Release Notes for Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Software Release 1.1(x)


August 2004

This document contains release information for the following FWSM Releases:

1.1(4)

1.1(3)

1.1(2)

1.1(1)

The FWSM requires Cisco IOS Software Release 12.1(13)E or higher and Catalyst operating system software release 7.5 or later.


Note For detailed installation and configuration procedures for the FWSM, refer to the Catalyst 6500 and Cisco 7600 Series Firewall Services Module Installation and Configuration Note at http://www.cisco.com/en/US/docs/security/fwsm/fwsm11/configuration/guide/fwsm112.html



Note Except where specifically differentiated, the term "Catalyst 6500 series switches" includes the Catalyst 6000 series switches, the Catalyst 6500 series switches, and the Cisco 7600 series router.



Note For information on the latest caveats and updates for the Cisco 7600 series router, refer to the Cisco IOS Release 12.1(7a)E1 release notes or later MSFC release notes at http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notices_list.html



Note Release notes for prior Catalyst 6500 series and Cisco 7600 series router software releases were accurate at the time of release. However, for information on the latest caveats and updates to previous software releases, refer to the release notes for the latest maintenance release in your software release train. You can access all Catalyst 6500 series and Cisco 7600 series release notes at the World Wide Web locations listed in the "Obtaining Documentation and Submitting a Service Request" section.


Contents

System Requirements

New and Changed Information

Limitations and Restrictions

Caveats

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request

System Requirements

This section describes the system requirements for the Catalyst 6500 series and Cisco 7600 series Firewall Services Module software release 1.1(4).

Memory Requirements

The Catalyst 6500 series and Cisco 7600 series Firewall Services Module memory is not configurable.

Hardware Supported

Before you can use the Catalyst 6500 series and Cisco 7600 series Firewall Services Module, you must have a Supervisor Engine 1a (Catalyst operating system only) and an MSFC 2, or a Supervisor Engine 2 (Catalyst operating system and Cisco IOS) and an MSFC 2, and any module with ports to connect server and client networks.

| Product Number | Product Description | Minimum Software Version | Recommended Software Version | Catalyst Operating System Software | Cisco IOS Software |
|---|---|---|---|---|---|
| Firewall Services Module | | | | | |
| WS-SVC-FWM-1-K9 | Firewall Services Module | 1.1(4) | 1.1(4) | 7.5 | 12.1(13)E |
| SC-SVC-FWM-1.1.4-K9 | Firewall Services Module Software | 1.1(4) | 1.1(4) | 7.5 | 12.1(13)E |
| WS-SVC-FWM-1-K9 | Firewall Services Module | 1.1(3) | 1.1(3) | 7.5 | 12.1(13)E |
| SC-SVC-FWM-1.1.3-K9 | Firewall Services Module Software | 1.1(3) | 1.1(3) | 7.5 | 12.1(13)E |
| WS-SVC-FWM-1-K9 | Firewall Services Module | 1.1(2) | 1.1(2) | 7.5 | 12.1(13)E |
| SC-SVC-FWM-1.1.2-K9 | Firewall Services Module Software | 1.1(2) | 1.1(2) | 7.5 | 12.1(13)E |
| WS-SVC-FWM-1-K9 | Firewall Services Module | 1.1(1) | 1.1(1) | | 12.1(13)E |
| SC-SVC-FWM-1.1.1-K9 | Firewall Services Module Software | 1.1(1) | 1.1(1) | | 12.1(13)E |


Software Compatibility

Table 1 lists the FWSM software versions supported by Catalyst operating system software and Cisco IOS software.

Table 1 Firewall Services Module Software Compatibility

| Firewall Services Module Software: Application Image | Firewall Services Module Software: Maintenance Image | Catalyst Operating System Software | Cisco IOS Software |
|---|---|---|---|
| 1.1(4) | 2.1.1.2 | 7.5 with a Supervisor Engine 1a and an MSFC 2, or a Supervisor Engine 2 and an MSFC 2 | 12.1(13)E with a Supervisor Engine 2 and an MSFC 2 |
| 1.1(3) | 2.1.1.2 | 7.5 with a Supervisor Engine 1a and an MSFC 2, or a Supervisor Engine 2 and an MSFC 2 | 12.1(13)E with a Supervisor Engine 2 and an MSFC 2 |
| 1.1(2) | 2.1.1.2 | 7.5 with a Supervisor Engine 1a and an MSFC 2, or a Supervisor Engine 2 and an MSFC 2 | 12.1(13)E with a Supervisor Engine 2 and an MSFC 2 |
| 1.1(1) | 2.1.1.2 | 7.5 | 12.1(13)E with a Supervisor Engine 2 and an MSFC 2 |


Feature Set

The Firewall Services Module (FWSM) is a high performance firewall used on the Catalyst 6500 series switch and Cisco 7600 series router. The FWSM can occupy a single slot in the Catalyst 6500 series and Cisco 7600 series chassis or two slots in a redundant configuration. Two modules can also reside in separate chassis in a failover configuration.

The Firewall Services Module provides the following features:

Switch fabric compatibility.

Interface configuration that can be done through both the native Cisco IOS command-line interface and the module command-line interface.

PIX 6.0-based feature set and some 6.2 features.

LAN failover active or standby (both intra- or inter-chassis).

Dynamic routing, Open Shortest Path First protocol (OSPF) (the module maintains its own OSPF tables), and Routing Information Protocol (RIP).

IPSec for management only.

Command authorization.

Object grouping.

URL filtering enhancement—The module checks the outgoing URL requests with the policy defined on a Websense, Windows NT, or UNIX-based server. The module either permits or denies the connection depending on the response from the server, which matches a request against a list of website characteristics that are considered inappropriate for business use.

Support for PIX 6.0 application inspection, which ensures the secure use of applications and services. Application inspection rules are configured using the fixup command, which is why application inspection is called "fixup."


Note Throughout this document, the term "fixup" applies to application inspection and configuring the application inspection process or application inspection rules.


Support for Lightweight Directory Access Protocol (LDAP) or Internet Locator Service (ILS) fixup for NetMeeting.

Security—Cisco firewalls provide the latest in security technology, ranging from stateful inspection firewalls to content-filtering capabilities that help protect your network environment from future attacks. Another security feature is the Adaptive Security Algorithm (ASA), which maintains the firewalled areas between the networks controlled by the firewall.

The stateful, connection-oriented ASA creates session flows based on source and destination addresses, TCP sequence numbers (which are non-predictable), port numbers, and additional TCP flags. You can control all inbound and outbound traffic by applying security policies to each connection table entry.

Reliability—Cisco firewalls provide adaptable security services for operation-critical network environments by using the integrated stateful failover capabilities within the module. Network traffic can be sent automatically to a hot standby module in the event of a failure, while maintaining concurrent connections with automated state synchronization between the primary module and the standby module.

Network Address Translation (NAT) and Port Address Translation (PAT)—Cisco firewalls provide NAT and PAT services that conceal IP addresses of internal networks and expand network address space for internal networks.

Denial-of-service (DoS) attack prevention—Cisco firewalls protect the firewall and networks behind them from attempts to gain access, which can bring a network to a halt.

Cisco PIX Device Manager (PDM) 2.1 support—PDM is a browser-based Java applet you can use to configure the Firewall Services Module.

PDM must be downloaded and installed for the Firewall Services Module release 1.1. Refer to the "Upgrading the PDM" section on page 3-10 of the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note for download and installation information.

The Firewall Services Module 1.1(2) software release is shipped with a preinstalled PDM 2.1 image. You can download the image from CCO to upgrade PDM if necessary.

When the Firewall Services Module software is the platform, PDM will display modified screens for features not supported by the module. To use the PDM to configure the module, refer to the Cisco PIX Device Manager Installation Guide, Version 2.1.

The following PIX firewall features are not supported by the module:

Virtual private networks (VPN) (The module supports IPSec VPN only for management purposes.)

Intrusion detection system (IDS) syslog messages.

Cisco Secure Policy Manager (CSPM)

Conduits

DHCP (Dynamic Host Configuration Protocol) client

Specifications and System Limitations

Table 2 lists the specifications and system limitations of the FWSM.

Table 2 FWSM Specifications and System Limitations

| Specification Type | Specification Names | Description |
|---|---|---|
| Physical Attributes | Modules per switch | Maximum of four modules per switch. If you are using failover, you can still have only four modules per switch, even if two of them are in standby mode. |
| | Memory | 1 GB RAM; 128 MB Flash memory |
| | Bandwidth | CEF256 module with a 6-Gbps path to the Switch Fabric Module (if present) or the 32-Gbps shared bus |
| Feature Limits | Filtering servers | 16 Websense Enterprise filtering servers |
| Managed System Resources | IPSec management connections, concurrent | 5 connections |
| | TCP[1] or UDP[2] connections between any two hosts, including connections between one host and multiple other hosts, concurrent and rate | 999,900 connections; 100,000 connections per second |
| | Fixup connections, rate | 10,000 per second |
| | PC based fixup connections, rate | 10,000 per second |
| | Host connections, concurrent | 256,000 |
| | SSH[3] management connections, concurrent | 5 connections |
| | System messages, rate | 20,000 per second |
| | Telnet management connections, concurrent | 5 connections |
| | NAT translations, concurrent | 256,000 |
| Fixed System Resources | NAT statements | 1,000 statements |
| | High-performance firewall | 5 Gbps (aggregated) |
| | Concurrent connections | 1 million |
| | Packets per second | 3 million pps |
| | New connections per second for HTTP, DNS, and enhanced Simple Mail Transfer Protocol (SMTP) | 7,000 |
| | VLAN interfaces (no physical interfaces on the module) | 100 |
| | Static NAT statements | 1,000 statements |
| | Global statements | 1,000 statements |
| | Shun statements | 2,000 statements. The FWSM supports at most 2,000 shuns; that number is contingent upon finite hardware resources and cannot be increased. |
| | Alias statements | 1,000 statements |
| | User authentication sessions, concurrent | 5,000 sessions |
| | User authorization sessions, concurrent | 150,000 sessions. Maximum 15 sessions per user. |
| | ARP[4] table entries, concurrent | 64,000 entries |
| | Route table entries, concurrent | 32,000 entries |
| | Packet reassembly, concurrent | 30,000 fragments |
| Rules | Filter rules, fixup and filter statements combined | 3,000 rules and statements |
| | Established CLI rules | 1,000 rules |
| | Established data | 1,000 implicit rules used by TCP and UDP fixups to allow back channels |
| | | 3,000 statements |
| | AAA rules | 3,000 rules: 1,000 rules for authentication, 1,000 rules for authorization, and 1,000 rules for accounting |
| | ICMP[5], Telnet, SSH, and HTTP[6] rules | 1,000 rules |
| | ACEs | 72,000 ACEs (best case) |

[1] Transmission Control Protocol

[2] User Datagram Protocol

[3] Secure Shell

[4] Address Resolution Protocol

[5] Internet Control Message Protocol

[6] HyperText Transfer Protocol


Firewall Module and PIX Differences

The FWSM is a separate implementation from the PIX and has these differences:

The system option (sysopt) service for inbound and outbound connections is not supported in the FWSM.

Fragmentation is disabled by default on the FWSM.

By default, FWSM access lists are defined as deny any any.

PIX and the PIX Device Manager (PDM) support a Telnet timeout up to 60 minutes. The FWSM supports timeout up to 1440 minutes.

CSCea25486

The FWSM behavior has been changed. Overlapping or redundant static address translation entries are no longer accepted. An error is generated and the overlapping or redundant static address is not added to the configuration.

Workaround: None.

CSCdx93864

The FWSM tears down all the connections from or to the shunned IP address, even if specific connection parameters have been specified in the applied shun command. This behavior is different from that of PIX. In the FWSM implementation, when the shun is applied with full connection parameters (source IP, destination IP, source port, destination port and protocol), all connections from or to the source IP address are torn down.

Workaround: None.

CSCdx91902

An attempt to assign an access list to the nat (interface) 0 access-list command that contains protocol or port numbers fails and generates an error message. The behavior for the nat (interface) 0 access-list command differs from that of PIX. For the FWSM, the access list being configured with the nat 0 access-list command cannot contain protocol or port numbers. Only access lists that have no rules with protocols or port numbers will be accepted as part of the nat (interface) 0 access-list command.

Workaround: Configure only those access lists that have rules with no protocols or port numbers.

CSCdx81768

The FWSM does not report the most used connection count. This value is also not reported by the SNMP agent Firewall MIB. The show connection count command displays only the current number of connections and not the most used connections.

Workaround: None.

CSCdx14768

The clear nameif command is not supported and displays an error message.

Workaround: Use the no nameif command. (See caveat CSCdx14699).

CSCdx14699

You cannot change the interface name once it is assigned using a nameif command. Trying to change the name of the interface using the nameif command results in an error message.

Workaround: Delete the old interface using the no nameif command, and assign it with a new name. All configuration parameters tied to that interface are lost when you run the no nameif command. (See caveat CSCdx14768).

New and Changed Information

The FWSM runs on Cisco IOS Software Release 12.1(13)E or higher and the Catalyst operating system software release 7.5 and is supported by the Supervisor Engine 1a (Catalyst operating system only), Supervisor Engine 2 (Catalyst operating system and Cisco IOS) and an MSFC 2.

New Command Line Interface (CLI) additions support the FWSM in the Catalyst operating system. Refer to the Catalyst 6500 Series Command Reference (7.5) for descriptions of these commands.

Multiple VLAN interfaces are supported in Cisco IOS Release 12.2(14)SY and the Catalyst operating system software version 7.6(1).


Note To prevent traffic from bypassing the firewall, policy-routing may be required when enabling support for multiple VLAN interfaces on the switch.


To create multiple VLAN interfaces on the switch, use these commands:

For Cisco IOS software:

firewall multiple-vlan-interfaces
no firewall multiple-vlan-interfaces

For the Catalyst operating system software:

set firewall multiple-vlan-interfaces {enable|disable}

The Firewall Services Module 1.1(2) software release is shipped with a preinstalled PDM 2.1 image.

CSCdz51094

The command-line interface in the FWSM contains changes that add new functionality to manually trigger ACL compiling.

Workaround: None.

As part of the fix for CSCeb78838, the following syslog message is added in the FWSM 1.1(3) release.

Error Message    Syslog:440520 - ILS <msg_id> from <interface>:<ip/port> to <interface>:<ip/port> has wrong embedded address

Explanation    The ILS message source IP does not match the IP address embedded in the payload. This most likely means that the client is behind another NAT device that does not recognize ILS. The message is allowed through the firewall.

Recommended Action    This is a warning informational message. No action is required.

Limitations and Restrictions

The following apply:

The following features are currently not supported in this release but are planned for support in the next FWSM releases:

Support for Jumbo Frames

Auto-update Feature

Support for OSPF flood reduction feature

In FWSM release 1.1(2), static commands with overlapping addresses result in CLI errors. In FWSM 1.1(1), such configurations result in a warning message only. You may encounter this issue if the PIX MC (Management Center) is used to manage the FWSM. PIX MC generates additional static commands for end points of the network when it deploys a static command on a network. For example, when deploying the command static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0 0 0, PIX MC generates two additional rules: static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.255 0 0 followed by static (inside,outside) 1.1.1.255 1.1.1.255 netmask 255.255.255.255 0 0. This overlap results in CLI errors when deployed to FWSM 1.1(2).

A patch will be released for PIX MC to address this issue. The patch version will be PIX MC 1.1(1). With the patch, the PIX MC will not generate the two additional static commands if the device operating system is FWSM Release 1.1(1) or FWSM Release 1.1(2).
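The static overlap check that FWSM 1.1(2) enforces (see also CSCea25486 under "Firewall Module and PIX Differences") can be run against a configuration before it is pushed, so the PIX MC case above is caught ahead of deployment. The following checker is an added example, not Cisco's code; it assumes the PIX/FWSM 1.x static syntax shown in the text and treats statics on different interface pairs as independent, and the sample configuration is constructed.

```python
import ipaddress
import re

# Constructed sample configuration (not from the release notes): the /24 static
# from the text plus the two /32 endpoint statics that PIX MC generates for it,
# an unrelated /16 static, an exact duplicate of that /16, and a static on a
# different interface pair that must not be flagged.
SAMPLE_CONFIG = """\
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.255 1.1.1.255 netmask 255.255.255.255 0 0
static (inside,outside) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (inside,outside) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (dmz,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0 0 0
"""

# PIX/FWSM 1.x syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask ...
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)\s+"
    r"netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
)


def parse_statics(config_text):
    """Return (line_no, (real_if, mapped_if), mapped_net, real_net) for every
    static statement in the configuration; other lines are ignored."""
    statics = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mask = m.group("mask")
        # strict=False: the address in a static need not be the network address
        mapped_net = ipaddress.ip_network(f"{m.group('mapped')}/{mask}", strict=False)
        real_net = ipaddress.ip_network(f"{m.group('real')}/{mask}", strict=False)
        ifpair = (m.group("real_if").strip(), m.group("mapped_if").strip())
        statics.append((line_no, ifpair, mapped_net, real_net))
    return statics


def find_static_conflicts(config_text):
    """Return (line_a, line_b, kind) for each pair of statics on the same
    interface pair that FWSM 1.1(2) would reject: 'redundant' for an exact
    duplicate, 'overlapping' when the mapped or the real ranges intersect.
    Assumption (not stated on the page): different interface pairs never clash."""
    statics = parse_statics(config_text)
    conflicts = []
    for i, (line_a, if_a, mapped_a, real_a) in enumerate(statics):
        for line_b, if_b, mapped_b, real_b in statics[i + 1:]:
            if if_a != if_b:
                continue
            if mapped_a == mapped_b and real_a == real_b:
                conflicts.append((line_a, line_b, "redundant"))
            elif mapped_a.overlaps(mapped_b) or real_a.overlaps(real_b):
                conflicts.append((line_a, line_b, "overlapping"))
    return conflicts


if __name__ == "__main__":
    for line_a, line_b, kind in find_static_conflicts(SAMPLE_CONFIG):
        print(f"line {line_a} and line {line_b}: {kind} static entries")
```

On the sample, the two /32 entries generated by PIX MC are reported as overlapping the /24 from line 1, and the duplicated /16 is reported as redundant.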

Caveats

These sections describe the following release caveats:

Open Caveats in Release 1.1(4)

Resolved Caveats in Release 1.1(4)

Open Caveats in Release 1.1(3)

Resolved Caveats in Release 1.1(3)

Open Caveats in Release 1.1(2)

Resolved Caveats in Release 1.1(2)

Open Caveats in Release 1.1(1)

Resolved Caveats in Release 1.1(1)

Open Caveats in Release 1.1(4)


Note For a description of caveats resolved in FWSM software release 1.1(4), see the "Resolved Caveats in Release 1.1(4)" section.


This section describes known limitations that exist in the FWSM software release 1.1(4).

CSCef16829

302001 and 302002 TCP connection system messages are not being generated consistently.

Workaround: None.

CSCef16466

System message 304001 is not being generated consistently.

Workaround: None.

CSCef05615

The maximum number of the translation slots (xlates) limit has been reached in the FWSM, and all resources are used.

Workaround: Enter the show xlate count command to determine if the maximum limit of translation slots (xlates) is reached.

CSCef00261

DNS connections that are initiated by an outbound DNS resolve request are not closing as soon as the reply from the server is received. Instead, the connections are subjected to general UDP timeouts.

Workaround: None.

CSCee89629

Stress traffic that continues for long periods of time with SNMP traps and logging enabled may cause the FWSM to lose memory with no recovery.

Workaround: None.

CSCee69451

Fixup RPC does not work with the NFS version 2 UDP port mapper.

Workaround: None.

CSCed83253

If you have a Global Pool defined for NAT and one global statement for PAT, the FWSM intermittently begins assigning the same NAT address to multiple inside hosts.

Workaround: Enter the clear xlate command to resolve the issue.

CSCec58341

When using the FWSM software release 1.1(2), an error stating "The flash device is in use by another task" may occur when you enter the show conf or write mem commands. When this message is logged, the module has only one session active (console), which cannot be halted.

Workaround: Reload the FWSM.

Resolved Caveats in Release 1.1(4)


Note For a description of caveats open in FWSM software release 1.1(4), see the "Open Caveats in Release 1.1(4)" section.


This section describes the resolved caveats in FWSM software release 1.1(4).

CSCef17283

The NP 3 loses its ingress buffers and gets stuck.

CSCef08101

Use of manual commit mode with large ACLs may cause the FWSM to crash.

CSCee95021

After several days of normal operation of FWSM 1.1(3.17) all NPs (including NP 3) may get stuck and no further packet processing is possible.

The show tech command displays the following errors:

------------------ show interface stats -------------
Interface stats query failed. Try again.
------------------ Fast Path (1) Stats --------------
ERROR: np_logger_query request for FP Stats failed
------------------ Fast Path (2) Stats --------------
ERROR: np_logger_query request for FP Stats failed
------------------ Slow path info ------------------
ERROR: np_logger_query request for retreiving Slow Path Stats failed

If the FWSM that crashes is used in a failover pair, then both modules become active, causing interruption of networks services. The traffic causing this situation is currently unknown.

Workaround: None.

CSCee77634

The ACL memory in NP 3 gets depleted with a 400 line ACL and 200 AAA entries. The AAA statements which are the last set of entries added to ACL memory are deleted when the module runs out of ACL memory.

Whenever the ACL memory is exhausted, a message is printed on the console and a syslog message with ID: 106024 is generated. In this case the message did not get printed. Improved memory utilization with some minor optimizations fixes this problem.

Workaround: None.

CSCee70314

If you configure the FWSM to permit TFTP or Oraserv (ports 69,1525), the module opens up a UDP vulnerability in the Firewall (1.1.x release). This vulnerability can lead to any UDP packets making it across the firewall even if there are ACLs configured to deny such packets.

Workaround: Deny ports 69 and 1525 using access-lists.

CSCee66825

The FWSM stops logging to syslog server(s), and crashes in the logger thread.

CSCee62839

Standby FWSM crashed and remained in failed state after reloading.

CSCee54891

With logical update enabled, in some very rare situations, a standby blade may experience a watchdog timeout while processing a specific message and crash.

Workaround: None.

CSCee34971

Large ACL compilation causes a failover problem. The problem does not occur when you reload the standby FWSM. It occurs only when you reload the active FWSM (whether it is the primary or the secondary unit makes no difference).

Workaround: Use the no fail active command on the active FWSM.

CSCee34015

The H.323 H.225 1720 fixup does not work properly when it is disabled at bootup. If you enter the no fixup h323 h225 1720 command, save the configuration, reload the FWSM, and then enter the fixup h323 h225 1720 command, the fixup does not work properly and debug h323 events displays nothing.

Workaround: Reboot the FWSM to resolve this issue.

CSCee29865

The FWSM crashes one or two times per day in the SIP fixup, with the following traceback:

------------
Thread Name: udp_sip (Old pc 0x00235cf2 ebp 0x0c51934c)

Traceback:
0: 005142e5
1: 00229dae
2: 0022a628
3: 0022cafa
4: 00138c1e
5: 00139067
6: 0013e9d3
7: 00140d07
------------

Workaround: None.

CSCee28584

When running the show console command (included in the show tech command) from a remote SSH management session, the SSH session may hang and cause high CPU use on the module until the SSH session is terminated through another management session.

Using another management tool (for example, Telnet, console through the switch, and so on) allows you to run the show console command, whose output shows that a very long line is present.

Workaround: Use the Telnet or console to manage the module instead of SSH.

CSCee24308

FWSM running 1.1.3 crashed during a simultaneous multi-user access.

CSCee23146

When pushing big configurations with custom scripts, the inside interface stops responding to ICMP. Oracle cluster fails over because the Oracle database servers use ICMP as the keep-alive mechanism. Also when both FWSMs are on-line, as master and slave modules, the push takes much longer than when only one module is online.

Workaround: Break the configuration into smaller parts and push the smaller parts. Or, use a pause between pushes of ACLs to the different interfaces.

CSCee22117

Standby FWSMs running software release 1.1.3.14 crash at bootup with the logical update (LU) enabled.

Workaround: Disable the logical update (LU) or failover module. We recommend that you upgrade to a later software version.

CSCee21959

FWSM crashed in h323_ras thread.

Workaround: Disable the H323 RAS fixup with the no fixup protocol h323 ras 1718-1719 command.

CSCee12218

The sysopt connection tcpmss bytes command has no effect on the FWSM.

Workaround: None.

CSCee09684

Some UPS devices with network management through a Telnet session have an unusual TCP/IP stack. The SYN-ACK segment from such devices may also have the PUSH flag set. The FWSM drops these packets causing the Telnet session through the FWSM to the UPS to fail.

Workaround: None.

CSCee05560

When connecting a FWSM as the standby module, the active module detects the standby module and sends the configuration to it. However, the compilation fails with a memory error. The compilation will complete properly if compilation is done through the config net command.

Workaround: None.

CSCee05440

Standby FWSM crashes at the send_xlate_query_to_np.

CSCee02795

Compilation of ACLs fails with no error. Uploading several ACLs or ACEs to the FWSM fails the compilation with no errors sent. Using big files with ACLs or ACEs with groups may exhaust No errors are displayed until the module is reloaded.

Workaround: Use fewer ACLs or ACEs.

CSCed87620

The FWSM syslog does not display the UDP connection ID. There is no UDP connection ID displayed at UDP logs so it is not possible to determine which teardown message belongs to which built message.

Workaround: None.

CSCed87613

The FWSM syslog does not show the UDP syslog information. Duration of UDP connections and transferred bytes are not displayed.

Workaround: None.

CSCed87609

The FWSM syslog prints incorrect information. The syslog shows connection duration is 0 although a finite time has elapsed for that connection.

Workaround: None.

CSCed81366

When using FWSM with WS-X6816-DFC3A module, it may take up to 5 minutes for the failover and the stateful failover does not work.

Workaround: None.

CSCed76775

The output of the show pdm history feature xlate command does not always display the correct number of xlates in use and the most used xlates. The numbers differ from the actual number of xlates represented in the output of the show xlate count command. Because of this situation, when you graph the number of xlates in use, and those xlates most used in the PDM, the output is incorrect.

Workaround: Use the output from the show xlate count command. There is no current workaround when graphing PDM xlates.

CSCed76739

The show xlate command does not always display all xlates. You can count the number of xlates in the output of the show xlate command and it does not add up to the number represented in the output of the show xlate count command.

Workaround: Use the show local-host command, or use show xlate interface interface command.

CSCed71423

The aaa accounting include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+ command when used on the FWSM causes all TCP traffic to stop passing through the module. UDP traffic still operates correctly. This situation only occurs when AAA accounting is used without AAA authentication or authorization. When all three AAA methods are used together, TCP traffic does not appear affected. This defect occurs on FWSM software releases 1.1(2)5 and 1.1(3).

Workaround: None.

CSCed70659

When the active FWSM is powered down, the traffic does not resume through the new active module.

Workaround: None.

CSCed57167

Sometimes during a corner case, the FWSM crashes in the i82543_timer thread when receiving a message on the EOBC port.

Workaround: None.

CSCed56932

The FWSM does not currently support OSPF Type 10 (Opaque) LSAs. If the FWSM has OSPF neighbors that are passing Type 10 LSAs, the FWSM currently advertises that it will accept them, but drops them when they are received. This situation causes the FWSM to stay in a loading state with the OSPF neighbor that is sending the Type 10 LSAs.

Workaround: Remove traffic engineering configurations on the FWSM's OSPF neighbors. Or, place the FWSM and its neighbors in their own OSPF area, so that Type 10 LSAs are not included in that area. The FWSM can now advertise that it does not support Type 10 LSAs.

CSCed56580

During the initial TCP session established through the FWSM, if the inside server NAT responds with 2 simultaneous SYN-ACK packets, the final ACK for session establishment is not permitted back through the FWSM.

Workaround: None.

CSCed50344

When using cut-through authentication and you configure a finite value for the inactivity timer, you must re-authenticate each time the configured inactivity interval elapses, even though the session has not actually been idle (for example, the connections you set up have been active, or you have set up new connections). This problem was observed in FWSM software release 1.1.3.

Workaround: None.

CSCed47425

Applying configuration changes to ACLs using the manual-commit mode causes traffic on the interface to which that ACL had been bound to be dropped for some time. This problem exists only while using manual-commit mode.

This problem applies to users or the management tools running in the manual-commit mode to apply ACL configuration changes to the module.

Workaround: Use the following command sequence to ensure that traffic loss is not observed while making changes in manual-commit mode, until the fix is available in a later release.

1. Enter manual-commit mode

2. Run the no access-list blah command

3. Add new ACEs with the same name to reflect the modified access-list

4. Run the access-list commit command or the access-list mode auto-commit command to go back into auto-commit mode.

5. Update or reapply the access-group binding to bind blah to the original interface.

In this sequence, traffic on the interface to which blah was attached is dropped from step 2 until the access-group binding is reapplied in step 5.

CSCed43840

Fixup lookup fails with port ranges.

Workaround: None.

CSCed31238

The FWSM drops WINS traffic if the packets are sourced from a client on a higher security level interface, destined to a server on a lower security level interface.

Workaround: If you are not using NAT, disable the NetBIOS fixup using the no fixup protocol netbios command.

CSCed22209

When using Policy based NAT (NAT ifc 0 access-list) on FWSMs, not all connections are copied to the standby. In particular fixup specified connections (for example, FTP data connections from the FIXUP protocol FTP) do not appear in the xlate table of the secondary module and they fail following a failover event.

Workaround: Use straight NAT ifc n network,mask constructs.

CSCed19419

In a failover environment, some traffic that relies on statics stops passing through the FWSM. If the no failover active command is run, the statics disappear on the FWSM on which this command was run. If this command is run on the primary or active module and then run on the secondary or active module, the primary module resumes the role of the active module and the statics will not exist.

If the statics are reconfigured on the active FWSM, the Unable to download Static Entry message is displayed. This problem only exists in FWSM software release 1.1(3.4).

Workaround: Reload both FWSMs at the same time then ensure that the statics remain by running the show config command.

CSCed15690

If you are using a stateful failover pair of FWSMs running software releases 1.1(3) and 1.1(3)3 and you initiate an FTP session through the active blade, when the primary blade fails the FTP session stays up but the data transfer is terminated. When you observe the host's connection through the secondary module, only the control channel is seen as open. If you connect through the now-active secondary module and initiate a GET for the file, the transfer begins. When you observe the connection status between the two FWSMs, the secondary module lacks the data connection that is present on the primary module.

Workaround: None.

CSCec89158

When an FWSM running software release 1.1.x is configured with the service resetinbound or service resetoutside commands, the module does not send a reset back when a denied SYN packet is received. The module does, however, perform the standard reset for non-SYN packets for which no connection is built.

Workaround: None.

CSCec81482

Normal-priority threads are being starved. When this situation occurs, a counter is incremented, allowing you to determine what conditions result in starvation and perhaps implement some corrective actions. The normal-priority queue must be allowed to process once for every 8 processing runs of the high-priority queue in which high-priority threads still remain to be run. If there are no high-priority threads hogging the CPU, the behavior is the same as the currently running scheduler.

Workaround: Change the process scheduler to allow the normal priority threads to run.

CSCec76399

Under rare circumstances, the FWSM may crash with the thread name h323_ras. In some cases, a packet reached the FWSM for a connection that should already have expired.

Workaround: If you are not passing H323 RAS messages through the FWSM, then disable the H323 RAS fixup using the no fixup protocol h323 ras 1718-1719 command.

CSCec72379

Sessions drop for TN3270 users running through the FWSM. Even after the TCP timeout was changed from 1 hour to 8 hours, the connections dropped after anywhere from 5 minutes to just over 1 hour.

Workaround: None.

CSCec67902

Some access-lists failed to be downloaded to the network processor, causing the FWSM to fail at the next reboot.

Workaround: None.

CSCec66799

Only the first established command entered into the FWSM will actually take effect. All other established commands are ignored. For example, if these commands are entered into the FWSM:

FWSM(config)# established tcp 514 0 permitto tcp 6000-6010 permitfrom tcp 1024-65535
FWSM(config)# established tcp 513 0 permitto tcp 6000-6010 permitfrom tcp 1024-65535
FWSM(config)# established tcp 512 0 permitto tcp 6000-6010 permitfrom tcp 1024-65535
FWSM(config)# established tcp 23 0 permitto tcp 6000-6010 permitfrom tcp 1024-65535
FWSM(config)# established tcp 22 0 permitto tcp 6000-6010 permitfrom tcp 1024-65535
FWSM(config)# established tcp 21 0 permitto tcp 6000-6010 permitfrom tcp 1024-65535

Only the first command for the outbound TCP connection port 514 works.

Workaround: None.

CSCec62023

The FWSM stops forwarding traffic at the slow path when AAA authentication and authorization are configured, and there is a high number of users generating traffic.

Workaround: Reload the FWSM.

CSCec58457

FWSM software release 1.x currently syslogs all denied packets using syslog ID 106023. This includes packets that are dropped because of the implicit deny ip any any statement at the end of every access-list. This syslog is also logged if no access-list is applied to an interface, because the FWSM defaults to denying all traffic when no ACL is applied. This behavior is inconsistent with PIX and Cisco IOS.

Workaround: The behavior of the FWSM will be modified in a future release so that it no longer logs implicitly denied packets. If you want to syslog all denied packets, you can add an explicit deny-all ACE as the last entry in your ACLs. For example:

FWSM(config)# access-list <acl> deny ip any any

CSCec49782

TFTP connections may begin to fail through the FWSM because there is a limit of 1,000 TFTP connections through the FWSM at any one time. The FWSM has a system limitation of 1,000 established nodes and each TFTP connection uses an established node. When the TFTP connection is torn down, the established node should also be removed.

Because of this caveat, TFTP connections can be torn down without removing their associated established node. If this happens several times, no new TFTP connections can be created because no established nodes are available. In this situation, no syslog is generated to alert you that this has occurred. The TFTP connection fails, with no indication as to why. To verify that this problem has occurred, run the show np 3 stats command, and look for the following line:

--> Est<->HO Errors        : 850  <---

If this number is non-zero, there is a good chance you are running into this problem.

Workaround: Clear the local-host table using the clear local-host command.


Note This command may not clear all of the established nodes in all of the scenarios.


CSCec45573

New vulnerabilities in the OpenSSL implementation for SSL have been announced. An affected network device running an SSL server based on the OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client. The network device is vulnerable even if it is configured not to authenticate certificates from the client.

This advisory is posted at this URL:

http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml.

Workaround: Refer to the advisory URL for the workarounds that are available to mitigate the effects of these vulnerabilities.

CSCec36996

In rare circumstances, two instances of the same network object might be observed in an object group. The object group is involved in complex access-lists, which require a lot of CPU resources while new members are added to the object group.

The root cause of this problem is that processing continued for too long during access-list compilation.

Workaround: To dramatically decrease the ACL compile time, delete the object that is listed multiple times from the CLI, then add that object back. Wait until the operation completes.

CSCec34413

The FWSM performs through-traffic authentication by matching traffic against an access-list. Caveat CSCeb83847 indicated that the only valid ACEs in an aaa authentication match ACL statement are for FTP, Telnet, HTTP, or TCP/0, which is not correct. Any ACE that is created should be valid when applied to an aaa authentication match ACL command statement. The FWSM should behave as follows:

If the FWSM receives a packet that matches an ACE applied to an aaa authentication match ACL statement, and the ACE is a deny, the packet is passed to the next process.

If the ACE is a permit, a check is made to verify that the source IP is already authenticated. If the source IP is authenticated, the packet is passed to the next process.

If the source IP is not authenticated and the packet is FTP, Telnet, or HTTP, you receive a prompt for authentication.

If the packet is not one of the above, the packet is dropped.

Workaround: None.

CSCec18770

The FWSM write standby command on the primary FWSM causes failover to occur on the secondary module.

Workaround: None.

CSCec13506

If the FWSM is started with a configuration that has an interface in the shutdown state, error messages appear on the console during startup.

Workaround: None.

CSCec07318

The NFS mount takes a long time to succeed or fails because the NFS client is on a lower security interface relative to the NFS server.

Workaround: Configure the NFS client on a higher security interface relative to the NFS server.

CSCec03643

When making calls using gateways to the SIP (SMDS Interface Protocol) proxy, UDP and TCP proxy calls fail to set up, or there is no voice path.

Workaround: Do not use gateways with the SIP proxy.

CSCeb35030

When you enter the config net command with the tftp-server outside 172.17.241.99 /we command in the configuration, the FWSM crashes when the configuration file contains a write mem command.

Workaround: None.

CSCeb16395

Configuring different ICMP types in an access-list is not accepted.

Workaround: None.

CSCea62152

When running in a failover configuration, the FWSM does not replicate connections at the second failover because the state of the connection is lost. This condition applies only to those connections that remain alive through both failovers. Both FTP and RSH connections consist of a control channel and a data channel that are linked. All other connections are considered control channel only. Connections are replicated for one of the following reasons:

a. A new connection is established (control or data).

b. Packets are exchanged over an existing connection.

c. Data channels without a parent control channel are not replicated.

Workaround: None.

Open Caveats in Release 1.1(3)


Note For a description of caveats resolved in FWSM software release 1.1(3), see the "Resolved Caveats in Release 1.1(3)" section.


This section describes known limitations that exist in the FWSM software release 1.1(3).

CSCec24882

During failover interface testing when the shutdown command is sent manually, testing continues, and the interface state is reported as "unknown." The interface status should be reported as "Link Down," and the test should not be performed on the interfaces.

Workaround: None.

CSCec22386

The no routerid ip add routing command does not remove the router identification under OSPF because the routerid syntax is incorrect.

Workaround: Use the no router-id syntax.

CSCec21934

When the message digest key is configured it cannot be removed using the no ospf message-digest-key key md5 cisco command because the syntax is incorrect.

Workaround: Use the no ip ospf message-digest-key keyid command syntax.

CSCec09288

No video can be seen using IP TV. The UDP packets seem to be dropped when access-lists are applied to allow only the needed traffic to flow through the FWSM.

Workaround: None.

CSCec07318

The NFS mount takes a long time to succeed or fails because the NFS client is on a lower security interface relative to the NFS server.

Workaround: Configure the NFS client on a higher security interface relative to the NFS server.

CSCec03643

When making calls using gateways to the SIP (SMDS Interface Protocol) proxy, UDP and TCP proxy calls fail to set up, or there is no voice path.

Workaround: Do not use gateways with the SIP proxy.

CSCeb17912

The FWSM does not reply to the Address Resolution Protocol (ARP) if ARP is sourced from a non-connected network.

Workaround: Add a specific route or static ARPs on the MSFC.

CSCeb13501

The PIX Device Manager (PDM) performance monitor graphs display only zero values except for the performance monitor intervals. This condition occurs because the performance monitor interval and the PDM poll interval are set to different values.

Workaround: Configure the PDM poll and performance monitor interval to the same value.

CSCea75037

When the interface IP address is modified, the interface static entry continues working with the old IP address but not with the new IP address.

Workaround: Remove and reconfigure the interface static line after the interface IP address has been changed.

CSCea62152

When running in a failover configuration, the FWSM does not replicate connections at the second failover because the state of the connection is lost. This condition applies only to those connections that remain alive through both failovers. Both FTP and RSH connections consist of a control channel and a data channel that are linked. All other connections are considered control channel only. Connections are replicated for one of the following reasons:

a. A new connection is established (control or data).

b. Packets are exchanged over an existing connection.

c. Data channels without a parent control channel are not replicated.

Workaround: None.

CSCeb82034

When overlapping static statements are specified, the static entries cannot be removed from the configuration.

Workaround: Avoid using overlapping network addresses in different static statements, or change the order of the static statements in the configuration.

CSCeb82030

The maximum idle time that can be configured for a connection is 18 hours and 12 minutes. If a timeout is configured for a time that is greater than 18 hours and 12 minutes, the timeout wraps around and has a value of 18 hours and 12 minutes.

Workaround: Configure a maximum idle time value lower than 18 hours and 12 minutes.

CSCeb81845

The show conn command displays connections with the idle timeout larger than the timeout configured.

Workaround: None.

CSCeb61644

When the OSPF processes and the SVI interfaces on both the MSFC and the FWSM are configured to perform MD5 authentication, the OSPF process in the FWSM becomes stuck in the loading state and cannot reach the full state. The output of the show ip ospf neighbor command displays this information:

Neighbor ID     Pri    State           Dead Time      Address       Interface
x.x.x.x          1    LOADING/DR        0:00:33       y.y.y.y        outside

This syslog message displays:

409005: Invalid length 1504 in OSPF packet from y.y.y.y (ID x.x.x.x), outside

This situation occurs when the LS update packets from the MSFC are fragmented and both OSPF neighbors are configured to perform MD5 authentication.

Workaround: Do not use MD5 authentication. Use clear-text authentication, or do not configure authentication. Cisco IOS releases that do not fragment LS updates do not cause this problem on the FWSM.

CSCec02829

If a protocol is not associated to the AAA server group when using the aaa-server tag protocol tacacs/radius command, any new server group is always considered as the TACACS server.

If a RADIUS server is specified with the aaa-server tag [(if_name)] host ip_address [key] [timeout seconds] command and the tag used is not associated with the RADIUS protocol, AAA authentication, authorization, or accounting fails because the firewall assumes that the AAA server is a TACACS server and attempts to make requests to port 49 on the specified server.

Workaround: Always create a server group by associating it with the required protocol before assigning servers to that group, as in this example:

FWSM(config)# sh aaa
FWSM(config)# sh aaa-
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local
FWSM(config)# aaa- TEST_RADIUS (dmz) host 10.6.0.3 ciscoradius time 2
FWSM(config)# sh aaa-
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
aaa-server TEST_RADIUS protocol tacacs+ 
aaa-server TEST_RADIUS (dmz) host 10.6.0.3 ciscoradius timeout 2 [ACTIVE]
FWSM(config)# 
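The session above shows the failure: the server was added before its group had a protocol, so TEST_RADIUS was typed as tacacs+. The same group created in the order the workaround requires is shown here as an added illustration, not as output taken from the release notes. The group name, interface, host address, key and timeout are reused from the session above; the show aaa-server lines are the expected result rather than captured output, and lines beginning with "!" are annotations, not commands.

```text
! Create the server group with its protocol first ...
FWSM(config)# aaa-server TEST_RADIUS protocol radius
! ... and only then assign the server to the group
FWSM(config)# aaa-server TEST_RADIUS (dmz) host 10.6.0.3 ciscoradius timeout 2
! Expected result: the group is typed as radius, so requests go to the
! RADIUS ports (1812/1813 above) rather than TACACS+ port 49
FWSM(config)# show aaa-server
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server TEST_RADIUS protocol radius
aaa-server TEST_RADIUS (dmz) host 10.6.0.3 ciscoradius timeout 2 [ACTIVE]
```

The check worth making after any AAA change on this release is the protocol line of the group in show aaa-server: a group whose line reads protocol tacacs+ when a RADIUS server was intended will fail authentication exactly as this caveat describes.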

CSCec01062

If SIP messages are split across multiple TCP segments, the FWSM does not take any action (such as NAT or connection pre-allocation) on them.

Workaround: Do not use Network Address Translation (NAT) or Port Address Translation (PAT) and disable the fixup SIP using the no fixup protocol sip 5060 command.

CSCec19761

Outbound TFTP requests fail if PAT is using an interface IP address that is configured on the FWSM. The TFTP file download works correctly with other PAT IP addresses.

Workaround: None.

CSCec13506

If the FWSM is started with a configuration that has an interface in the shutdown state, error messages appear on the console during startup.

Workaround: None.

Resolved Caveats in Release 1.1(3)


Note For a description of caveats open in FWSM software release 1.1(3), see the "Open Caveats in Release 1.1(3)" section.


This section describes the resolved caveats in FWSM software release 1.1(3).

CSCec05977

When failover is configured, using a write standby command resets the configurations on the secondary FWSM.

Workaround: None.

CSCeb86257

With some configurations, and with fragmented ICMP, HTTP, FTP, and RTSP traffic, the network processors lose their ingress buffers, causing both FWSMs to become active or causing the secondary FWSM to report as failed.

Workaround: None.

CSCeb78583

When using show run and write mem commands from two simultaneous sessions into the FWSM, and when the show run command completes first, the write mem command fails in cfglck.c line 76 upon completion.

Workaround: Perform CLI commands from only one session at a time.

CSCeb76295

The FWSM in a stateful failover configuration may not replicate TCP connections correctly. This behavior shows up in configurations where the NAT 0 ACL is used.

Workaround: Use NAT 0 or statics.

CSCeb70377

When two FWSMs are used with stateful failover, unnecessary failovers can occur, caused by the garbage collection thread on the standby module. When a translate (xlate) process ages to one hour, the standby FWSM constantly queries the process to verify if the process is still in use or if the process can be torn down. During this time, the failover hello messages are dropped, resulting in a failover.

Workaround: Disable stateful failover.

CSCeb60286

Stateful synchronization does not operate correctly after switchover. When there is a switchover due to a short communication failure between the active and the standby FWSM, the logical unit (LU) flag is not set correctly on the network processors (NPs) after the switchover, which stops the stateful synchronization from the active FWSM to the standby FWSM.

Workaround: Remove the stateful link configuration, and add it back on the active FWSM with the no failover link stateful and failover link stateful commands.

CSCeb54271

If there is an ACL with an access-list entry using object-groups, and it expands to a large number of ACL lines (up to 10,000-12,000), then when this configuration is synchronized through failover, some commands that follow after the ACE might be missing on the standby FWSM after the synchronization.

Workaround: Do not use ACEs with object groups that expand to a large number of ACL lines (up to 10,000-12,000).

CSCeb45715

The FWSM fails when performing two write terminal or show running commands in concurrently running sessions that are on the same FWSM with pager enabled.

Workaround: Change the number of pager lines in the configuration to a different value, or disable the pager completely.

CSCeb32385

An overflow in sequence-number randomization causes large file transfers to fail intermittently; this situation indicates that the sequence number has not been calculated correctly.

Workaround: Disable randomization on related address translation.

CSCeb31327

Changing the object group entry does not allow the access list to properly compile.

Workaround: Remove and reapply the ACL.

CSCeb14311

If the timeout reauthentication (uauth) absolute session is disabled (value 00:00:00), and inactivity is enabled (any value greater than 00:00:00), the FWSM still times out every uauth session immediately after the authentication.

Workaround: Increase the absolute timeout to the maximum value to minimize the effect of reauthenticating frequently.

CSCea84521

The first interface shuts down without an IP address and packets from the processor complex (PC) are dropped when fixup-enabled traffic fails.

Workaround: Configure the IP address on the first interface.

CSCea77343

If AAA authentication and HTTP fixups are both enabled, the original URL requested by the client is modified by the FWSM, making the URL unreachable after the user has successfully been authenticated.

Workaround: Disable HTTP fixup.

CSCea74979

A no nameif command on the FWSM for any nameif statement resets the fragment size from the configured value to the default of 1.

Workaround: Reconfigure the fragment size on the interfaces.

CSCea58768

When performing the show running command from multiple sessions into the same FWSM module, upon completion of the second command, the FWSM reboots.

Workaround: Avoid performing commands from multiple simultaneous sessions into the same FWSM module.

CSCdz11349

Connections to a server are interrupted during a standby reboot, causing the following conditions:

If the secondary (standby) FWSM is reloaded when booting up, as it is receiving its configuration from the active FWSM, it sends out ARP requests (using the active IP addresses) for any servers configured in the configuration, for example, syslog server, TACACS+ server, and so on.

Hosts that see the ARP request go out from the standby FWSM (with the active IP addresses) update their ARP table and associate the standby module MAC addresses with the active IP addresses. This condition results in packet loss because the clients that update their ARP table will now forward packets to the standby FWSM, which drops the packets.

If the secondary FWSM is active, and the primary FWSM is reloaded upon startup, the primary FWSM sends out packets (using its burned-in MAC address [BIA]). This condition occurs because the packets are sourced from the primary FWSM before it realizes it is in standby mode and should be using the secondary FWSM MAC addresses.

The MAC-to-port mapping in the CAM table on the Catalyst 6500 switch (or the Catalyst 7600 router) is incorrectly populated. The switch forwards packets destined to the active FWSM's MAC address to the primary FWSM (in standby mode), and the packets are dropped.

Workaround: None.

CSCdx14755

Static or connected routes from non-OSPF interfaces cannot be redistributed. The FWSM supports the OSPF routing protocol and allows at most two OSPF processes to run at one time. The FWSM allows redistribution only between OSPF domains. In FWSM release 1.1(1), there is no support for redistributing RIP or static routes into the OSPF domain (or the reverse).

Workaround: There is no workaround for redistribution between the RIP and OSPF domains. To redistribute static routes into the OSPF domain, one OSPF process must be started on the OSPF interfaces, which then allows the associated routes to be redistributed into the existing OSPF domain.

Open Caveats in Release 1.1(2)


Note For a description of caveats resolved in FWSM software release 1.1(2), see the "Resolved Caveats in Release 1.1(2)" section.


This section describes known limitations that exist in the FWSM software release 1.1(2).

CSCea53736

Configuring a NAT rule on interface number 32 may fail.

Workaround: Configure a dummy interface as the interface number 32.

CSCea51993

After upgrading the image from 1.1(2) to 1.1(2), the FWSM may fail to boot up.

Workaround: Upgrade the FWSM application partition (AP) image from the maintenance partition (MP).

CSCea49340

If you run commands like show ip ospf simultaneously from multiple sessions, this action could cause the FWSM to malfunction.

Workaround: Do not run the same commands from multiple sessions.

CSCea47186

If an SSH session is disconnected because of a session timeout, the FWSM may still show the session with IP address 0.0.0.0 as connected.

Workaround: None.

CSCea27881

Syslog ID 109003 does not specify the IP addresses correctly for command authorization.

Workaround: None.

CSCea25990

During authentication of traffic, the following message may be printed on the console:

uauth_procline:null uap->proxy

Workaround: None.

CSCea17890

The following auth-prompt command help message is incorrect:

Usage:[no | clear] auth-prompt [prompt | accept | reject] "<prompt text>" 

The help message should not contain quotation marks and should appear as:

Usage:[no | clear] auth-prompt [prompt | accept | reject] <prompt text>

Workaround: Do not use quotation marks (" ") when specifying the prompt text.

CSCea08088

If an access-list specified in a route-map is removed, then the next configured access-list is added into the route-map.

Workaround: Remove the errant ACL and reapply the correct ACL.

CSCea07741

Matching by route source or next hop in route-maps does not work on the FWSM.

Workaround: Do not configure route-sources or next hops in route-maps.

CSCdz75298

If an area range is specified with the range being a subnet of a connected route, then that connected route fails. Hosts located on the failed interface are not reachable unless there is another more specific route available.

Workaround: Specify an area range that is not a subnet of a connected interface.

CSCdz71636

For AAA authenticated HTTP connections on the FWSM, the module changes the CRLF to LF, even if the client sends a CRLF. However, the FWSM behavior is still compliant with RFC1945.

Workaround: None.

CSCdz54939

When an ACL is configured with a source port specified for a match rule in AAA, the source port is ignored.

Workaround: Do not use a source port in the AAA configuration.

CSCdz43131

After an FTP connection is closed, the FIN+ACK packet is dropped.

Workaround: None.

CSCdz11349

If a logging host command is configured on the standby module and is saved on the compact flash memory, any existing connections on the active module to the configured logging server get interrupted during a standby reboot.

Workaround: Do not have a logging host command saved on the standby module's compact flash memory.

CSCdz10577

Although adjacency is in the full state, the FWSM OSPF database goes out of synchronization for an LSA, which may result in a missing route.

Workaround: Issuing a clear ip ospf process_id process command rectifies the problem.

CSCdz06297

Sometimes a nameif, no nameif, nameif, ip address command sequence causes the connected route entry for the interface to be lost. The IP address of the interface is set correctly.

Workaround: Reissue the ip address command with the same parameters.

CSCdz05858

The ip address command is case sensitive. You must use case-insensitive names for interfaces.

Workaround: None.

CSCdz04484

The Windows 2000 FTP server connection is dropped after a switchover. This problem occurs because the Windows 2000 FTP server closes the connection after a few unsuccessful retries. As a result, the FTP data connection is dropped.

Workaround: None.

CSCdy88467

OSPF may not transition from the EXCHANGE to the FULL state.

Workaround: Reset the OSPF process by issuing the clear ip ospf pid process command.

CSCdy84020

Packets belonging to authentication traffic that requires fragmentation may not be fragmented.

Workaround: None.

CSCdy73409

When using the clear xlate command, connections are cleared but those required to be accounted for (as specified in the aaa account ... command) do not generate the corresponding STOP record.

Workaround: None.

Resolved Caveats in Release 1.1(2)


Note For a description of caveats open in FWSM software release 1.1(2), see the "Open Caveats in Release 1.1(2)" section.


This section describes caveats that have been resolved in FWSM software release 1.1(2).

CSCea1832

The return TFTP connection from the client on the inside of the firewall to the server on the outside of the firewall fails when an FWSM is in the path.

Workaround: None.

CSCdz75675

The FWSM does not release the console after you send a show access-list command.

Workaround: None.

CSCdz75304

The interface configuration synchronization times out too soon.

Workaround: None.

CSCdz74169

When configuring ACLs for UDP with a port number specified, the display is incorrect. When a port number is not specified, the display is correct. The configuration is synchronized to the standby module the first time. After a switchover, the configuration does not synchronize to the new active module. This problem is not seen while configuring an ACL for permitting TCP.

Workaround: None.

CSCdz71414, CSCdy72108, CSCdy69069

The wr mem command requires several minutes to complete.

Workaround: None.

CSCdz71154

If an OSPF redistribution access list has been configured, after clearing all access lists you may not be able to configure any new access lists.

Workaround: Reboot the module.

CSCdz69224

An internal stack error may occur, and the secondary module may continue to reboot when the traffic through the module includes HTTP, FTP, UDP with fragmentation, and UDP with protocol 85 and protocol 170.

Workaround: None.

CSCdz65676

A memory allocation error occurs with HTTP, FTP, UDP, fragmentation UDP, protocol 85, and protocol 170 traffic flowing through the module.

Workaround: None.

CSCdz62114

When removing named interfaces (nameifs) from the active console, parse_thread_helper reports "NO valid ifc found for vlan <vlan id>", which causes a "Disabling failover" message because the number of interfaces is not consistent on the active and standby modules.

Workaround: None.

CSCdz55901

During an AAA authorization configuration attempt, after removing the aaa authentication enable console NT_tacacs command and attempting to continue configuration after a Telnet login, the FWSM enters debugging mode.

Workaround: None.

CSCdz55648

Failover occurs when reconfiguring the failover LAN primary module.

Workaround: To recover the modules from the failure, use the no failover command on both modules. Configure one module as the primary (active) module, activate failover on the secondary module, and then reload the secondary module. To avoid the failure, run the no failover command on both modules and reconfigure the modules as primary and secondary. First enable failover on the primary module, then on the secondary module, which receives the configuration synchronization from the primary module.

CSCdz51968

Buffers that are 1550 bytes long are lost, and errors are displayed on the console.

Workaround: None.

CSCdz49400

When configuring AAA on connections through the FWSM on VLANs higher than 255, AAA does not work. Any time the source interface of the traffic that is to be authenticated is higher than 255, the username and password prompts do not appear, and the connection is closed.

Workaround: None.

CSCdz48886

With HTTP and UDP traffic, the FWSM fails in scp_check_resp_packet while downloading VLANs from the switch.

Workaround: None.

CSCdz48877

During the configuration with an existing DHCPD address pool, an internal error occurred when a new DHCPD address pool was assigned.

Workaround: None.

CSCdz48506

A user can access the FWSM through a Telnet connection without authentication.

Workaround: None.

CSCdz47194

When using the LOCAL username database as an authentication function for SSH sessions to the FWSM console, the authentication fails.

Workaround: None.

CSCdz45925

The FWSM debug process begins when you access the console, leave the username field blank, and type in any password using the SSH client application.

Workaround: None.

CSCdz44289

When an SSH session is made to FWSM, the 109005 or 109006 syslog messages that are displayed are incorrect.

Workaround: None.

CSCdz43874

The FWSM is unable to reach hosts defined with the static command because of overlapping addresses.

Workaround: None.

CSCdz41758

When one IP address is used when both NAT and PAT are defined with the static command, the FWSM generates the "LU allocate xlate failed" syslog message on the standby module after the failover switchover completes.

Workaround: None.

CSCdz40491

The FWSM fails with HTTP, FTP fragmentation, UDP, TCP, protocol 85, and protocol 170 traffic flowing through the module.

Workaround: None.

CSCdz39752

The maximum transmission unit (MTU) value is treated as a signed number. Traffic is dropped when the MTU is set to a value greater than 32767 bytes.

Workaround: None.

CSCdz39525

Due to an internal error, the FWSM fails in the Block.c location during test.

Workaround: None.

CSCdz38847

The crypto command-line interface is not intuitive and does not give all options, as other commands do.

Workaround: None.

CSCdz38213

If a total of 1024 ICMP, SSH, or Telnet commands have been configured since the last time the module booted (even though the current number of commands is much lower), you cannot add any more rules without rebooting the module.

Workaround: None.

CSCdz38115

An error occurs when the shut and no shut commands are used on the logical unit interface in the network processor during FTP traffic.

Workaround: None.

CSCdz36292

The service command is not supported.

Workaround: None.

CSCdz36154

Established connections do not relearn the MAC address if the MAC address changes.

Workaround: None.

CSCdz30792

When receiving a link state advertisement (LSA) with a large number of links into the router LSA, OSPF on the FWSM stops loading.

Workaround: None.

CSCdz30349

The FWSM accepts a 32-bit integer for an area when using the router ospf command, but it displays the integer as a 31-bit integer when using the show router ospf command.

Workaround: None.

CSCdz28610

Both the primary and secondary module fail during the failover process due to an internal error.

Workaround: None.

CSCdz25395

The show local command applied to an active FWSM displays connections as 0/0 when there are 220 connections configured.

Workaround: None.

CSCdz25210

With PIX Device Manager (PDM) running, a secondary module can enter the debug process at the "print_metric_history" location after issuing the no failover active and no failover commands on the active primary module.

Workaround: None.

CSCdz21440

A new product object ID was added for the FWSM.

Workaround: None.

CSCdz19612

Command-line interface lines longer than 200 characters cause the module to fail.

Workaround: None.

CSCdz18901

When running a clear config all command on the standby module, the active module reboots.

Workaround: None.

CSCdz17388

OSPF can be configured from the enable mode. OSPF should only be configured from the configuration submode like other FWSM commands, for example, the nameif command.

Workaround: None.

CSCdz14980

If you use the static command with an embryonic limit, and the client (lower security) interface used in the command has a VLAN that is numerically greater than 255, connections that are intercepted will not mature.

Workaround: When configuring an embryonic limit with the static command, make sure that the client (lower security) interface VLAN is numerically less than or equal to 255.

CSCdz14182

The syslog 201002 shows the wrong value for the number of embryonic connection counts and total connection counts.

Workaround: None.

CSCdz13830

Specifying set or match statements for route maps with multiple sequence numbers does not work.

Workaround: Do not configure route maps with multiple sequence numbers. Use only one sequence number, and specify multiple set or match statements for that sequence.

CSCdz13724

Configuring AAA "exclude" rules does not exempt the intended hosts or networks as it should.

Workaround: Configure the "exclude" rules before the "include" rules as follows:

a. Configure the rules in any order.

b. Enter the show aaa command.

c. Copy the rules into a clipboard.

d. Enter the clear aaa command.

e. Paste the rules back into the command-line interface prompt, and they are now ordered.

CSCdz13712

Configuration in the FWSM for AAA user policy protocols can be done in two different ways:

Directly specifying the hosts required to pass the user policy server (AAA server) using the following command:

    aaa authentication include telnet inside 10.6.25.0 255.255.255.0 10.8.89.40 255.255.255.255 TACACS+

Or, using an ACL previously configured on the module so that when matched by the new connections, it triggers the AAA server query, as shown by the following commands:

    access-list aaa permit tcp any any
    aaa authentication match aaa inside TACACS+

Only one of these two methods can be used without mixing the two types of rules. When switching from one format to another, the command-line interface parser complains in some cases that the system does not support hybrid mode, although no AAA rule is configured at that time.

Workaround: Use the clear aaa command, and configure the AAA rules again.

CSCdz12953

When the security level associated to two already defined interfaces is modified from the original values, any configuration that uses those security levels is not automatically updated. For example, the static command assumes inbound or outbound traffic based on the security levels for that port. If the security levels are reversed using the nameif command, these security levels are not automatically fixed. Such configuration causes problems in the FWSM.

Workaround: If the security level for a nameif command has to be modified, use a no nameif command for that interface first, followed by the nameif command with the new security level.

CSCdz11127

After clearing the ARP table on the FWSM, any HTTP connection that arrives at the FWSM and needs authentication will not receive the username and password prompt for 30 seconds. The same situation occurs if there is no ARP entry in the FWSM for the host that requires authentication. The behavior is corrected after approximately 30 seconds, and the HTTP connections are then authenticated.

Workaround: None.

CSCdz09913

When an address translation is created for AAA traffic, under certain conditions the translations do not get timed out when all connections are torn down, even after the timeout period has expired. Eventually these translations are removed, but the collection process may take a number of hours.

Workaround: Use the clear xlate command to clear that translation.

CSCdz06670

A Telnet session from either the route processor or an external host to the FWSM fails when AAA traffic is present.

Workaround: Use the secure shell (SSH) to connect to the firewall, or reduce the amount of AAA traffic until you complete the Telnet session.

CSCdz06535

When nameif or no nameif commands are issued continuously during configuration synchronization between two FWSM modules, a reboot may occur when one of the FWSM modules is on standby.

Workaround: Wait for the configuration synchronization to complete and then issue the nameif or no nameif commands.

CSCdz06478

For UDP connections on port 111, the module is applying the TCP timeout instead of the UDP connection timeout.

Workaround: None.

CSCdz06350

When sending traffic (AAA or HTTP authentication) and then disabling the HTTP fixup, the module experiences an internal error.

Workaround: None.

CSCdz05311

Certain sequences of events (like switchovers under heavy stress, disabling and enabling logical update link continuously) can result in stateful (connection) information not getting replicated from the active to the standby module.

Workaround: Disable failover on the standby module, and then reenable it.

CSCdz05019

Some syslog messages are not rate-limited, even after you have configured rate limiting for the syslog level to which the syslog belongs.

Workaround: Configure the rate limit for the specific syslog ID using the message option.

CSCdy89217

When there are ambiguous NAT commands issued, the error message "LU allocate xlate failed" is seen on the standby module. This error message is displayed only when the wr standby command is specified.

The following example shows a NAT configuration that could trigger this action:

 nat (inside) 11 40.10.1.1 255.255.255.255 0 0
 nat (inside) 11 40.10.1.0 255.255.255.0 0 0

where 40.10.1.1 is overlapped in both of the NAT configurations.

Workaround: None.

CSCdy87943

Outgoing OSPF router link state advertisements (LSA) are restricted to a length of 1300 bytes. For most deployments this is not a problem, but in some cases the router LSA being generated for an area exceeds this limit.

Workaround: To reduce the size of the LSA, do the following:

Use tighter network commands to select only the required interfaces.

Partition interfaces into areas.

Align NAT pools on subnet boundaries as far as possible.

CSCdy82175

When configuring console authentication (a subset of AAA), and the authentication command is issued with the wrong syntax after the mandated location for the console keyword, the authentication is internally translated to a wrong command. Later attempts to remove that command fail.

For example, the following syntax is correct:

FWSM(config)# aaa authentication http console TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+

The following syntax is incorrect:

FWSM(config)# aaa authentication http inbound 0.0.0.0 0.0.0.0 TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+
FWSM(config)# no aaa authentication http console TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+
FWSM(config)#

Workaround: Enter the command that was first issued, preceded by the no keyword, or use clear aaa authentication or the clear aaa commands to clear the related AAA configuration.

CSCdy78024

Whenever application inspection "fixup" for FTP is enabled and an FTP session is terminated from the client, the FWSM always generates the syslog message number 106015.

Workaround: None.

CSCdy77731

When OSPF is configured in the FWSM to have a virtual link and a not-so-stubby area (NSSA) in the same routing process, upon removal of the virtual link the type 4 LSAs may be applied to the NSSA. The application of type 4 LSAs to the NSSA results in warnings being displayed in other routers connected to the FWSM in the NSSA. This caveat is not known to have any other adverse effect on functionality.

Workaround: None.

CSCdy75936

When configuring AAA authentication together with "fixup" for the HTTP protocol, the fixup is not applied to the first user connection (the connection that is prompted for a username and password).

Workaround: Use the virtual HTTP feature.

To use the virtual HTTP feature on the FWSM, you must do the following:

Define the virtual HTTP address in the outside interface (an internet real address that any internet user should be able to contact, similar to a global IP address).

Provide a static port entry from this outside virtual address to any address located in any interface other than the outside (even a fake address, as long as there is a route for this fake address through an interface different than the outside one).

Have a AAA rule for this virtual HTTP address.

CSCdy75129

Incorrect behavior occurs for the high availability (HA) switchover.

Workaround: None.

CSCdy72131

The timeout command does not get replicated to the standby module if a partial command is issued, for example: time conn 5.

Workaround: Use the full form of the command instead. For example: timeout conn 5.

CSCdy70462

The no mtu interface_name mtu_value command does not reset the interface MTU to the default value, which is 1500 bytes.

Workaround: Use the mtu interface_name 1500 command to set the interface MTU to the default value of 1500 bytes.

CSCdy67187

Configuring the command authorization database with the aaa authentication match acl_name rules configured generates an error. Using PDM to configure the command authorization and AAA authentication results in the same error.

Workaround: If the configuration is being done through FWSM command-line interface, configure the AAA authentication rules instead of the match access-list syntax as follows:

aaa authentication include tcp inside 123.45.67.0 255.255.255.0 group_tag

If you are using the PDM application for configuration, use the previous rule type and configure the AAA rule through the PDM command-line interface window.

CSCdy63569

A failure on an active module does not show failover with 50 percent failed interrupts in the show fail command display.

Workaround: None.

CSCdy63509

If the username is configured on the system, the following message gets printed on the standby module during wr standby command action:

Username exists. Only privilege level can be updated for existing usernames. Username addition failed.

Workaround: Issue a clear username command on the standby module before issuing a wr standby command on the active module.

CSCdy63099

Connections get synchronized in standby mode, even if the logical unit (LU) interface is in shutdown.

Workaround: None.

CSCdy61929

In the FWSM, the moduleIpAddress command returns the incorrect value.

Workaround: None.

CSCdy60658

When OSPF and failover are configured on the module, the following message is displayed on the standby firewall when the network...area command for OSPF is abbreviated:

"FO unreplicable:cmd=ne"

Workaround: Enter the network ... area command again without abbreviation.

CSCdy59930

Configuring the NAT 0 ACL and regular NAT in the same interface is not supported in this release. Such a configuration causes packets on the interface to use the wrong translation.

Workaround: None.

CSCdy58481

During a TFTP download of the image, when a configuration synchronization takes place, the download does not complete successfully.

Workaround: None.

CSCdy58194

Single-session performance problems should not affect behavior on the modules.

Workaround: None.

CSCdy43943

Extra spaces for connected routes display in the console output.

Workaround: None.

CSCdy19755

Issuing the ca generate rsa key size command on the active module sometimes causes a switchover to the standby module. The RSA key generation algorithm (started by the ca generate rsa key size command) may converge correctly, but a convergence delay happens if the size is set to 1024 bytes or 2048 bytes. If the failover poll time is set to a small value (for example, 3 seconds), a switchover may occur because the active module is busy generating the key and does not respond during a poll, causing the standby to take over.

Workaround: Disable failover on the active module and the standby module before generating the key to avoid switchover. Failover can be reenabled once the key generation operation is complete.

CSCdx80521

New connections through the FWSM are not allowed, but existing connections continue to go through. When a TCP syslog server is unreachable, the module prevents new connections. However, once the connectivity with the TCP syslog server is re-established, new connections still do not pass.

Workaround: Run the no logging on command to allow the new connections through the FWSM to resume. Remove the configuration for the failed syslog server, and re-enable the logging.

CSCdx20282

The FWSM does not support the inside interface as the default interface for the URL server. The inside interface is an optional firewall interface in the FWSM.

Workaround: Define the interface when entering the url-server statement.

Open Caveats in Release 1.1(1)


Note For a description of caveats resolved in FWSM software release 1.1(1), see the "Resolved Caveats in Release 1.1(1)" section.


This section describes known limitations that exist in the FWSM software release 1.1(1).

CSCea08088

If an access-list specified in a route-map is removed then the next configured access-list is added into the route-map.

Workaround: Remove the errant ACL and reapply correct ACL.

CSCea07741

Matching by route-source or next hop in route-maps does not work on FWSM.

Workaround: None.

CSCdz75298

If an area range is specified, with the range being a subnet of a connected route, then the route for the connected route is missed. If there is no other more specific route for hosts on that interface, the hosts are not reachable.

Workaround: Specify an area range which is not a subnet of the connected interface.

CSCdz54939

When ACL is configured with a source port specified for the match rule in AAA, AAA does not check the source port field.

Workaround: None.

CSCdz43131

After an FTP Connection is closed, the FIN+ACK packet is dropped.

Workaround: None.

CSCdz14980

When a static port is configured with an embryonic limit and the client (lower security) interface used in the static command has a VLAN that is numerically greater than 255, connections that are intercepted on this static port will not mature.

Workaround: When configuring a static port with an embryonic limit, make sure that the client (lower security) interface VLAN is numerically less than or equal to 255.

CSCdz14182

The syslog 201002 shows the wrong value for the number of embryonic connection counts and total connection counts.

CSCdz13830

Specification of set or match statements for route maps with multiple sequence numbers does not work.

Workaround: Do not configure route maps with multiple sequence numbers. Use only one sequence number, and specify multiple set or match clauses for it.

CSCdz13724

Configuring AAA "exclude" rules does not exempt the intended hosts or networks as it should under some conditions.

Workaround: Configure the "exclude" rules before the "include" rules, for example as follows:

a. Configure the rules in any order.

b. Enter the show aaa command.

c. Copy the rules into a clipboard.

d. Enter the clear aaa command.

e. Paste the rules back into the command-line interface prompt, and they are now ordered.
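The copy, clear and paste workaround above (given for CSCdz13724 in both the 1.1(2) and the 1.1(1) caveat lists) reorders the rules by hand. The following is an added example, not code from Cisco or from these release notes, that performs the same reordering on the text of a show aaa listing: every "exclude" rule is moved ahead of every "include" rule while the relative order within each group is preserved, and a second function reports whether a listing is still misordered. The listing and its addresses are constructed for the example.

```python
"""Reorder AAA rules so that "exclude" rules precede "include" rules.

Added illustration for the CSCdz13724 workaround; this is not Cisco code.
The input is the text of a `show aaa` listing. The sample below is
constructed for this example; the addresses are placeholders.
"""
import re

# Constructed sample: two include rules entered before their exclude rules.
SAMPLE_SHOW_AAA = """\
aaa authentication include telnet inside 10.6.25.0 255.255.255.0 0.0.0.0 0.0.0.0 TACACS+
aaa authentication exclude telnet inside 10.6.25.7 255.255.255.255 0.0.0.0 0.0.0.0 TACACS+
aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authentication exclude http inside 10.6.25.9 255.255.255.255 0.0.0.0 0.0.0.0 TACACS+
"""

# Matches the include/exclude rule forms; group 2 tells the two kinds apart.
AAA_RULE = re.compile(
    r"^aaa (authentication|authorization|accounting) (include|exclude)\b"
)


def reorder_aaa_rules(show_aaa_text):
    """Return the lines with every exclude rule placed before every include rule.

    The partition is stable: rules keep their relative order inside each
    group. Lines that are not include/exclude rules are kept, in their
    original order, ahead of the rules so nothing from the listing is lost.
    """
    other, excludes, includes = [], [], []
    for line in show_aaa_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = AAA_RULE.match(line)
        if m is None:
            other.append(line)
        elif m.group(2) == "exclude":
            excludes.append(line)
        else:
            includes.append(line)
    return other + excludes + includes


def first_misordered_pair(lines):
    """Return (exclude_index, include_index) for the first exclude rule that
    appears after an include rule, or None when the listing is ordered."""
    first_include = None
    for i, line in enumerate(lines):
        m = AAA_RULE.match(line)
        if m is None:
            continue
        if m.group(2) == "include" and first_include is None:
            first_include = i
        elif m.group(2) == "exclude" and first_include is not None:
            return (i, first_include)
    return None


if __name__ == "__main__":
    ordered = reorder_aaa_rules(SAMPLE_SHOW_AAA)
    print("\n".join(ordered))
    print("misordered:", first_misordered_pair(ordered))
```

The reordered lines are what would be pasted back after clear aaa; checking first_misordered_pair on a fresh show aaa listing tells you whether the workaround needs to be applied at all.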

CSCdz13712

Configuration in the FWSM for AAA user policy protocols can be done in two different ways:

Directly specifying the hosts required to pass the user policy server (AAA server):

    aaa authentication include telnet inside 10.6.25.0 255.255.255.0
    10.8.89.40 255.255.255.255 TACACS+

or, using an ACL previously configured on the module that when matched by the new connections, triggers the AAA server query.

    access-list aaa permit tcp any any
    aaa authentication match aaa inside TACACS+

Only one of these two methods can be used without mixing the two types of rules. When switching from one format to another, the command-line interface parser complains in some cases that the system does not support hybrid mode ("do not support hybrid configuration") even though no AAA rule is configured at that time.

Workaround: Enter the clear aaa command, and configure the intended AAA rules again.

CSCdz12953

When the security level associated with two already defined interfaces is modified from its original value, any configuration that uses those security levels is not automatically updated. For example, the static command assumes inbound or outbound traffic based on the security levels for that port. If the security levels are reversed using the nameif command, these commands are not automatically fixed. Such a configuration could lead to problems in the FWSM.

Workaround: If the security level for a nameif command has to be modified, use a no nameif command for that interface first, followed by the nameif command with the new security level.

CSCdz11349

If a logging host command is present in the standby module's configuration saved on flash, any existing connections from the active module to the configured logging server get interrupted during a standby reboot.

Workaround: Do not have a logging host command saved on the standby module's flash.

CSCdz11127

After clearing the ARP table on the FWSM, any HTTP connection that arrives at the FWSM and needs authentication will not receive the username and password prompt for 30 seconds. The same situation occurs if there is no ARP entry in the FWSM for the host that requires authentication. After approximately 30 seconds the behavior is corrected, and the HTTP connections start being authenticated.

Workaround: None.

CSCdz10577

Under some rare conditions, the FWSM OSPF database goes out of synchronization for an LSA although the adjacency is in the full state, which may result in a missing route.

Workaround: Issuing a clear ip ospf process_id process command rectifies the problem.

CSCdz09913

When an xlate is created for AAA traffic, under certain conditions, the xlates do not get timed out once all connections are torn down, even after the timeout period. Eventually these xlates are garbage collected but it may take some hours.

Workaround: Use the clear xlate command to clear that xlate.

CSCdz06670

Under heavy load a Telnet to the firewall fails intermittently. This occurs when the firewall is subject to heavy AAA load.

Workaround: Use SSH to connect to the firewall, or temporarily reduce the amount of AAA traffic.

CSCdz06535

When many nameif or no nameif commands are issued continuously during configuration synchronization, a reboot on standby may occur.

Workaround: Wait for the configuration synchronization to complete and then issue the nameif or no nameif commands.

CSCdz06297

The connected route entry for a firewall interface is missing. Sometimes a nameif, no nameif, nameif, ip address command sequence results in the connected route entry for the interface being lost, even though the IP address of the interface is set correctly.

Workaround: Reissue the ip address command with the same parameters.

CSCdz05858

The ip address command cannot differentiate between two interfaces with names that differ only in the case of the letters used in the name, for example between INSIDE and inside.

Workaround: Use interface names that differ in more than letter case.

CSCdz05311

Certain sequences of events (like switchovers under heavy stress, or disabling and enabling the logical update link continuously) can prevent stateful (connection) information from being replicated from the active to the standby module.

Workaround: Disable failover on the standby module, and then reenable it.

CSCdz05019

Some syslog messages do not get rate limited, even after configuring rate limiting for the syslog level to which the syslog belongs.

Workaround: Configure the rate limit for the specific syslog ID using the message option if the level option for that syslog ID does not work.

CSCdz04484

After a switchover, the data connection for an FTP connection is dropped by the Windows 2000 FTP server. This problem occurs because the Windows 2000 FTP server closes the connection after a few unsuccessful retries. As a result, the FTP data connection is dropped.

Workaround: None.

CSCdy89217

When there are ambiguous NAT commands issued, the following error message will appear on the standby module:

LU allocate xlate failed 

This error message is seen only when the wr standby command is specified.

The following is a sample NAT configuration that could trigger this action:

 nat (inside) 11 40.10.1.1 255.255.255.255 0 0
 nat (inside) 11 40.10.1.0 255.255.255.0 0 0

where 40.10.1.1 is overlapped in both the NAT configurations.

Workaround: None.
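The overlapping nat statements above (the same example appears under CSCdy89217 in the 1.1(2) list) are easy to miss in a long configuration. The following is an added example, not code from Cisco or from these release notes, that parses nat statements of the explicit address/mask form shown on this page and reports pairs on the same interface and NAT ID whose address ranges overlap. The configuration fragment is constructed for the example; the shorthand nat (inside) 1 0 0 form is not handled.

```python
"""Find nat statements on the same interface and NAT ID whose ranges overlap.

Added illustration for CSCdy89217; this is not Cisco code. Only the
explicit `nat (ifname) id address mask ...` form is parsed.
"""
import ipaddress
import re
from itertools import combinations

# Constructed configuration fragment. The first two lines reproduce the
# ambiguous pair from the caveat; the other two are non-overlapping controls
# (a different NAT ID, and the same range on a different interface).
SAMPLE_NAT_CONFIG = """\
nat (inside) 11 40.10.1.1 255.255.255.255 0 0
nat (inside) 11 40.10.1.0 255.255.255.0 0 0
nat (inside) 12 10.20.0.0 255.255.0.0 0 0
nat (dmz) 11 40.10.1.0 255.255.255.0 0 0
"""

NAT_LINE = re.compile(
    r"^nat \((?P<ifname>[^)]+)\) (?P<nat_id>\d+) (?P<addr>\S+) (?P<mask>\S+)"
)


def parse_nat_lines(config_text):
    """Return (ifname, nat_id, network) for each nat statement found."""
    entries = []
    for line in config_text.splitlines():
        m = NAT_LINE.match(line.strip())
        if m is None:
            continue
        # strict=False lets a host address carry a non-host mask.
        net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
        entries.append((m["ifname"], int(m["nat_id"]), net))
    return entries


def find_overlapping_nat(config_text):
    """Return pairs of parsed nat entries that share interface and NAT ID
    and whose networks overlap (the ambiguous case from the caveat)."""
    overlaps = []
    for a, b in combinations(parse_nat_lines(config_text), 2):
        same_scope = a[0] == b[0] and a[1] == b[1]
        if same_scope and a[2].overlaps(b[2]):
            overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    for a, b in find_overlapping_nat(SAMPLE_NAT_CONFIG):
        print(f"nat ({a[0]}) {a[1]}: {a[2]} overlaps {b[2]}")
```

Running the check over a running configuration before issuing wr standby lets you find the ambiguity that triggers the "LU allocate xlate failed" message instead of discovering it on the standby console.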

CSCdy88467

The OSPF process gets stuck in exchange and adjacency does not go to the FULL state.

Workaround: Reset the OSPF process by issuing the clear ip ospf pid process command.

CSCdy87943

The following message is printed when LSAs generated for an area exceed the limit:

OSPF:Too many secondary addresses or globals 

Outgoing OSPF router LSAs are restricted to a length of 1300 bytes. For most deployments this will not be a problem, but in some cases the router LSA being generated for an area exceeds this limit.

Workaround: To reduce the size of the LSA:

Use tighter network commands to select only the required interfaces.

Partition interfaces into areas.

Align NAT pools on subnet boundaries as far as possible.

CSCdy85431

Configuring a large number of fixup and filter rules causes the active FWSM to switch over to standby mode. This problem is seen when a large number of fixup and filter rules are added to an active FWSM and the failover poll frequency is configured with a low value.

Workaround: Disable failover while configuring filter and fixup rules.

CSCdy84020

Packets belonging to authentication traffic that requires fragmentation may not be fragmented.

Workaround: None.

CSCdy83957

When a data channel is opened with a sequence number close to the maximum 32-bit value, the subtraction of the random delta sequence number might lead to a carry problem. The TCP state machine will not recognize the final acknowledgment, and the connection stays in the 2-FIN state. The connection is aged out when the 2-FIN state times out.

Workaround: None.
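The caveat above is the classic wraparound hazard in sequence-number randomization: the firewall rewrites each forwarded sequence number by a per-connection delta, and near the top of the 32-bit space that subtraction, and any later comparison against it, has to wrap. The following is an added example, not code from Cisco or from these release notes and not a description of the FWSM's internal implementation, that shows the arithmetic done correctly (modulo 2^32 with a serial-number comparison) beside a plain linear comparison that fails to recognize the final acknowledgment once the numbers wrap. The sequence numbers and the delta are constructed values.

```python
"""TCP sequence-number rewriting modulo 2**32.

Added illustration of the failure mode in CSCdy83957; this is not Cisco
code. A firewall that randomises initial sequence numbers subtracts a
per-connection delta from every sequence number it forwards in one
direction. Once the original numbers wrap past 2**32, a subtraction that
does not wrap, or a comparison that treats the values as plain integers,
misjudges which acknowledgment covers the FIN.
"""

SEQ_MASK = 0xFFFFFFFF          # sequence numbers live in [0, 2**32)
HALF_SPACE = 0x7FFFFFFF        # serial-number comparison window


def rewrite_seq(seq, delta):
    """Subtract the connection's delta, wrapping at 2**32 (correct form)."""
    return (seq - delta) & SEQ_MASK


def seq_lt(a, b):
    """Serial-number comparison in the style of RFC 1982: is a before b?

    The difference is taken modulo 2**32; values in the upper half of the
    space mean a lies behind b even if a is numerically larger.
    """
    return ((a - b) & SEQ_MASK) > HALF_SPACE


def seq_gte(a, b):
    """Is a at or after b in sequence space?"""
    return not seq_lt(a, b)


def expected_fin_ack(fin_seq, delta):
    """ACK number that covers a FIN sent at fin_seq, after rewriting.

    The FIN itself occupies one sequence number, so the peer's ACK must be
    rewritten(fin_seq) + 1, again wrapped at 2**32.
    """
    return (rewrite_seq(fin_seq, delta) + 1) & SEQ_MASK


def fin_acknowledged(fin_seq, delta, ack):
    """Correct check: wrap-safe comparison of the peer's ACK with the FIN."""
    return seq_gte(ack, expected_fin_ack(fin_seq, delta))


def fin_acknowledged_linear(fin_seq, delta, ack):
    """Defective check: plain integer comparison, which cannot see an ACK
    that has wrapped past 2**32 as being ahead of the FIN."""
    return ack >= expected_fin_ack(fin_seq, delta)


if __name__ == "__main__":
    # Constructed scenario: the sender's numbers have already wrapped
    # (FIN at 0x100), and the connection's delta is 0x1000.
    fin_seq, delta = 0x100, 0x1000
    print(hex(rewrite_seq(fin_seq, delta)))             # 0xfffff100
    print(fin_acknowledged(fin_seq, delta, 0x10))        # True
    print(fin_acknowledged_linear(fin_seq, delta, 0x10)) # False: stuck in 2-FIN
```

With the constructed values, the rewritten FIN sits at 0xFFFFF100, so the peer's acknowledgment has itself wrapped to a small number (0x10). The wrap-safe check accepts it and the connection can close; the linear check never does, which is the stuck 2-FIN state the caveat describes.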

CSCdy82175

When configuring console authentication (a subset of AAA), and the command is entered with incorrect syntax where the console keyword should be, the authentication is internally translated to a wrong command, and later attempts to remove that command fail.

This example shows the correct syntax:

FWSM(config)# aaa authentication http console TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+

This example shows the incorrect syntax:

FWSM(config)# aaa authentication http inbound 0.0.0.0 0.0.0.0 TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+
FWSM(config)# no aaa authentication http console TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+
FWSM(config)#

Workaround: Type the same command that was first issued with the no keyword in front, or use the clear aaa authentication or clear aaa commands to clear the related AAA configuration.

CSCdy77731

When OSPF in the FWSM is configured to have a virtual link and an NSSA in the same routing process, upon removal of the virtual link, type 4 LSAs may be injected into the NSSA. This results in warnings being displayed in other routers connected to the FWSM in the NSSA. This caveat is not known to have any other adverse effect on functionality.

Workaround: None.

CSCdy75936

When configuring AAA authentication together with fixup for the HTTP protocol, the fixup is not applied to the first user connection (the connection that is prompted for a username and password).

Workaround: Use the virtual HTTP feature.

To use the virtual HTTP feature on the FWSM you must do the following:

Define the virtual HTTP address in the outside interface (a real Internet address that any Internet user should be able to contact, similar to a global IP address).

Provide a static port entry from this outside virtual address to any address located in any other interface than the outside (even a fake address, as long as there is a route for this fake address through an interface different than the outside one).

Have a AAA rule for this virtual HTTP address.

CSCdy72131

The timeout command does not get replicated to standby if a partial command is issued, for example: time conn 5.

Workaround: Use the full form of the command. For example: timeout conn 5.

CSCdy72108

The wr mem command entered on the active module will occasionally take a long time (3 minutes) to complete. This situation causes the active module to switch to the standby or failed state and the standby module to switch to the active state. After some time (3 minutes), the new standby comes out of the failed state and continues to act as a normal standby.

Workaround: None.

CSCdy70695

If authentication (AAA) traffic is directed to a particular local host, the displayed connection count for some of those local hosts (output of the show local-host command) may be more than the maximum connection limit configured for those local hosts.

Workaround: None.

CSCdy70462

The no mtu interface_name mtu_value command does not reset the interface MTU to the default (1500) value.

Workaround: Use the mtu interface_name 1500 command to set the interface MTU to the default value of 1500 bytes.

CSCdy69069

Sometimes when the wr mem command is issued from a PDM session, the command may take several minutes, but eventually it completes.

Workaround: None.

CSCdy67187

Configuring the command authorization database with the aaa authentication match acl_name rules configured generates an error. Using PDM to configure the command authorization and AAA authentication results in the same error.

Workaround: If the configuration is being done through FWSM command-line interface, configure the AAA authentication rules instead of the match access-list syntax as follows:

aaa authentication include tcp inside 123.45.67.0 255.255.255.0 group_tag

If you are using the PDM application for configuration, use the previous rule type and configure the AAA rule through the PDM command-line interface window.

CSCdy66521

When the system is under heavy stress, some show commands may result in partial or no results.

Workaround: Repeat the command.

CSCdy66211

Under heavy HTTP traffic that requires URL-filtering, the URL filtering server status on the FWSM toggles between the active and failed states. The FWSM generates the following syslog messages when toggling the status.

304007:URL Server not responding, ENTERING ALLOW mode 
304008:LEAVING ALLOW mode, URL Server is up

Because of a large number of pending URL status request messages, the URL filtering server sometimes fails to send a reply to keep alive messages sent by the FWSM. This situation causes the FWSM to report the URL server status as failed. The URL server status comes back to the active state after a keepalive response is received from the URL filtering server.

Workaround: None.

CSCdy64149

Sometimes the PDM application fails to load the configuration from the FWSM if the PDM host is located multiple Layer-3 hops away from the module.

Workaround: Launch PDM from a host that is on the same subnet as the FWSM interface.

CSCdy63509

If the username is configured on the system, the following message gets printed on the standby module during wr standby command action:

Username exists. Only privilege level can be updated for existing usernames. Username addition failed.

Workaround: Issue a clear username command on the standby module before issuing a wr standby command on the active module.

CSCdy63334

When the FWSM is configured as a designated router (DR), it may fail to refresh the Network LSA (link state advertisement) for an area. On occasion, the Network LSA for interfaces, where the module is configured as designated router (DR), is missing from all routers in the same area.

Workaround: Do not configure the module as a designated router (DR). By default, the module does not boot as the designated router (DR). The default OSPF priority of an interface is set to 0 for the module.

CSCdy61294

Heavy stress caused by HTTP, SMTP, FTP, UDP, and ICMP traffic passing through the module can introduce intermittent communication loss between the active and standby modules. Any switchover caused by the failover active or the no failover active commands can result in configuration synchronization failure and a reboot on the new standby module.

Workaround: None.

CSCdy60921

The show route command displays both an OSPF route and a static route. The command should show only the static route. The routing occurs correctly through the static route.

Workaround: None.

CSCdy60658

The FO unreplicable:cmd=net message is displayed on the standby firewall when the network...area command for OSPF is abbreviated. This message occurs when OSPF and failover are configured.

Workaround: Enter the network ... area command again without abbreviation.

CSCdy59930

Configuring the NAT 0 ACL and regular NAT in the same interface is not supported in this release. Such a configuration will cause packets on the interface to use the wrong translation.

Workaround: None.

CSCdy49865

Under stress, the connection count shown by the show local-host command may not be accurate. The number of connections shown on the local host may be more than the actual connections that exist at that given time. This situation occurs under stress, as some control messages may be lost within the system, causing the connection count in the local host to be out of sync with the actual number of connections. This condition is eventually resolved by the garbage collection process.

Workaround: None.

CSCdy38008

An SSH management session to the FWSM appears to hang while an image is being copied to Flash, and recovers once the copy is complete. Over SSH you do not see the copy progress that a Telnet management session displays. There are no other side effects.

Workaround: None.

CSCdy35628

When the module is reloaded, the switch may fail to boot the module and may deny it power.

Workaround: Power-cycle the slot from the Route Processor console, then confirm the module comes back up:

Router# configure terminal
Router(config)# no power enable module module_num
Router(config)# power enable module module_num
Router(config)# end
Router# show module module_num

CSCdy21695

Under heavy stress with traffic flowing to the NP slowpath, valid fragmented traffic may be seen as overlapping fragments and may be dropped.

Workaround: None.

CSCdy19755

Issuing the ca generate rsa key size command on the active module sometimes causes a switchover. RSA key generation can take up to three minutes to complete because it searches for primes starting from a random seed; this is seen with key sizes of 1024 and 2048 bits. If the failover poll time is set to a small value (for example, three seconds), the active module is too busy generating the key to answer failover polls, and the standby takes over.

Workaround: Disable failover on the active and standby modules before generating the key so that no switchover can occur, and re-enable failover once key generation is complete.
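The workaround as a CLI walkthrough. This is an added illustration, not text from the original release note: the prompts fwsm-active and fwsm-standby, the 1024-bit key size and the closing show commands are assumptions, and the commands used are the PIX 6.x-style failover, ca generate rsa key and ca save all commands that the FWSM 1.1 CLI provides.

```text
! Added example (assumed prompts and values). Disable failover on BOTH
! modules first so a slow key generation cannot look like a dead peer.
fwsm-standby(config)# no failover
fwsm-active(config)# no failover

! Generate the key pair. The caveat notes that 1024- and 2048-bit sizes
! can take up to about three minutes; the prompt blocks until it finishes.
fwsm-active(config)# ca generate rsa key 1024

! Keys are not part of the running configuration: save them to Flash,
! then confirm the public key is present.
fwsm-active(config)# ca save all
fwsm-active(config)# show ca mypubkey rsa

! Only now re-enable failover on both modules and confirm the pair is
! back in sync.
fwsm-active(config)# failover
fwsm-standby(config)# failover
fwsm-active(config)# show failover
fwsm-active(config)# write memory
```

Leave the failover poll interval as it is: lengthening it instead of disabling failover would also hide this problem, but it slows detection of every real failure for as long as it stays lengthened.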

CSCdy16778

When the static command is configured with the interface keyword, fragmented echo replies sent on that interface to the interface's own IP address are dropped. This condition occurs only when the interface keyword is used with the static command and the destination IP address is the interface IP address.

Workaround: None.

CSCdx93864

The FWSM disables all connections from or to the shunned IP address, even when specific connection parameters are given in the shun command. This differs from PIX, where a shun that carries the full connection parameters tears down only that one connection; the other connections from or to the shunned source IP address are starved (stop passing traffic) rather than torn down. Once the shun is removed, shunned connections that have not timed out resume passing traffic.

On the FWSM, even a shun that specifies the full connection parameters (source IP address, destination IP address, source port, destination port, and protocol) disables all connections from or to the source IP address.

Workaround: None.

CSCdx91902

Assigning an access list that contains protocol or port numbers to the nat (interface) 0 access-list command fails with an error message. This differs from PIX, which accepts such an access list and simply ignores the protocol and port numbers when applying NAT. On the FWSM, only access lists whose rules match on addresses alone, with no protocol or port numbers, are accepted by the nat (interface) 0 access-list command.

Workaround: Use an access list whose rules contain no protocol or port numbers.
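The rejected and the accepted form side by side. This is an added example, not configuration from the original release note; the access-list names, networks and port are constructed for illustration.

```text
! Added example; names and addresses are constructed.

! Rejected on FWSM 1.1: the rule names a protocol (tcp) and a port (80).
fwsm(config)# access-list NONAT-BAD permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
fwsm(config)# nat (inside) 0 access-list NONAT-BAD
! -> rejected with an error; no NAT exemption is installed

! Accepted: the exemption matches on source and destination addresses only.
fwsm(config)# access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
fwsm(config)# nat (inside) 0 access-list NONAT

! Port-level control belongs in the interface access list, which is
! evaluated independently of the NAT exemption.
fwsm(config)# access-list INSIDE-IN permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
fwsm(config)# access-group INSIDE-IN in interface inside
```

Two things to check when converting a PIX configuration this way. Because of CSCdy59930 above, do not also configure a regular nat statement on the same interface in this release. And a permit ip exemption covers every port between the two networks, which is wider than the tcp/eq 80 rule a PIX administrator may have written; on PIX the port was ignored anyway, so the translation behavior is unchanged, but confirm the interface access lists still restrict what is actually reachable.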

CSCdx81768

The FWSM does not report the most-used (peak) connection count, and the SNMP agent does not report it through the Firewall MIB either. The show connection count command displays only the current number of connections, not the peak.

Workaround: None.

CSCdx80521

New connections through the FWSM are not allowed, although existing connections continue to pass. When a TCP syslog server is unreachable, the module blocks new connections by design. However, once connectivity to the TCP syslog server is restored, new connections still do not pass.

Workaround: Enter the no logging on command; new connections through the FWSM resume. Then remove the configuration for the failed syslog server and re-enable logging.
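The recovery sequence as a CLI session. This is an added illustration, not text from the release note; the interface name, syslog server address and TCP port are assumed, and the logging host syntax is the FWSM 1.1 / PIX 6.x form (logging host interface address protocol/port).

```text
! Added example; interface, address and port are constructed.

! Confirm the state: logging is on and a TCP syslog host is configured.
fwsm# show logging

! 1. Turn logging off. New connections through the module resume here.
fwsm(config)# no logging on

! 2. Remove the syslog host that became unreachable.
fwsm(config)# no logging host inside 10.1.1.5 tcp/1470

! 3. Re-enable logging, then add the host back once it is reachable.
fwsm(config)# logging on
fwsm(config)# logging host inside 10.1.1.5 tcp/1470
fwsm(config)# write memory
```

The fail-closed behavior is deliberate: with TCP syslog the module refuses new connections rather than pass traffic it cannot log. That puts the log collector on the availability path, and with this caveat the outage outlives the collector. Where uptime matters more than guaranteed log delivery, configure the host with udp/514 instead; UDP syslog never blocks connections, at the cost of silently dropped messages when the collector is down.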

CSCdx30448

UDP connections are not counted when calculating the maximum connections configured for the static command. The connection count and connection count limit in the static command are for TCP connections only.

Workaround: None.

CSCdx30230

The new-connection and maximum-connection limits specified with the nat command are not applied to outbound connections. These limits apply only to inbound connections, even when they are specified on the nat command.

Workaround: None. This is the expected behavior.

CSCdx20282

The url-server command does not default to the inside interface, because the inside interface is optional on the FWSM.

Workaround: Specify the interface explicitly when entering the url-server command.

CSCdx19165

Debug output shows at the Telnet prompt before a user logs in.

Workaround: None.

CSCdx14768

The clear nameif command is not supported and displays an error message.

Workaround: Use the no nameif command. Refer to caveat CSCdx14699.

CSCdx14699

You cannot change the interface name once it is assigned using a nameif command. Trying to change the name of the interface using the nameif command results in an error message.

Workaround: Remove the interface with the no nameif command, and then create it again with the new name. All configuration parameters tied to the interface are lost when you enter no nameif, so reapply them afterward. (Refer to caveat CSCdx14768.)
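The rename procedure end to end, covering both CSCdx14768 and CSCdx14699, as an added example rather than text from the release note. The VLAN number, interface names, security level and address are assumptions, as is the argument given to no nameif; the nameif form shown (nameif vlan_id name securityN) is the FWSM 1.1 syntax.

```text
! Added example; VLAN, names and addresses are constructed.

! Record what references the old name: everything tied to the interface
! is lost with "no nameif" and has to be re-entered.
fwsm# show running-config

! Remove the interface under its old name (here "servers"), then
! recreate the same VLAN under the new name and security level.
fwsm(config)# no nameif vlan50
fwsm(config)# nameif vlan50 dmz security50

! Re-apply the configuration that was tied to the interface.
fwsm(config)# ip address dmz 192.168.50.1 255.255.255.0
fwsm(config)# access-group DMZ-IN in interface dmz
fwsm(config)# write memory
```

After the rename, compare the running configuration against the copy taken before it: the ip address, access-group, nat and static lines for the interface are the ones that disappear rather than fail, so a missing access-group leaves the new interface without the filtering it had under the old name.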

Resolved Caveats in Release 1.1(1)


Note For a description of caveats open in FWSM software release 1.1(1), see the "Open Caveats in Release 1.1(1)" section.


There are no resolved caveats in FWSM software release 1.1(1).

Documentation Updates

This section contains update information for the Firewall Services Module (FWSM) software releases 1.1(1), 1.1(2), 1.1(3), and 1.1(4).

CSCef03274

System messages 109009 and 109014 documented in the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Guide are not applicable to the FWSM. These system messages are as follows:

Error Message    %FWSM-6-109009: Authorization denied from laddr/lport to faddr/fport (not authenticated) on interface int_name.

Explanation    This message indicates that the module is configured for AAA, and you attempted to make a TCP connection across the module without prior authentication.

Recommended Action    None.

Error Message    %FWSM-7-109014: uauth_lookup_net fail for uauth_in()

Explanation    A request to authenticate did not have a corresponding request for authorization.

Recommended Action    Ensure that both the AAA authentication and AAA authorization command statements are provided in the configuration.

CSCef02523

System messages 610001 and 610002 are invalid and should be removed from the documentation.

Error Message    %FWSM-3-610001: NTP daemon interface int_name: Packet denied from IP_addr

Explanation    An NTP packet was received from a host that does not match one of the configured NTP servers. The module is an NTP client only; it is not a time server and does not respond to NTP requests.

Recommended Action    None.

Error Message    %FWSM-3-610002: NTP daemon interface int_name: Authentication failed for packet from IP_addr

Explanation    The received NTP packet failed the authentication check.

Recommended Action    Ensure that both the module and the NTP server are set to use authentication and have the same key number and value.

Workaround: None.

CSCee92564

The following system log message is not applicable to the FWSM 1.1(3) image.

Error Message    %FWSM-1-106022: Deny protocol connection spoof from src_addr to dest_addr on interface int_name

Explanation    This message indicates that a connection exists, and a packet matching the connection arrives on a different interface from the interface on which the connection began. For example, if you start a connection on the internal interface, but the module detects the same connection arriving on a perimeter interface, then either the module has more than one path to a destination, which is known as asymmetric routing and is not supported on the module, or an attacker is attempting to append packets from one connection to another as a way to break into the module. In either case, the module displays this message and drops the connection.

Recommended Action    This message indicates that the ip verify reverse-path command is not configured. Check to ensure that routing is not asymmetric.

CSCee34893

The FWSM 1.1(x) documentation incorrectly states the following:

You cannot establish IPSec tunnels across the firewall; any tunnel initiated by a VPN client on another switch should terminate at the Firewall Services Module.

IPSec tunnels can be established through the FWSM. Tunnels cannot terminate on the FWSM except for management traffic destined to the FWSM itself. A VPN tunnel from a VPN client to a VPN server on the far side of the FWSM is permitted if you configure the FWSM to pass the VPN traffic (ISAKMP on UDP port 500, ESP, and UDP port 4500 where NAT traversal is in use).

Related Documentation

For more detailed installation and configuration information, refer to the following publications:

For additional information about the Catalyst 6500 and Cisco 7600 Series Firewall Services Module, refer to the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Guide.

For additional information about Catalyst 6500 series switches and command-line interface (CLI) commands, refer to the following:

Site Preparation and Safety Guide

Regulatory Compliance and Safety Information for the Catalyst 6500 Series and Cisco 7600 series Switches

Catalyst 6500 Series Switch Installation Guide

Catalyst 6500 Series Switch Quick Software Configuration Guide

Catalyst 6500 Series Switch Module Installation Guide

Catalyst 6500 Series Switch Software Configuration Guide

Catalyst 6500 Series Switch Command Reference

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide

Catalyst 6500 Series Switch Cisco IOS Command Reference

ATM Software Configuration and Command Reference: Catalyst 5000 Family and Catalyst 6500 Series Switches

System Message Guide—Catalyst 6500 Series, 5000 Family, 4000 Family, 2926G Series, 2948G, and 2980G Switches

For information about MIBs, refer to this URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Release Notes for Catalyst 6500 Series Switches and Cisco 7600 router for Cisco IOS Release 12.1(13)E

For detailed hardware configuration and maintenance procedures, refer to the Catalyst 6500 Series Switch Module Installation Guide.

The following documents are available for the Catalyst 6500 family switches running Catalyst operating system software:

Release Notes for Catalyst 6000 Family Software Release 7.x

Catalyst 6500 Series Switch Documentation Map

Catalyst 6500 Series Switch Configuration Guide (7.5)

Catalyst 6500 Series Switch Command Reference (7.5)

System Message Guide—Catalyst 6500 Series Switches (7.5)

For additional information about the PIX software, refer to the following:

Cisco PIX Firewall Release Notes Version 6.1(1)

Cisco PIX Device Manager Installation Guide, Version 2.1

Cisco PIX 501 Firewall Quick Start Guide

Cisco PIX Firewall Hardware Installation Guide

Cisco PIX Device Manager Installation Guide

Cisco PIX Firewall and VPN Configuration Guide

Cisco PIX Firewall Command Reference

Cisco PIX Firewall System Log Messages

Cisco IOS Software Documentation Set

Cisco IOS Configuration Guides and Command References—Use these publications to help you configure the Cisco IOS software that runs on the MSFC and on the MSM and ATM modules.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.