Debug on FWSM

How can you perform a debug packet on a FWSM? The traffic is in the Data Plane of the FWSM and not the control plane, so the debug command cannot see the through traffic.
Any ideas???

Hi Jeramel,
I'm not quite sure what you are looking for.  Syslogs are your best bet for tracking when the FWSM creates and tearsdown a connection. 
"show conn" will display the current connections passing through the FWSM, along with their state, and what inspections are applied to them.
"debug tcp" on the ASA is really showing some internal checks which the ASA is performing on the TCP packets.  It should not be used on a loaded ASA.  As it is very verbose. 
What exactly are you looking to acheive?
Sincerely,
David.

Similar Messages

  • Can you do a debug of TCP sessions in a FWSM?

    Hello,
    Is there any debug or show command to see when the tcp connections are opened or closed in an FWSM? I know that in the current versions of ASA for this you can do a "debug tcp", but there is any command on the FWSM to do something like this?
    Thanks in advance.

    Hi Jeramel,
    I'm not quite sure what you are looking for.  Syslogs are your best bet for tracking when the FWSM creates and tearsdown a connection. 
    "show conn" will display the current connections passing through the FWSM, along with their state, and what inspections are applied to them.
    "debug tcp" on the ASA is really showing some internal checks which the ASA is performing on the TCP packets.  It should not be used on a loaded ASA.  As it is very verbose. 
    What exactly are you looking to acheive?
    Sincerely,
    David.

  • Puedes un hace debugging de las sesiones TCP en un FWSM?

    Hola,
    Existe algun debug para ver las conexiones tcp que se van abriendo y cerrando en un FWSM? Se que las versiones actuales de ASA
    para esto puedes hacer un "debug tcp", pero existe algun comando en el FWSM que haga algo similar a esto?
    Saludos.

    You might have a higher chance for answers if you asked in english.
    Rgds,  MiKa

  • FWSM (where is the debug troubleshooting facilities?)

    Hi,
    Thanks for reading ... hope someone can help.
    I have just taken over some FWSM running fairly old code (3.1)
    I have previously worked with ASA and PIX's, so this is fairly new to me.
    I am troubleshooting some traffic issues. I noticed a few commands/tools that are not available.
    There is no "debug NAT " facility unlike on the ASA's
    There is no capture "match" command boo hoo.
    And there is no "packet tracer" ASDM tool ..... which is a fantastic troubleshooting tool.
    Any advise really really appreciated.
    Thanksnat
    Matt

    Sorry to disappoint, but unfortunately there won't be feature to feature parity between ASA and FWSM.
    It is indeed very similar in terms of configuration, but FWSM is lacking quite a number of tools that ASA has.
    FWSM will be replaced by ASA-SM which has the exact same tools as the existing ASA appliance.

  • Problem with FWSM and L3 interface in same switch

    I have two 6513s with an 802.1q trunk connecting them. Each switch has redundant Sup720s running in Native mode, IOS ver 12.2(18)SXF (they were initially running SXD3). A FWSM (ver 2.3(3), routed mode, single context) is in each switch, setup in failover mode.
    I can not get a PC, in a vlan that has the layer 3 interface defined on the switch with the active FWSM in it, to communicate with devices "behind" the FWSM. If I move the layer 3 configuration for that vlan to the other 6513, everything works fine.
    The MSFCs are on the inside of the firewall, they have a layer 3 interface configured in the same vlan as the FWSM "inside" interface. Several "same security level" interfaces are defined on the FWSM and used to protect server farms. I am using OSPF on the MSFCs and FWSM and the routing table is correct.
    The FWSM builds connections for attempts made by the PC with the layer 3 interface defined on the same switch as the active FWSM just fine, so this is not a FWSM ACL problem.
    A ping of the FWSM "inside" interface from a PC with the layer 3 interface defined on the same switch as the active FWSM fails, even though debug icmp trace on the FWSM shows the request and the response. A packet capture, using the NAM-2, shows only the request packets. I have captured on the common vlan and the FWSM backplane port channel interface.
    Just to add to the confusion, if I capture in the same places, but do the ping from a PC that is in a vlan with the layer 3 interface defined in the 6513 that does not contain the active FWSM, which works fine, I see the request and reply on the common vlan capture, but only the request on the port channel capture.
    This problem has been there from the beginning of this implementation and has not changed with IOS and FWSM software upgrades. I have experienced this with any and all vlans that I tried to define the layer 3 interface for on the switch with the active FWSM. I have MLS turned on.
    If anyone else has experienced this and solved it, or knows what is going on, I would appreciate any insight.
    Thanks.
    Keith

    I will have to get setup to record more data, but I do know the FWSM showed a ping request and a ping reply at the "inside" interface.
    I believe my problem is related to the IOS command "firewall multiple-vlan-interfaces" which I put in place to allow IPX traffic to be brought around the FWSM. The little documentation that there is for this command, states that policy routing may need to be implemented to prevent ip packets from going around the firewall. I do not have any policy routing in place.
    I also do not have any active layer three interfaces defined for any of the vlans assigned to the firewall except the "inside" interface. So my resoning was that I did not need to be concerned about ip packets having a way around the FWSM. My suspicion is that this command and the fact that I have mls on is causing some type of a problem which results in the packet being "lost" when it needs to be going through the MSFC in the switch with the active FWSM to get to the PC. Hopefully that makes some sense.
    Do you have any idea where better documention on using the "firewall multiple-vlan-interfaces" may be, or a better explanation of all that is happening inside the switch when that command is used?
    Thanks.

  • FWSM strange acl behavior

    Hi!
    I have FWSM running 4.1(6) with two security contexts.
    The context test config is:
    FWSM/test# sh run
    : Saved
    FWSM Version 4.1(6) <context>
    hostname test
    domain-name fwsm.spbstu.ru
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    dns-guard
    interface Vlan556
    nameif inside
    security-level 100
    ip address 192.168.100.254 255.255.255.0
    interface Vlan557
    nameif dmz
    security-level 50
    ip address 172.16.2.1 255.255.255.0
    passwd 2KFQnbNIdI.2KYOU encrypted
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list permit_any extended permit tcp any any
    access-list permit_any extended permit udp any any
    access-list permit_any extended permit ip any any
    access-list dmz_in extended permit icmp any any
    access-list dmz_in extended permit udp any any
    access-list dmz_in remark dmz_in
    access-list dmz_in extended permit tcp any any
    access-list dmz_out extended permit icmp any any
    access-list dmz_out extended permit udp any any
    access-list dmz_out extended permit tcp any any
    access-list inside_in extended permit tcp any eq 3389 any
    access-list inside_in extended permit tcp any any
    access-list inside_in extended deny ip any any
    access-list inside_out extended permit icmp any any
    access-list inside_out extended permit udp any any
    access-list inside_out extended permit tcp any any
    pager lines 24
    logging enable
    logging console debugging
    logging buffered debugging
    logging asdm debugging
    mtu inside 1500
    mtu dmz 1500
    no asdm history enable
    arp timeout 14400
    nat-control
    access-group permit_any in interface inside
    access-group permit_any out interface inside
    access-group permit_any in interface dmz
    access-group permit_any out interface dmz
    route dmz 0.0.0.0 0.0.0.0 172.16.2.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout pptp-gre 0:02:00
    timeout uauth 0:05:00 absolute
    username cisco password ZBZ8GNEdrJsjFvsR encrypted
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    telnet timeout 60
    ssh timeout 60
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect dns
      inspect ftp
      inspect netbios
      inspect rsh
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
      inspect http
    service-policy global_policy global
    Cryptochecksum:632fecb27da8e4b662d4197c60f1b22a
    : end
    Routing and vlan config is fine for sure.
    but access is denied while ACL counters are 0
    Does anybody have any ideas where I should look more carefully?
    system context config is
    FWSM# sh run
    : Saved
    FWSM Version 4.1(6) <system>
    resource acl-partition 12
    hostname FWSM
    enable password 8Ry2YjIyt7RRXU24 encrypted
    interface Vlan555
    interface Vlan556
    interface Vlan557
    interface Vlan1216
    passwd 2KFQnbNIdI.2KYOU encrypted
    class default
      limit-resource IPSec 5
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
      limit-resource All 0
    ftp mode passive
    pager lines 24
    no failover
    no asdm history enable
    arp timeout 14400
    console timeout 0
    admin-context admin
    context admin
      description default_context
      member default
      allocate-interface Vlan1216
      allocate-interface Vlan555
      allocate-acl-partition 0
      config-url disk:/admin.cfg
    context test
      description test
      member default
      allocate-interface Vlan556
      allocate-interface Vlan557
      allocate-acl-partition 1
      config-url disk:/CON_test.cfg
    prompt hostname context
    Cryptochecksum:ae682011fefdab9a0e4eeda02ca49c6e
    : end

    access-list permit_any extended permit tcp any any
    access-list permit_any extended permit udp any any
    access-list permit_any extended permit ip any any
    access-list permit_any extended permit icmp any any
    access-group permit_any in interface inside
    access-group permit_any out interface inside
    access-group permit_any in interface dmz
    access-group permit_any out interface dmz
    I don't understand why FWSM denies ICMP:
    ( I am pinging from Cat6509 SUP 172.16.2.254 ( which is on dmz interface ) the host on inside interface 192.168.100.250:
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-7-111009: User 'enable_15' executed cmd: show logging
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    Any ideas?

  • Reg:FWSM router mode issue

    Hi,
    I have a Cisco FWSM installed on Cisco 7613 router,the topology is like mentioned below,
            7613+{FWSM}------3560---------3560----[10.220.0.0/29,10.220.1.0/29,10.220.2.0/29] 
    Here  we created a p2p link between 7613 gig port and switch3560 gig port  (say 10.220.1.252/29) and then there ia a trunk between both 3560 switches  ,We wish to run FWSM in router mode and configured vlan groups 10(101,102)and 20(200,201),assigned both these groups to firewall module on router on vlan 200 ip add 192.168.2.1/24 has been given, while on fwsm on int vl 200, 192.168.2.2 ip has been given,although the interfaces are up and pinging their individual ip ads they are not pinging each other(both ip ads appear in sh arp though.Kindly help in resolving this issue.
    Also i configured inside vlan 201as inside its also up and visible in arp of router but not pinging others kindly help in the resolution of this issue.
    We need to put this firewall in front of the router which has a serial line to another 7600 router,how would i take traffic to fwsm ,pls suggest what else do i need to do ,as i m new to FWSM .
    router config:
    Router#sh firewall module
    Module Vlan-groups
      04   1,2
    Router#sh firewall vlan-group
    Display vlan-groups created by both ACE module and FWSM
    Group    Created by      vlans
        1           ACE      100-101,200-202
        2                    <empty>
    Router#sh arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.225.62.145           -   001d.a156.9300  ARPA   GigabitEthernet10/1
    Internet  10.225.62.146         107   001d.a1a5.fbc1  ARPA   GigabitEthernet10/1
    Internet  192.168.2.1             -   001d.a156.9300  ARPA   Vlan200
    Internet  192.168.2.2             7   0007.0e5c.3d00  ARPA   Vlan200
    Internet  192.168.3.1             4   0007.0e5c.3d00  ARPA   Vlan201
    Internet  192.168.3.2             -   001d.a156.9300  ARPA   Vlan201
    Fwsm config:
    hostname FWSM
    interface Vlan200
    nameif outside
    security-level 0
    ip address 192.168.2.2 255.255.255.0
    interface Vlan201
    nameif inside
    security-level 100
    ip address 192.168.3.1 255.255.255.0
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    no asdm history enable
    arp timeout 14400
    route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect smtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:4e3eadb1a489f3b696d0c6da8b1b20b9
    : end
    FWSM#
    FWSM# sh arp
            outside 192.168.2.1 001d.a156.9300
            inside 192.168.3.2 001d.a156.9300
            eobc 127.0.0.81 0000.1800.0000
    FWSM# sh int
    Interface Vlan200 "outside", is up, line protocol is up
      Hardware is EtherSVI
            MAC address 0007.0e5c.3d00, MTU 1500
            IP address 192.168.2.2, subnet mask 255.255.255.0
      Traffic Statistics for "outside":
            6 packets input, 658 bytes
            12 packets output, 1316 bytes
            474 packets dropped
    Interface Vlan201 "inside", is up, line protocol is up
      Hardware is EtherSVI
            MAC address 0007.0e5c.3d00, MTU 1500
            IP address 192.168.3.1, subnet mask 255.255.255.0
      Traffic Statistics for "inside":
            6 packets input, 658 bytes
            7 packets output, 726 bytes
            107 packets dropped

    hi,
    thanks for being so helpful,there is a little issue thats arisen, i can not ping inside address configured on fwsm(192.168.3.1)where as i can ping 192.168.3.2 on router interface.i cannot telnet fwsm using its outside interface ip 192.168.2.2 either,hereis my FWSM config ,kindly suggest if there is any mistake .
    thanks.
    Also i tried to ping inside fwsm interface from my client 10.220.2.2 and enabled debug,to get these ,
    FWSM# debug icmp trace 255
    debug icmp trace enabled at level 255
    FWSM# ICMP echo request (len 50 id 2 seq 34642) 10.220.2.2 > 192.168.2.2
    ICMP echo reply (len 50 id 2 seq 34642) 192.168.2.2 > 10.220.2.2
    ICMP echo request (len 50 id 2 seq 34898) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 50 id 2 seq 34898) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 32 id 2 seq 35154) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 32 id 2 seq 35154) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 32 id 2 seq 43602) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 32 id 2 seq 43602) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 32 id 2 seq 49746) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 32 id 2 seq 49746) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 32 id 2 seq 55634) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 32 id 2 seq 55634) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 50 id 2 seq 25683) 10.220.2.2 > 192.168.2.2
    ICMP echo reply (len 50 id 2 seq 25683) 192.168.2.2 > 10.220.2.2
    ICMP echo request (len 50 id 2 seq 25939) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 50 id 2 seq 25939) 192.168.3.1 > 10.220.2.2
    Kindly suggest what could be done.
    thanks.

  • SW-6509-FWSM failover Troubleshooting First aid

    Fault Description:
    (1)
    active  FWSM and standby FWSM  inside interface Between,ping fails。
    on side FWSM---active: ping 172.17.1.50 -------OK,ping 172.17.1.49------ping fails;
    on side FWSM---standby: ping 172.17.1.49--------OK,ping 172.17.1.50-------ping fails;
    but,active  FWSM and standby FWSM  outside interface between,ping OK。
    on side FWSM---active:ping 172.17.1.36  、  ping 172.17.1.37、ping 172.17.1.35/33/34/、ping www.baidu.com -----------All OK;
    on side FWSM---standby:ping 172.17.1.36 、  ping 172.17.1.37 、ping 172.17.1.35/33/34/、ping www.baidu.com-----------All OK;
    (2)
    Another problem:
    active  FWSM and standby FWSM  inside interface,ping  7706-------All fails。
    Summary:May be caused fwsm。
    Topology :Attachment
    FWSM :
    FWSM#                       show failover state
    ====My State===
    Primary | Active |
    ====Other State===
    Secondary | Standby |
    ====Configuration State===
        Interface config Syncing - STANDBY
        Sync Done
    ====Communication State===
        Mac set
    =========Failed Reason==============
    My Fail Reason:
        Ifc Failure
    Other Fail Reason:
        Comm Failure
    FWSM# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: lan Vlan 997 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 15 seconds
    Interface Policy 50%
    Monitored Interfaces 42 of 250 maximum
    Config sync: active
    Version: Ours 4.0(13), Mate 4.0(13)
    Last Failover at: 19:08:24 Beijing Dec 2 2013
        This host: Primary - Active
            Active time: 358944 (sec)
        Interface outside (172.17.1.36): Normal
        Interface inside (172.17.1.49): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready
            Active time: 0 (sec)
        Interface outside (172.17.1.37): Normal
        Interface inside (172.17.1.50): Normal (Not-Monitored)
    (Not-Monitored) -----------------??????

    That's what I thought but the again, from the 6500 config prompt I actually get echo replys(!) from the FWCTX, with capture enabled as:
         access-list CAP permit ip any any
         capture mgmt access-list CAP interface MGMT packet-length 1500 circular-buffer
    But it shows blank and no hit counts. Same happens usind RTMonitor in ASDM (6.2.(2f)) some packets that are permited and routed correctly aren't actually noticed. I don't get any logging for the missing/dropped/denied echo replies from the FWCTX to the 6500 MSFC nor for the successful replies from the 6500 to the FWCTX withh ASDM Debugging logging on.

  • FWSM can not show sessions in xlate between two specific vlans

    Dear Experts ,
    I have FWSM running version 3.2(23) , configured with interface vlans , all having the same security level , except outside interface vlan which has security level 0 , also same-security-traffic permit inter-interface and same-security-traffic permit intra-interface are configured, my problem is when establishing sessions (I tried TCP only using ssh and telnet , in addition of ping ) from one specific vlan (172.16.1.0/28)  to other vlan (172.16.1.16/28) , I can not see the established sessions  in "show xlate debug" output ! although I can see these sessions from capture !  the two subnets are separate , two different /28.
    I can see the session established from the remaining interface vlans with same security level toward  172.16.1.16/28 , my question is what is the exception with vlan having this subnet172.16.1.0/28, how it can reach other vlan with subnnet 172.16.1.16/28 without showing anything in xlate table ? do you thing it is bug ? please advise
    Regards

    Red1,
    Need to make sure the packets are arriving on the correct interface.  Need to grab captures and the debug level syslogs at the same time. Hope you are not running into the xlate limitation of the module.
    Pls. check the limitation link here:
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/specs_f.html#wp1056716
    -Kureli
    https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts
    Upcoming Live Webcast in English: January 15, 2013
    Troubleshooting ASA and Firewall Service Modules
    Register today: http://tools.cisco.com/squish/42F25

  • FWSM : Can same security level command create identity nat?

    Hi All,
    As the topic : Can same security level command create identity nat? I found identity nat when show xlate debug command although no configuration related to identitiy nat for those subnet ip address.
    My brief configuration
    - same security level intra interface is enable
    - xlate-baypass is enable
    - NAT examption for some subnet

    To my knowlege the FWSM creates a xlate for all connections.
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/cfgnat_f.html
    "Even if you do not configure NAT, the FWSM continues to create translation sessions for all traffic automatically. In this case, the translation is from the real address to the same real address. See the
    show xlate command to view translation sessions."

  • FWSM blocks RPC traffic

    Hello
    I have a customer who has Microsoft SMS running on Windows 2008 server and agent is installed on all clients, server is in DMZ and the clients are in other dmz , other applications are running and using RPS with no problems but the SMS server is new and I found dropped packets by the inspection policy for the inspected SMS server as below
    fwsm# sho service-policy
    Global policy:
      Service-policy: global_policy
        Class-map: inspection_default
          Inspect: dns maximum-length 512, packet 358660, drop 0, reset-drop 0
          Inspect: ftp, packet 1873, drop 0, reset-drop 0
          Inspect: h323 h225, packet 0, drop 0, reset-drop 0
          Inspect: h323 ras, packet 0, drop 0, reset-drop 0
          Inspect: netbios, packet 224450, drop 0, reset-drop 0
          Inspect: rsh, packet 0, drop 0, reset-drop 0
          Inspect: sip, packet 0, drop 0, reset-drop 0
          Inspect: skinny, packet 0, drop 0, reset-drop 0
          Inspect: sqlnet, packet 1265466, drop 0, reset-drop 0
          Inspect: sunrpc, packet 68218, drop 0, reset-drop 0
          Inspect: tftp, packet 0, drop 0, reset-drop 0
          Inspect: xdmcp, packet 72, drop 0, reset-drop 0
          Inspect: dcerpc, packet 100362, drop 18, reset-drop 0
    Also the output of " debug dcerpc events" gives this error "DCERPC-ERR: Corrupted packet, incorrect scm reply header"
    Removing the DCREPC inspection interupts other application .
    the FWSM version is 4.1(7) .
    ANY IDEA ?

    Any hint experts ?

  • Filtering IPv6 extension headers on FWSM

    Hello,
    We want to filter IPv6 extension headers on FWSM (4.1.x) and we discovered that filtering does not works at all. For example to filter destination options we used the following IPv6 ACE:
    ipv6 access-list OUTSIDE6_IN deny 60 any any
    Then packets are sent using extended IPv6 ping from IOS router and FWSM ignores above ACE and forwards the packet to the destination. The same thing happens when using Scapy as packet generator.
    The packet is good  because it matches IOS IPv6 ACL Destination options ACE.
    I didn't checked but my colleague reported me the same issue with filtering Hop-by-hop option on FWSM.
    So, is something wrong with the procedure or this is about new bug?
    Regards,
    Igor

    Jenifer,
    ACL is assigned to the interface... Other ACEs are being matched so ACL works but it does not match extension headers correctly:
    ipv6 access-list OUTSIDE6_IN line 1 deny 60 any any log debugging interval 300 (hitcnt=0) 0xbb24b0a2
    ipv6 access-list OUTSIDE6_IN line 2 permit tcp any any eq www log debugging interval 300 (hitcnt=2) 0xbde27d7c

  • Debugging is not working in R/3 from WebDynpro-ABAP developed webpage input

    Dear Friends,
    We are facing a serious problem for debugging. Expecting valuable input for the same.
    Debugging is not working in R/3 from WebDynpro-ABAP developed webpage input in Production Server.
    The debugging (for WebDynpro-ABAP application) is working in Dev. Server for
    1st ] Within R/3
    Ex. debug for bapi within R/3. i.e. value enter as input in R/3 only.
    2nd ] From webpage to R/3
    Ex. Some input given on the internet web page developed through WebDynpro and external breakpoint set in R/3 it works. It directs to R/3 code through debugging.
    In Prod. Server the 1st case above is working but the 2nd case is not working.
    In Prod. Server the WebDynpro developed applications are running successfully through internet explorer webpage inputs. So running the application is not a problem in prod. Server but debugging of the same is the problem.
    The setting which are done in Prod. server are,
    1] RZ10 in parameters are set for port and host name.
    2.1] In SMICM check for ICM.
    2.2] Host file updated in Windows-System 32.
    3] In SICF following services are active,
    3.1] default_host/sap/bc/webdynpro
    3.2] default_host/sap/public/bc
    3.3] default_host/sap/public/bc/webdynpro/viewdesigner
    3.4] default_host/sap/bc/wdvd
    3.5] default_host/sap/public/icman
    3.6] default_host/sap/bc/gui/sap/its/webgui
    3.7] default_host/sap/public/ping
    3.8] default_host/sap/bc/error
    3.9] default_host/sap/bc/echo
    4] In SE80
    4.1] Internet services-System-are published
    4.2] Internet services-WEBGUI-are published
    4.3] Utilities-Setting-ABAP Editor-Debugging-Username & New Debugger set.
    4.4] Utilities-Setting-ABAP Editor-Editor-Front-End Editor(New) set.
    5] In Su01 for user profiles sap_all & sap_new is assigned and role  SAP_BC_WEBSERVICE_DEBUGGER is assigned.
    6] The support packages are also updated to latest level.
    7] Gone through following links but not getting any clues.
    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/74d50bd1431b5ae10000000a42189c/frameset.htm
    http://help.sap.com/saphelp_nw04s/helpdata/EN/77/3545415ea6f523e10000000a155106/frameset.htm
    Thanks in Advance.
    Best Regards,
    Abhijit.

    No cross posting
    Read the "Rules of Engagament"
    Regards
    Juan

  • Firefox can't open normally without going through the "this is embarrassing" routine; nor does it close down properly; it also sticks frequently, i.e. screen freezes for a minute or more; should I uninstall and re-install to try and debug?

    Firefox can't open normally without going through the "this is embarrassing" routine; nor does it close down properly; I get the "end program" message and have to say "end now"it also sticks frequently, i.e. screen freezes for a minute or more; should I uninstall and re-install to try and debug?
    - I've used Firefox exclusively for around 2 years.
    - My outlook express has no problems
    - other programs seem unaffected; it seems peculiar to Firefox.
    - my main use is surfing the net, primarily entering competitions on line via specialist competition sites.
    - every day at some stage(s) I have to switch computer off as Firefox has got very slow/sticky/freezes.
    I'm not techy by any means, but I can only thing of un- and re-installing to hopefully start with a clean slate.

    Sounds like something is keeping Firefox from closing properly. See this: <br />
    https://support.mozilla.com/en-US/kb/Firefox+hangs#Hang_at_exit

  • ERROR while debugging a SELECT..ENDSELECT

    Hello All,
    We get an error while we go into the select..endselect loop during debugging. Because of this if we try to do some research on existing program with Select-endselect..it fails in the second pass of this loop.
    This problem was not there earlier, but after we upgraded from 4.6 to 4.7 this problem is bugging us..every day. Does any one have a clue why ?
    Thanks!!
    Regards,
    Vishal

    Hi,
      debugging a SELECT...ENDSELECT statements brings to a LUW commit work if no other work processes are available for debug.
    See OSS notes 675, 2104.
    From OSS note 675 **********************************
    Cause and prerequisites
    Chain of causes:
          1. There is a statement in one of the Select loops, that leads to a database Commit (or Rollback).
          2. A database Commit causes the database to lose the cursor.
          3. The system cannot automatically continue within Select loop after loss of cursor.
    Following statements lead to a database Commit:
        * All statements that cause a change of screen (CALL SCREEN, CALL DIALOG, CALL TRANSACTION, SUBMIT, I/W-Message)
        * BREAK-POINT/ Debugging
          . if no debug process free
          . always after regeneration (in order to release generation lock).
        * WAIT Here a work process is released and a Commit is executed.
        * COMMIT WORK/ROLLBACK WORK
    From OSS note 2104 **********************************
    Solution
    The "COMMITWORK" message appears in the ABAP debugger when programs
    orscreensrequireregeneration,or when not enough free capacity
    is available inthesystem (or else the debugger blocks a system
    process).
    Normallyonly one work process is released for debugging. This
    isgenerally insufficient ina developmentsystem, as processes
    can be blocked for other reasonstoo(background processing,
    CPI-C connections,andso on).
    The number of work processes made available for debugging can
    be configured using the profileparameter
                      rdisp/wpdbug_max_no
    Forexample:
                    rdisp/wpdbug_max_no = 10
    setsthe maximum number of work processes made available for
    debuggingto 10. It may be necessary to generally increase the
    numberofwork processesatthis time (parameter rdisp/wp_no_dia).
    In all other known cases, an error in the application program is
    involved.
    Regards, Manuel

Maybe you are looking for