORE 2.98

    DB:2.98:Help Fwsm Config fj



    Hello all,

    I'm in the process of configuring a FWSM on a 6509 switch in a bank. I have 5 VLANs:

    1. MGMT VLAN for management staff: VLAN 100

    2. Users VLAN for users: VLAN 101

    3. Servers-1 VLAN for a group of servers: VLAN 102

    4. Servers-2 VLAN for another group of servers: VLAN 103

    5. VLAN 104 for the connection with the Internet router (this VLAN is for the Internet connection)

    What I want is to configure the FWSM to inspect and allow all connections between all VLANs, in addition to allowing all VLANs to connect to the Internet,

    and I want to configure the FWSM in routed mode with only one context.

    So please help me with the best scenario and configuration for this topology,

    with the knowledge that the FWSM software version is 2.2.

    thanks in advance

    DB:2.98:Help Fwsm Config fj


    Hi,

    Basically, on the Catalyst switch you need to allocate the mentioned VLANs to a firewall group. You might also need to configure SVIs on the core for routing VLANs that are not routed by the FWSM. Once the FWSM has VLANs allocated to it, you need to configure it like any other PIX. This link will give you the steps you need to follow. You might want to read it first so that you understand how traffic flows within the Catalyst and its modules.

    http://cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/switch.html

    I hope it helps .. please rate it if it does !!!

  • RELEVANCY SCORE 2.97

    DB:2.97:Fwsm Names. am



    Hello.

    We are using FWSM with software 4.1(1) and ASDM 6.2(1)F.

    How can we disable the use of names for the routing table only?

    Thanks.

    Regards.

    Andrea

    DB:2.97:Fwsm Names. am


    You might want to open a TAC case to get the 2 issues investigated closer.

    For the first question: since you have a thousand rules, around 2 minutes is actually already quite fast to retrieve all 1000 lines of ACL. Those ACLs need to be retrieved from the FWSM, and the connectivity between the FWSM and the GUI is via HTTPS, so it needs to transfer the 1000 lines of ACL from the FWSM to the GUI.

  • RELEVANCY SCORE 2.97

    DB:2.97:Fwsm And Vrf 7a



    Hi,

    Would this work :

    A FWSM context: the outside VLAN is in VRF 1 and the inside VLAN is in VRF 2.

    Secure server farm: 40 servers in many different VLANs, but they don't need to pass through the FW to communicate with each other.

    The FW is used as a perimeter firewall for this application.

    DB:2.97:Fwsm And Vrf 7a


    Yes, I use this setup extensively and it works very well. The only problem... it's confusing to document.

  • RELEVANCY SCORE 2.96

    DB:2.96:Firewall Services Module (Fwsm) Questions 31



    Hello,

    I have some questions on FWSM and any help will be appreciated:

    Basically, what we are trying to do is simple in architecture: relocating production VLANs behind the FWSM blade. In comparison, this is much simpler than putting it on the perimeter and having the whole network behind it, where you need to do complex routing etc.

    I have defined one outside interface where the FWSM interfaces with the campus network. The idea is to put VLANs (not complex) behind this interface. The filtering (ACLs) for incoming traffic is done on the outside interface.

    1) In order to make a distinction between different vlans, would it be possible to use more then one access-list on the outside interface ?

    (If I specify only one access-list for all the incoming traffic from outside to the vlans, it will be difficult to troubleshoot when having problems with specific vlans)

    2) ACL Command: "access-list x permit tcp any any established" can not be used for FWSM.. Is there anything else I can use to replace "established" ?

    3) If I want to put comments in the FWSM configuration file, how can I do that ?

    Thanks in advance

    --osman

    Montreal, Quebec

    DB:2.96:Firewall Services Module (Fwsm) Questions 31


    Osman,

    All good questions. Answers in-line below:

    1) In order to make a distinction between different vlans, would it be possible to use more then one access-list on the outside interface ?

    (If I specify only one access-list for all the incoming traffic from outside to the vlans, it will be difficult to troubleshoot when having problems with specific vlans)

    A - Unfortunately, the answer is no. This can mean that you have a large ACL on your outside interface, as you indicated, but applying one ACL in one direction per interface is a Cisco standard.

    2) ACL Command: "access-list x permit tcp any any established" can not be used for FWSM.. Is there anything else I can use to replace "established" ?

    A - By default, the FWSM already performs a function similar to the "established" command. Due to the Adaptive Security Algorithm (ASA), the FWSM will monitor all traffic outbound and automatically allow the return traffic back in. In general, the "established" keyword is a bad idea. All it does is look to see if the ACK, FIN, PSH, RST, SYN, or URG TCP control bits are set. If they are, the traffic is allowed. Falsely setting control bits is not hard to do and can allow hackers into your network if they know what they are doing. The FWSM ASA is far more advanced than this but effectively does what you need.

    3) If I want to put comments in the FWSM configuration file, how can I do that ?

    A - Currently you cannot. This is a new feature coming in the FWSM 2.2 release. Right now, your only option is to put a line in the text file that contains the config (on your TFTP server, for example) with a '!' preceding it.

    Hope this helps.

    Scott
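    To make the second answer concrete, here is an added example (my own code, not from the reply above or from Cisco) modelling the difference between an IOS `established` ACL entry and a stateful filter. In IOS, `established` matches any TCP segment with the ACK or RST bit set and consults nothing about earlier traffic, so an attacker who sends an ACK-only probe at an inside host (a classic ACK scan) is let through; the stateful model only admits inbound segments that belong to a connection an inside host opened. The addresses, ports and the toy connection table are constructed for the demonstration.

```python
from dataclasses import dataclass

# TCP flag bits used by the toy model (the real wire values)
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool  # True = arrives on the outside interface heading for the inside


def established_acl_permits(seg):
    """IOS 'permit tcp any any established': matches when ACK or RST is set.

    No memory of earlier traffic is involved, so a forged ACK-only segment passes."""
    return bool(seg.flags & (ACK | RST))


class StatefulFilter:
    """Toy version of the stateful behaviour the reply describes.

    An outbound SYN from the higher-security (inside) side creates a connection entry;
    an inbound segment is permitted only when it matches an existing entry."""

    def __init__(self):
        self.conns = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def permits(self, seg):
        if not seg.inbound:
            if seg.flags & SYN and not seg.flags & ACK:
                self.conns.add((seg.src, seg.sport, seg.dst, seg.dport))
            return True  # outbound from inside is allowed by default
        key = (seg.dst, seg.dport, seg.src, seg.sport)  # reverse of the outbound tuple
        if key not in self.conns:
            return False  # unsolicited inbound, regardless of which flags are set
        if seg.flags & RST:
            self.conns.discard(key)  # peer tore the connection down; forget it
        return True


def compare_filters():
    """Push a legitimate exchange and two probes through both filters.

    Returns {name: (established_verdict, stateful_verdict)}; outbound segments are
    not subject to the inbound ACL, so their established verdict is recorded as True."""
    sf = StatefulFilter()
    traffic = {
        "client_syn_out": Segment("10.1.1.5", 40000, "203.0.113.9", 80, SYN, inbound=False),
        "server_synack_in": Segment("203.0.113.9", 80, "10.1.1.5", 40000, SYN | ACK, inbound=True),
        "forged_ack_in": Segment("198.51.100.7", 1234, "10.1.1.5", 445, ACK, inbound=True),
        "unsolicited_syn_in": Segment("198.51.100.7", 1235, "10.1.1.5", 22, SYN, inbound=True),
    }
    results = {}
    for name, seg in traffic.items():
        acl_verdict = established_acl_permits(seg) if seg.inbound else True
        results[name] = (acl_verdict, sf.permits(seg))
    return results


if __name__ == "__main__":
    for name, (est, stateful) in compare_filters().items():
        print(f"{name:20s} established={est!s:5} stateful={stateful}")
```

    The row to look at is the forged ACK to port 445: the `established` entry admits it while the stateful filter drops it, which is the gap the reply is warning about.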

  • RELEVANCY SCORE 2.96

    DB:2.96:Fwsm Interfaces Down xx



    Hello,

    I have a problem with a FWSM running version 3.2(5) on a Catalyst 6506 with 12.2SXH(33)a. All the interfaces of the FWSM are in the down/down state without any explicable reason. The output is in the attachment; FWSM2 is the problematic one, FWSM1 is working fine. Uptime is 16 days on both modules.

    Both switches have this configuration:

    firewall multiple-vlan-interfaces

    firewall module 1 vlan-group 2,

    firewall vlan-group 2 77-80,749,750

    I have one more 6506 with a FWSM, both running the same versions, and that module works just fine. The trunks between the two switches are up, the VLANs are in the STP Forwarding state (I'm running MST, by the way); everything looks just fine. The more interesting thing is that I'm 99% sure this problem is recurring in time: it appears for a while, then it disappears without any logical reason. I searched through the bug toolkit, as the FWSM version is quite old, but I couldn't find a bug matching this description. Has anyone had a similar problem? I plan to do an upgrade tomorrow if I don't find another solution.

    Kind Regards,

    Stefan

    DB:2.96:Fwsm Interfaces Down xx


    Thanks for the information! Do you have any idea if it's necessary to upgrade the license I have for 3.2 to go to 4.x?

  • RELEVANCY SCORE 2.96

    DB:2.96:Traffic Through Fwsm Is Slow f1



    My customer says that performance through the FWSM was very sluggish.

    He said he switched over from the active to the standby FWSM and everything is fine after this.

    I want to ask him to switch back to the suspect FWSM module again to see the problem first hand.

    Apart from SHOW TECH and SHOW LOG, are there any more useful commands that I can run on the problem FWSM at the time of the problem that will help me narrow down the problem?

    At the moment I have the SHOW TECH and a sniffer trace with the problem FWSM, and a sniffer trace after switching over to the standby FWSM, but I can't see anything unusual in these sniffer traces, such as retransmissions, etc.

    Versions running on both the FWSM:

    FWSM Firewall Version 2.3(4)6

    FWSM Device Manager Version 2.1(1)

    DB:2.96:Traffic Through Fwsm Is Slow f1


    Hi,

    When looking at the graphing (ASDM) and via SNMP, I can see that the interfaces are not under any particular load (less than 20 Mbps). The impact is seen when attempting to run a backup or a large copy.

    What identified the issue was a 187 GB drive on a server in a blade farm backing up in the same VLAN with a write speed of approx. 40 MBps (the speed that the tape writes at), whereas through the firewall this dropped to 1.5 MBps. The architecture of the FWSM should allow for at least 100 MBps throughput, on the basis of the backplane being able to process 1 Gbps.

    Many Thanks for your input

    Ju

  • RELEVANCY SCORE 2.96

    DB:2.96:Cant Session Into Fwsm xp



    I got this message when trying to session in the fwsm. Any ideas?

    Router#session slot 4 processor 1

    The default escape character is Ctrl-^, then x.

    You can also type 'exit' at the remote prompt to end the session

    Trying 127.0.0.41 ...

    % Destination unreachable; gateway or host down

    Router#ping 127.0.0.41

    % Unrecognized host or address, or protocol not running.

    Router#

    vnt

    DB:2.96:Cant Session Into Fwsm xp


    Dear nguyenvinht!

    Do you have any physical or logical interfaces in the "UP-UP" state in the host chassis? I think the telnet session to the FWSM needs an IP address to use as a source ("protocol not running").

    Hope this help!

    BR

    Belabacsi

  • RELEVANCY SCORE 2.96

    DB:2.96:Fwsm Module Shuts Down Itself Without Any Warning 3f



    Hi,

    I'm using a CAT 6509 switch with a FWSM blade for the past three years. Today the FWSM module went down without any warning messages or crash dump information.

    Show module on the chassis indicated that the status for the FWSM was shutdown. I could not get any information in the logs and could not log in to the FWSM as it was in the shutdown state.

    I brought it up manually after two or three retries from the chassis CLI. When I logged in to

    FWSM to see crash info, it said

    WARNING: There is no crash dump data!

    I do log all messages from the chassis and FWSM to a Linux host. In this case, it is a standby FWSM which went down. I did not get any error logs when this event happened.

    Any ideas why this happened after three years?

    Yes, I had upgraded FWSM from 1.1 to 2.2(1) in early 2005.

    Currently I'm running native IOS 12.1(19)E1a with FWSM 2.2(1)

    Any inputs are appreciated.

    DB:2.96:Fwsm Module Shuts Down Itself Without Any Warning 3f


    There are different reasons for FWSM failure. The default boot partition is set to cf:1. Try reloading the FWSM module. To reload the FWSM from CatOS use the command Console (enable) reset mod_num. Refer to the following URL for more info:

    http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00802010c7.html#wp1159988

  • RELEVANCY SCORE 2.95

    DB:2.95:Fwsm Span With 3rd Party Ids az



    I would like to set up our environment with a third-party IDS (not IPS).

    Configuring SPAN on the FWSM ends up with "% Monitor Session with FWSM Card doesn't work for egress traffic in Crossbar switching mode".

    Catalyst 6500 environment:

    Mod Ports Card Type                              Model             

    --- ----- -------------------------------------- ------------------

      1    6  Firewall Module                        WS-SVC-FWM-1      

      7    5  Supervisor Engine 720 10GE (Active)    VS-S720-10G       

      8    5  Supervisor Engine 720 10GE (Hot)       VS-S720-10G       

      9   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP      

    10   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP      

    11    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE     

    12    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE     

    I took a look at http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080bfd516.shtml

    but ended up with the problem described here: https://supportforums.cisco.com/thread/2129108

    Is it possible to capture inbound and outbound traffic passing through the FWSM and mirror it somewhere else?

    Or what is the recommended approach for integrating a Catalyst 6500 + FWSM infrastructure with a third-party IDS/IPS system?


  • RELEVANCY SCORE 2.95

    DB:2.95:Fwsm Requirements ja



    What 6500 supervisor modules are required to use a FWSM module? More specifically, will the WS-SVC-FWM-1 module run with WS-X6K-S2U-MSFC2 sup module?

    DB:2.95:Fwsm Requirements ja


    You can find the chassis requirements here

    http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/release/notes/fwsmrn31.html#wp73044

    Vikram

  • RELEVANCY SCORE 2.94

    DB:2.94:Fwsm Issue cm



    Hi,

    I need 2 pieces of information:

    1) Is it possible to define two or more interfaces in the same VLAN on a FWSM:

    interface dmz-90-gw vlan90

    interface dmz-90-test vlan90

    nameif vlan90 dmz-90-gw security 65

    nameif vlan90 dmz-90-test security 65

    ip address dmz-90-gw 1.1.1.1 255.255.255.0

    ip address dmz-90-test 2.2.2.1 255.255.255.0

    2) Is it possible to modify the stateful information update interval to 5 seconds?

  • RELEVANCY SCORE 2.94

    DB:2.94:Cisco Fwsm, One Of The Context Is Slow zp



    Hi,

    I am currently facing the following issue with a FWSM module installed in a Cisco 6509-E chassis. Please go through the following details and let me know what could be the issue in this case.

    We have got two FWSMs and both of them are running in active/standby mode. The actual problem is that the application which the user is accessing on the server loads very, very slowly. It takes close to 3 minutes just to load the opening screen. Compare that to a few seconds when it is not behind the firewall. We have recently created this context to access this application; it is a relatively new context on the FWSM, although there were already a few contexts in the FWSM prior to this. We have been facing this issue from the time the server was placed behind the firewall (Wk2 Nov 2009), but did isolation and observation first for about a month. Isolation included putting the server outside the FWSM context. This problem was observed on more than one context of the firewall, and on the same context the problem was observed on more than one server. There is no load balancing on the servers. The servers are running an Oracle database (port 1521), but there is no port restriction on the FWSM context. We have created another context called test and, without applying any policies, all the clients are able to access the server without any issues at all. We would like to create policies only for IP filtering and no port filtering.

    If anyone has any clue about this issue that I am facing, please let me know.

    Many thanks.

    Best regards

    - Ismail

    DB:2.94:Cisco Fwsm, One Of The Context Is Slow zp


    Ismail

    If you have created a test context with no filtering and the app runs fine then it must be something to do with the filtering policies you are applying. It could well be a timeout issue, e.g. the server needs to do a DNS lookup but DNS is not allowed, so the request must time out before the client can be serviced. This is a common sort of thing with firewalls.

    What you could do is log all denies temporarily on the context, this would show you if any extra traffic you were unaware of is being denied and hence causing the slow response.

    The other thing to check is the resource allocation between contexts on your FWSM, make sure that the context that is responding so slowly is not being starved of resources.

    Jon
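    As an added illustration of the "log all denies" approach in the answer above (the editor's example, not code from the thread): the script below parses FWSM syslog 106023 deny messages, counts repeated denies per flow, and surfaces the retried services (here UDP/53) that a client keeps waiting on. The log lines are constructed for the example, in the same format as real %FWSM-4-106023 messages; the access-group names, hosts and ports are made up.

```python
import re
from collections import Counter

# Constructed sample syslog, in the %FWSM-4-106023 "Deny ... by access-group"
# format.  Hosts, ports and access-list names are made up for the example.
SAMPLE_LOG = """\
Nov 12 2009 10:01:02: %FWSM-4-106023: Deny udp src inside:10.1.20.15/51012 dst outside:10.1.1.53/53 by access-group "inside_access_in" [0x0, 0x0]
Nov 12 2009 10:01:02: %FWSM-6-302013: Built inbound TCP connection 4711 for inside:10.1.20.15/40000 (10.1.20.15/40000) to dmz:10.1.30.5/1521 (10.1.30.5/1521)
Nov 12 2009 10:01:07: %FWSM-4-106023: Deny udp src inside:10.1.20.15/51013 dst outside:10.1.1.53/53 by access-group "inside_access_in" [0x0, 0x0]
Nov 12 2009 10:01:09: %FWSM-4-106023: Deny tcp src inside:10.1.20.16/40500 dst dmz:10.1.30.5/445 by access-group "inside_access_in" [0x0, 0x0]
Nov 12 2009 10:01:11: %FWSM-4-106023: Deny icmp src dmz:10.1.30.5 dst inside:10.1.20.15 (type 8, code 0) by access-group "dmz_access_in" [0x0, 0x0]
Nov 12 2009 10:01:12: %FWSM-4-106023: Deny udp src inside:10.1.20.15/51014 dst outside:10.1.1.53/53 by access-group "inside_access_in" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r'%FWSM-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<sifc>[^:\s]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<difc>[^:\s]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """Return one dict per 106023 deny line; all other messages are ignored."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        # Normalise the service the client was trying to reach: L4 port for
        # tcp/udp, type/code for icmp (which carries no ports in the message).
        if d["proto"] == "icmp":
            d["service"] = f"icmp type {d['itype']}/code {d['icode']}"
        else:
            d["service"] = f"{d['proto']}/{d['dport']}"
        denies.append(d)
    return denies


def summarize_denies(denies):
    """Count denies per (source host, destination host, service) flow."""
    return Counter((d["sip"], d["dip"], d["service"]) for d in denies)


def repeated_denies(denies, threshold=3):
    """Flows denied at least `threshold` times, most frequent first.

    A client that retries the same blocked dependency (DNS, LDAP, a licence
    server) and waits for each attempt to time out is the classic cause of
    an application that takes minutes to load behind a firewall."""
    return [(flow, n) for flow, n in summarize_denies(denies).most_common()
            if n >= threshold]


if __name__ == "__main__":
    for flow, n in repeated_denies(parse_denies(SAMPLE_LOG)):
        src, dst, service = flow
        print(f"{n:3d}x  {src} -> {dst}  {service}")
```

    Enable logging on the deny entries of the slow context (the `log` keyword on the ACE, or a final `deny ip any any log` entry), collect the syslog for a few minutes while a user loads the application, and run it through `repeated_denies`. A flow that is denied every few seconds, such as the UDP/53 one in the sample, is a client retrying a dependency it cannot reach and timing out on each attempt, which is exactly the slow-load symptom in the question.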

  • RELEVANCY SCORE 2.94

    DB:2.94:Fwsm Implementation.. 19



    Hi,

    Presently I have a 6513 with an MSFC running an IOS image. I configured 25 L3 VLANs on the Cat 6513. All the VLANs are using the VLAN IP address as their default gateway. Now I want to install a FWSM in this switch; I want to use 1 VLAN for outside, 2 DMZ VLANs and the other VLANs as internal VLANs. How can I configure this setup? Please help me configure this FWSM.

    Thanks,

    Banno

    DB:2.94:Fwsm Implementation.. 19


    Hi Tony,

    Yes, the 'firewall multiple-vlan-interfaces' command is not applicable here.

    My design is more like a server farm (SF) environment where I have multiple VLANs to host my resources, but only a few will sit behind the FWSM. The setup is more towards the "MSFC-Outside" model.

    I have a few other SVIs with IP on the MSFC, but only one will participate in MSFC-FWSM setup. The other SVIs are not relevant.

    The selected SVI served as OUTSIDE VLAN, while a few other VLANs (non-SVI) served as the INSIDE/DMZs.

    Route to OUTSIDE/Internet is via the next hop IP which is the OUTSIDE VLAN on MSFC. The static route to OUTSIDE/other segments is working fine.

    Questions:

    1. How many VLANs do you tie to the firewall VLAN group? I believe it should be "firewall vlan-group 1 11".

    2. Do you get the "Warning: VLAN *XXX* is not configured" message on the FWSM for other VLANs that are not declared under the firewall vlan-group, e.g. firewall vlan-group 1 11, but all 3 VLANs (11,12,13) configured in the FWSM?

    3. Check the command 'firewall module 12 vlan-GROUP 1' - please explain (?)

    Thanks

    Amrih

  • RELEVANCY SCORE 2.93

    DB:2.93:Fwsm Not Allowing Hosts Communication On Same Interface ps



    Hi Experts,

    I have a FWSM configured which carries communication between hosts on the inside interface (10.101.101.254). The inside host 10.101.101.10, with the FWSM as its default gateway, is trying to communicate with another internal host 192.168.200.6 (different VLAN).

    FWSM has,

    1. routes to all internal networks.

    2. NAT exempt using nat 0 command for all internal networks.

    3. same-security-traffic permit intra-interface.

    4. ACL on inside interface permitting any any.

    I am able to ping the internal hosts from each other, but other ports are not communicating.

    Please tell me if I missed some configuration.

    DB:2.93:Fwsm Not Allowing Hosts Communication On Same Interface ps


    Hi all,

    I got the solution...

    The problem is an asymmetric network topology. The request was going through the firewall, but the return traffic reached the server directly via the core switch; hence the further packets going through the FWSM were denied because it did not know about the connection.

    I used the tcp-state-bypass option for this traffic in the MPF and it solved the problem.

    Thanks for all your replies...

  • RELEVANCY SCORE 2.93

    DB:2.93:Very Weird Issue With Our Fwsm c7



    Hi all

    We have a redundant Cat6500-E with Sup720-3B and FWSM setup.

    Software releases:

    Sup: 12.2(33)SHX2

    FWSM: 3.2(6)

    The issue, if I add several new VLANs to the Catalyst and then give them to the FWSM with the command:

    firewall vlan-group 1 14-18,20,21,23...

    They usually appear on the FWSM of this Catalyst. Then I add them on the other Catalyst and there they also appear. But here the problem starts: they don't always do...

    When they don't then this message appears on the FWSM:

    FWSM#

    Vlan configuration mismatch between peers.

    Please correct the condition as soon as possible

    in order to avoid a possible disabling of failover.

    FWSM#

    If I then log in to this FWSM and do a show vlan, the VLAN isn't shown on this FWSM, while on the other, identically configured Catalyst+FWSM it is.

    The only solution to get the Vlan working on this FWSM, is to reboot the whole Catalyst. A reload of only the FWSM isn't enough.

    Any ideas what this could be or how I could debug this?

    Thanks,

    Patrick

    DB:2.93:Very Weird Issue With Our Fwsm c7


    Thanks for your answer.

    I'll try that, but it will probably take 1-4 months until I have the chance to. It's our core network and I can reboot only twice a year and the next one is in 4 weeks. After that, all VLANs should work (until I add new ones).

    I'll try to keep this thread in mind when I add new ones next time.

  • RELEVANCY SCORE 2.93

    DB:2.93:Fwsm And Private Vlan 8a



    Hi all,

    I would like to configure PVLAN on my Cat 6509 with FWSM 2.2(1) and IDSM2.

    Given that the default gateway for all VLANs is the FWSM, is it possible to configure this virtual interface as a promiscuous port? If not, is there a workaround?

    Thanks

    Marco

    DB:2.93:Fwsm And Private Vlan 8a


    I don't know which next release Marco is talking about for the private VLAN functionality he is looking for but in your case, I would assume you have been waiting on the 2.X release of FWSM code. We did have some delays (not related to the TAC) but it is currently available on CCO (released 3 or so weeks ago) and most of the reviews I have seen have been favorable. The release is numbered as 2.2(1). Just an FYI in case you had missed it.

    Scott

  • RELEVANCY SCORE 2.93

    DB:2.93:C6509, Fwsm Failover, C3560g, Vlans sx


    Hi,

    I have the following network scenario:

    In the central node:
       1 Catalyst 6509
       2 FWSM (failover and routed mode configured)

    In the remote locations:
        1 Catalyst 3560G

    I want to have more than one VLAN behind the Catalyst 3560G switches.
    How do I configure the firewall and the routing between the FWSM and the C3560G?

    Scenario is presented in the attached draft (tested for one vlan).

    Thank you.

    DB:2.93:C6509, Fwsm Failover, C3560g, Vlans sx


    I want the FWSM to do NAT for the VLANs even if one firewall module fails, and the PCs behind the switches to have internet access through the firewall module.

    How do I configure the firewalls and the switches to make this happen?

    Thank you.

  • RELEVANCY SCORE 2.93

    DB:2.93:Issues With Fwsm And 6509: Heartbeat Drop? za



    Hi,

    We have a couple of 6509s with the firewall module (WS-SVC-FWM-1) in them.  There is a redundant link between the switches and the firewalls are set for active/passive. They're set up like this with 2 Nexus 5ks behind them:

    |\ /|

    |/ \|

    Last night the network failed behind the 6500s.  The only errors we received on the 6500:

    Aug 15 19:16:28.002 AWST: %SEC-6-IPACCESSLOGDP: list restrict-UPS-SC denied icmp 172.16.200.1 - 172.16.40.179 (0/0), 1 packet

    Aug 15 19:16:49.510 AWST: %SEC-6-IPACCESSLOGDP: list restrict-UPS-SC denied icmp 172.16.200.22 - 172.16.40.29 (0/0), 1 packet

    Aug 15 19:23:08.540 AWST: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks

    Aug 15 19:23:08.652 AWST: %SVCLC-SW2_STBY-5-FWTRUNK: Firewalled VLANs configured on trunks

    Aug 15 20:00:58.425 AWST: %SEC-6-IPACCESSLOGDP: list restrict-UPS-SC denied icmp 172.16.205.2 - 172.16.40.16 (0/0), 1 packet

    Aug 15 20:44:01.010 AWST: %SEC-6-IPACCESSLOGDP: list restrict-UPS-SC denied icmp 172.16.200.10 - 172.16.40.192 (0/0), 1 packet

    And on the firewall modules:

    /InternalFW/act# sh logg

    Syslog logging: enabled

        Facility: 22

        Timestamp logging: enabled

        Name logging: enabled

        Standby logging: disabled

        Deny Conn when Queue Full: disabled

        Console logging: level errors, class auth, 1514 messages logged

        Monitor logging: level emergencies, 367 messages logged

        Buffer logging: level errors, 1514 messages logged

        Trap logging: level informational, facility 22, 73537453 messages logged

            Logging to Outside Tftptest errors: 418252  dropped: 72682199

        History logging: level warnings, 369290 messages logged

        Device ID: disabled

        Mail logging: disabled

        ASDM logging: level notifications, 370960 messages logged

    on interface Shield-B2C

    Aug 15 2012 22:26:36: %FWSM-1-105008: (Primary) Testing Interface CIM-Inside

    Aug 15 2012 22:26:36: %FWSM-1-105008: (Primary) Testing Interface Shield-B2C

    Aug 15 2012 22:26:37: %FWSM-1-105009: (Primary) Testing on interface CIM-Inside Passed

    Aug 15 2012 22:26:42: %FWSM-1-105009: (Primary) Testing on interface Shield-B2C Passed

    Aug 15 2012 22:26:51: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface Shield-Inside

    Aug 15 2012 22:26:51: %FWSM-1-105008: (Primary) Testing Interface Shield-Inside

    Aug 15 2012 22:26:51: %FWSM-1-105009: (Primary) Testing on interface Shield-Inside Passed

    Aug 15 2012 22:27:51: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface BWS-Inside

    Aug 15 2012 22:27:51: %FWSM-1-105008: (Primary) Testing Interface BWS-Inside

    Aug 15 2012 22:27:52: %FWSM-1-105009: (Primary) Testing on interface BWS-Inside Passed

    Aug 15 2012 22:28:06: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface CIM-Inside

    Aug 15 2012 22:28:06: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface Shield-B2C

    Aug 15 2012 22:28:06: %FWSM-1-105008: (Primary) Testing Interface CIM-Inside

    Aug 15 2012 22:28:06: %FWSM-1-105008: (Primary) Testing Interface Shield-B2C

    Aug 15 2012 22:28:07: %FWSM-1-105009: (Primary) Testing on interface Shield-B2C Passed

    Aug 15 2012 22:28:09: %FWSM-1-105009: (Primary) Testing on interface CIM-Inside Passed

    Aug 15 2012 22:28:36: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface Shield-Inside

    Aug 15 2012 22:28:36: %FWSM-1-105008: (Primary) Testing Interface Shield-Inside

    Aug 15 2012 22:28:36: %FWSM-1-105009: (Primary) Testing on interface Shield-Inside Passed

    Aug 15 2012 22:29:21: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface BWS-Inside

    Aug 15 2012 22:29:21: %FWSM-1-105008: (Primary) Testing Interface BWS-Inside

    Aug 15 2012 22:29:22: %FWSM-1-105009: (Primary) Testing on interface BWS-Inside Passed

    Aug 15 2012 22:29:36: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface CIM-Inside

    Aug 15 2012 22:29:36: %FWSM-1-105008: (Primary) Testing Interface CIM-Inside

    Aug 15 2012 22:29:40: %FWSM-1-105009: (Primary) Testing on interface CIM-Inside Passed

    Aug 15 2012 22:29:51: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface Shield-B2C

    Aug 15 2012 22:29:51: %FWSM-1-105008: (Primary) Testing Interface Shield-B2C

    Aug 15 2012 22:29:52: %FWSM-1-105009: (Primary) Testing on interface Shield-B2C Passed

    Aug 15 2012 22:30:06: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface Shield-Inside

    Aug 15 2012 22:30:06: %FWSM-1-105008: (Primary) Testing Interface Shield-Inside

    Aug 15 2012 22:30:06: %FWSM-1-105009: (Primary) Testing on interface Shield-Inside Passed

    Aug 15 2012 22:31:06: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface BWS-Inside

    Aug 15 2012 22:31:06: %FWSM-1-105008: (Primary) Testing Interface BWS-Inside

    No one had logged in to make a change on the switches or FW modules at the time and there is no evidence of the line going down.

    Currently the secondary FW module is powered down. Any ideas what to look for before we power it back up?

    The issue is similar to this old thread:

    https://supportforums.cisco.com/docs/DOC-4831

    DB:2.93:Issues With Fwsm And 6509: Heartbeat Drop? za


    Hi

    It seems like this FWSM lost contact with its failover FWSM peer.

    You say the network behind the 6500 failed. Could it be that the FWSMs lost contact because of this? Some routes disappeared or something?

    In that case, if that network is up and running again, they should be able to see each other again.

    I would only worry about what happens when they see each other again (who will become master), because I do not know the active/standby configuration of your setup.

    Maybe that does not matter in your setup. (It would matter in my setup; I'm running active/active over 2 locations...)
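    The answer above says the module lost contact with its failover peer; the log in the question shows that on every monitored interface, each time followed by an interface test that passes. As an added example (the editor's, not code from the thread), the script below parses the 105005 and 105009 messages, tallies hello losses and test results per interface, and flags interfaces whose hellos drop repeatedly inside a sliding window. The sample lines are a constructed subset in the format of the post's log, and the reading that "hellos lost everywhere but every test passed" points at the path between the two modules rather than at one VLAN is the editor's interpretation, not the thread's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subset of failover messages, in the format of the post's log.
SAMPLE_LOG = """\
Aug 15 2012 22:26:51: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface Shield-Inside
Aug 15 2012 22:26:51: %FWSM-1-105008: (Primary) Testing Interface Shield-Inside
Aug 15 2012 22:26:51: %FWSM-1-105009: (Primary) Testing on interface Shield-Inside Passed
Aug 15 2012 22:27:51: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface BWS-Inside
Aug 15 2012 22:27:51: %FWSM-1-105008: (Primary) Testing Interface BWS-Inside
Aug 15 2012 22:27:52: %FWSM-1-105009: (Primary) Testing on interface BWS-Inside Passed
Aug 15 2012 22:28:36: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface Shield-Inside
Aug 15 2012 22:28:36: %FWSM-1-105008: (Primary) Testing Interface Shield-Inside
Aug 15 2012 22:28:36: %FWSM-1-105009: (Primary) Testing on interface Shield-Inside Passed
Aug 15 2012 22:30:06: %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface Shield-Inside
Aug 15 2012 22:30:06: %FWSM-1-105008: (Primary) Testing Interface Shield-Inside
Aug 15 2012 22:30:06: %FWSM-1-105009: (Primary) Testing on interface Shield-Inside Passed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%FWSM-\d-(?P<msgid>\d{6}): \((?P<unit>\w+)\) (?P<text>.*)$"
)
LOST_RE = re.compile(r"Lost Failover communications with mate on interface (?P<ifc>\S+)")
TEST_RE = re.compile(r"Testing on interface (?P<ifc>\S+) (?P<result>Passed|Failed)")


def parse_failover_events(log_text):
    """(timestamp, kind, interface, result) for 105005 hello-loss and
    105009 interface-test messages; everything else (105008 etc.) is skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        if m["msgid"] == "105005":
            lm = LOST_RE.search(m["text"])
            if lm:
                events.append((ts, "lost", lm["ifc"], None))
        elif m["msgid"] == "105009":
            tm = TEST_RE.search(m["text"])
            if tm:
                events.append((ts, "test", tm["ifc"], tm["result"]))
    return events


def interface_summary(events):
    """Per interface: hello losses and interface-test pass/fail counts."""
    summary = defaultdict(lambda: {"lost": 0, "Passed": 0, "Failed": 0})
    for _, kind, ifc, result in events:
        if kind == "lost":
            summary[ifc]["lost"] += 1
        else:
            summary[ifc][result] += 1
    return dict(summary)


def flapping_interfaces(events, window=timedelta(minutes=5), min_losses=2):
    """Interfaces that lost failover hellos `min_losses` or more times inside
    any sliding `window`; a single isolated loss is not worth paging on."""
    losses = defaultdict(list)
    for ts, kind, ifc, _ in events:
        if kind == "lost":
            losses[ifc].append(ts)
    flapping = []
    for ifc, times in losses.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= min_losses:
                flapping.append(ifc)
                break
    return sorted(flapping)


def where_to_look(events):
    """Editor's heuristic.  Hellos lost on every interface while every
    interface test passed: each interface can still reach other hosts, so
    suspect the path between the two modules (inter-chassis trunk, failover
    and state VLANs) rather than one VLAN.  Any failed test: start there."""
    summary = interface_summary(events)
    if not summary:
        return "no failover events"
    if any(v["Failed"] for v in summary.values()):
        return "interface"
    if all(v["lost"] for v in summary.values()):
        return "peer-path"
    return "inconclusive"
```

    Run the question's full log through `parse_failover_events` and `flapping_interfaces` before powering the standby module back up: with `min_losses` at 2 and a five-minute window every interface in that log flaps, and `where_to_look` returns "peer-path", which is the inter-chassis link the answer above suspects.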

  • RELEVANCY SCORE 2.93

    DB:2.93:Ips-4270 Problem With Fwsm 3c



    Hi,

    I am facing a strange issue with an IPS 4270. As soon as I connect one interface of the IPS to any free port (default configs) on the 7609, after some time the FWSM stops forwarding traffic for around 5 to 10 minutes. I have never seen this type of problem before. During the problem I have noticed that the MSFC forwards traffic properly to other devices but traffic across the FWSM halts for some time.

    FWSM Code: 4.0(1)

    IPS Code: 6.1(2)E3

    FWSM Configs: Multiple Context configured

    IPS Config: Only Interface Pairing configured.

    Would appreciate any feedback on this.

    Regards,

    Akhtar

  • RELEVANCY SCORE 2.93

    DB:2.93:Fwsm Module Upgrade Recommendation j1



    Hi Guys,

    I'm looking at upgrading our FWSM modules in our 6500's. They're the WS-SVC-FWM-1 modules.

    We're running version 3.2(12) at the moment and I'm looking to jump up to 4. Does anyone have any recommendations around whether I should go to 4.1(6) or 4.0(16)? There aren't any features in particular that I would need in 4.1, but I want a good stable base to sit on for 12 months until I look at this exercise all over again.

    Any experience with this or advice greatly appreciated.

    Cheers

    DB:2.93:Fwsm Module Upgrade Recommendation j1


    You too Stewart , thanks for the rating.

    Thanks,

    Varun

  • RELEVANCY SCORE 2.93

    DB:2.93:Fwsm : Latest Maintenance Partition Version xc



    Dear Friends,

    I wanted to download the latest maintenance partition image for the FWSM.

    I see that there is nothing specific to the FWSM in the description of the download file. It just says "Cat6k Maintenance Partition Image" and the filename is c6svc-mp.2-1-4.bin.gz.

    Can this image be used for the FWSM?

    Thanks a lot

    Gautam

  • RELEVANCY SCORE 2.92

    DB:2.92:Fwsm With Multiple Vlans 9a



    Hi

    I have two queries: First -

    We have a FWSM in a 6500 with FW OS 3.2(12). It allows only 1 VLAN (SVI) to be assigned to the firewall vlan-group. If I want to assign more than 1 VLAN, I need to add the command "firewall multiple-vlan-interfaces". The document says that if I add this command, traffic will bypass the FWSM. We have around 40 VLANs to assign to the inside interface. Any suggestion for this issue?

    Second - I assigned 2 VLANs to the FWSM by enabling multiple-vlan-interfaces, configured inside and outside, and added an ACL "ip any any" to both interfaces. Traffic is passing through both interfaces and the packet count is increasing, but the ACL hit count remains at zero. Any suggestion why this is happening?

    Thanks in advance for your advice.

    regards

    abdullah

    DB:2.92:Fwsm With Multiple Vlans 9a


    Hi Jon,

    Any update on this pls?

    regards

    abdullah

  • RELEVANCY SCORE 2.92

    DB:2.92:Otp Support For Asdm Authentication Of Fwsm xj



    Hi, please help me find out whether the FWSM can support OTP like the ASA or not. If it can, which version of FWSM supports it?

    New Features for ASA Version 8.2(1)
    ASDM now supports administrator authentication using one time passwords (OTPs) supported by RSA SecurID (SDI). This feature addresses security concerns about administrators authenticating with static passwords.

    Thanks,
    Ye

    DB:2.92:Otp Support For Asdm Authentication Of Fwsm xj


    Great thanks. Please kindly mark the post as answered if you have no further question. Thank you.

  • RELEVANCY SCORE 2.92

    DB:2.92:Fwsm Auto Reboot Problem !!! f1



    Dear all !

    I have a problem with the FWSM. I'm using FWSM Firewall Version 3.2(3) and have configured failover in two 6509 chassis. The firewall system has worked for 8 months but this is the second time the FWSM has auto-rebooted. The first time happened a month ago.

    The system has a log like this:

    -C6KPWR-SP-4-DISABLED power to module in slot 1 set off (Reset)

    -DIAG-SP-6-RUN_MINIMUM Module 1: Running Minimal Diagnostics...

    -DIAG-SP-6-DIAG_OK Module 1: Passed Online Diagnostics

    - OIR-SP-6-INSCARD Card inserted in slot 1, interfaces are now online

    There is no log before this event!

    Please give me some advice!

    Thanks so much !

    DB:2.92:Fwsm Auto Reboot Problem !!! f1


    Please open a case with TAC. Issue "sh crash" and if there is a crash file saved, attach it to the TAC case.

    TAC will decode the crash and suggest an upgrade if needed.

    -KS

  • RELEVANCY SCORE 2.92

    DB:2.92:Enabling Netflow j7



    Hi,

    Could you please let me know whether NetFlow is supported and can be enabled on the IOS versions and models below?

    ASA 5540 - 8.0(5).23

    FWSM v 2.3(4)

    ASA 5580-20 8.1(2).49

    FWSM V 3.2(20)

    FWSM v 3.2(13)

    ASA 5585 8.4(2)

    ASA 5520 8.3(1)

    Thank you

    Sankar

  • RELEVANCY SCORE 2.92

    DB:2.92:About Rule In Fwsm pm



    Hi all,

    I am confused about configuring a rule in the FWSM.

    I use a Catalyst 6513 + FWSM, and I configured one rule:

    Source        Dest   Service
    10.20.4.0/27  any    IP

    That means I have 32 addresses, from 1 to 32, to connect to any with service IP. But when I test, only addresses 1 to 31 can connect; IP 32 can't connect to any. If you know why, please answer me soon.

    Thank you very much.

    Regards,

    DB:2.92:About Rule In Fwsm pm


    Hi

    This is because .32 is not part of your 10.20.4.0/27 subnet. Think of it like this.

    /27 = 255.255.255.224

    256 - 224 = 32 so your subnets go up in 32's eg.

    1st subnet = 10.20.4.0 255.255.255.224

    2nd subnet = 10.20.4.32 255.255.255.224

    3rd subnet = 10.20.4.64 255.255.255.224

    etc...

    So .32 is the network address of the next subnet.

    Just for completeness you shouldn't really use .31 as an IP address of a host either as this is the broadcast address for the 10.20.4.0/27 subnet.

    HTH

    Jon
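    The /27 arithmetic in the answer above, as an added worked example in Python (the editor's code, not from the thread) built on the standard library ipaddress module: it checks which addresses an ACE written as "network netmask" (the FWSM form, not an IOS wildcard) actually matches, labels the network and broadcast addresses, and computes the smallest single ACE that would also cover .32. The addresses are the ones from the question; nothing else is assumed.

```python
import ipaddress


def ace_network(network, netmask):
    """The subnet an ACE 'network netmask' clause covers.  FWSM/ASA
    access-lists take a real netmask (255.255.255.224), not a wildcard."""
    # strict=True rejects a network address with host bits set, such as
    # 10.20.4.32 255.255.255.0, instead of silently widening the match.
    return ipaddress.ip_network(f"{network}/{netmask}", strict=True)


def ace_matches(network, netmask, host):
    """True if the ACE's source/destination clause matches `host`."""
    return ipaddress.ip_address(host) in ace_network(network, netmask)


def classify(network, netmask, host):
    """'outside', 'network', 'broadcast' or 'host' relative to the ACE subnet."""
    net = ace_network(network, netmask)
    addr = ipaddress.ip_address(host)
    if addr not in net:
        return "outside"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


def usable_range(network, netmask):
    """(first host, last host, count): the addresses you can actually assign."""
    net = ace_network(network, netmask)
    return str(net[1]), str(net[-2]), net.num_addresses - 2


def covering_ace(hosts):
    """Smallest single 'network netmask' clause containing every host.

    Widening the /27 to reach .32 yields a /26 that also admits .33-.63,
    so review the result before putting it in a permit rule."""
    addrs = [ipaddress.ip_address(h) for h in hosts]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return f"{net.network_address} {net.netmask}"


if __name__ == "__main__":
    for h in ("10.20.4.1", "10.20.4.31", "10.20.4.32"):
        print(h, ace_matches("10.20.4.0", "255.255.255.224", h),
              classify("10.20.4.0", "255.255.255.224", h))
    print(usable_range("10.20.4.0", "255.255.255.224"))
    print(covering_ace(["10.20.4.1", "10.20.4.32"]))
```

    Running it shows .31 matching but classified as broadcast, .32 outside the /27, and 10.20.4.0 255.255.255.192 as the narrowest ACE that reaches .32; the doubling of the permitted range is the price of that one extra address, which is why the answer above points at the subnet plan rather than at the rule.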

  • RELEVANCY SCORE 2.92

    DB:2.92:Fwsm Setup fp



    We placed a FWSM in our 6513 to replace our external PIX 525. I'm able to session into the FWSM. We are not ready to switch over yet; I just want to work with the FWSM a bit and get things ready. I created VLAN 15 on the 6513 and presented it to the FWSM. I created an interface and assigned an IP subnet on the 6513. I sessioned into the FWSM and assigned the presented VLAN an IP address. I named it inside and gave it a security level of 100. I set up a laptop on the VLAN, gave it an IP address on that subnet and added an icmp statement to allow the laptop to ping the inside interface on the FWSM. Works. I added a telnet statement to the FWSM for the laptop. I can't telnet to the FWSM. I also tried enabling http for the laptop and that doesn't work either. Not sure what I'm missing. I have not added any SVI outside interface to the FWSM yet since we are not ready to switch over from the PIX. The FWSM shows version 2.3(4). We are using only static NAT.

    We have multiple VLANs on the 6513 that will all use the same outside interface on the FWSM. The VLANs route to each other inside the 6513. Some VLANs have more than one subnet defined as secondary on their interface.

    Craig

    DB:2.92:Fwsm Setup fp


    To reach the contexts themselves without using telnet/ssh you can just do

    session slot 4 proc 1 on the 6513

    (where slot 4 is the location of the FWSM).

    You will then be in the system context.

    From there you can type

    changeto context wan

    and you will be logged into the virtual firewall context named "wan".

    See this doc for more information.

    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809bfce4.shtml

  • RELEVANCY SCORE 2.91

    DB:2.91:Fwsm On Cat 6509 zz



    I am running FWSM 2.3(3) and need to upgrade to 3.1(4). I booted the maintenance partition to check the version 2.1(2) requirement and found that the MP is up to date.

    After "hw-module module 1 reset", I cannot access the FWSM anymore.

    6509-SW-01#sess slot 1 pro 1

    The default escape character is Ctrl-^, then x.

    You can also type 'exit' at the remote prompt to end the session

    Trying 127.0.0.11 ...

    % Connection timed out; remote host not responding

    6509-SW-01#

    It looks like I lost the local IP to the FWSM. Any help will be appreciated.

    Thanks.

    Boyet

    DB:2.91:Fwsm On Cat 6509 zz


    OK friend, please let me know if you solve the problem; it is important for me to avoid this problem in my system.

    Thanks

  • RELEVANCY SCORE 2.91

    DB:2.91:Fwsm: Svi, Vlan 1 pf



    Hello,

    I've been used to "traditional" standalone PIXes, so I'm a bit confused about the way the FWSM and the MSFC interact with each other.

    Two questions:

    1) I understand that only one SVI-enabled VLAN can be shared between the MSFC and the FWSM. My question is: for functional routing between the FWSM and the MSFC, should IPs be assigned to both ends of the VLAN, "as if" they were two physically connected routing devices? Could only one IP be configured, for the FWSM interface, and then, for example, the MSFC SVI's IP from another VLAN be specified as default gateway on the FWSM?

    2) Could VLAN 1 be assigned to the FWSM? VLAN 1 is the only VLAN which is not 802.1q tagged, and as the MSFC and FWSM communicate with each other via 802.1q, is it still possible? It's not explicitly stated in the official documentation that VLAN 1 cannot be mapped to the FWSM, but some posts here claim it can't. So what's the final word there?

    Thanks in advance!

    DB:2.91:Fwsm: Svi, Vlan 1 pf


    I too had the same questions. Here is how I configured my FWSM

    1. I do not use VLAN 1 for anything

    2. You create the VLAN SVI with an IP address as normal and set it up as the inside interface of your firewall. That way all inside traffic flows into the firewall.

    3. For the outside of the firewall I created a layer 2 VLAN (no IP address) and added that to the firewall vlan-group. I created the outside interface in the firewall, gave it an IP address (I used a 30-bit mask), gave the other IP address to my internet router, placed a port in that VLAN and plugged my internet router into that port.

    Hope this clears it up some.

  • RELEVANCY SCORE 2.91

    DB:2.91:Fwsm 4.1(1) And Access-List Commit. 1x



    How can I commit access-list more quickly?

    When I add an ACE the FWSM takes a long time to commit it.

    Thanks.

    Regards.

    Andrea

    DB:2.91:Fwsm 4.1(1) And Access-List Commit. 1x


    Hi all, I'm having the same issue. I have a FWSM running 3.1(1); when I add any ACL it takes the FWSM about 7 minutes to apply it, and during that time the CPU hits 95%.

    -------------- CLS Rule Current Counts --------------

    CLS Filter Rule Count       :             0

    CLS Fixup Rule Count        :           105

    CLS Est Ctl Rule Count      :             0

    CLS AAA Rule Count          :             0

    CLS Est Data Rule Count     :             0

    CLS Console Rule Count      :            18

    CLS Policy NAT Rule Count   :             0

    CLS ACL Rule Count          :         70566

    CLS ACL Uncommitted Add     :             0

    CLS ACL Uncommitted Del     :             0

    ---------------- CLS Rule MAX Counts ----------------

    CLS Filter MAX              :          2764

    CLS Fixup MAX               :          4147

    CLS Est Ctl Rule MAX        :           460

    CLS Est Data Rule MAX       :           460

    CLS AAA Rule MAX            :          6451

    CLS Console Rule MAX        :          1843

    CLS Policy NAT Rule MAX     :          1843

    CLS ACL Rule MAX            :         74188

    Help Please

    Thanks,

  • RELEVANCY SCORE 2.91

    DB:2.91:Ip Becomes Unreachable Through Fwsm In Vss 3z



    Hi All,

    We have two Cisco 6509-E  switches configured in VSS. A FWSM is installed in the VSS. Recently we faced a problem that  an IP which was configured in a Cyberoam server on the outside of the FWSM, stopped responding from inside. We changed the IP to a different one and it started responding. After some days the new IP too stopped responding and we had to change the IP to yet another IP. The version of the FWSM is 4.0.4 while the IOS of VSS is SXI3.

    The problem is existing with the two IPs only (currently). We tried configuring the problematic IPs on a machine and connected it to the outside of the FWSM, but the machine was not able to communicate with the inside IP, though it was able to ping the gateway, which is the IP of the outside VLAN in FWSM.

    When we try to trace the problematic IPs from the inside VLANs, the trace seems to end on packet oscillate between FWSM and Core switch IP.

    C:\Users\Administratortracert 10.10.139.180

    Tracing route to 10.10.139.180 over a maximum of 30 hops

      1     1 ms    1 ms    1 ms  10.10.132.2  2     1 ms     1 ms     1 ms  10.10.139.195  3     3 ms     5 ms     2 ms  10.10.139.195  4     4 ms     4 ms     5 ms  10.10.139.195  5     4 ms     3 ms     3 ms  10.10.139.195  6     5 ms     7 ms    11 ms  10.10.139.195

    10.10.139.195 is the IP of the vlan in core switch which communicates with the FWSM inside IP (10.10.139.193). The default route in switch 10.10.139.193.

    We have tried rebooting the FWSM, but still the problem exists.

    Has anyone faced a similar problem? Please respond.

    DB:2.91:Ip Becomes Unreachable Through Fwsm In Vss 3z


    Hi Manohar,

    Please attach a brief topology with some IP addresses as well for better understanding of the problem.

    Based on my understanding until now, there is some kind of looping in the network. What IP addresses are 10.10.139.180 and 10.10.132.2? What is the IP address of the machine on the inside from where you are trying to access the servers?

    Please paste the output of "show xlate det | in Problematic_IP" for both the problematic IPs.

    Regards,

    Prapanch

  • RELEVANCY SCORE 2.91

    DB:2.91:Stacked Fwsm Capabilities 1p



    Hello,

    According to the Cisco documentation you can stack up to 4 FWSMs in one chassis. The document says that the bandwidth will increase; however, it says nothing about the maximum number of concurrent connections. One FWSM is supposed to handle 1 million concurrent connections, and my question is whether 2 stacked FWSMs would then be able to handle 2 million connections.

    Regards

    Carol


  • RELEVANCY SCORE 2.89

    DB:2.89:Fwsm Configuration With Shared Interface - Confusion 19



    Hello,

    I have attached a PDF of an example of a FWSM configuration with shared interfaces. Now what I don't get is (please refer to the link)

    http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/exampl_f.pdf. Also attached the link

    Is there any difference between the natting that they have done on page B-4 on Context A

    nat (inside) 1 10.1.2.0 255.255.255.0

    global (outside) 1 interface

    as opposed to configuring a static NAT for processing traffic to correct context

    nat(inside,outside) 209.165.201.0 10.1.2.0

    The other question is on page B-2 (diagram)

    Context A has a customer A network linked to the inside interface. Is it possible to put a default route towards that "Network 2" cloud and restrict traffic from the 6509 switch towards the context A?

    Thanks

    DB:2.89:Fwsm Configuration With Shared Interface - Confusion 19


    1. Based on the diagram, VLAN 14 is only connected to Context 2, so assuming that is the only access you need towards the Internet, then VLAN 14 generally should have the lowest security level, i.e. configured as an outside interface.

    You can't configure "static (vlan11,vlan14) 192.168.10.0 192.168.10.0" for Internet traffic unless you are going to perform NAT on an upstream device. If you would like the FWSM to perform NAT for access to the Internet, then you would need to configure NAT exemption, and in the NAT exemption access-list you would need to be specific about which subnet you would like to exempt from NAT.

    Eg:

    access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0

    nat (vlan11) 0 access-list nonat

    From the above example, only traffic from 192.168.10.0/24 towards 192.168.50.0/24 will be exempted, and the rest will just be PATed when you configure NAT/Global pair towards the Internet.

    2. Yes, you would need to design this correctly, and check inter-context traffic communication if you plan to have access between contexts. Security level and NATing need special attention when communication between contexts is required. For communication between contexts, traffic will only flow with the following security levels:

    1) High -- Low -- Low -- High

    2) Low -- High -- High -- Low

    Plus you would also need to configure the correct NATing accordingly.

  • RELEVANCY SCORE 2.89

    DB:2.89:Vss Fwsm Config 1z



    Hi,

    Please help me on below queries.

    Cisco doc says that both FWSMs in the VSS chassis are active.

    I have 5 VLANs in my network and assigned all VLANs to both FWSMs. But I am confused over the FWSM configuration on the VSS standby.

    1) Whether we need to configure both FWSMs individually

    2) Is it a must that I should enable active/standby or active/active failover in the FWSM

    3) If I don't enable failover, whether I have to individually configure the FWSMs with different VLAN interface IPs and point the routes based on path cost.

    Regards,

    Savad


  • RELEVANCY SCORE 2.89

    DB:2.89:Fwsm Ip Route Question za



    Hi.

    I just got a brand new FWSM from Cisco that has Cisco IOS:

    FWSM Firewall Version 2.3(4) system

    FWSM Device Manager Version 4.1(5)

    And my problem is that I can't get my Management Interface on the FWSM to come up.

    I can log in to the FW but not get any traffic out. It always says "no route to host".

    The management VLAN 799 is configured on the WS-6500:

    firewall multiple-vlan-interfaces

    firewall switch 1 module 6 vlan-group 1

    firewall vlan-group 1 799

    And the Admin-context is configured on FWSM:

    admin-context admin

    context admin

    description Admin context

    allocate-interface vlan799

    config-url disk:/admin.cfg

    What fundamental mistake have I made?


  • RELEVANCY SCORE 2.89

    DB:2.89:Troubling Fwsm Issue k3



    Hi,

    We have an FWSM running 3.1.3 in routed mode, single context. It has been running fine (as far as we can tell) since July 06.

    It runs in a 6509 with Sup32/CatOS 8.5.3.

    The MSFC is not being used and has not been configured.

    The FWSM routes traffic between 3 vlans:

    interface Vlan400

    nameif external

    security-level 0

    ip address X.Y.45.245 255.255.255.0

    !

    interface Vlan480

    description Systems Vlan

    nameif systems

    security-level 50

    ip address X.Y.16.120 255.255.255.128

    !

    interface Vlan481

    description Users Vlan

    nameif users

    security-level 40

    ip address X.Y.16.240 255.255.255.128

    !

    The issue: traffic going from vlan481 to vlan480 shows up on interface vlan400. I can see it with a sniffer, and it also gets denied in syslog.

    Jan 23 00:54:18 hostname %FWSM-4-106023: Deny udp src external:X.Y.16.144/2422 dst systems:X.Y.16.108/389 by access-group "external_access_in" [0x0, 0x0]

    Note that the denied traffic came from the user VLAN (481), went out the external interface, was sent back to the FWSM by our gateway, and is denied as it tries to re-enter the FWSM to be routed to the server VLAN (480).

    I don't understand why such traffic would be routed out to the external interface.

    This doesn't make sense to me. Why would the traffic be routed out to the external interface in the first place?

    What's even more troubling, is that the issue never surfaced before 2 days ago. I went through the log files for the last month and couldn't find any such Deny.

    The FW configuration didn't change in the last 2 weeks.

    Just to add some information that might be relevant, we are not using translation in this setup. However, I had to set up some statics because the hosts on the external interface use a /16 subnet mask.

    from the FWSM config:

    nat (systems) 0 access-list systems_nat0_outbound

    static (systems,external) X.Y.16.0 X.Y.16.0 netmask 255.255.255.128

    static (users,external) X.Y.16.128 X.Y.16.128 netmask 255.255.255.128

    access-group external_access_in in interface external

    access-group systems_access_in in interface systems

    access-group users_access_in in interface users

    route external 0.0.0.0 0.0.0.0 X.Y.45.240 1

    Has anyone ever seen/heard of a similar issue and could point me in the right direction?

    Thank you,

    DB:2.89:Troubling Fwsm Issue k3


    Thanks for the input. I thought about this, routing is the first thing I checked.

    All systems involved are directly connected. No dynamic routing involved.

    I opened a case with TAC, they are still looking into it.
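
The thread above shows inside-sourced traffic being denied on the external interface. As an added example (not from the thread or from Cisco), the script below parses %FWSM-4-106023 deny messages and flags denies whose source address belongs to a subnet directly connected behind a different interface than the one the packet arrived on; the interface/subnet map and the log lines are constructed, with 10.0.x.x standing in for the thread's X.Y.

```python
"""Flag FWSM 106023 denies whose source address sits behind a different
interface than the one the packet arrived on (the "inside traffic showing up
on external" symptom described in the thread).

Added example, not from the thread or from Cisco. The interface/subnet map
and the log lines are constructed; 10.0.x.x stands in for the thread's X.Y.
"""
import ipaddress
import re

# Matches the body of a %FWSM-4-106023 message as shown in the thread.
DENY_RE = re.compile(
    r"%FWSM-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))? "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed: each interface and the subnet directly connected behind it,
# mirroring the thread's external / systems / users layout.
CONNECTED = {
    "external": ipaddress.ip_network("10.0.45.0/24"),
    "systems": ipaddress.ip_network("10.0.16.0/25"),
    "users": ipaddress.ip_network("10.0.16.128/25"),
}

# Constructed sample syslog lines (the first mirrors the one in the thread).
SAMPLE_LOG = [
    'Jan 23 00:54:18 hostname %FWSM-4-106023: Deny udp src external:10.0.16.144/2422 '
    'dst systems:10.0.16.108/389 by access-group "external_access_in" [0x0, 0x0]',
    'Jan 23 00:54:19 hostname %FWSM-4-106023: Deny tcp src external:198.51.100.7/40000 '
    'dst systems:10.0.16.10/22 by access-group "external_access_in" [0x0, 0x0]',
    'Jan 23 00:54:20 hostname %FWSM-4-106023: Deny tcp src users:10.0.16.150/51000 '
    'dst systems:10.0.16.20/445 by access-group "users_access_in" [0x0, 0x0]',
    'Jan 23 00:54:21 hostname %FWSM-6-302013: Built outbound TCP connection 1234',
]


def parse_deny(line):
    """Return the fields of a 106023 deny as a dict, or None for other lines."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Ports are absent for protocols such as icmp; normalise to int or None.
    for key in ("src_port", "dst_port"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def expected_interface(ip, connected=CONNECTED):
    """Name of the interface whose connected subnet contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, net in connected.items():
        if addr in net:
            return name
    return None


def find_misrouted(lines, connected=CONNECTED):
    """Return denies whose source belongs behind another interface.

    A hit means a packet sourced from a directly connected internal subnet
    entered the firewall on a different interface: either the traffic left
    through that interface and was sent back (asymmetric routing, as in the
    thread) or something upstream is sourcing addresses it should not own.
    """
    findings = []
    for line in lines:
        deny = parse_deny(line)
        if deny is None:
            continue
        home = expected_interface(deny["src_ip"], connected)
        if home is not None and home != deny["src_if"]:
            findings.append({
                "src_ip": deny["src_ip"],
                "arrived_on": deny["src_if"],
                "expected_on": home,
                "dst": f'{deny["dst_if"]}:{deny["dst_ip"]}',
                "acl": deny["acl"],
            })
    return findings


if __name__ == "__main__":
    for hit in find_misrouted(SAMPLE_LOG):
        print(f'{hit["src_ip"]} arrived on {hit["arrived_on"]} but lives behind '
              f'{hit["expected_on"]} (to {hit["dst"]}, denied by {hit["acl"]})')
```

Only the first sample line is reported: an Internet source that matches no connected subnet, and a users-VLAN source that arrives on the users interface, are ordinary denies.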

  • RELEVANCY SCORE 2.89

    DB:2.89:6509 Fwsm Routing Problem 89



    The 6509 FWSM blocks the search engine after 1-5 hours. I have not written any rule for it. How can I stop it?

  • RELEVANCY SCORE 2.89

    DB:2.89:Fwsm 4.0 Asdm 19



    I just upgraded a FWSM to 4.0(1). Now the old ASDM is inoperative (5.2.4(F)). I also have ASDM 6.11 for my ASA's. That version of the loader does not work either.

    I use the ASDM to monitor, so it's not a major issue, but does anyone know if a new version of the ASDM is coming out for FWSM 4.0? Maybe compatible with ASDM Launcher 1.5 (30)?

    TIA

    DB:2.89:Fwsm 4.0 Asdm 19


    Per Cisco TAC:

    The ASDM 6.1F is not yet available for deployment. It is planned to be available in July.

    Unfortunately till the release all configuration in FWSM 4.0 have to be done through CLI.

  • RELEVANCY SCORE 2.89

    DB:2.89:Asdm Image Command Not Working On Fwsm 8k



    Hi all,

    I'm trying to enable ASDM on the FWSM but the commands are not there to enable it.....

    FWSM(config)# asdm ?

    configure mode commands/options:

    group Associate object group names with interfaces. Warning: This option

    is designed for use solely by ASDM. Do not manually configure this

    option.

    history Enable/Disable Device Manager data sampling

    location Associate an external network object with an interface. Warning:

    This option is designed for use solely by ASDM. Do not manually

    configure this option.

    exec mode commands/options:

    disconnect Specify ASDM session id to be disconnected after this keyword

    FWSM(config)# asdm

    The Firewall(config)# asdm image disk0:/asdm.bin command is not seen on the FWSM... need assistance for the same. Here is some more information which can help you all in guiding me...

    FWSM# dir flash:

    Directory of flash:/

    2 -rw- 5632060 no date asdm

    1 -rw- 6037560 no date image

    3 -rw- 4984 no date startup-config

    No space information available

    FWSM#

    What I can see is that the dir command is not showing the date or the space available on flash. Is there any bug?

    FWSM# sh version

    FWSM Firewall Version 3.2(2)

    Device Manager Version 5.2(1)F

    Compiled on Thu 16-Aug-07 14:40 by dalecki

    FWSM up 8 days 15 hours

    failover cluster up 8 days 15 hours

    Hardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz

    Flash SMART CF @ 0xc321, 20MB

    0: Int: Not licensed : irq 5

    1: Int: Not licensed : irq 7

    2: Int: Not licensed : irq 11

    The Running Activation Key is not set, using default settings:

    Licensed features for this platform:

    Maximum Interfaces : 256

    Inside Hosts : Unlimited

    Failover : Active/Active

    VPN-DES : Enabled

    VPN-3DES-AES : Enabled

    Cut-through Proxy : Enabled

    Guards : Enabled

    URL Filtering : Enabled

    Security Contexts : 2

    GTP/GPRS : Disabled

    BGP Stub : Disabled

    VPN Peers : Unlimited

    Serial Number: SAD12140839

    Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000

    Configuration last modified by enable_15 at 07:14:19.230 UTC Sun Aug 31 2008

    FWSM#

    --- Piyush

    DB:2.89:Asdm Image Command Not Working On Fwsm 8k


    But I am still not able to see the space information available on the FWSM flash

    FWSM#dir flash:

    Directory of flash:/

    2 -rw- 5632060 asdm

    1 -rw- 6037560 image

    3 -rw- 4984 startup-config

    No space information available

    FWSM#

  • RELEVANCY SCORE 2.89

    DB:2.89:Upgrading 6506 To What 33



    I want to upgrade my 6506 chassis as it is full with modules. What will be the best replacement: Cisco 6500 VSS or Nexus?

    Modules installed:

    1) fwsm

    2)10G 4 PORT

    3)UTP 48

    4)sfp 48

    5)TWO SUP 720

    DB:2.89:Upgrading 6506 To What 33


    As the other posters have noted, a 6509 might be the next choice (as it would add 3 more card slots). The 6513 might be an option too, and would more than double your card slots, but not all line cards are supported in all card slots.

    If you stay with just one larger 6500, you might be able to use all existing cards and power supplies. (If you add cards, you might need larger power supplies.)

    If you move to a VSS or Nexus, the former requires Sup720C variants, a second chassis (also noted by another poster), and there are other VSS requirements and restrictions. Nexus (also noted by another poster) is a different platform, so you would need to buy all the components (I believe).

    PS:

    Another option you might consider, depending on what kind of additional ports you need, use a standalone appliance switch to "fan out" your port density.

    [edit]

    Also depending on your port requirements, another option might be to use a higher port density card. E.g. 8 or 16 port 10 gig to replace the 4 port and the 96 port 10/100 Ethernet.

  • RELEVANCY SCORE 2.89

    DB:2.89:Questions About 6500/Fwsm/Csm sc



    Hi,

    I have some questions regarding FWSM and CSM. Thank you in advance for your feedback.

    I am using a pair of 6513 with one fwsm and csm in each. I am setting up a dmz environment with these units. fwsm is the second tier firewall (a pair of PIX 525 are in perimeter).

    1. Do I have to use MSFC? I am connecting PIXes to the outside VLAN of the FWSM and two inside routers to inside VLAN of the FWSM. FWSM has a DMZ VLAN as well. I don't see any reason to involve MSFC in the picture. Is this correct? Is there any reason in the future that I may need MSFC (i.e. changing from single context to multiple or using load balancing for DMZ servers)?

    2. I am going to extend outside and inside VLANs of FWSM between two 6513 switches. Should I do this for DMZ as well? As I do not use gateway redundancy for my DMZ servers and it is a pure firewall configuration of 6513/FWSM, I don't think it is required.

    3. My understanding is with extending outside VLAN, if the link between primary PIX and primary 6513 fails or if primary PIX fails over to secondary for any reason, secondary PIX will have a way to get to the outside interface of primary FWSM. Is this correct? If not, then how I can make sure that PIX fail over will be transparent to primary 6513/FWSM which is not connected to secondary PIX?

    4. Any difference in spanning-tree configuration between this environment and a regular dual homed server based config?

    Thanks,

    DB:2.89:Questions About 6500/Fwsm/Csm sc


    Hi

    1) No you should be fine if you leave out the MSFC. Certainly you don't want the MSFC between your perimeter pix firewalls and the FWSM's as you could end up routing around the firewalls. You could have the MSFC on the inside of the FSWM's.

    Changing to multiple context will not require that you need the MSFC for the above. It is quite feasible to have a separate context where the MSFC is involved and still have your above setup where you haven't involved the MSFC. You dictate this by how you allocate VLANs to the FWSM.

    2) You will have to extend the DMZ, or at least you will have to allocate the DMZ VLAN on both switches under the "firewall vlan-group .. " command. If you don't allocate the same VLANs on each switch to the FWSM your failover will not work properly. If the DMZ servers are physically connecting into the 6500 chassis I would look to dual home and include the DMZ in failover if you can. Can't see the reason not to use failover between chassis if you can. (Of course it depends on your having 2 NICs in the DMZ servers.)

    3) Assuming your 6500's are connected with a layer 2 trunk, yes, the secondary PIX should still be able to get to the outside interface of the FWSM primary.

    4) For the FWSM not really. Just make sure you use a dedicated layer 2 trunk/etherchannel for the FWSM between the 2 switches.

    Hope this has answered some of your queries

    Jon

  • RELEVANCY SCORE 2.89

    DB:2.89:Migrating From Cisco Fwsm To Cisco Asa Software dm



    This document outlines the differences between Cisco FWSM 4.0(1) and Cisco ASA 8.2(1) software to provide users with information to use when making the decision to migrate from FWSM to ASA software. It does not explain how to migrate from using a Cisco FWSM to using a Cisco ASA device. Features that are in FWSM but not in ASA are described, as well as features that are available on both platforms but implemented differently. Features that are in ASA but are not available in FWSM are not listed.

    To access the document, go to the following URL:

    http://docwiki.cisco.com/wiki/Migrating_from_Cisco_FWSM_to_Cisco_ASA_Software


  • RELEVANCY SCORE 2.88

    DB:2.88:Problem Accessing Fwsm From Switch Console pa



    Hi,

    I have a 6509 with FWSM in module 4. FWSM is configured in single context mode. After I configured passwords and authentication on the FWSM, I can no longer access the module using "session slot 4 processor 1" when connecting to the 6509 switch via console. Please note that if I ssh to 6509 then I can get to FWSM successfully.

    Obviously I can remove authentication config to resolve the issue for now but I need to keep them in the final configuration and cannot figure out how they would cause the above issue to find a workaround ...

    My Authentication config:

    *******************************************

    enable password xxx

    passwd xxx

    username admin nopassword privilege 15

    aaa authentication ssh console TACACS+ LOCAL

    aaa authentication http console TACACS+ LOCAL

    aaa-server TACACS+ protocol tacacs+

    aaa-server TACACS+ (management) host x.x.x.x

    timeout 5

    key xxxxx

    http server enable

    http x.x.x.x 255.255.255.255 management

    ssh x.x.x.x 255.255.255.255 management

    telnet timeout 5

    ssh timeout 5

    console timeout 0

    *******************************************

    Thanks in advance for your help ...

    Ali


  • RELEVANCY SCORE 2.87

    DB:2.87:Wccp Support On A Fwsm Running 4.0(7) ? zp



    Hi,

    I was wondering if anyone knew what the support for WCCP on a FWSM running 4.0(7) is like, if there is any at all ?

    I've read that the earliest PIX release that supports WCCP was 7.2(1) but I'm not sure how FWSM 4.0(7) aligns with the PIX versions.

    The only docs I can find referencing WCCP on a 6500 with FWSM are in the 6500 12.2 IOS guide.

    Thanks,

    Scott

    DB:2.87:Wccp Support On A Fwsm Running 4.0(7) ? zp


    No, unfortunately WCCP is not supported on FWSM platform at all.

  • RELEVANCY SCORE 2.86

    DB:2.86:Fwsm Failover Bandwidth zx



    Hi,

    I have 2 6500s with 2 FWSM cards configured as active/passive with 1 Gig of bandwidth between them.

    The link is configured as 802.1q.

    My question is how I can calculate the bandwidth used by failover and session traffic (except data traffic).

    Regards

    DB:2.86:Fwsm Failover Bandwidth zx


    I don't have the exact answer, but remember that your failover traffic is in a different VLAN from your data traffic. Of course they are going over the same .1q trunk. show failover or the VLAN stats may give you some idea but not the exact info you are looking for.

    Satya

  • RELEVANCY SCORE 2.86

    DB:2.86:Fwsm : Failover Off (Pseudo-Standby) dd


    Hello!!!!,

    We are running FWSM Firewall Version 3.2(1), in multi-context mode with interchassis (2 boxes of 6509) failover.

    I have FWSM Failover problem.

    Primary Box sh failover output

    ****

    This context: Active

    Peer context: Failed

    Secondary Box shows

    *******

    Failover Off (pseudo-Standby)

    Failover unit Secondary

    Failover LAN Interface: faillink Vlan x (up)

    Unit Poll frequency 1 seconds, holdtime 15 seconds

    Interface Poll frequency 15 seconds

    Interface Policy 4

    Monitored Interfaces 46 of 250 maximum

    failover replication http

    Can someone please guide me with the

    1. reason behind failover getting turned off on the secondary box

    2. What can be done to recover from this state.

    3. What is the impact of this if not recovered.

    Thanks in Advance

    Regards

    Yogesh

    India

    DB:2.86:Fwsm : Failover Off (Pseudo-Standby) dd


    No problem at all. I'm glad it's working now :)

    Regards

    Farrukh

  • RELEVANCY SCORE 2.85

    DB:2.85:Failover Performance On Fwsm Module fx



    I am testing the failover process (Active / Standby) on the FWSM modules.

    Setup: (2) cat6506's

    (2) FWSM modules configured

    Switch#1 - hosts primary FWSM

    Switch#2 - hosts secondary FWSM

    Switch#3 - Internet/Gateway router

    I have the FWSM configured to monitor the "outside" interface. The "outside" interface is on vlan 100. On switch#1 vlan 100 is only assigned to one physical port that is connected to switch#3 (duplicated on switch#2).

    In order to test failover I disconnect the cable that provides the link between switch#1 and switch#3.

    The primary FWSM does fail over to the secondary FWSM, but it takes 12-14 seconds. I have the failover criteria set to the minimum parameters.

    The 12-14 seconds that it takes to fail over is too long. I believe that during this time period any TCP sessions would be timed out.

    Question #1

    Is there a better way to configure / design this setup in order to provide a failover scenario that would not drop the tcp sessions ?

    Question#2

    Is there a way to associate the SVI interface on the FWSM module to a physical interface on the switch ? So that if the physical link changes state to down, the SVI interface on the FWSM would change state to down.

    Thanks,

    John R.

  • RELEVANCY SCORE 2.85

    DB:2.85:Configuring 6513 In Dc .... 3c



    Hi,

    We are planning to have a 6513 at our data center along with the FWSM, IDSM and DFC modules.

    I have a question regarding the same:

    I plan to use the MSFC in front and then the FWSM.

    1. In this case, will all of my DFCs be like L2 switches, and will even the inter-VLAN communication happen by passing through the FWSM?

    2. If yes, do I need to define the rules on the FWSM for every VLAN?

    3. Considering the MSFC is connected to my WAN routers on one end and the FWSM on the other end, do I need to connect it to my FWSM outside interface?

    4. If yes, where will I connect my firewall router, as the firewall router has to be connected to the outside interface of the firewall?

    thanks in advance

    DB:2.85:Configuring 6513 In Dc .... 3c


    Thanks Thomas,

    Kindly tell me: if the MSFC will be connected to the FWSM outside interface, where will I connect my Internet router?

    Thanks in advance

  • RELEVANCY SCORE 2.85

    DB:2.85:Fwsm Stateful Inspection mx



    Hi,

    I am running a 6500 with FWSM in a test lab.

    The FWSM is configured with 1 Admin Context and two Other Contexts. The FWSM is configured for transparent mode.

    A client on the inside can initiate a connection through the firewall; however, the return SYN-ACK from the destination is being denied by the firewall.

    Any obvious reasons why this might be occurring?

    Miron

    DB:2.85:Fwsm Stateful Inspection mx


    Miron,

    It occurs to me that the problem is not with the FWSM but with the routing around it. Could you check the routing from your workstation to the end device you were telnetting to?

    The symptoms are consistent with the traffic from the workstation bypassing the FWSM, but the return traffic trying to pass through it (and then being dropped by the stateful firewall).

    Kind Regards

    Cathy

  • RELEVANCY SCORE 2.85

    DB:2.85:Fwsm Vlan1 ap



    Just installed the FWSM in our 6513. Was reading on its configuration. It states under assigning VLANs to the FWSM under VLAN guidelines that you can not use VLAN 1. We do use VLAN 1.

    To change away from VLAN 1 would require a lot of changes on our campus edge switches. By default all switch ports were in VLAN 1 when our LAN was first setup.

    What is the issue with VLAN 1 and is there nothing I can do other than start the process of moving away from using VLAN 1?

    Craig

    DB:2.85:Fwsm Vlan1 ap


    Hi Craig,

    I believe the reason for this is simply the enforcement of a best practice. It is assumed that VLAN1 will be used for management traffic only and not need to be firewalled. It is a best practice to move your production traffic into VLANs other than VLAN1 (though certainly not a requirement as you have seen in your case).

    -Mike

  • RELEVANCY SCORE 2.85

    DB:2.85:Context Migration From Fwsm To Asa 7x



    Hi there,

    What would be the best way to migrate a context from FWSM to ASA (non SM) with minimal downtime and effort?

    I am thinking of these steps:

    1) Preconfigure the new ASA with the same IP address as the FWSM for the interfaces (keep the ASA subinterfaces in shut state), configure access rules.

    (Want to retain the same IP for the interfaces, since there are many hosts behind the FWSM with this gateway IP configured.)

    2) Shut the context-specific interfaces on the FWSM and bring up the context-specific interfaces on the ASA.

    (Also a query: if I introduce the ASA into the network with the same IP as the FWSM, though the interfaces would be in shut state, should I expect any IP conflicts?)

    Thanks

  • RELEVANCY SCORE 2.85

    DB:2.85:Fwsm Update Problem 9m



    Hi all.

    I'm trying to update two different FWSMs on different chassis to version 4.1.3.

    In both FWSMs the result is the following:

    FWSM# copy tftp://192.168.222.215/c6svc-fwm-k9.4-1-3.bin flash:

    Address or name of remote host [192.168.222.215]?

    Source filename [c6svc-fwm-k9.4-1-3.bin]?

    Destination filename [image]?

    Accessing tftp://192.168.222.215/c6svc-fwm-k9.4-1-3.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


    It seems that the installation doesn't progress anymore, but I don't know why.

    Can anybody help me?

    Thank you!!!

    DB:2.85:Fwsm Update Problem 9m


    Or if it gets stuck forever, just do the copy one more time. It will work then.

    I hope it helps.

    PK

  • RELEVANCY SCORE 2.85

    DB:2.85:Fwsm High Cpu Utilisation xf



    Hi,

    Lately, I am observing one problem with my FWSM: whenever I put in an access-list or remove one, the CPU utilisation of the FWSM goes as high as 90% for around 2 mins and the rule download takes around 5 mins. We have another FWSM for our other location which is running the same version and is not having this problem.

    There is a difference in rule count at both locations.

    I want to know:

    1. The rule limit is around 1 lakh and we are having around 30k rules... could the rule count be the reason for this problem?

    2. How to find which process is taking maximum CPU?

    3. How to rectify this problem, once it is identified which process is taking high utilisation.

    Regards,

    Ahmed


  • RELEVANCY SCORE 2.85

    DB:2.85:Fwsm 3.1(1) cj



    Hello,

    Has anyone had the chance to run the latest FWSM code (3.1(1)) in production yet? Have there been any issues with the migration from the legacy PIX parser to the newest integration of the IOS parser and CLI? What about other issues?

    Thanks for your time.

    -m2


  • RELEVANCY SCORE 2.85

    DB:2.85:Vpn Access To Fwsm Lan Through A 2801 cf



    Hello, I've come to the experts since I've exhausted every possible idea in my head.

    I have a FWSM in my 6509; this firewall is managing three VLANs, one of which holds a file server. As you all know, FWSMs do not support VPN like the ASAs and PIXs do.

    I have been trying to add remote access to this file server LAN all week. The only VPN device I have is a 2801 router.

    First layout:

    - VPN router behind FWSM
    - static translation from FWSM LAN (private) to VPN WAN (public)
    - default route was facing back at FWSM
    - IP address pool was to be NAT'd on the interface facing the FWSM

    The idea was that my VPN address pool would be NAT'd back to the FWSM on its VLAN. Since the FWSM was managing this VLAN and recognized the source IP of the translated address pool, I would have access to my precious file server. No luck.

    Second layout:

    - VPN router fa 0/1 on a /30 with 6509 (public)
    - VPN router fa 0/0 still on the same LAN as FWSM (private)
    - address pool for VPN once again NAT'd to fa 0/0
    - default route pointed to fa 0/1
    - static route of FWSM LAN pointed to fa 0/0

    This idea was to have more of an 'inside' and 'outside' interface on the VPN router. This too did not work; having used every trick in the book, I could still not ping anything on the FWSM LAN while VPN'd into the network (aside from the LAN interface on my router).

    Traceroute was showing that all routes were headed out fa 0/1 (default route) and all to my FWSM died. I really don't think my address pool is being NAT'd, though my route-map statement applied to the NAT policy is permitting my VPN address pool.

    I am new to VPN technology, one of those things that happened to land in my lap. Can someone give a suggestion as to how this layout could work? There are no good VPN remote access walkthroughs for a situation like this (a 2801 allowing access to a FWSM-controlled LAN).

    Thanks, and have a good weekend!

    DB:2.85:Vpn Access To Fwsm Lan Through A 2801 cf


    Thanks for the reply, I'll go back and confirm my routes in the FWSM.

  • RELEVANCY SCORE 2.84

    DB:2.84:Rme Syslog Reports 93



    Hello, my troubles are located here:

    CiscoWorks LMS > Resource Manager Essentials > Syslog Analysis > Standard Reports > All Devices > All Messages.

    There are a lot of messages (I'm watching about 30 switches, 15 routers, 8 firewalls...).

    The problem is that only one syslog message is recorded every 9th second.

    Here is a sample:

    ("10.0.150.1","15 Apr 2004 22:53:54 GMT+02:00","FWSM","6","302006","Teardown UDP connection for faddr 10.39.15.254/161 gaddr 172.20.0.1/3143 laddr 10.20.29.10/3143","*"

    "10.0.150.5","15 Apr 2004 22:54:03 GMT+02:00","FWSM","6","302001","Built outbound TCP connection 62030 for faddr 10.39.1.3/7200 gaddr 10.230.123.11/2764 laddr 10.230.123.11/2764","*"

    "10.0.150.1","15 Apr 2004 22:54:12 GMT+02:00","FWSM","1","106012","Deny IP from 10.20.29.12 to 10.39.15.252, IP options: "0x9404000000000000000000000000000000000000000000000000000000000000"","*"

    "10.0.150.5","15 Apr 2004 22:54:21 GMT+02:00","FWSM","6","302001","Built outbound TCP connection 62034 for faddr 10.39.1.3/7200 gaddr 10.230.123.11/2777 laddr 10.230.123.11/2777","*"

    "10.10.32.11","15 Apr 2004 22:54:30 GMT+02:00","CDP-CLUSTER_MEMBER_4","4","NATIVE_VLAN_MISMATCH","Native VLAN mismatch discovered on FastEthernet0/24 (1), with C3550-48_KD FastEthernet0/46 (10).","*"

    "10.0.150.1","15 Apr 2004 22:54:39 GMT+02:00","FWSM","6","302002","Teardown TCP connection 42555 faddr 10.39.1.93/3327 gaddr 172.20.0.27/2395 laddr 10.20.10.64/2395 duration 0:00:00 bytes 2170 (Unknown)","*"

    "10.0.150.5","15 Apr 2004 22:54:48 GMT+02:00","FWSM","6","302001","Built outbound TCP connection 794748 for faddr 10.39.1.3/7200 gaddr 10.225.128.8/59927 laddr 10.225.128.8/59927","*"

    "10.0.150.1","15 Apr 2004 22:54:57 GMT+02:00","FWSM","6","302005","Built UDP connection for faddr 10.39.15.9/137 gaddr 172.20.0.7/137 laddr 10.20.29.11/137","*"

    "10.0.150.5","15 Apr 2004 22:55:06 GMT+02:00","FWSM","6","302001","Built outbound TCP connection 62042 for faddr 10.39.1.3/7200 gaddr 10.230.123.11/2807 laddr 10.230.123.11/2807","*"

    "10.0.150.1","15 Apr 2004 22:55:15 GMT+02:00","FWSM","6","302001","Built outbound TCP connection 42558 for faddr)

    There are many more messages sent (by network devices to the CW/RME server) than one every nine seconds, but the other syslog messages are dropped.

    Could you advise me how to fix this problem, please?

    CW LMS 2.2 running on W2K SP4, RME 3.5

    Thanks a lot

    Martin Vejsada
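A check for the symptom Martin describes, added here as an example and not part of the thread: it parses the record layout shown above, confirms the fixed 9-second cadence in the export, and estimates how much is missing against an offered message rate, which is a hypothetical parameter you would have to measure yourself.

```python
"""Added example, not from the thread: scan an RME syslog export for the
symptom above (one record per fixed interval), which points to sampling or
rate limiting in the collector rather than to quiet devices."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# First six records from the thread's sample, pasted verbatim (leading parenthesis included).
SAMPLE = '''\
("10.0.150.1","15 Apr 2004 22:53:54 GMT+02:00","FWSM","6","302006","Teardown UDP connection for faddr 10.39.15.254/161 gaddr 172.20.0.1/3143 laddr 10.20.29.10/3143","*"
"10.0.150.5","15 Apr 2004 22:54:03 GMT+02:00","FWSM","6","302001","Built outbound TCP connection 62030 for faddr 10.39.1.3/7200 gaddr 10.230.123.11/2764 laddr 10.230.123.11/2764","*"
"10.0.150.1","15 Apr 2004 22:54:12 GMT+02:00","FWSM","1","106012","Deny IP from 10.20.29.12 to 10.39.15.252, IP options: "0x9404000000000000000000000000000000000000000000000000000000000000"","*"
"10.0.150.5","15 Apr 2004 22:54:21 GMT+02:00","FWSM","6","302001","Built outbound TCP connection 62034 for faddr 10.39.1.3/7200 gaddr 10.230.123.11/2777 laddr 10.230.123.11/2777","*"
"10.10.32.11","15 Apr 2004 22:54:30 GMT+02:00","CDP-CLUSTER_MEMBER_4","4","NATIVE_VLAN_MISMATCH","Native VLAN mismatch discovered on FastEthernet0/24 (1), with C3550-48_KD FastEthernet0/46 (10).","*"
"10.0.150.1","15 Apr 2004 22:54:39 GMT+02:00","FWSM","6","302002","Teardown TCP connection 42555 faddr 10.39.1.93/3327 gaddr 172.20.0.27/2395 laddr 10.20.10.64/2395 duration 0:00:00 bytes 2170 (Unknown)","*"
'''

# Host and timestamp only; the text is not CSV-parsed (the 106012 record has unescaped inner quotes).
_TS = re.compile(
    r'^\(?"(?P<host>[^"]+)","(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) '
    r'GMT(?P<sign>[+-])(?P<oh>\d{2}):(?P<om>\d{2})"')

def parse_records(text):
    """Return (host, timezone-aware datetime) per record; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _TS.match(line.strip())
        if not m:
            continue
        off = timedelta(hours=int(m["oh"]), minutes=int(m["om"]))
        tz = timezone(off if m["sign"] == "+" else -off)
        ts = datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S").replace(tzinfo=tz)
        out.append((m["host"], ts))
    return out

def interarrival_gaps(records):
    """Seconds between consecutive records in export order."""
    times = [ts for _, ts in records]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def fixed_interval(records):
    """(modal gap, True) when every gap is identical: a perfectly regular
    cadence across unrelated devices is the collector's doing, not the network's."""
    gaps = interarrival_gaps(records)
    if not gaps:
        return (None, False)
    mode, count = Counter(gaps).most_common(1)[0]
    return (mode, count == len(gaps))

def estimated_loss(records, offered_per_second):
    """Fraction of messages missing from the export for an assumed combined
    offered rate (hypothetical; measure it with a packet capture on the collector)."""
    times = [ts for _, ts in records]
    span = (times[-1] - times[0]).total_seconds()
    return max(0.0, 1 - len(records) / (span * offered_per_second + 1))
```

A uniform gap across unrelated senders (two FWSMs and a switch here) rules out the devices themselves; a packet capture on the collector host will show whether the messages arrive and are then discarded.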


  • RELEVANCY SCORE 2.84

    DB:2.84:Fwsm Maintenance Software And Upgrade 7c



    Hi All,

    I have a few questions on the FWSM software upgrade.

    1) I could not find the available maintenance software under the software download section?

    2) What is the maintenance software version required for the FWSM 4.1.8 upgrade? (This is not in the release notes.)

        http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/release/notes/fwsmrn41.html

    3) What is the main difference when you upgrade the FWSM using the following two methods:

        - Installing to the current application partition from the FWSM CLI

        - Installing to any application partition from the maintenance partition

    4) How can we verify the file integrity after copying from a TFTP/FTP server (because it does not support the verify command as in IOS)?

    5) How can we see the copied files in the FWSM (they do not show with the show flash or dir commands)?

    Appreciate it if someone can answer the above queries.

    thanks

    DB:2.84:Fwsm Maintenance Software And Upgrade 7c


    Dear Gautam,

    Thank you very much for your detailed explanation with all the documents. This clears all my doubts and questions that I wanted to clarify.

    Regards,

    Prem

  • RELEVANCY SCORE 2.84

    DB:2.84:Problems With 6500 Sup720 And Fwsm 87



    Hi there,

    I just received a 6506E with Sup720-3B and a FWSM. I went through the documentation (http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/switch.html) to configure my switch and FWSM, and I'm having no luck getting the switch to be able to ping the FWSM, or vice-versa.

    Just to review what I've done so far:

    1. Added L2 vlan 100 for MSFC--FWSM connectivity.

    2. Added L3 SVI for vlan100, with the IP 10.5.17.2 /29

    3. Added firewall vlan groups:

    --firewall vlan-group 1 100

    --firewall module 1 vlan-group 1

    4. Added interface on FWSM, with the IP 10.5.17.4/29

    5. Allowed icmp for testing purposes:

    icmp permit any inside

    All interfaces show as up, but nothing is communicating between the two devices.

    In the logs, I'm seeing these errors:

    Sep 24 19:27:46.488 UTC: %PM_SCP-SP-2-LCP_FW_ERR_INFORM: Module 1 is experiencing the following error: Bus Asic #0 out of sync error

    I tried resetting the firewall by using this command: hw-module mod 1 reset and when I did, I saw these errors:

    Sep 24 19:50:15.417 UTC: %ONLINE-SP-6-INITFAIL: Module 1: Failed to synchronize Port asic

    Sep 24 19:50:15.429 UTC: %C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (Module Failed SCP dnld)

    Sep 24 19:51:01.738 UTC: %ONLINE-SP-6-INITFAIL: Module 1: Failed to synchronize Port asic

    Sep 24 19:51:01.750 UTC: %C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (Module Failed SCP dnld)

    Sep 24 19:51:47.962 UTC: %ONLINE-SP-6-INITFAIL: Module 1: Failed to synchronize Port asic

    Sep 24 19:51:47.974 UTC: %C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (Module Failed SCP dnld)

    Sep 24 19:52:34.426 UTC: %ONLINE-SP-6-INITFAIL: Module 1: Failed to synchronize Port asic

    Sep 24 19:52:34.438 UTC: %C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (Module Failed SCP dnld)

    The FWSM is in slot 1 and the Sup720 is in Slot 6. I tried reseating the FWSM, but nothing changed.

    Has anyone seen these errors before? Any ideas what they could mean?

    Thanks in advance,

    Brandon

    DB:2.84:Problems With 6500 Sup720 And Fwsm 87


    Do you think it's the FWSM, or could it possibly be the Supervisor or Chassis backplane?

    I don't necessarily think the FWSM is bad because I tested it in a second chassis, and it worked fine. It worked in every single slot in the chassis.

    Let me see if I can explain this:

    I have two chassis, Chassis-A and Chassis-B, each chassis has a FWSM, X6066-SLB-APC, X6748-GE-TX, X6724-SFP, and Sup720-3B.

    If I take all of the modules from Chassis A and put them in Chassis B, everything seems to work fine. If I take the Sup720 from Chassis-A, and put it in Chassis-B, with all of the line cards that were with Chassis-B to begin with, I see errors on the FWSM. If I run Chassis-A with all of the original modules, I see errors on the FWSM.

    For the heck of it, I tried rotating the modules in Chassis-B, with the supervisor from Chassis-A, to see what happened. I had the modules installed in the slots top down, in the order FWSM, CSM, 6724-SFP, 6748-GE, blank, Sup720-3B.

    As I rotated the modules around I saw these errors:

    Initial state (FWSM in slot 1)

    Mar 9 10:59:24.956 UTC: %FABRIC-SP-6-TIMEOUT_ERR: Fabric in slot 6 reported timeout error for channel 0 (Module 1, fabric connection 0)

    Test 1 (FWSM in slot 2)

    Mar 9 11:20:21.342 UTC: %FABRIC-SP-6-TIMEOUT_ERR: Fabric in slot 6 reported timeout error for channel 1 (Module 2, fabric connection 0)

    Mar 9 11:21:20.894 UTC: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off (Fabric channel errors)

    Mar 9 11:21:56.730 UTC: %ONLINE-SP-6-INITFAIL: Module 2: Failed to synchronize Port asic

    Mar 9 11:21:56.742 UTC: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off (Module Failed SCP dnld)

    Test 2 (FWSM in Slot 3)

    Mar 9 11:39:47.432 UTC: %ONLINE-SP-6-INITFAIL: Module 3: Failed to synchronize Port asic

    Mar 9 11:39:47.448 UTC: %C6KPWR-SP-4-DISABLED: power to module in slot 3 set off (Module Failed SCP dnld)

    Test 3 (FWSM in slot 4)

    Mar 9 11:43:49.909 UTC: %FABRIC-SP-6-TIMEOUT_ERR: Fabric in slot 6 reported timeout error for channel 3 (Module 4, fabric connection 0)

    Mar 9 11:44:28.186 UTC: %FABRIC-SP-6-TIMEOUT_ERR: Fabric in slot 6 reported timeout error for channel 3 (Module 4, fabric connection 0)

    Test 4 (FWSM in Slot 5)

    No errors, oddly enough

    Test 5 (FWSM back in slot 1)

    Mar 9 12:08:00.973 UTC: %C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (Module Failed SCP dnld)

    Is it possible I'm doing something wrong here? Am I not waiting long enough for the modules to initialize and synchronize? How long should it normally take? Also, I know the FWSM is a CEF256 card -- does that pose any problem when using CEF720 cards with Sup720-3B?

    Thanks in advance,

    Brandon

  • RELEVANCY SCORE 2.84

    DB:2.84:Between Fwsm And Vlan1 At 6500 9j



    Hi,

    I have the following scenario:

    VLAN 1, 5, 10 etc. ---- Core 6500 MSFC ---- Vlan 2 ---- FWSM --- VLAN 4

    Everything goes well except when I try to ping from vlan 4 to vlan 1 and vice-versa. All the connectivity between vlan 4 and all the internal vlans (5, 10 etc.) is working perfectly.

    Is there any known bug / issue when using vlan 1 to communicate with some other vlan behind a FWSM [4.0(13)]?

    Regards,

    Nuno

    DB:2.84:Between Fwsm And Vlan1 At 6500 9j


    Correct. Your topology is supported.

    What is not supported is this:

    inside hosts--vlan1--FWSM--vlan4--MSFC

    Check the logs and see what it shows when you try to connect from a host on vlan1 to the outside through the FWSM.

    -KS

  • RELEVANCY SCORE 2.84

    DB:2.84:Configuring Fwsm For Catalyst 6509 9k



    Our company has two Catalyst 6509s, each equipped with an MSFC and a FWSM. We need to deploy a network area behind the FWSM (MSFC outside the FWSM) and to connect, through dual GB links, three Catalyst 3550 EMI running OSPF.

    1. Does the FWSM have sufficient routing capability, as we need to have an OSPF routing process to the three Catalyst 3550 EMI?

    2. How can we configure the FWSM, as the three Catalyst 3550 EMI have different security policies (defining VLANs separately and allocating them to DMZs)?

    Thanks in advance for your help

    DB:2.84:Configuring Fwsm For Catalyst 6509 9k


    The FWSM can do everything the PIX firewall can do... with some additional features like OSPF routing and 100 interface/VLAN support. So I guess it should be able to handle the OSPF processes.

    http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/ps4452/prodlit/fwsm_ds.htm