CSM, ASDM & FWSM versions

Hi,
Can anyone explain the interaction between CSM, ASDM & the FWSM? I'm trying to work out if there are incompatible combinations with various versions.
It is my understanding that the CSM server makes a connection to port 443 on the FWSM so must be communicating with the installed ASDM version. We have a CSM 3.1.1 server & FWSM 3.1(4) installed; is there a specific ASDM version that should be installed on the FWSM when using CSM, or can we just upgrade to the latest? The 6.1(x)F ASDM release notes say it is compatible with FWSM 3.1(4).
One of the reasons I am checking is that we recently had an issue where an ACL entry was not being matched correctly and the packets were being discarded by an entry further down the list. Originally the offending entry had the subnet referenced by IP/netmask; we changed the entry in CSM to use an object group for the same subnet and pushed the policy, and the ACL then behaved as expected. We then changed the ACL back to IP/netmask in CSM, pushed the policy, and it carried on matching correctly.
During these changes the ACL order was identical and it wasn't anything complicated: the mask was a simple /24 subnet being referenced to allow a well-known service port. We even have a test FWSM that is configured identically to the live one and the ACL worked fine on that during testing; the rules were copied & pasted from the test FWSM to the live FWSM in CSM.
We are upgrading CSM to 3.3.1 next week so hopefully won't see this issue again.
Regards
Mel

Thanks for the response.
I fully understand the differences between ASDM & CSM and how they should be used. As it is, we only use CSM to configure the FWSM but we log in using CLI for troubleshooting.
The question was asking how CSM talks to the FWSM using port 443. I presumed that when you upgraded the ASDM image on the FWSM this contained updates to the code that manages the incoming web connections on the FWSM, i.e. fixed bugs, added functionality etc., as well as updates to the software client that you can download.
If I connect to my FWSM from my desktop using https://myfirewall/admin/index.html I get a choice of downloading and installing the ASDM GUI or running ASDM as a Java applet. Either way there is some code installed on the FWSM that these connect to, i.e. a server process listening on port 443. I presumed that CSM would use the same management connections to the FWSM that the ASDM GUI does, the only difference being that CSM is intelligent enough to connect to multiple security devices at once. Whether you hit 'Submit & Deploy' or 'Apply' in your chosen GUI front end, the changes are pushed as a group of CLI commands in one go.
Hence the original question about compatible code versions throughout the whole management chain. We have the FWSM software, we have the installed ASDM image on the FWSM module and we have the CSM software itself. All of these can be various versions and will contain capabilities and bugs pertaining to whatever version they are.
With the ACL issue that we experienced we probably would not have had an issue if we had used just the CLI to input the changes, or if we had used just the ASDM GUI, but a combination of all 3 factors may have created the issue with the dodgy ACL. Currently our FWSM web interface states it has 6.1F installed (since we are due to upgrade to CSM 3.3.1 I will leave it be), but if we were staying at CSM 3.1.1 I would probably look at reverting the ASDM image to an earlier version on the FWSM; the FWSM image itself will stay at 3.1(4) and hopefully with that combination we will not see the ACL issue again.
Hope that makes it a little clearer what I am trying to understand.

Similar Messages

  • Using CSM and FWSM together

    We are a hosting company looking to implement a Blade server/6500 solution.
    We are looking to use a 6500 with an FWSM and loadbalancing between servers on a per customer/context basis.
    All the examples on cisco.com support suggest CSM before and after firewall contexts; however, is it possible to move traffic in the following order on a single 6500?
    Outside -> FWSM -> CSM -> Customer server farm?
    Would this be done utilising 3 VLANs?

    Are you doing firewall loadbalancing or server loadbalancing ?
    FW loadbalancing needs 2 CSMs because you first need to select which firewall to use on the way out -> in, and you also need to guarantee to use the same FW on the way in -> out for the same connection.
    The 2nd CSM can learn what FW was used and guarantee that the server response will use the same one.
    This can however be done with a single CSM - just a little bit more complicated to configure.
    I wrote a document about this @
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a008020cd7c.shtml
    I also would like to mention that nowadays the preferred loadbalancer would be the Application Control Engine (ACE).
    This device will definitely replace the CSM in the near future.
    Gilles.

  • Upgrading FWSM version 4.x

    Good morning guys
    I need to upgrade an FWSM from version 4.1(6) to 4.1(15). I understand this procedure as maintaining the same major and minor version, only changing the maintenance release.
    I found some articles and discussions regarding caution upgrading with different minor and major versions.
    I have never upgraded an FWSM, only ASA appliances. I need to perform this aiming for zero downtime, the same way I could with ASA appliances.
    I could not find where the actual system image is (it doesn't appear with the dir command). I could not even find something like boot in the configuration.
    Those modules work in active-standby and have many contexts.
    Does anyone have the detailed procedures, recommendations and commands to perform this task? This environment is very critical.
    Regards
    Christian

    Hello.
    Today I found that a new release is available, FWSM 4.1(16), but there are no Release Notes for this minor release!
    Download link:
    http://software.cisco.com/download/release.html?mdfid=277413409&flowid=4383&softwareid=280775068&release=3.2(28)&relind=AVAILABLE&rellifecycle=&reltype=latest
    Release notes link:
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/release/notes/fwsmrn41.html
    There is no 4.1(16) mentioned. Does anybody know the difference between 4.1(15) and 4.1(16)?

  • CSM and FWSM

    Hello all,
    I would appreciate some insight on an issue I'm facing when trying to configure a CSM in a 6513 with a Firewall Module.
    The FWSM has IPs in all vlans and is in routing mode, also it is the default gateway for servers in all VLANs.
    There is also the MSFC in the same 6513 with interfaces on all vlans.
    I've done a lot of research but could not yet figure out what is the best topology for this implementation.
    Some places say it is best to do routing in the FWSM and bridging in the CSM.
    The problem I'm facing with the CSM in routing mode and the FWSM in routing mode is that servers from a certain vlan need to access application servers in another vlan on the same 6513, but the application servers don't point to the CSM as default gateway but point directly to the Firewall Module.
    Any help is greatly appreciated.
    Marcio

    Hello Gilles,
    I have tried the configuration you advised and something strange is happening: I can access the servers directly, but not via the VIP (I can ping the VIP). The config follows:
    module ContentSwitchingModule 7
     vlan 14 client
      ip address 10.200.240.54 255.255.255.0
      gateway 10.200.240.1
     vlan 50 server
      ip address 10.200.240.54 255.255.255.0
     probe TESTE1 http
      request method get
      interval 3
      failed 3
      port 80
     real LAPTOP
      address 10.200.240.230
      inservice
     real TESTE1
      address 10.200.240.12
      inservice
     serverfarm TESTE1
      nat server
      no nat client
      real name TESTE1
       inservice
      real name LAPTOP
       inservice
      probe TESTE1
     vserver TESTE1
      virtual 10.200.240.231 tcp www
      serverfarm TESTE1
      persistent rebalance
      inservice
    gateway 10.200.240.1 is the FWSM.
    I have captured packets with a sniffer on the server LAPTOP and the packets that reach the server come from IP 10.200.240.54 (the CSM interface on the client vlan). Shouldn't they come directly from the originating client?
    If I create an interface vlan on the MSFC for vlan 50 it works. Could you explain?
    Thanks,
    Marcio

  • Problems after CSM upgrade to version 3.3.1 Service Pack 1

    Hello,
    After the CSM upgrade to 3.3.1 SP1, automatic IPS signature updates stopped working with the following message:
    "Unable to communicate with locator service to retrive available files."
    IEV has stopped working as well. The error message is in the attachment.
    Has anyone experienced a similar problem?
    Thanks in advance.
    Regards,
    Vesna

    Yes, that always works.
    Automatic IPS update has started working again since yesterday, without any reconfiguration on CSM. Do you maybe know what the explanation for that could be?
    The other issue still persists. After CSM was upgraded to 3.3.1 SP1, IPS Event Viewer cannot be started from CSM. The following error message appears:
    "CreateProcess: .\cache\iev\bin\iev-launcher.exe
      https://CSM:443/athena/IEVServlet/user
      C6D7202102ECF1B3A8410987A91D3FF7 C6D7202102ECF1B3A8410987A91D3FF7
      startServerProxy error=267"

  • CSM 3.3.0, FWSM 4.0(6), HTTP Inspection

    Hi,
    I have a firewall module (FWSM), version 4.0(6), which is managed with CSM (3.3.0). There is a problem with regular expression configuration in CSM. HTTP Inspection with a regular expression is configured with ASDM successfully, but this configuration is not deployed by CSM on the FWSM. It seems CSM does not support regular expressions for the FWSM. The following picture shows that CSM supports HTTP advanced inspection configuration only for ASA 7.2 and PIX 7.2. I need to know whether CSM 4.0 has this limitation, or whether there is any solution for this CSM version?

    Here is the guide for FlexConfigs: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/tmplchap.html
    There is no predefined FlexConfig for HTTP inspection, but you can create a new FlexConfig that has the commands:
    regex ...
    class-map type inspect http
     match header host regex ...
    The FlexConfig in CSM will deploy the commands as if you were doing it with the CLI.
    I hope it makes sense.
    PK

  • FWSM strange acl behavior

    Hi!
    I have FWSM running 4.1(6) with two security contexts.
    The context test config is:
    FWSM/test# sh run
    : Saved
    FWSM Version 4.1(6) <context>
    hostname test
    domain-name fwsm.spbstu.ru
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    dns-guard
    interface Vlan556
    nameif inside
    security-level 100
    ip address 192.168.100.254 255.255.255.0
    interface Vlan557
    nameif dmz
    security-level 50
    ip address 172.16.2.1 255.255.255.0
    passwd 2KFQnbNIdI.2KYOU encrypted
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list permit_any extended permit tcp any any
    access-list permit_any extended permit udp any any
    access-list permit_any extended permit ip any any
    access-list dmz_in extended permit icmp any any
    access-list dmz_in extended permit udp any any
    access-list dmz_in remark dmz_in
    access-list dmz_in extended permit tcp any any
    access-list dmz_out extended permit icmp any any
    access-list dmz_out extended permit udp any any
    access-list dmz_out extended permit tcp any any
    access-list inside_in extended permit tcp any eq 3389 any
    access-list inside_in extended permit tcp any any
    access-list inside_in extended deny ip any any
    access-list inside_out extended permit icmp any any
    access-list inside_out extended permit udp any any
    access-list inside_out extended permit tcp any any
    pager lines 24
    logging enable
    logging console debugging
    logging buffered debugging
    logging asdm debugging
    mtu inside 1500
    mtu dmz 1500
    no asdm history enable
    arp timeout 14400
    nat-control
    access-group permit_any in interface inside
    access-group permit_any out interface inside
    access-group permit_any in interface dmz
    access-group permit_any out interface dmz
    route dmz 0.0.0.0 0.0.0.0 172.16.2.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout pptp-gre 0:02:00
    timeout uauth 0:05:00 absolute
    username cisco password ZBZ8GNEdrJsjFvsR encrypted
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    telnet timeout 60
    ssh timeout 60
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect dns
      inspect ftp
      inspect netbios
      inspect rsh
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
      inspect http
    service-policy global_policy global
    Cryptochecksum:632fecb27da8e4b662d4197c60f1b22a
    : end
    Routing and vlan config is fine for sure,
    but access is denied while the ACL counters are 0.
    Does anybody have any ideas where I should look more carefully?
    The system context config is:
    FWSM# sh run
    : Saved
    FWSM Version 4.1(6) <system>
    resource acl-partition 12
    hostname FWSM
    enable password 8Ry2YjIyt7RRXU24 encrypted
    interface Vlan555
    interface Vlan556
    interface Vlan557
    interface Vlan1216
    passwd 2KFQnbNIdI.2KYOU encrypted
    class default
      limit-resource IPSec 5
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
      limit-resource All 0
    ftp mode passive
    pager lines 24
    no failover
    no asdm history enable
    arp timeout 14400
    console timeout 0
    admin-context admin
    context admin
      description default_context
      member default
      allocate-interface Vlan1216
      allocate-interface Vlan555
      allocate-acl-partition 0
      config-url disk:/admin.cfg
    context test
      description test
      member default
      allocate-interface Vlan556
      allocate-interface Vlan557
      allocate-acl-partition 1
      config-url disk:/CON_test.cfg
    prompt hostname context
    Cryptochecksum:ae682011fefdab9a0e4eeda02ca49c6e
    : end

    access-list permit_any extended permit tcp any any
    access-list permit_any extended permit udp any any
    access-list permit_any extended permit ip any any
    access-list permit_any extended permit icmp any any
    access-group permit_any in interface inside
    access-group permit_any out interface inside
    access-group permit_any in interface dmz
    access-group permit_any out interface dmz
    I don't understand why the FWSM denies ICMP.
    (I am pinging from the Cat6509 SUP 172.16.2.254 (which is on the dmz interface) to the host 192.168.100.250 on the inside interface):
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-7-111009: User 'enable_15' executed cmd: show logging
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    Any ideas?
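A way to check what the configured ACL text should do for a given flow, as an added example that is not code from any post in these threads or from Cisco: a first-match evaluator for the subset of FWSM/ASA extended-ACL syntax that appears here (any / host / network-mask / object-group addresses, optional eq ports, the ip, tcp, udp, icmp and ospf keywords). It covers Mel's question in the first thread, an IP/netmask entry versus an object group for the same /24, and the 106010 deny messages in this thread, which it replays against the permit_any list. The FORM_A / FORM_B policy, the 10.1.x.x addresses and the function names are this example's own; the permit_any lines and the log line are taken from the post above. When the evaluator reports a permit at a given line while the device logs a deny with zero hit counts, that discrepancy, rather than the wording of the ACL, is what needs investigating.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# None = any IP protocol, so 'permit ip any any' also matches icmp and ospf (89).
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "ospf": 89}
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}
ANY = [ipaddress.ip_network("0.0.0.0/0")]

@dataclass
class Ace:
    line: int            # position among the list's extended entries
    action: str          # "permit" or "deny"
    proto: Optional[int]
    src: list            # ip_network objects; matching any of them is enough
    dst: list
    sport: Optional[int]
    dport: Optional[int]

def _addr(tok, i, groups):
    """Consume one address spec at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2

def _opt_port(tok, i):
    """Optional 'eq PORT' after an address spec."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_config(text):
    """object-group network blocks and access-list lines -> {acl name: [Ace, ...]}"""
    groups, acls, cur = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:2] == ["object-group", "network"]:
            cur = groups.setdefault(tok[2], [])
        elif tok[:1] == ["network-object"]:
            cur.extend(_addr(tok, 1, groups)[0])
        elif len(tok) > 5 and tok[0] == "access-list" and tok[2] == "extended":
            src, i = _addr(tok, 5, groups)
            sport, i = _opt_port(tok, i)
            dst, i = _addr(tok, i, groups)
            dport, i = _opt_port(tok, i)
            entries = acls.setdefault(tok[1], [])
            entries.append(Ace(len(entries) + 1, tok[3], PROTO_NUM[tok[4]], src, dst, sport, dport))
        # 'access-list NAME remark ...' and unrelated config lines are ignored
    return acls

def lookup(acl, proto, src, dst, sport=None, dport=None):
    """First match wins; ('deny', 0) stands for the implicit deny at the end."""
    s, d, pn = ipaddress.ip_address(src), ipaddress.ip_address(dst), PROTO_NUM[proto]
    for ace in acl:
        if ace.proto is not None and ace.proto != pn:
            continue
        if not any(s in n for n in ace.src) or not any(d in n for n in ace.dst):
            continue
        if ace.sport not in (None, sport) or ace.dport not in (None, dport):
            continue
        return ace.action, ace.line
    return "deny", 0

# Constructed policy written two ways: IP/netmask entry (A) and object-group (B).
FORM_A = """
access-list outside_in extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list outside_in extended deny ip 10.1.0.0 255.255.0.0 any
access-list outside_in extended permit ip any any
"""
FORM_B = """
object-group network APP_SUBNET
 network-object 10.1.1.0 255.255.255.0
access-list outside_in extended permit tcp object-group APP_SUBNET any eq 443
access-list outside_in extended deny ip 10.1.0.0 255.255.0.0 any
access-list outside_in extended permit ip any any
"""

def compare_forms(proto, src, dst, dport=None):
    """Evaluate one flow against both forms; the two results should be equal."""
    a, b = parse_config(FORM_A)["outside_in"], parse_config(FORM_B)["outside_in"]
    return lookup(a, proto, src, dst, dport=dport), lookup(b, proto, src, dst, dport=dport)

# Copied from the 'FWSM strange acl behavior' post: the applied list and its deny logs.
PERMIT_ANY = """
access-list permit_any extended permit tcp any any
access-list permit_any extended permit udp any any
access-list permit_any extended permit ip any any
"""
LOG_106010 = re.compile(r"%FWSM-3-106010: Deny inbound (\w+) src \w+:([\d.]+) dst \w+:([\d.]+)")

def replay_log(config, acl_name, lines):
    """For each 106010 deny line, pair (src, dst, proto) with what the ACL text says."""
    acl = parse_config(config)[acl_name]
    return [(m[2], m[3], m[1], lookup(acl, m[1], m[2], m[3]))
            for m in map(LOG_106010.search, lines) if m]
```

compare_forms("tcp", "10.1.1.5", "192.0.2.10", 443) returns a permit at line 1 for both forms, while the same source on port 80 falls through to the deny at line 2 in both, which is the behaviour Mel expected and eventually got. replay_log over the 106010 lines above returns ("permit", 3) for the ICMP echo, i.e. the permit_any text as posted should let it through.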

  • FWSM Failover configuration - One Context

    Hi,
    Is it possible to configure only one context in H.A. in FWSM? Yesterday I tried to configure this but I can't.
    Please check my configuration and tell me your opinion, or if it is not possible; maybe I have to configure all contexts in H.A.
    This message appears in the console when I activate the FAILOVER:
    Nov 23 2011 19:20:04: %FWSM-1-105002: (Secondary) Enabling failover.
    Nov 23 2011 19:20:08: %FWSM-1-105038: (Secondary) Interface count mismatch
    Nov 23 2011 19:20:08: %FWSM-1-104002: (Secondary) Switching to STNDBY - Other unit has different set of vlans configured
    Nov 23 2011 19:20:11: %FWSM-1-105001: (Secondary) Disabling failover.
    Nov 23 2011 19:23:58: %FWSM-6-302010: 0 in use, 46069 most used
    FWSM-Primario# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILLINK Vlan 1100 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 15 seconds
    Interface Policy 50%
    Monitored Interfaces 1 of 250 maximum
    failover replication http
    Config sync: active
    Version: Ours 4.1(5), Mate 4.1(5)
    Last Failover at: 19:18:35 UTC Nov 23 2011
            This host: Primary - Active
                    Active time: 1125 (sec)
                    admin Interface inside (10.1.1.1): Normal (Not-Monitored)
                    admin Interface outside (20.1.1.1): No Link (Not-Monitored)
                    FW-GoB-Fija Interface WASOB2N-SISOB2N-Fija (10.115.30.36): Normal (Waiting)
                    GESTION-WAS Interface OUTSIDE (10.116.20.22): Normal (Not-Monitored)
                    GESTION-WAS Interface U2000 (10.123.20.1): Normal (Not-Monitored)
            Other host: Secondary - Cold Standby
                    Active time: 0 (sec)
                    admin Interface inside (0.0.0.0): Unknown (Not-Monitored)
                    admin Interface outside (0.0.0.0): Unknown (Not-Monitored)
                    FW-GoB-Fija Interface WASOB2N-SISOB2N-Fija (10.115.30.37): Unknown (Waiting)
                    GESTION-WAS Interface OUTSIDE (0.0.0.0): Unknown (Not-Monitored)
                    GESTION-WAS Interface U2000 (0.0.0.0): Unknown (Not-Monitored)
    Stateful Failover Logical Update Statistics
            Link : STATELINK Vlan 1101 (up)
            Stateful Obj    xmit       xerr       rcv        rerr     
            General         0          0          0          0       
            sys cmd         0          0          0          0       
            up time         0          0          0          0       
            RPC services    0          0          0          0       
            TCP conn        0          0          0          0       
            UDP conn        0          0          0          0       
            ARP tbl         0          0          0          0       
            Xlate_Timeout   0          0          0          0       
            AAA tbl         0          0          0          0       
            DACL            0          0          0          0       
            Acl optimization        0          0          0          0       
            OSPF Area SeqNo         0          0          0          0       
            Mamba stats msg         0          0          0          0       
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       0       0
            Xmit Q:         0       0       0
    FWSM-Primario# 
    FWSM-Primario#
    The configuration in the SW-6500:
    SW-PRIMARY#sh run | in fire
    firewall multiple-vlan-interfaces
    firewall module 3 vlan-group 1,2
    firewall vlan-group 1  10,20,25,400,1709
    firewall vlan-group 2  1100,1101,1111,1112
    SW-SECUNDARY#sh run | in fire
    firewall multiple-vlan-interfaces
    firewall module 3 vlan-group 1,2
    firewall vlan-group 1  900,1709
    firewall vlan-group 2  1100,1101,1111,1112
    ip subnet-zero
    FWSM-Primario(config)# sh run
    : Saved
    FWSM Version 4.1(5) <system>
    resource acl-partition 12
    hostname FWSM-Primario
    hostname secondary FWSM-Secundario
    domain-name cisco.com
    enable password 8Ry2YjIyt7RRXU24 encrypted
    interface Vlan10
    interface Vlan29
    shutdown
    interface Vlan400
    interface Vlan1100
    description LAN Failover Interface
    interface Vlan1101
    description STATE Failover Interface
    interface Vlan1111
    description FWSW_7200_GoB_Fija
    interface Vlan1112
    description FWSW_7200_GoB_BA
    interface Vlan1709
    passwd 2KFQnbNIdI.2KYOU encrypted
    class default
      limit-resource IPSec 5
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
      limit-resource All 0
    ftp mode passive
    pager lines 24
    failover
    failover lan unit primary
    failover lan interface FAILLINK Vlan1100
    failover replication http
    failover link STATELINK Vlan1101
    failover interface ip FAILLINK 10.115.30.17 255.255.255.252 standby 10.115.30.18
    failover interface ip STATELINK 10.115.30.21 255.255.255.252 standby 10.115.30.22
    failover group 1
      preempt
      replication http
    no asdm history enable
    arp timeout 14400
    console timeout 0
    admin-context admin
    context admin
      allocate-interface Vlan10
      allocate-interface Vlan29
      config-url disk:/admin.cfg
    context GESTION-WAS
      allocate-interface Vlan1709
      allocate-interface Vlan400
      config-url disk:/GESTION-WAS
    context FW-GoB-Fija
      allocate-interface Vlan1111
      allocate-interface Vlan1112
      config-url disk:/FW-GoB-Fija.cfg
      join-failover-group 1
    prompt hostname context
    Cryptochecksum:8b5fabc676745cfbafd6569c623a98b1
    : end
    SECONDARY FIREWALL.
    FWSM# sh run
    : Saved
    FWSM Version 4.1(5) <system>
    resource acl-partition 12
    hostname FWSM
    domain-name cisco.com
    enable password S13FcA2URRiGrTIN encrypted
    interface Vlan100
    shutdown
    interface Vlan900
    interface Vlan1100
    description LAN Failover Interface
    interface Vlan1101
    description STATE Failover Interface
    interface Vlan1111
    interface Vlan1112
    interface Vlan1709
    passwd 2KFQnbNIdI.2KYOU encrypted
    class default
      limit-resource IPSec 5
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
      limit-resource All 0
    ftp mode passive
    pager lines 24
    no failover
    failover lan unit secondary
    failover lan interface FAILLINK Vlan1100
    failover replication http
    failover link STATELINK Vlan1101
    failover interface ip FAILLINK 10.115.30.17 255.255.255.252 standby 10.115.30.18
    failover interface ip STATELINK 10.115.30.21 255.255.255.252 standby 10.115.30.22
    failover group 1
      preempt
      replication http
    no asdm history enable
    arp timeout 14400
    console timeout 0
    admin-context PCBA-NAT
    context PCBA-NAT
      allocate-interface Vlan1709
      allocate-interface Vlan900
      config-url disk:/PCBA-NAT
    context FW-GoB-Fija
      allocate-interface Vlan1111
      allocate-interface Vlan1112
      config-url disk:/FW-GoB-Fija
      join-failover-group 1
    prompt hostname context
    Cryptochecksum:c7529707b6d10d02c296a57253a925b2
    : end
    FWSM#
    I WILL APPRECIATE YOUR COMMENTS, BECAUSE IT'S IMPORTANT; THE FWSM SUPPORTS 3 CONTEXTS BY DEFAULT.
    Regards,
    Robert Soto.

    Hi Robert,
    Unfortunately no, this is not possible.
    Since you enable failover at the system level, all contexts will participate in failover and there is no way to change this.
    Additionally, both firewalls in the failover pair must have identical licenses, VLANs, and software versions in order for failover to work properly.
    -Mike
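Mike's two conditions, that every context joins failover and that both units carry the same VLAN set, can be checked before failover is enabled. As an added example that is not code from this thread or from Cisco, the script below parses the 'show run | in fire' output from each switch and the system-context configuration from each FWSM, then lists the VLANs, VLAN interfaces and contexts present on only one side, plus any VLAN a context allocates that its own switch does not trunk to the module. The sample inputs are abridged from Robert's configs above (only the lines this check reads); the function names are this example's own, and it models only the VLAN and context checks, not the license or software-version requirements Mike also mentions.

```python
import re

def expand(spec):
    """'10,20-22' -> {10, 20, 21, 22}"""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_ios_firewall(text):
    """'show run | in fire' output -> {module slot: set of VLAN ids trunked to it}"""
    groups, modules = {}, {}
    for line in text.splitlines():
        if m := re.match(r"\s*firewall vlan-group (\d+)\s+([\d,\-]+)", line):
            groups[int(m[1])] = expand(m[2])
        elif m := re.match(r"\s*firewall module (\d+) vlan-group ([\d,\-]+)", line):
            modules[int(m[1])] = [int(g) for g in m[2].split(",")]
    return {slot: set().union(*(groups.get(g, set()) for g in gs))
            for slot, gs in modules.items()}

def parse_fwsm_system(text):
    """FWSM system-context 'show run' -> (VLAN interfaces, {context: allocated VLANs})"""
    ifaces, contexts, cur = set(), {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*interface Vlan(\d+)", line):
            ifaces.add(int(m[1]))
        elif m := re.match(r"\s*context (\S+)", line):
            cur = contexts.setdefault(m[1], set())
        elif (m := re.match(r"\s*allocate-interface Vlan(\d+)", line)) and cur is not None:
            cur.add(int(m[1]))
    return ifaces, contexts

def preflight(slot, ios_a, fwsm_a, ios_b, fwsm_b):
    """Differences between the two units of the kind behind the 105038
    'Interface count mismatch' / 104002 messages in the post."""
    trunk_a, trunk_b = parse_ios_firewall(ios_a)[slot], parse_ios_firewall(ios_b)[slot]
    if_a, ctx_a = parse_fwsm_system(fwsm_a)
    if_b, ctx_b = parse_fwsm_system(fwsm_b)
    alloc_a, alloc_b = set().union(*ctx_a.values()), set().union(*ctx_b.values())
    findings = {
        "trunk_only_primary": trunk_a - trunk_b,
        "trunk_only_secondary": trunk_b - trunk_a,
        "iface_only_primary": if_a - if_b,
        "iface_only_secondary": if_b - if_a,
        "context_only_primary": set(ctx_a) - set(ctx_b),
        "context_only_secondary": set(ctx_b) - set(ctx_a),
        "allocated_not_trunked_primary": alloc_a - trunk_a,
        "allocated_not_trunked_secondary": alloc_b - trunk_b,
    }
    findings["ready"] = not any(findings.values())
    return findings

# Abridged from the configurations posted in the thread (module is in slot 3).
PRIMARY_IOS = """
firewall module 3 vlan-group 1,2
firewall vlan-group 1  10,20,25,400,1709
firewall vlan-group 2  1100,1101,1111,1112
"""
SECONDARY_IOS = """
firewall module 3 vlan-group 1,2
firewall vlan-group 1  900,1709
firewall vlan-group 2  1100,1101,1111,1112
"""
PRIMARY_FWSM = """
interface Vlan10
interface Vlan29
interface Vlan400
interface Vlan1100
interface Vlan1101
interface Vlan1111
interface Vlan1112
interface Vlan1709
admin-context admin
context admin
  allocate-interface Vlan10
  allocate-interface Vlan29
context GESTION-WAS
  allocate-interface Vlan1709
  allocate-interface Vlan400
context FW-GoB-Fija
  allocate-interface Vlan1111
  allocate-interface Vlan1112
"""
SECONDARY_FWSM = """
interface Vlan100
interface Vlan900
interface Vlan1100
interface Vlan1101
interface Vlan1111
interface Vlan1112
interface Vlan1709
admin-context PCBA-NAT
context PCBA-NAT
  allocate-interface Vlan1709
  allocate-interface Vlan900
context FW-GoB-Fija
  allocate-interface Vlan1111
  allocate-interface Vlan1112
"""

def check_posted_pair():
    """Run the pre-flight check over the pair from the thread."""
    return preflight(3, PRIMARY_IOS, PRIMARY_FWSM, SECONDARY_IOS, SECONDARY_FWSM)
```

On the posted pair the check reports VLANs 10, 20, 25 and 400 trunked only to the primary and 900 only to the secondary, the admin and GESTION-WAS contexts only on the primary and PCBA-NAT only on the secondary, and Vlan29 allocated to the primary's admin context without being in its vlan-group, so "ready" is False. Running the primary against a copy of itself still fails on the Vlan29 point, which is why that check is kept separate from the side-by-side comparison.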

  • ASA5505 upgrade from asa9.1.2/asdm7.1.3 to asa9.1.3/asdm7.1.4 no ASDM login

    Hi,
    I have the following problem after upgrading an ASA5505 from asa9.1.2/asdm7.1.3 to asa9.1.3/asdm7.1.4.
    When I launch ASDM after upgrading and log in with my credentials, ASDM keeps prompting for a password and doesn't let me in.
    I have tested a few things but still can't log in via ASDM.
    What I have done:
    crypto key zeroize rsa
    crypto key generate rsa modulus 2048
    http server enable
    http xxx.xxx.xxx.xxx 255.255.255.0 inside
    asdm image disk0:/asdm-714.bin
    ASDM Java Version is 7 Update 45
    If I go back to asa9.1.2/asdm7.1.3 everything works.
    Thanks a lot

    Oh no, it was my fault.
    On this ASA I hadn't configured a local account, only the enable user with a password, and this won't work with the new ASA and ASDM image ...
    Thanks a lot for your help marius!

  • FWSM maintenance mode - vlan 1

    Hi,
    A client has had their FWSM fail: when you try to start the module the switch eventually disables the power to that slot (%C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Module  Failed SCP dnld)). I have turned off diagnostics with 'no diagnostic boot level' and then used 'boot device module 4 cf:1' to bring the FWSM up into maintenance mode. I can then session up from the switch and log in to the FWSM as root.
    After inputting all the necessary IP info I can't ping anything on vlan 1 as I would expect; I have set the FWSM as 192.168.1.2 and an FTP/TFTP server as 192.168.1.1.
    I have removed the firewall vlan groups and tried to put them back with just vlan 1, but this isn't accepted (the reasons are covered in other posts on the forum). What am I doing wrong, as the instructions say that vlan 1 is the only vlan that is accessible whilst the FWSM is in maintenance mode?
    I can create an int vlan 1 in the switch and ping my ftp server, so I know that the switchport is set up correctly; I can also see that Po308 is formed and when the module boots I can see the Gi4/xx interfaces come up (FWSM is in slot 4).
    Any ideas of what to try next?
    ...and they aren't covered by maintenance agreements
    FWSM
    Maintenance image version: 2.1(4)
    [email protected]#show images
    Device name             Partition#              Image name
    Compact flash(cf)       4                       c6svc-fwm-k9.3-1-4-0.bin
    Switch
    SWITCH# sh ver
    Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI7, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Mon 18-Jul-11 05:49 by prod_rel_team
    ROM: System Bootstrap, Version 12.2(17r)SX7, RELEASE SOFTWARE (fc1)
    Regards
    Mel

    Recently I met the same problem.
    When installing the FWSM board in the Catalyst 6509 there is no communication access via vlan1 in the maintenance partition.
    Moreover, the FWSM works properly in the application partition (cf:4).
    Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXH8, RELEASE SOFTWARE (fc1)
    System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
    Mod Ports Card Type                              Model             
      1   48  48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX   
      4    6  Firewall Module                        WS-SVC-FWM-1      
      5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL    
      8    5  Communication Media Module             WS-SVC-CMM        
    Mod MAC addresses                       Hw    Fw           Sw           Status
      1  001b.d41a.8360 to 001b.d41a.838f   1.5   8.4(1)       8.7(0.22)BUB Ok
      4  0003.fead.962e to 0003.fead.9635   3.0   7.2(1)       4.1(14)      Ok
      5  0017.9444.c3ec to 0017.9444.c3ef   5.4   8.5(2)       12.2(33)SXH8 Ok
      8  0017.0ee2.13cc to 0017.0ee2.13d5   2.8   12.4(25c),   12.4(25c),   Ok
    FWSM versions
    FWSM Firewall Version 3.2(20)
    Device Manager Version 5.0(3)F
    Not possible to verify; the switch is in service.
    I guess the reason is likely the following.
    The FWSM supports only untagged packets on vlan1. By default the Catalyst 6500 does not tag native vlan1.
    In my case, tagging of the native vlan is enabled globally.
    #sh vlan dot1q tag native
    dot1q native vlan tagging is enabled globally
    Per Port Native Vlan Tagging State:
    Port    Operational          Native VLAN
               Mode               Tagging State
    Gi1/2   trunk                 enabled
    Gi1/8   trunk                 enabled
    Gi1/13  trunk                 enabled
    Gi1/14  trunk                 enabled
    Gi1/17  trunk                 enabled
    Gi1/18  trunk                 enabled
    Gi1/21  trunk                 enabled
    Gi1/27  trunk                 enabled
    Gi1/30  trunk                 enabled
    Gi1/32  trunk                 enabled
    Gi1/38  trunk                 enabled
    Gi1/42  trunk                 enabled
    Gi1/43  trunk                 enabled
    Gi1/44  trunk                 enabled
    Gi1/46  trunk                 enabled
    Gi5/2   trunk                 enabled
    Po2     trunk                 enabled
    Po308   trunk                 enabled

  • FWSM Active/Active Failover ICMP replication

    I have an issue with a WS-SVC-FWM-1 module: in active/active failover it doesn't replicate ICMP connection state with asr-groups configured on the respective interfaces. Although other connections are working just fine (asymmetric routing is verified with 'show ip cef' on the MSFC), it seems that only newer ASAs are doing ICMP replication in failover, but I couldn't find any documentation describing replication behavior for the FWSM. Can anyone clearly describe the FWSM's behavior for this?

    What FWSM version are you running?

  • Ospf retransmission packet over transparent fwsm

    Hello everyone!
    I have a problem: OSPF packets are lost over the FWSM in transparent mode. My scheme: Cisco 6513 (vlan 602) - FWSM (transparent mode) - Juniper MX 480 (vlan 1602)
    sh ip ospf neighbor 10.25.78.102
     Neighbor 10.25.78.102, interface address 10.25.4.49
        In the area 0.0.0.25 via interface Vlan602
        Neighbor priority is 0, State is FULL, 6 state changes
        DR is 0.0.0.0 BDR is 0.0.0.0
        Options is 0x12 in Hello (E-bit L-bit )
        Options is 0x52 in DBD (E-bit L-bit O-bit)
        LLS Options is 0x1 (LR)
        Dead timer due in 00:00:38
        Neighbor is up for 00:34:26
        Index 13/13, retransmission queue length 1377, number of retransmission 1829
        First 0x56B71B24(22845)/0x541589D4(1980410) Next 0x56B71B24(22845)/0x53145CDC(1982479)
        Last retransmission scan length is 1, maximum is 3
        Last retransmission scan time is 0 msec, maximum is 0 msec
        Link State retransmission due in 170 msec
    FWSM version 4.1(15).
    On the FWSM there is a separate transparent context:
    interface Vlan1602
     nameif outside_vos2
     bridge-group 5
     security-level 100
    interface Vlan602
     nameif inside_vos2
     bridge-group 5
     security-level 100
    mtu outside_vos2 1600
    mtu inside_vos2 1600
    same-security-traffic permit inter-interface
    access-group outside_vos2 in interface outside_vos2
    access-group inside_vos2 in interface inside_vos2
    vld-fwsm-3/Acon# sh access-list inside_vos2
    access-list inside_vos2; 7 elements
    access-list inside_vos2 line 1 extended permit icmp any any (hitcnt=3013) 0xdc0494dc 
    access-list inside_vos2 line 2 extended permit ospf any any (hitcnt=11870) 0x1a46fe16 
    access-list inside_vos2 line 3 extended permit ip any any (hitcnt=1) 0x8be5ad9f 
    access-list inside_vos2 line 4 extended permit ospf host 224.0.0.5 any (hitcnt=0) 0x96c6702 
    access-list inside_vos2 line 5 extended permit ospf host 224.0.0.6 any (hitcnt=0) 0xc8bc65d9 
    access-list inside_vos2 line 6 extended permit ospf any host 224.0.0.6 (hitcnt=0) 0xa6831776 
    access-list inside_vos2 line 7 extended permit ospf any host 224.0.0.5 (hitcnt=0) 0x1c1248b 
    vld-fwsm-3/Acon# sh access-list outside_vos2    
    access-list outside_vos2; 7 elements
    access-list outside_vos2 line 1 extended permit icmp any any (hitcnt=3010) 0xda598b52 
    access-list outside_vos2 line 2 extended permit ospf any any (hitcnt=7886) 0x112dad2b 
    access-list outside_vos2 line 3 extended permit ip any any (hitcnt=10) 0x910c4a5a 
    access-list outside_vos2 line 4 extended permit ospf host 224.0.0.5 any (hitcnt=0) 0x2d6480d7 
    access-list outside_vos2 line 5 extended permit ospf host 224.0.0.6 any (hitcnt=0) 0x4a8401c0 
    access-list outside_vos2 line 6 extended permit ospf any host 224.0.0.5 (hitcnt=0) 0x70f8cbba 
    access-list outside_vos2 line 7 extended permit ospf any host 224.0.0.6 (hitcnt=0) 0x60783961 
    FWSM logs (there are no drops):
    6|Apr 11 2014|14:47:40|302023|||||Teardown IP protocol 89 connection 12379739847668082336 for outside_vos2:10.25.4.49 to inside_vos2:10.25.4.54 duration 0:00:06 bytes 1520
    6|Apr 11 2014|14:47:40|302022|||||Built IP protocol 89 connection 12379739847668082338 for inside_vos2:10.25.4.49 (10.25.4.49) to outside_vos2:10.25.4.54 (10.25.4.54)
    6|Apr 11 2014|14:47:38|302022|||||Built IP protocol 89 connection 12379739847668082337 for inside_vos2:224.0.0.5 (224.0.0.5) to outside_vos2:10.25.4.54 (10.25.4.54)
    6|Apr 11 2014|14:47:36|302023|||||Teardown IP protocol 89 connection 12379739847668082335 for inside_vos2:10.25.4.54 to outside_vos2:10.25.4.49 duration 0:00:05 bytes 164
    6|Apr 11 2014|14:47:34|302022|||||Built IP protocol 89 connection 12379739847668082336 for outside_vos2:10.25.4.49 (10.25.4.49) to inside_vos2:10.25.4.54 (10.25.4.54)
    6|Apr 11 2014|14:47:31|302023|||||Teardown IP protocol 89 connection 12379739847668082332 for outside_vos2:10.25.4.49 to inside_vos2:10.25.4.54 duration 0:00:05 bytes 1520
    6|Apr 11 2014|14:47:31|302022|||||Built IP protocol 89 connection 12379739847668082335 for inside_vos2:10.25.4.49 (10.25.4.49) to outside_vos2:10.25.4.54 (10.25.4.54)
    6|Apr 11 2014|14:47:29|302023|||||Teardown IP protocol 89 connection 12379739847668082329 for inside_vos2:10.25.4.54 to outside_vos2:224.0.0.5 duration 0:00:09 bytes 196
    6|Apr 11 2014|14:47:26|302023|||||Teardown IP protocol 89 connection 12379739847668082330 for inside_vos2:10.25.4.54 to outside_vos2:10.25.4.49 duration 0:00:05 bytes 164
    6|Apr 11 2014|14:47:25|302022|||||Built IP protocol 89 connection 12379739847668082332 for outside_vos2:10.25.4.49 (10.25.4.49) to inside_vos2:10.25.4.54 (10.25.4.54)
    6|Apr 11 2014|14:47:21|302023|||||Teardown IP protocol 89 connection 12379739847668082328 for outside_vos2:10.25.4.49 to inside_vos2:10.25.4.54 duration 0:00:05 bytes 1520
    6|Apr 11 2014|14:47:21|302022|||||Built IP protocol 89 connection 12379739847668082330 for inside_vos2:10.25.4.49 (10.25.4.49) to outside_vos2:10.25.4.54 (10.25.4.54)
    6|Apr 11 2014|14:47:19|302022|||||Built IP protocol 89 connection 12379739847668082329 for inside_vos2:224.0.0.5 (224.0.0.5) to outside_vos2:10.25.4.54 (10.25.4.54)
    6|Apr 11 2014|14:47:17|302023|||||Teardown IP protocol 89 connection 12379739847668082327 for inside_vos2:10.25.4.54 to outside_vos2:10.25.4.49 duration 0:00:05 bytes 164
    6|Apr 11 2014|14:47:15|302022|||||Built IP protocol 89 connection 12379739847668082328 for outside_vos2:10.25.4.49 (10.25.4.49) to inside_vos2:10.25.4.54 (10.25.4.54)
    6|Apr 11 2014|14:47:12|302023|||||Teardown IP protocol 89 connection 12379739847668082324 for outside_vos2:10.25.4.49 to inside_vos2:10.25.4.54 duration 0:00:04 bytes 1520
    6|Apr 11 2014|14:47:11|302022|||||Built IP protocol 89 connection 12379739847668082327 for inside_vos2:10.25.4.49 (10.25.4.49) to outside_vos2:10.25.4.54 (10.25.4.54)
    6|Apr 11 2014|14:47:10|302023|||||Teardown IP protocol 89 connection 12379739847668082322 for inside_vos2:10.25.4.54 to outside_vos2:224.0.0.5 duration 0:00:10 bytes 196
    6|Apr 11 2014|14:47:07|302022|||||Built IP protocol 89 connection 12379739847668082324 for outside_vos2:10.25.4.49 (10.25.4.49) to inside_vos2:10.25.4.54 (10.25.4.54)
    6|Apr 11 2014|14:47:07|302023|||||Teardown IP protocol 89 connection 12379739847668082323 for inside_vos2:10.25.4.54 to outside_vos2:10.25.4.49 duration 0:00:05 bytes 164
    On the SVI interfaces of the Cisco 6500 and the Juniper MX480 the ip mtu is 1400.
    When traffic bypasses the FWSM there is no packet loss:
    sh ip ospf neighbor 10.25.78.102
     Neighbor 10.25.78.102, interface address 10.25.4.49
        In the area 0.0.0.25 via interface Vlan1602
        Neighbor priority is 0, State is FULL, 6 state changes
        DR is 0.0.0.0 BDR is 0.0.0.0
        Options is 0x12 in Hello (E-bit L-bit )
        Options is 0x52 in DBD (E-bit L-bit O-bit)
        LLS Options is 0x1 (LR)
        Dead timer due in 00:00:38
        Neighbor is up for 00:00:36
        Index 13/13, retransmission queue length 0, number of retransmission 0
        First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
        Last retransmission scan length is 0, maximum is 0
        Last retransmission scan time is 0 msec, maximum is 0 msec
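    The 302022/302023 lines above can be paired by connection id to see exactly what the FWSM accounted for in each direction, and which flows are even large enough to have contained a fragmented datagram. The script below is an added example, not part of the original post or of any Cisco tooling. It embeds a constructed subset of the posted log lines (same pipe-delimited syslog layout as pasted), takes the 1400-byte ip mtu the poster reports on the SVIs as its threshold, and assumes the FWSM "bytes" counter covers at least the IP-level bytes of the flow, so a flow totalling no more than the ip mtu cannot have carried an oversized datagram.

```python
"""Pair FWSM 302022 (Built) / 302023 (Teardown) syslog lines by connection id.

Added example, not from the original post. SAMPLE_LOGS is a constructed subset
of the protocol-89 lines in the post; 1400 is the ip mtu the poster reports on
the 6500 and MX480 SVIs.
"""
import re
from collections import defaultdict
from datetime import datetime

_HDR = r"^\d\|(?P<date>[^|]+)\|(?P<time>[^|]+)\|"
BUILT = re.compile(
    _HDR + r"302022\|+Built IP protocol (?P<proto>\d+) connection (?P<cid>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+) \([\d.]+\) to (?P<dst_if>\w+):(?P<dst>[\d.]+) \([\d.]+\)$"
)
TEARDOWN = re.compile(
    _HDR + r"302023\|+Teardown IP protocol (?P<proto>\d+) connection (?P<cid>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+) to (?P<dst_if>\w+):(?P<dst>[\d.]+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)$"
)

# Constructed sample: a subset of the lines posted above, in the same layout.
SAMPLE_LOGS = """\
6|Apr 11 2014|14:47:40|302023|||||Teardown IP protocol 89 connection 12379739847668082336 for outside_vos2:10.25.4.49 to inside_vos2:10.25.4.54 duration 0:00:06 bytes 1520
6|Apr 11 2014|14:47:40|302022|||||Built IP protocol 89 connection 12379739847668082338 for inside_vos2:10.25.4.49 (10.25.4.49) to outside_vos2:10.25.4.54 (10.25.4.54)
6|Apr 11 2014|14:47:38|302022|||||Built IP protocol 89 connection 12379739847668082337 for inside_vos2:224.0.0.5 (224.0.0.5) to outside_vos2:10.25.4.54 (10.25.4.54)
6|Apr 11 2014|14:47:36|302023|||||Teardown IP protocol 89 connection 12379739847668082335 for inside_vos2:10.25.4.54 to outside_vos2:10.25.4.49 duration 0:00:05 bytes 164
6|Apr 11 2014|14:47:34|302022|||||Built IP protocol 89 connection 12379739847668082336 for outside_vos2:10.25.4.49 (10.25.4.49) to inside_vos2:10.25.4.54 (10.25.4.54)
6|Apr 11 2014|14:47:31|302023|||||Teardown IP protocol 89 connection 12379739847668082332 for outside_vos2:10.25.4.49 to inside_vos2:10.25.4.54 duration 0:00:05 bytes 1520
6|Apr 11 2014|14:47:31|302022|||||Built IP protocol 89 connection 12379739847668082335 for inside_vos2:10.25.4.49 (10.25.4.49) to outside_vos2:10.25.4.54 (10.25.4.54)
"""


def _stamp(m):
    return datetime.strptime(f'{m["date"]} {m["time"]}', "%b %d %Y %H:%M:%S")


def _seconds(hms):
    h, mi, s = (int(x) for x in hms.split(":"))
    return h * 3600 + mi * 60 + s


def parse_conn_events(text):
    """Return {cid: record}; a record holds whichever of built/torn was seen."""
    conns = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := BUILT.match(line)):
            rec = conns.setdefault(m["cid"], {"proto": int(m["proto"])})
            rec["built"] = _stamp(m)
            rec["built_flow"] = f'{m["src_if"]}:{m["src"]} -> {m["dst_if"]}:{m["dst"]}'
        elif (m := TEARDOWN.match(line)):
            rec = conns.setdefault(m["cid"], {"proto": int(m["proto"])})
            rec["torn"] = _stamp(m)
            rec["direction"] = f'{m["src_if"]}->{m["dst_if"]}'  # as named on the teardown
            rec["duration_s"] = _seconds(m["dur"])
            rec["bytes"] = int(m["bytes"])
    return conns


def summarize(conns, ip_mtu):
    """Pairing stats plus the flows whose byte total could hide a fragmented datagram."""
    completed = sorted(c for c, r in conns.items() if "built" in r and "torn" in r)
    orphan_teardowns = sorted(c for c, r in conns.items() if "torn" in r and "built" not in r)
    orphan_builds = sorted(c for c, r in conns.items() if "built" in r and "torn" not in r)
    bytes_by_direction = defaultdict(int)
    for r in conns.values():
        if "torn" in r:
            bytes_by_direction[r["direction"]] += r["bytes"]
    # A flow totalling <= ip_mtu bytes cannot have carried a datagram larger than
    # ip_mtu (assuming the counter includes IP headers); only larger flows are
    # worth a capture when hunting for fragment loss.
    candidates = sorted(c for c, r in conns.items() if r.get("bytes", 0) > ip_mtu)
    return {
        "completed": completed,
        "orphan_teardowns": orphan_teardowns,
        "orphan_builds": orphan_builds,
        "bytes_by_direction": dict(bytes_by_direction),
        "fragmentation_candidates": candidates,
    }


if __name__ == "__main__":
    summary = summarize(parse_conn_events(SAMPLE_LOGS), ip_mtu=1400)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

    Pairing is done on the connection id only, because (as the posted lines show) the Built and Teardown messages for the same id can name the two addresses in opposite order; the direction reported is the interface pair on the 302023 line. Orphan entries mark ids whose partner message fell outside the pasted window, which is worth knowing before reading anything into the counts.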

    Hi Mike,
    Thanks for the reply. One of my colleagues had logged a TAC case recently and the advice was to redesign the OSPF network to reduce the size of DBD packets and prevent fragmentation.
    I accept this as a valid recommendation (the network does need work) but was also looking for real-life experiences where people had fixed similar issues.
    I am looking at introducing another OSPF area and summarising as many routes as possible. I am also investigating / confirming MTU sizes on the switch between the ASA and the FWSM. Based on some other research I am wondering whether I can increase the MTU on the FWSM, the ASA and the interconnecting 3750 to alleviate the issue.
    The ASA has another neighbour with no problems, but very few routes are received on that other network.
    Thanks,
    Pete

  • FWSM 2.3(4) with AAA accounting

    I have FWSM version 2.3(4), but I can't find a command to enable AAA accounting to a remote TACACS server. Does 2.3(4) support AAA accounting or not, and what is the minimum version that supports AAA accounting?

    FWSM 2.3(4) does support aaa accounting.  To define a TACACS server, you can use the 'aaa-server' command.  Please see the command reference below for more details:
    aaa accounting:
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/command/reference/ab.html#wp1073208
    aaa-server:
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/command/reference/ab.html#wp1070086

  • Problem with config sync between two CSM-S modules

    Hi everybody,
    I have a problem with config sync between two CSM-S modules.
    I am using CSM-S software version 2.1(8).
    The active module is used in a 6509 with a WS-SUP720-BASE supervisor running software version 12.2(18)SXF12a.
    The standby module is used in a 6509-V with VS-S720-10G supervisor (no VSS setup) running software version 12.2(33)SXI3.
    Failover seems to work fine:
    switch-active#sh modu csm 2 ft
    FT group 1, vlan 398
    This box is active
    Configuration is out-of-sync
    priority 150, heartbeat 3, failover 40, preemption is on
    switch-standby# sh modu csm 2 ft
    FT group 1, vlan 398
    This box is in standby state
    Configuration is out-of-sync
    priority 80, heartbeat 3, failover 40, preemption is on
    The command (on active side) "hw-module contentSwitchingModule 2 standby config-sync" leads to following result:
    switch-active:
    2010-04-14T16:21:45+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56042: Apr 14 16:21:44.223: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Bulk sync started
    2010-04-14T16:21:45+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56043: Apr 14 16:21:44.251: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configurations to Standby CSM, this may take several minutes!
    2010-04-14T16:21:46+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56044: Apr 14 16:21:45.995: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configuration to Standby CSM
    2010-04-14T16:21:51+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56045: Apr 14 16:21:50.831: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configuration to Standby CSM
    2010-04-14T16:21:57+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56046: Apr 14 16:21:56.151: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configuration to Standby CSM
    2010-04-14T16:22:59+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56047: Apr 14 16:22:58.791: %CSM_SLB-3-REDUNDANCY: Module 2 FT error: Active: Manual bulk sync timed out
    2010-04-14T16:22:59+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56048: Apr 14 16:22:58.803: %CSM_SLB-3-REDUNDANCY: Module 2 FT error:
    2010-04-14T16:22:59+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56049:  FT CONFIG SYNC: Failed config sync entity send
    switch-standby:
    2010-04-14T16:21:45+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2475: Apr 14 16:21:44.232: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Bulk sync started
    2010-04-14T16:21:45+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2476:
    2010-04-14T16:21:45+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2477: Apr 14 16:21:44.240: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: STANDBY:Configuration is being received, This may take several minutes!
    2010-04-14T16:21:49+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2478: Apr 14 16:21:48.824: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Receiving configuration from Active CSM
    2010-04-14T16:21:54+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2479: Apr 14 16:21:53.964: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Receiving configuration from Active CSM
    2010-04-14T16:21:59+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2480: Apr 14 16:21:58.852: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Started clearing configuration
    2010-04-14T16:21:59+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2481: Apr 14 16:21:59.400: %CSM_SLB-4-REDUNDANCY_WARN: Module 2 FT warning: Standby: Config Sync does not save running-config to startup-config
    2010-04-14T16:22:00+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2482: Apr 14 16:21:59.400: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Previous configuration are being deleted from supervisor
    The last log message on standby device seems to be correct - there is no CSM configuration after the attempted config sync.
    Our configuration includes about 3500 lines and it is really uncomfortable to keep in sync manually.
    Maybe someone has the same problem?
    kind regards,
    Christoph

    Hi Christoph,
    I am running into the exact same issue. Upon further investigation I've discovered that this is a known bug, CSCtd09117.  You can read more about it here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd09117 .   Apparently this is fixed in ver 12.2(32.8.11)SX323 .
    I haven't had a chance to upgrade yet, so I can't verify the fix, but if it works for you please let me know.
    Regards,
    Brandon

  • Backup configuration missing from ASDM

    Having a problem with an ASA5520 system in that the Backup and Restore configuration options under the ASDM Tools menu are not displayed/available.  Any ideas as to why this is?  The ASDM version supports it as far as I can see.  Further details:
    - ASDM/ASA versions of ASA5505 and ASA5520 system are:
    ASDM Version 7.1(3)
    ASA Version 9.1(2)
    Java 1.7.0_45
    - User logging in with is a Priv 15 user.
    - Only when system context is selected, under the Tools menu "System Reload" is available along with File Management, Downgrade Software etc. but no Backup Configuration or Restore Configuration.
    - If same ASDM client is used with ASA5505 instead of ASA5520, the Backup Configuration and Restore Configuration options display just below "Downgrade Software" and backup and restore work.
    - If I try to access ASDM via a different system with a different version of Java etc., same problem.

    Your mention of system context gave the clue.
    Backup and restore from ASDM is only available when the firewall is running in single context mode. Reference.
