LMS4.1 and FWSM 4.0.4

Will LMS pull IP information from the virtual firewall on the FWSM module? I have set both up using SNMP version 1, as the FWSM will not do SNMP v3. When I say both I am referring to the Cisco 3750G stack that houses all the end-user workstations and sits behind the virtual firewall. I get all ports and MAC addresses but no IP correlation.
Sent from Cisco Technical Support iPad App

Will I also be able to add the IP address information? Once imported, will it merge the data from the import and the switch discovery? Basically, what I was hoping for is this: I have the switch with all the MAC addresses in discovery; will it combine my imported IP addresses with the corresponding port on the switch by comparing MAC addresses? Then I would have the imported IP address tied to a specific port on the switch.
Thanks

Similar Messages

  • 6500 sup 720 with MPLS, GRE and FWSM problem

    We have a 6500 Sup720 with MPLS configured and an FWSM in transparent mode. We also terminate GRE tunnels on the same 6500.
    After implementing the command “mls mpls tunnel-recir”, GRE tunnels are hardware switched (which we want them to be), but we no longer have any connection from locations through GRE tunnels to servers behind the FWSM.
    Does anybody have an idea how to solve this problem?

    Hi,
    Not sure what you mean exactly.
    The command “mls mpls tunnel-recir” is needed to avoid packet corruption in cases where the Supervisor engine is handling both the GRE header encapsulation and the MPLS label stack imposition. Since it cannot do both in one single shot (without causing random corruption), recirculation is needed. Nevertheless, its presence does not influence whether the GRE traffic is handled in hardware or in software. Even without it, IF THE GRE TUNNELS ARE CORRECTLY CONFIGURED (meaning that each GRE tunnel has its unique source address etc.), the traffic is handled in hardware.
    However, since you say that after you enabled it you don't have connectivity anymore, I suppose that some issue related to recirculation is happening (i.e. traffic ends up in the wrong internal VLAN after recirculation).
    Unfortunately the support forum is not meant to help in this case as in-depth troubleshooting is required. For that you need a TAC case.
    regards,
    Riccardo

  • IDSM2 and FWSM

    Hi
    I have question regarding IDSM2 implementation in FWSM environment.
    VLAN 60 is outside interface on FWSM
    interface Vlan60
    nameif outside
    security-level 0
    ip address 10.10.60.2 255.255.255.0
    Also, on Cisco 6500, I have VLAN 60
    interface Vlan60
    ip address 10.10.60.1 255.255.255.0
    Everything is OK, the inside interface on the FWSM is SVI 66, everything is UP and the FWSM is working correctly.
    Now, I want to put IDSM2 to monitor ALL traffic between FWSM outside interface and MSFC(6500).
    Is it possible? And how?
    I know that I need to put some additional VLAN to bridge through the IDSM2, creating an interface VLAN pair (subinterface on the data ports of the IDSM2), but in that case I am losing the connection between the FWSM and the MSFC.
    Please help. Thank You

    You will need to create a new vlan and then put all traffic between FWSM and MSFC in this vlan. You can also create multiple vlans if required. Then put the vlan for monitoring in the IDSM2. Following link may help you
    http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliIdsm2.html

  • Difference between ASA-SM1 and FWSM.What is the throughput of each of them?

    Can anyone tell me what the difference is between ASA-SM1 and FWSM,
    and what the throughput of each is?
    Thanks in advance
    Khem

    The FWSM is end of sale. It has been replaced by the ASA-SM1.
    See the following link for details of the performance differences between the two devices:
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
    Don't forget to rate all posts that are helpful.

  • Using CSM and FWSM together

    We are a hosting company looking to implement a Blade server/6500 solution.
    We are looking to use a 6500 with an FWSM and loadbalancing between servers on a per customer/context basis.
    All the examples on cisco.com support suggest CSM before and after firewall contexts however is it possible to move traffic in the following order on a single 6500?
    Outside -> FWSM -> CSM -> Customer server farm?
    Would this be done utilising 3 VLANs?

    Are you doing firewall loadbalancing or server loadbalancing ?
    FW loadbalancing needs 2 CSM because you first need to select which firewall to use on the way out -> in and you also need to guarantee to use the same Fw on the way in -> out for the same connection.
    The 2nd CSM can learn what FW was used and guarantee that the server response will use the same one.
    This can however be done with a single CSM - just a little bit more complicated to configure.
    I wrote a document about this @
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a008020cd7c.shtml
    I also would like to mention that nowadays the preferred load balancer would be the Application Control Engine (ACE).
    This device will definitely replace the CSM in the near future.
    Gilles.

  • MARS and FWSM NAT translation

    Greetings
    I've been running CS-MARS along with an FWSM and IDSM for about a year now and have always wanted to know one thing.
    If the IDSM send an alert originating from the FWSM global IP I 'sometimes' get a translation into the internal NATed IP address. It's about a 10% success ratio.
    All systems are set with NTP to an internal server and I see no special pattern to it.
    Any ideas?
    Best regards
    Fredrik

    You need to check the NAT rules to find out which rule is working and changing the IP. After this scan the network traffic and determine at which particular traffic this happens.

  • CSM and FWSM

    Hello all,
    Would appreciate some insight on an issue I'm facing when trying to configure a CSM in a 6513 with a Firewall Module.
    The FWSM has IPs in all vlans and is in routing mode, also it is the default gateway for servers in all VLANs.
    There is also the MSFC in the same 6513 with interfaces on all vlans.
    I've done a lot of research but could not yet figure out what is the best topology for this implementation.
    Some places say it is best to do routing in the FWSM and bridging in the CSM.
    The problem I'm facing with the CSM in routing mode and the FWSM in routing mode is that servers from a certain vlan need to access application servers in other vlan on the same 6513, but the application servers don't point to the CSM as Def gateway but point directly to the Firewall Module.
    Any help is greatly appreciated.
    Marcio

    Hello Gilles,
    I have tried the configuration you advised and something strange is happening. I can access the servers directly, but not via VIP (I can ping the VIP). The config follows:
    module ContentSwitchingModule 7
     vlan 14 client
      ip address 10.200.240.54 255.255.255.0
      gateway 10.200.240.1
     vlan 50 server
      ip address 10.200.240.54 255.255.255.0
     probe TESTE1 http
      request method get
      interval 3
      failed 3
      port 80
     real LAPTOP
      address 10.200.240.230
      inservice
     real TESTE1
      address 10.200.240.12
      inservice
     serverfarm TESTE1
      nat server
      no nat client
      real name TESTE1
       inservice
      real name LAPTOP
       inservice
      probe TESTE1
     vserver TESTE1
      virtual 10.200.240.231 tcp www
      serverfarm TESTE1
      persistent rebalance
      inservice
    gateway 10.200.240.1 is the FWSM.
    I have captured packets with a sniffer on the server LAPTOP and the packets that reach the server come from IP 10.200.240.54 (the CSM interface on the client vlan). Shouldn't they come directly from the origin client?
    If I create an interface VLAN on the MSFC for VLAN 50 it works. Could you explain?
    Thanks,
    Marcio

  • 6500 has IDSM-2 and FWSM modules

    I got a task to configure a Catalyst 6509 with supervisor engine Sup720-10G-3C that has FWSM and IDSM-2 service modules.
    What considerations should I take into account, and is there any configuration example for both?
    thank you for your help

    There are many posts on this forum on this subject; did you try using the search function?
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml
    Regards
    Farrukh

  • ACE and FWSM Deployment design

    Hi,
    I have a new deployment with FWSM in single context and ACE in multiple context. I actually need 3 contexts. What is the best mode of deployment of FWSM with ACE? I want to have the gateway of all real servers as the firewall.
    Shall it be something like this: MSFC -> FWSM -> ACE -> Real servers?
    What mode should the FWSM be in?
    with regards
    sathappan.s

    Hi
    You don't need to match FWSM contexts to ACE contexts. You are quite right in what you say, in that you could use one routed context on the FWSM and use different interfaces in that context for each ACE context.
    It all depends on how you want to organise it. For example, it could be argued that having matching contexts allows for easier administration, having both the FW ruleset and the ACE rules "tied" to each other. Also, if you have separate depts. managing their firewalls/load balancers, contexts are the way to go.
    As I said before, it often comes down to licenses/cost, but yes, it is possible to use only one FWSM context.
    Jon

  • Skype on WAAS and FWSM problem

    The customer network has two kinds of situations: behind the FWSM or not. Skype already operated normally under these two kinds of network construction. When WAAS is deployed, clients behind the FWSM that use Skype have very heavy delays, even connection errors. The other network, whose clients are not behind the FWSM, can still use Skype normally as before.
    I used Wireshark to sniff the packets. Skype behind the FWSM will use TCP in place of UDP. WAAS will intercept the TCP and cause the voice delays.
    I set the client's Skype software to use port 14676 for connections and disabled 80/443 as substitution. And I made a classifier on WAAS to pass through ports 14676 and 443. In the transaction logs on WAAS I can see some APP CFG bypass entries, but not for all of them.
    I sniffed the client again. Skype behind the FWSM uses port 443 and 14676 or other random ports for connections. When Skype uses port 443 or 14676 it works happily, but when Skype uses some other random port it fails again.
    How should I solve this problem? WAAS cannot bypass the Skype voice traffic.

    Ivan,
    Are all of the necessary ports open on the FWSM? Does Skype work when FWSM is removed? WAAS is not doing anything specific to Skype traffic, it is just being handled at the TCP layer. If possible, a packet capture from the client and WAEs may help point us down the right path.
    Zach

  • IOS SLB and FWSM

    Hi, this may be a silly question but is there any problem with configuring IOS SLB on a 6509 which also has a FWSM module in it and the Servers being load balanced are behind the FWSM?

    The only thing to consider is that by FWSM, you most likely will be running multiple VRFs on the switch and IOS-SLB has some limitations regarding VRF.
    IOS-SLB probes are sent to the global routing table (VRF default) and you will need to 'no advertise' and add static routes to null0 to the VRF for the virtual IPs.
    Other than that, IOS-SLB works fine with the FWSM and VRF...

  • Problem with FWSM and L3 interface in same switch

    I have two 6513s with an 802.1q trunk connecting them. Each switch has redundant Sup720s running in Native mode, IOS ver 12.2(18)SXF (they were initially running SXD3). A FWSM (ver 2.3(3), routed mode, single context) is in each switch, setup in failover mode.
    I cannot get a PC, in a VLAN that has the layer 3 interface defined on the switch with the active FWSM in it, to communicate with devices "behind" the FWSM. If I move the layer 3 configuration for that VLAN to the other 6513, everything works fine.
    The MSFCs are on the inside of the firewall, they have a layer 3 interface configured in the same vlan as the FWSM "inside" interface. Several "same security level" interfaces are defined on the FWSM and used to protect server farms. I am using OSPF on the MSFCs and FWSM and the routing table is correct.
    The FWSM builds connections for attempts made by the PC with the layer 3 interface defined on the same switch as the active FWSM just fine, so this is not a FWSM ACL problem.
    A ping of the FWSM "inside" interface from a PC with the layer 3 interface defined on the same switch as the active FWSM fails, even though debug icmp trace on the FWSM shows the request and the response. A packet capture, using the NAM-2, shows only the request packets. I have captured on the common vlan and the FWSM backplane port channel interface.
    Just to add to the confusion, if I capture in the same places, but do the ping from a PC that is in a vlan with the layer 3 interface defined in the 6513 that does not contain the active FWSM, which works fine, I see the request and reply on the common vlan capture, but only the request on the port channel capture.
    This problem has been there from the beginning of this implementation and has not changed with IOS and FWSM software upgrades. I have experienced this with any and all vlans that I tried to define the layer 3 interface for on the switch with the active FWSM. I have MLS turned on.
    If anyone else has experienced this and solved it, or knows what is going on, I would appreciate any insight.
    Thanks.
    Keith

    I will have to get setup to record more data, but I do know the FWSM showed a ping request and a ping reply at the "inside" interface.
    I believe my problem is related to the IOS command "firewall multiple-vlan-interfaces", which I put in place to allow IPX traffic to be brought around the FWSM. The little documentation that there is for this command states that policy routing may need to be implemented to prevent IP packets from going around the firewall. I do not have any policy routing in place.
    I also do not have any active layer three interfaces defined for any of the VLANs assigned to the firewall except the "inside" interface. So my reasoning was that I did not need to be concerned about IP packets having a way around the FWSM. My suspicion is that this command, and the fact that I have MLS on, is causing some type of problem which results in the packet being "lost" when it needs to go through the MSFC in the switch with the active FWSM to get to the PC. Hopefully that makes some sense.
    Do you have any idea where better documentation on using the "firewall multiple-vlan-interfaces" command may be, or a better explanation of all that is happening inside the switch when that command is used?
    Thanks.

  • FWSM and CSM

    Folks,
    I know a lot of customers like to implement both at the same time, so that the FWSM can give protection to the CSM. Can someone point me to the sample config that talks about how to configure the 2 together? I remember looking at the config where the FWSM was configured in transparent mode and then the CSM was placed behind the FWSM. But there was a catch to the config which I forget.
    So let's say my FWSM is bridging between VLAN 10 and 11; will the CSM VIP be in VLAN 11 (high security interface on the FWSM)? Will this work? Where would my real servers reside? Has anyone tested this and could share a sample config please?

    I worked on a design where the FWSM was in Routed Mode and the CSM Server VLAN was on the secure network, and the FWSM had the necessary translations and access-lists to pass the traffic.
    For FWSM in Transparent mode, it would still be the same case where VIP is on the secure side of the network.
    thanks
    Nadeem

  • Is there any way to create a job in LMS4.2 to configure only switchports matching a specific description

    Hello Network Management gurus.
    I'm baffled by a lot of new features of LMS4.2 and seem lost where to start looking.
    Our client needs to periodically make changes to switches to change their port settings.
    They have specific descriptions with a certain string. Let's say the description say "Cisco phone".
    The task is to create either template or ad-hoc Netconfig job that will send changes only to those switchports.
    How can it be done?
    Thanks for your help in advance
    Eugene

    Thanks, Michel.
    I'm almost done except for the task/commands definitions.
    This is what I'm doing.
    1)  Admin -> System -> Group Management -> Port and Module (once I clicked "Port and Module" I'm redirected to Inventory -> Group Management -> Port and Module)
    2) I create a group named "VoIP switchport"
    3) Then I select the device that I need to configure. It is my switch SW2
    4) Then goes Rule Expression:
    Port.PortDescription equals "VoIP_Port" INCLUDELIST {:RME:INVENTORY:Port$-1172380997>,
    :RME:INVENTORY:Port$-1172380996>,
    :RME:INVENTORY:Port$-1172380995>,
    :RME:INVENTORY:Port$-1172380994>,
    :RME:INVENTORY:Port$-1172380993>}
    In human language it says that the switchport description should match the string "VoIP_Port" and it is applicable to 5 ports; they are the Fa0/1 through Fa0/5 interfaces of the switch.
    The fun starts when I try to create a job to push some VoIP parameters to the switchports in question.
    I create a new NetConfig job, select "Port based" type job, then I select the device which is a redundant step for me. I expect the job selector is smart enough to select the device based on my "Port and Module" group created previously.
    Anyways, when I click "Next" I select my Port group which is "VoIP switchport" and then the next screen suggests to select the task. I assume I should select "Adhoc task". When I add an instance of this task I'm presented with a screen prompting to configure CLI commands. This is where I stopped.
    What am I starting with? Should I go to the global config mode first ? If I want to send the command "switchport voice vlan 15" should I just add it in the CLI field? How am I applying it only to the required 5 ports?
    If I start the job anyway it fails and the error message is no applicable devices.

  • CSM 3.3.1 and 6500

    Hello,
    We are facing a problem with CSM 3.3.1 and 6500 switch with FWSM. We have 2x 6500 switches with 2 supervisors in each + 2 FWSM cards one in each chassis. The problem is that we have CSM 3.3.1 that manages the switch and FWSM. The problem is that when we try to delete a VLAN in 6500 we get a deployment failure because the switch outputs this message:
    % Applying VLAN changes may take few minutes. Please wait..
    We are using the following IOS version.
    CSR-CORE#sh ver
    Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI2a, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Sep-09 01:00 by prod_rel_team
    ROM: System Bootstrap, Version 12.2(17r)SX6, RELEASE SOFTWARE (fc1)
    CSR-CORE uptime is 22 weeks, 6 days, 23 hours, 59 minutes
    Uptime for this control processor is 22 weeks, 6 days, 23 hours, 55 minutes
    Time since CSR-CORE switched to active is 22 weeks, 6 days, 23 hours, 55 minutes
    System returned to ROM by  power cycle at 06:42:16 UTC Fri Feb 12 2010 (SP by power on)
    System restarted at 11:10:39 EEST Mon Jun 14 2010
    System image file is "sup-bootdisk:s72033-ipservicesk9_wan-mz.122-33.SXI2a.bin"
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    cisco WS-C6509-E (R7000) processor (revision 1.5) with 983008K/65536K bytes of memory.
    Processor board ID SMC1401000U
    SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
    Last reset from s/w reset
    30 Virtual Ethernet interfaces
    116 Gigabit Ethernet interfaces
    12 Ten Gigabit Ethernet interfaces
    1917K bytes of non-volatile configuration memory.
    8192K bytes of packet buffer memory.
    65536K bytes of Flash internal SIMM (Sector size 512K).
    Configuration register is 0x2102
    CSR-CORE# 
    Note that we are NOT using VSS.
    TIA,
    Nicos

    Hi all,
    Sorry for not replying earlier. We found a workaround, as quoted below:
    Changing How Security Manager Responds to Device Messages
    Security Manager has built-in responses to many of the response messages that can be encountered when configuring a device. You might find that messages Security Manager treats as errors are messages that you want to ignore or treat as informational. Although you can configure your deployment jobs to ignore errors, you might instead want to update Security Manager to treat specific messages differently. To change how Security Manager treats a message, you need to update the DCS.properties file in \CSCOpx\MDC\athena\config folder in the installation directory (usually c:\Program Files).
    Use a text editor such as NotePad to update the file. It is easiest to determine the message you want to ignore by looking at the transcript of a deployment job that encountered the error using these steps:
    Step 1 Select the job with the error message from the Deployment Manager window.
    Step 2 Click the Transcript button in the Deployment Details tab to open the transcript.
    Step 3 Identify the error text that you want to ignore.
    Step 4 Locate the appropriate warning expressions property in the DCS.properties file. For example, for PIX devices the property is called dev.pix.warningExpressions, whereas for IOS devices the property is called dev.ios.warningExpressions. Conversely, you can make device responses that are not tagged with the Error prefix appear as error messages. To do this, add the message to the Error Expressions list (for example, dev.pix.ErrorExpressions).
    Step 5 Add the error text to the warning expressions list. The warning message should be a generic regular expression string. Except for the last expression, you must delimit all expressions with “$\”. For example, if the message you want to ignore is “Enter a public key as a hexadecimal number,” enter the following string: .*Enter a public key as a hexadecimal number .*$
    Step 6 Restart the CiscoWorks Daemon Manager.
    This has resolved the issue successfully.
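To make the workaround above concrete, here is an added example (not from the post or from Cisco Security Manager) that models how a DCS.properties warningExpressions/ErrorExpressions list can be read and applied to device output. It assumes the property is a Java-style properties line whose expressions end in "$" and are continued with a trailing backslash (the "$\" delimiter the reply describes), that error expressions take precedence over warning expressions, and that any unmatched response beginning with the IOS "%" prefix counts as an error; the properties excerpt and the output lines are constructed.

```python
import re

# Constructed excerpt in the layout the reply describes (not a real
# DCS.properties): each expression ends in "$" and the line is continued
# with a trailing backslash, except for the last expression.
SAMPLE_PROPERTIES = r"""
# constructed excerpt, not a real DCS.properties
dev.ios.warningExpressions=.*Enter a public key as a hexadecimal number .*$\
.*Applying VLAN changes may take few minutes.*
dev.ios.ErrorExpressions=.*Invalid input detected.*$\
.*Incomplete command.*
"""


def load_properties(text):
    """Minimal Java-properties reader: key=value lines, '#' comments,
    and a trailing backslash that joins the next line (leading
    whitespace of the continuation line is dropped, as Java does)."""
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        key, _, value = "".join(pending).partition("=")
        props[key.strip()] = value
        pending = []
    return props


def split_expressions(value):
    """Split the joined value on the '$' end anchors that delimit the
    expressions and re-attach the anchor so each pattern still matches
    a whole response line. Assumes no literal '\\$' inside a pattern."""
    return [part + "$" for part in value.split("$") if part]


def classify(response, props, platform="ios"):
    """Return 'error', 'warning' or 'ok' for one line of device output.
    Assumed precedence for this example: ErrorExpressions first, then
    warningExpressions, then the IOS '%' prefix as the default error."""
    for kind in ("Error", "warning"):
        key = "dev.%s.%sExpressions" % (platform, kind)
        for pattern in split_expressions(props.get(key, "")):
            if re.match(pattern, response):
                return kind.lower()
    return "error" if response.startswith("%") else "ok"


if __name__ == "__main__":
    props = load_properties(SAMPLE_PROPERTIES)
    # The VLAN message from the original deployment failure is now a warning.
    for line in ("% Applying VLAN changes may take few minutes. Please wait..",
                 "% Invalid input detected at '^' marker.",
                 "Building configuration..."):
        print("%-8s %s" % (classify(line, props), line))
```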
