Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, 4.1(x)


Table of Contents

Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 4.1(x)

Important Notes

New Features

New Features in Release 4.1(6)

New Features in Release 4.1(1)

Chassis System Requirements

Catalyst 6500 Series Minimum Requirements

Cisco 7600 Series Minimum Requirements

Management Support

Software License Information

Limitations and Restrictions

Open Caveats

Resolved Caveats

Resolved Caveats in Release 4.1(15)

Resolved Caveats in Release 4.1(14)

Resolved Caveats in Release 4.1(13)

Resolved Caveats in Release 4.1(12)

Resolved Caveats in Release 4.1(11)

Resolved Caveats in Release 4.1(10)

Resolved Caveats in Release 4.1(9)

Resolved Caveats in Release 4.1(8)

Resolved Caveats in Release 4.1(7)

Resolved Caveats in Release 4.1(6)

Resolved Caveats in Release 4.1(5)

Resolved Caveats in Release 4.1(4)

Resolved Caveats in Release 4.1(3)

Resolved Caveats in Release 4.1(2)

Resolved Caveats in Release 4.1(1)

Related Documentation

Hardware Documents

Software Documents

Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 4.1(x)

March 2014

This document contains release information for FWSM Release 4.1(1) through 4.1(15).

This document includes the following sections:

Important Notes

  • For traffic that passes through the control-plane path, such as packets that require Layer 7 inspection or management traffic, the FWSM sets the maximum number of out-of-order packets that can be queued for a TCP connection to 2 packets, which is not user-configurable. Other TCP normalization features that are supported on the PIX and ASA platforms are not enabled for FWSM.
  • You can disable the limited TCP normalization support for FWSM using the no control-point tcp-normalizer command.
  • When you log in to the system execution space from the switch in multiple context mode, a feature introduced in FWSM Release 3.2 lets you authenticate against a AAA server or the local database. Previously, the only available method was the login password defined in the system configuration. The new authentication method is enabled by the aaa authentication telnet console command in the admin context. If you upgrade to Release 3.2 or later and already have this command in the admin context configuration, authentication for the system execution space is enabled using the specified server or local database, even if you did not intend to enable it. To use the login password instead, remove the aaa authentication telnet console command from the admin context.
  • Do not configure both the timeout uauth 0 command and the aaa authentication clear-conn command; if you do so, you cannot open any connections through the FWSM because the connection immediately closes when AAA succeeds. This happens every time you try to open a connection (because the FWSM is not caching uauth entries).
  • In 3.x, when you used the set connection command for an access list (match access-list), connection settings were applied to each individual ACE; in 4.0 and later, they are applied to the access list as a whole.

New Features

This section includes the new features for FWSM releases.


Note There are no new features in FWSM Releases 4.1(2) through 4.1(5) nor in Releases 4.1(7) through 4.1(10).


New Features in Release 4.1(6)

Table 1 lists the new feature for FWSM Release 4.1(6).

 

Table 1 New Feature for FWSM Release 4.1(6)

Feature: Increased SNMP packet size
Description: The maximum SNMP response size is increased to 1400 bytes, which makes it easier to poll multiple OIDs in a single query. Earlier FWSM releases limited SNMP responses to 484 bytes.

New Features in Release 4.1(1)

Table 2 lists the new features for ASDM Versions 6.2(1)F through 6.2(3)F. These features were introduced in Version 6.2(1)F. There are no new features for Version 6.2(2)F and 6.2(3)F. All features apply to FWSM Version 4.1(1), as well.

 

Table 2 New Features for FWSM Version 4.1(1)

Feature
Description
Platform Features

Separate hostnames for primary and secondary blades

This feature lets you configure a separate hostname on the primary and secondary FWSMs. If the secondary hostname is not configured, the primary and secondary hostnames are the same.

We modified the following screen: Configuration > Device Setup > Device Name/Password .

Firewall Features

Creation of UDP sessions with unresolved ARP in the accelerated path

If you configure the FWSM to create the session in the accelerated path even though the ARP lookup fails, then it will drop all further packets to the destination IP address until the ARP lookup succeeds. Without this feature, each subsequent UDP packet goes through the session management path before being dropped by the accelerated path, causing potential overload of the session management path.

We modified the following screen: Configuration > Firewall > Advanced > TCP Options .

DCERPC Enhancement: Remote Create Instance message support

In this release, DCERPC Inspection was enhanced to support inspection of RemoteCreateInstance RPC messages.

No screens were modified.

Reset Connection marked for Deletion

You can now disable the sending of a reset (RST) packet for a connection marked for deletion. Starting in this release, reset packets are not sent by default. You can restore the previous behavior, so that when the FWSM receives a SYN packet on the same 5-tuple (source IP and port, destination IP and port, protocol) which was marked for deletion, it will send a reset packet.

We modified the following screen: Configuration > Firewall > Advanced > TCP Options .

PPTP-GRE Timeout

You can now set the timeout for GRE connections that are built as a result of PPTP inspection.

We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts .

IPv6 support in ASDM

ASDM now supports configuration of IPv6.

Management Features

Turning on/off names in Syslog messages

This feature enables users to choose whether or not to apply name translation while generating syslogs to the console, syslog server, and FTP syslog server.

We modified the following screen: Configuration > Logging > Logging Setup .

Shared Management Interface in Transparent Mode

You can now add a management VLAN that is not part of any bridge group. This VLAN is especially useful in multiple context mode where you can share a single management VLAN across multiple contexts.

We modified the following screen: Configuration > Interfaces > Add/Edit Interface .

Teardown Syslog Enhancement

New syslogs were added for when a connection is torn down.

We introduced the following syslog messages: 302030 through 302033.

SNMP Buffer enhancement

With this enhancement, SNMP requests will be handled more efficiently, so that the allocated blocks for SNMP are freed up quickly, thus leaving enough blocks for other processes.

No screens were modified.

Troubleshooting Features

Crashinfo enhancement

The crashinfo enhancement improves the reliability of generating crash information.

No screens were modified.

Packet Capture Wizard

The FWSM uses the Packet Capture Wizard to implement a packet sniffer on the FWSM. Cisco TAC might request captures from you to troubleshoot a problem. You can download these captures in PCAP format for further analysis in tools such as tcpdump or Ethereal (now Wireshark).

We modified the following screen: Wizards > Packet Capture Wizard > Capture Wizard .

Upgrading or Downgrading the Software

This section describes how to upgrade to the latest version, and includes the following topics:


Note For CLI procedures, see the ASA release notes.


Viewing Your Current Version

The software version appears on the ASDM home page; view the home page to verify the software version of your FWSM.

Upgrading from 2.x or 3.x

Starting in Release 4.0(1), many commands are migrated to new commands (for example, the http-map commands are converted to policy-map type inspect http commands).

If you upgrade from 2.x or 3.x, the configuration is converted. This converted configuration is not saved to memory until you save the configuration by clicking Save at the top of the window.

If you try to downgrade to 2.x or 3.x using a converted configuration, many commands will be rejected. Moreover, if you add access lists to the 4.x configuration to take advantage of larger access list memory space, then downgrading could result in an inability to load all the new access lists.

If you want to downgrade, be sure to copy a saved 2.x or 3.x configuration to the starting configuration before you reload with the 2.x or 3.x image.

Upgrading the Operating System and ASDM Images

This section describes how to install the ASDM and operating system (OS) images to the current application partition .


Note If the FWSM is running Version 4.0 or later, then you can upgrade to the latest version of ASDM (and disconnect and reconnect to start running it) before upgrading the OS.

If the FWSM is running a version earlier than 4.0, then use the already installed version of ASDM to upgrade both the OS and ASDM to the latest versions, and then reload.


To install and start using the new images, perform the following steps:

Detailed Steps


Step 1 From the Tools menu, choose Tools > Upgrade Software from Cisco.com .

In multiple context mode, access this menu from the System. For 6.2F, this menu item is located under Tools > Software Updates.

The Upgrade Software from Cisco.com Wizard appears.


Note If you are running ASDM Version 5.2 or lower, then the Upgrade Software from Cisco.com Wizard is not available. You can download the software from the following URL:

http://www.cisco.com/cisco/software/type.html?mdfid=277413409&flowid=246

Then use Tools > Upgrade Software.


Step 2 Click Next .

The Authentication screen appears.

Step 3 Enter your Cisco.com username and password, and click Next .

The Image Selection screen appears.

Step 4 Check the Upgrade the FWSM version check box and the Upgrade the ASDM version check box to specify the most current images to which you want to upgrade, and click Next .

The Selected Images screen appears.

Step 5 Verify that the image file you have selected is the correct one, and then click Next to start the upgrade.

The wizard indicates that the upgrade will take a few minutes. You can then view the status of the upgrade as it progresses.

The Results screen appears. This screen provides additional details, such as whether the upgrade failed or whether you want to save the configuration and reload the FWSM.

If you upgraded the FWSM version and the upgrade succeeded, an option to save the configuration and reload the FWSM appears.

Step 6 Click Yes .

For the upgrade versions to take effect, you must save the configuration, reload the FWSM, and restart ASDM.

Step 7 Click Finish to exit the wizard when the upgrade is finished.


 

Downgrading From 4.1

This section describes how to downgrade from 4.1, and includes the following topics:

Important Notes

If you configure the shared management VLAN feature that was introduced in 4.1(1), this feature is not supported when you downgrade to a pre-4.1(1) release.

See the following issues when you use this feature, and then downgrade:

  • The interface configuration for the shared VLAN is accepted in the first context configuration in which it appears, but is rejected in subsequent transparent mode contexts.
  • For these subsequent contexts, if the startup-config has the management VLAN configuration defined directly after another VLAN configuration for through traffic, then the name and security level associated with the (rejected) shared management VLAN is erroneously applied to the immediately preceding VLAN.

Workaround : Remove the interface configuration for the shared VLAN from all contexts before you downgrade.

For example, you have the following configuration in 4.1:

interface Vlan100
nameif outside
bridge-group 5
security-level 0
 
interface Vlan101
nameif dmz
security-level 100
management-only
ip address 10.90.90.4 255.255.255.0 standby 10.90.90.5
 

After downgrading, the shared management interface vlan101 command is rejected if it was already used in another context; so the nameif dmz and security-level 100 commands are applied to VLAN 100, overwriting the original nameif and security-level commands. (The VLAN 101 management-only and ip address commands are rejected because they are not allowed for the interface vlan command pre-4.1). The resulting VLAN 100 configuration is the following:

interface Vlan100
nameif dmz
bridge-group 5
security-level 100
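The misapplication shown above can be predicted from the saved context configurations before you reload with the old image. The following Python script is an added example and not part of the Cisco release notes: it applies the rules stated above (the shared VLAN is accepted in the first context that defines it, rejected in later transparent mode contexts, and a rejected block's nameif and security-level land on the immediately preceding interface block while management-only and ip address are dropped) to each context in load order. The context names, VLAN numbers and addresses in SAMPLE_CONTEXTS are constructed; the script assumes you pass the contexts in the order in which the system loads them.

```python
"""Predict what a pre-4.1(1) image does with 4.1(1) shared management VLANs.

Added example, not Cisco code. It applies the rules from the release note to
each transparent-mode context, in load order, and reports every VLAN whose
nameif and security-level would be clobbered. Sample configs are constructed.
"""
import re
from dataclasses import dataclass, field

_IFACE_RE = re.compile(r"^interface\s+Vlan(\d+)$", re.IGNORECASE)


@dataclass
class Interface:
    vlan: int
    commands: list = field(default_factory=list)  # sub-commands in config order


def parse_interfaces(context_config):
    """Split a context config into its 'interface VlanN' blocks, in order.
    A block ends at the next interface line or a blank line; other top-level
    commands are ignored for this check."""
    blocks, current = [], None
    for raw in context_config.splitlines():
        line = raw.strip()
        m = _IFACE_RE.match(line)
        if m:
            current = Interface(int(m.group(1)))
            blocks.append(current)
        elif not line or line == "!":
            current = None
        elif current is not None:
            current.commands.append(line)
    return blocks


def is_shared_mgmt(iface):
    """A 4.1(1) shared management VLAN: management-only and in no bridge group."""
    return ("management-only" in iface.commands
            and not any(c.startswith("bridge-group ") for c in iface.commands))


def predict_downgrade(contexts):
    """One finding per context whose shared VLAN the old parser would reject.

    Rules from the note: the shared VLAN is accepted in the first context that
    defines it and rejected in later contexts; for a rejected block, nameif and
    security-level are applied to the immediately preceding interface block,
    while management-only and ip address are simply dropped.
    """
    first_owner, findings = {}, []
    for ctx, cfg in contexts.items():
        ifaces = parse_interfaces(cfg)
        for idx, iface in enumerate(ifaces):
            if not is_shared_mgmt(iface):
                continue
            if iface.vlan not in first_owner:
                first_owner[iface.vlan] = ctx
                continue
            finding = {"context": ctx, "rejected_vlan": iface.vlan,
                       "accepted_in": first_owner[iface.vlan],
                       "victim_vlan": None, "resulting_victim": None}
            leaked = [c for c in iface.commands
                      if c.startswith(("nameif ", "security-level "))]
            if idx > 0 and leaked:
                victim = ifaces[idx - 1]
                merged = list(victim.commands)
                for cmd in leaked:          # overwrite the same keyword in place
                    key = cmd.split()[0]
                    pos = next((i for i, c in enumerate(merged)
                                if c.split()[0] == key), None)
                    if pos is None:
                        merged.append(cmd)
                    else:
                        merged[pos] = cmd
                finding["victim_vlan"] = victim.vlan
                finding["resulting_victim"] = merged
            findings.append(finding)
    return findings


# Constructed sample: two transparent-mode contexts sharing management VLAN 101.
SAMPLE_CONTEXTS = {
    "ctxA": """\
interface Vlan100
nameif outside
bridge-group 5
security-level 0

interface Vlan101
nameif dmz
security-level 100
management-only
ip address 10.90.90.4 255.255.255.0 standby 10.90.90.5
""",
    "ctxB": """\
interface Vlan300
nameif outside
bridge-group 1
security-level 0

interface Vlan101
nameif mgmt
security-level 100
management-only
ip address 10.90.91.4 255.255.255.0 standby 10.90.91.5
""",
}

if __name__ == "__main__":
    for f in predict_downgrade(SAMPLE_CONTEXTS):
        print(f"{f['context']}: Vlan{f['rejected_vlan']} rejected (accepted in "
              f"{f['accepted_in']}); Vlan{f['victim_vlan']} becomes {f['resulting_victim']}")
```

Feed it the startup-config of every context, in load order, before the downgrade. Any finding means that context still carries a shared management VLAN that must be removed first; an empty result for the whole set means the pre-4.1(1) image will accept each interface block as written.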
 

Downgrading

This section describes how to downgrade the ASDM and operating system (OS) images to the current application partition.

To install and start using the old images, perform the following steps:

Detailed Steps


Step 1 If you have a Cisco.com login, you can obtain the old OS and ASDM images from the following website:

http://www.cisco.com/cisco/software/type.html?mdfid=277413409&flowid=246

Step 2 If you configured shared management VLANs for transparent mode contexts, see the “Important Notes” section to remove the configuration for each context.

Step 3 From the Tools menu, choose Tools > Software Updates > Upgrade Software from Local Computer .

The Upgrade Software from Local Computer dialog box appears.

Step 4 (Optional) To downgrade ASDM, from the Image to Upload drop-down list, choose ASDM .

ASDM Version 6.2F is backwards compatible with previous versions, so you do not need to downgrade ASDM.

Step 5 Enter the local path to the file on your PC or click Browse Local Files to find the file on your PC.

Step 6 Click Upload Image . The uploading process might take a few minutes; make sure you wait until it is finished.

Step 7 To downgrade your FWSM image, repeat Step 3 through Step 6, except choose FWSM from the Image to Upload drop-down list.

Step 8 You are prompted to reload. Click OK .


 

Chassis System Requirements

You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in these release notes as the “switch.” The switch includes a switch (the supervisor engine) as well as a router (the MSFC 2).

The switch supports Cisco IOS software on both the switch supervisor engine and the integrated MSFC router.


Note The Catalyst operating system software is not supported.

The FWSM does not support a direct connection to a switch WAN port because WAN ports do not use static VLANs. However, the WAN port can connect to the MSFC, which can connect to the FWSM.


The FWSM runs its own operating system.


Note Because the FWSM runs its own operating system, upgrading the Cisco IOS software does not affect the operation of the FWSM.


This section includes the following topics:

Catalyst 6500 Series Minimum Requirements

The following versions are the minimum required versions. Versions higher than those listed are also supported. Table 3 shows the supervisor engine version and software.

 

Table 3 Support for FWSM 4.1 on the Catalyst 6500

Cisco IOS Software Release   Supervisor Engines (1)   PISA Integration   Route Health Injection   Virtual Switching System
15.1(1)SY and higher         720-10GE                 No                 Yes                      Yes
15.1(1)SY and higher         720                      No                 Yes                      No
15.1(1)SY and higher         SUP2T                    No                 Yes                      Yes
15.0(1)SY and higher         720-10GE                 No                 No                       No
15.0(1)SY and higher         720                      No                 No                       No
15.0(1)SY and higher         SUP2T                    No                 Yes                      Yes
12.2(33)SXJ and higher       720-10GE                 No                 Yes                      Yes
12.2(33)SXJ and higher       720                      No                 Yes                      No
12.2(33)SXJ and higher       32                       No                 No                       No
12.2(18)SXF and higher       720, 32                  No                 No                       No
12.2(18)SXF and higher       2, 720, 32               No                 No                       No
12.2(33)SXI and higher       720-10GE                 No                 Yes                      Yes
12.2(33)SXI and higher       720, 32                  No                 Yes                      No
12.2(18)ZYA                  32-PISA                  Yes                No                       No

Cisco IOS Software Modularity Release
12.2(18)SXF4                 720, 32                  No                 No                       No

(1) The FWSM does not support the Supervisor 1 or 1A.

Cisco 7600 Series Minimum Requirements

The following versions are the minimum required versions. Versions higher than those listed are also supported. Table 4 shows the supervisor engine version and software.

 

Table 4 Support for FWSM 4.1 on the Cisco 7600

Cisco IOS Software Release   Supervisor Engines (2)   PISA Integration   Route Health Injection   Virtual Switching System
12.2(33)SRD6                 720-3C-1GE               No                 No                       No
12.2(33)SRA                  720, 32                  No                 No                       No
12.2(33)SRB                  720, 32                  No                 No                       No
12.2(33)SRC                  720, 32, 720-1GE         No                 No                       No
12.2(33)SRD                  720, 32, 720-1GE         No                 No                       No
12.2(33)SRE                  720, 32, 720-1GE         No                 No                       No
12.2(33)SRE2                 720-3C-1GE               No                 No                       No

(2) The FWSM does not support the Supervisor 1 or 1A.

Management Support

The FWSM supports the following management methods:

  • Cisco ASDM—Software Release 6.2F supports FWSM software Release 4.1 features. ASDM is a browser-based configuration tool that resides on the FWSM. The system administrator can configure multiple security contexts. If desired, individual context administrators can configure only their contexts.
  • Command-line interface (CLI)—Access the CLI by sessioning from the switch or by connecting to the FWSM over the network using Telnet or SSH. The FWSM does not have its own external console port.

Software License Information

The FWSM supports the following licensed features:

  • Multiple security contexts. The FWSM supports two virtual contexts plus one admin context, for a total of three security contexts, without a license. For more than three contexts, obtain a 20-, 50-, 100-, or 250-context license.

  • BGP stub support.
  • GTP/GPRS support.

Limitations and Restrictions


Note These limitations and restrictions also exist in FWSM 3.x.


See the following limitations and restrictions on the FWSM:

  • The following features are not supported when you use TCP state bypass:

Application inspection—Application inspection requires both inbound and outbound traffic to go through the same FWSM, so application inspection is not supported with TCP state bypass.

AAA authenticated sessions—When a user authenticates with one FWSM, traffic returning via the other FWSM will be denied because the user did not authenticate with that FWSM.

  • Multiple context mode does not support dynamic routing protocols other than BGP stub mode: security contexts support only static routes or BGP stub mode, and you cannot enable OSPF or RIP in multiple context mode.
  • Transparent firewall mode supports a maximum of eight interface pairs per context; however, when multiple bridge-group interfaces exist in a single context, inspection may not work properly. We recommend that you create a separate context for traffic that requires inspection.
  • For transparent firewall mode, you must configure a management IP address per interface pair.
  • The outbound connections (from a higher security interface to a lower security interface) from an interface that is shared between the contexts can only be classified and directed through the correct context if you configure a static translation for the destination IP address. This limitation makes cascading contexts unsupported, because configuring the static translations for all the outside hosts is not feasible.
  • When a large number of VLANs are configured to receive multicast streams, multicast traffic can be received on and forwarded from the first 100 VLANs configured on the FWSM, but VLANS beyond the first 100 might not forward multicast traffic.
  • The CPU-intensive commands, such as copy running-config startup-config (the same as the write memory command), might affect system performance, including reducing the successful rate of inspection and AAA connections. When a CPU-intensive action completes, the FWSM might produce a burst of traffic to catch up. If you limit the resource rates for a context, the burst might unexpectedly reach the maximum rate. We recommend using these commands during low traffic periods. Other CPU-intensive actions include the show arp command, polling the FWSM with SNMP, loading a large configuration, and compiling a large access list.
  • Do not configure both the timeout uauth 0 command and the aaa authentication clear-conn command; if you do so, you cannot open any connections through the FWSM because the connection immediately closes when AAA succeeds. This happens every time you try to open a connection (because the FWSM is not caching uauth entries).
  • During URL filtering at high rates, the HTTP connection to the server through the FWSM might not complete correctly in some scenarios with the TCP normalizer enabled and URL filtering enabled. To solve this issue, enter the url-block block 16 command in multiple mode or the url-block block 128 command in single mode. (CSCsj00658)
  • SIP application inspection matches regular expressions specified in the message-path only against the first VIA: SIP header, not against the second or later instances of that header. Verify that matching against the first VIA: header is sufficient for your purpose. (CSCso69892)
  • SIP calls with a SIP URI longer than 256 characters are dropped by the FWSM. Configure the SIP user agent to place calls with SIP URIs shorter than 256 characters. (CSCsm37291)
  • If the FWSM uses EIGRP, and receives multiple equal-cost routes to the same destination, it installs all of them in the EIGRP topology table. But the FWSM fails to install all the equal-cost routes into the routing table. (CSCso98423)
  • The ENTITY-MIB is not available in the non-admin context. Use the IF-MIB for queries in the non-admin context.

Open Caveats

The caveats listed in Table 5 are open in the latest maintenance release.

If you are running an older release, and you need to determine the open caveats for your release, then add the caveats in this section to the resolved caveats from later releases. For example, if you are running Release 4.1(1), then you need to add the caveats in this section to the resolved caveats from 4.1(2) and above to determine the complete list of open caveats.

If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

 

Table 5 Open Caveats

Caveat        Description
CSCtc19367    Discrepancy between max xlate count and show global usage most used cnt
CSCte02131    show xlate count and show global usage on standby do not match
CSCte08789    FWSM generates corrupted crashinfo file
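The bookkeeping described above (the open list for an older release is the open list of the latest release plus everything resolved in every later release) is easy to get wrong by hand across fifteen maintenance releases. The following Python script is an added example and not part of the Cisco release notes. The caveat IDs are copied from Tables 5, 6 and 7 of this document, so only releases 4.1(13) and later are covered as written; for an earlier running release, add the remaining resolved-caveat tables to RESOLVED_BY_RELEASE.

```python
"""Open-caveat list for an arbitrary FWSM 4.1(x) maintenance release.

Added example, not Cisco code. Caveat IDs are copied from Tables 5, 6 and 7 of
the release notes; add the remaining tables to RESOLVED_BY_RELEASE for
releases earlier than 4.1(13).
"""
import re

# Table 5: open in the latest maintenance release, 4.1(15).
OPEN_IN_LATEST = {
    "CSCtc19367": "Discrepancy between max xlate count and show global usage most used cnt",
    "CSCte02131": "show xlate count and show global usage on standby do not match",
    "CSCte08789": "FWSM generates corrupted crashinfo file",
}

# Tables 6 and 7: resolved per maintenance release.
RESOLVED_BY_RELEASE = {
    "4.1(15)": {
        "CSCuj16824": "FWSM with cut-through proxy crashes in thread tacplus_get",
        "CSCuj21240": "FWSM assertion and reload due to TACACS authentication",
    },
    "4.1(14)": {
        "CSCsr17262": "Inconsistent information on 'clear local host-all' in parser and document",
        "CSCtg67303": "'show logging' in system context causes vPif_isVpifNumValid message",
        "CSCug32986": "'show np3 acl tree-dump' showing incorrect values, at times all zero",
        "CSCug36501": "Change of acl-partition of context cause denial of ICMP traffic to FWSM",
        "CSCuh86018": "After failover, skinnyv17 messages decoded as skinnyv0",
    },
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")


def parse_version(version):
    """'4.1(12)' -> (4, 1, 12), so releases compare numerically, not as strings
    (as strings, '4.1(9)' would sort after '4.1(15)')."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised FWSM version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def open_caveats_for(version, open_in_latest=OPEN_IN_LATEST,
                     resolved_by_release=RESOLVED_BY_RELEASE):
    """Caveats open in `version`: open in the latest release plus everything
    resolved in any release newer than `version`.

    Refuses versions newer than the newest table, because the latest release's
    open list is the only baseline the notes provide.
    """
    running = parse_version(version)
    latest = max(parse_version(v) for v in resolved_by_release)
    if running > latest:
        raise ValueError(f"{version} is newer than the newest release in the table")
    result = dict(open_in_latest)
    for release, caveats in resolved_by_release.items():
        if parse_version(release) > running:
            result.update(caveats)
    return result


if __name__ == "__main__":
    for release in ("4.1(15)", "4.1(14)", "4.1(13)"):
        ids = sorted(open_caveats_for(release))
        print(f"{release}: {len(ids)} open -> {', '.join(ids)}")
```

Versions are compared as integer tuples rather than strings so that 4.1(9) correctly sorts before 4.1(15); a string comparison would silently drop the 4.1(10) through 4.1(15) fixes from the open list of a 4.1(9) system.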

Resolved Caveats

This section contains resolved caveats in each maintenance release and includes the following topics:

Resolved Caveats in Release 4.1(15)

The following caveats were resolved in Release 4.1(15) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

 

Table 6 Resolved Caveats in FWSM Release 4.1(15)

Caveat        Description
CSCuj16824    FWSM with cut-through proxy crashes in thread tacplus_get.
CSCuj21240    FWSM assertion and reload due to TACACS authentication.

Resolved Caveats in Release 4.1(14)

The following caveats were resolved in Release 4.1(14) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

 

Table 7 Resolved Caveats in FWSM Release 4.1(14)

Caveat        Description
CSCsr17262    Inconsistent information on 'clear local host-all' in parser and document.
CSCtg67303    'show logging' in system context causes vPif_isVpifNumValid message.
CSCug32986    'show np3 acl tree-dump' showing incorrect values, at times all zero.
CSCug36501    Change of acl-partition of context causes denial of ICMP traffic to FWSM.
CSCuh86018    FWSM: After failover, skinnyv17 messages decoded as skinnyv0.

Resolved Caveats in Release 4.1(13)

The following caveats were resolved in Release 4.1(13) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

 

Table 8 Resolved Caveats in FWSM Release 4.1(13)

Caveat        Description
CSCue65757    FWSM: Additional inspect statements in standby on certain procedure.
CSCue65785    vPif_isVpifNumValid:pifNum out of range! message in the show conn output.
CSCuf47624    FWSM Traceback in d2_receive_thread.

Resolved Caveats in Release 4.1(12)

The following caveats were resolved in Release 4.1(12) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

 

Table 9 Resolved Caveats in FWSM Release 4.1(12)

Caveat        Description
CSCub52268    FWSM: Auth proxy, when user logs out Authen In Progress increments.
CSCuc82649    VSS/FWSM - failover - multicast commands not being config synced.
CSCuc96578    FWSM: Conn-max limit enforced incorrectly when conn-rate-limit defined.
CSCud16814    Traceback in IPv6 ND Thread.
CSCue39138    FWSM crashes after configuring the nameif command.
CSCue45879    FWSM drops out of order TCP packets with HTTP inspect and normalizer.

Resolved Caveats in Release 4.1(11)

The following caveats were resolved in Release 4.1(11) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

 

Table 10 Resolved Caveats in FWSM Release 4.1(11)

Caveat        Description
CSCsj16497    FWSM needs to periodically requery TCP syslog hosts that are down.
CSCua43458    FWSM traceback in thread fast_fixup with inspect dcerpc enabled.
CSCua62648    FWSM running 4.1.7 crashes in thread name snp_timer_thread.
CSCub61725    SNMP caused memory leak in FWSM.
CSCuc25948    ASDM: ACL hit count stayed 0 with FWSM.
CSCuc39360    FWSM fails to send EIGRP Replies for more than 13 prefixes.

Resolved Caveats in Release 4.1(10)

The following caveats were resolved in Release 4.1(10) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

  • CSCth78926 —Adding and removing a host-based route using the route-monitor command causes a page fault

Symptom :

When you specified a host-based route (rather than a network-based route) to monitor alternate path routing, then removed the host-based route, FWSM generated a page fault. When configuring a host-based route for route monitoring, FWSM checked its static route table to verify whether any existing routes matched the IP address and mask of the new route. FWSM maintains a list of matching routes in the route monitor table. When FWSM found only one matching entry in the static route table, it set the next route entry to NULL in the route monitor table.

When you removed a route from monitoring, FWSM checked the route monitor table for matching entries without first validating whether the next route entry existed, which caused FWSM to generate a page fault.

Conditions :

1. Use the route-monitor command to specify a host-based route to monitor.

2. Remove the host-based route.

Resolution :

FWSM validates whether the next route entry exists in the route monitor table before attempting to remove the entry.

  • CSCtr94155 —FWSM generates system log message FWSM-7-710005 when processing a snmpwalk request from the SNMP server

Symptom :

FWSM generates message FWSM-7-710005 when it receives an SNMP request with an empty payload. It also generated message FWSM-7-710005 when it received a valid SNMP query (a request with a non-zero length).

Conditions :

The SNMP server sends a snmpwalk request to FWSM.

Resolution :

Before generating message FWSM-7-710005, FWSM now checks whether the length of the SNMP query (in_packet_len) is zero, so the message is generated only for empty requests.

  • CSCtz42093 —FWSM crashes with assertion “0” failed: thread “ssh”, file “malloc.c”, line 3802

Symptom :

FWSM crashed with the following assertion:

assertion “0” failed: thread “ssh”, file “malloc.c”, line 3802

FWSM crashed with this assertion when you deleted an entry in an access list configured with the route-inject command. FWSM crashed because it was clearing routes of the wrong type before it deleted the entry from the access list.

Conditions :

Delete an entry in an access list associated with route injection.

Resolution :

FWSM correctly clears route health injection (RHI) routes associated with the access list entry being deleted.

  • CSCtz75570 —System log message FWSM-3-211001 did not provide enough information

Symptom :

FWSM only displayed the message “Memory allocation Error” for message FWSM-3-211001. Message FWSM-3-211001 is a generic message that FWSM generates when resources are not available for any service. It is common for FWSM to generate this message for all the application inspection modules.

Conditions :

A malicious host tried to establish SIP connections, such that it triggered a memory resource problem for the corresponding application inspection service.

Resolution :

Message FWSM-3-211001 is enhanced to provide the API name of the corresponding service that is experiencing the memory resource problem:

FWSM-3-211001: Memory allocation Error in module module_name.

  • CSCto80642 —FWSM removed static ARP entries after 60 seconds when the network processor was oversubscribed

Symptom :

FWSM encountered problems when the NP was oversubscribed due to traffic to nonexistent IP addresses. Configuring a static ARP entry while the NP was oversubscribed caused FWSM to add the entry to the control plane ARP table and send a request to the NP to update its ARP table; however, FWSM then removed the entry from the ARP table and the running configuration when the 60-second timer expired, as if it were a dynamic entry. This problem affected only the destination host that received the SYN flood.

Conditions :

A static ARP entry is configured while the NP is oversubscribed due to traffic to nonexistent IP addresses.

Resolution :

FWSM no longer automatically removes a static ARP entry when the NP is oversubscribed. Instead, when FWSM creates the dynamic entry, then it checks whether the static entry already exists in the ARP table. If the entry exists, FWSM exits from the process.

  • CSCua67121 —FWSM crashed with the ci/console thread, the console session thread for user input/output

Symptom :

FWSM crashed when sending SIP invite packets at the rate of 35,000 packets per second and simultaneously executing the show sip command to check the SIP sessions. Displaying that many sessions on the console took long enough that the watchdog timer expired and ended the thread, which caused FWSM to crash.

Conditions :

1. Increase the SIP invite timeout to 30 minutes.

2. Send SIP INVITE packets at the rate of 35,000 per second.

3. Simultaneously, execute the show sip command.

Resolution :

FWSM checks the watchdog timer setting when displaying the SIP session data and, if it determines that the timer will expire, FWSM suspends the process.

Resolved Caveats in Release 4.1(9)

The caveats listed in Table 11 were resolved in Release 4.1(9) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Table 11 Resolved Caveats in FWSM Release 4.1(9)

Caveat        Description
CSCei38791    no access-list x ? gives error
CSCts02267    FWSM - Remove “dns” keyword from CLI for static policy NAT
CSCts50980    FWSM not forwarding multicast fragments >8792 bytes
CSCtz37106    IPv6 static route CLI push to fwsm through CSM fails
CSCtu29020    Traceback in Thread Name ssh
CSCtx80666    FWSM 4.1.7 crashes while removing contexts
CSCtx80776    pings are counted for conn-max cumulatively
CSCty24997    warn the usage while configuring set connection tcp timeout
CSCty49940    FWSM np completion-unit disabled after deleting context
CSCtz01442    FWSM parser change: Disallowing DNS Guard with ASR Groups

Resolved Caveats in Release 4.1(8)

The caveats listed in Table 12 were resolved in Release 4.1(8) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Table 12 Resolved Caveats in FWSM Release 4.1(8)

Caveat        Description
CSCtn27129    FWSM crashed in np_cls_download_process when adding Policy NAT ACEs
CSCtq39473    FWSM crashes under thread name EIGRP-IPv4: PDM
CSCtr52678    FWSM cannot set the MSS value on IPV6 packets
CSCtr74381    URL Filtering fails if data appended to HTTP GET header
CSCts38551    Fastpath NP ARP Entries not Timed Out from CP in Transparent Mode
CSCts68298    FWSM: CLI should reject multicast address for next hop IP
CSCtt94371    FWSM tcp syslogging creates many connections when server goes down
CSCtu02674    Enh: DCERPC inspection doesn't support RCI messages for all scenarios
CSCtw45873    Remove asserts in IPv46 API
CSCtw56411    FWSM software traceback on thread name doorbell_poll

Resolved Caveats in Release 4.1(7)

The caveats listed in Table 13 were resolved in Release 4.1(7) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:

http://www.cisco.com/support/

Table 13 Resolved Caveats in FWSM Release 4.1(7)

Caveat        Description
CSCso92808    CUPC fails to transmit port 50001 due to reassembly limit of 8192
CSCtr38044    Memory leak in 0x008881e5
CSCtr60971    Max DHCP Relay Server allowed is 10; FWSM gives error when adding 10th
CSCtr75137    FWSM 4.1 memory leak snmp in binsize 576 pc = 0x00ab40f7

Resolved Caveats in Release 4.1(6)

The caveats listed in Table 14 were resolved in Release 4.1(6) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Table 14 Resolved Caveats in FWSM Release 4.1(6)

Caveat        Description
CSCsk71402    fwsm - cannot add static mac-address-table entry
CSCtb31446    fast path NP Hard assert causes FWSM to pause indefinitely
CSCtg02624    Traceback with call http_proxy_send_form_page
CSCti25015    route-monitor: inconsistency of metric after second gateway recovery
CSCti93353    FWSM DNS doctoring might over-write embedded ip addresses it should not
CSCtj31001    FWSM does not pass Jumbo IPV6 packets
CSCtl01291    FWSM 3.2 - deny-flow-max stuck when denied is not at 4096
CSCtl06095    FWSM allowing some tcp non-syn pkts to pass when there is no conn
CSCtl76091    Issuing commands for mcast displaying the same database crashes FWSM.
CSCtl92927    crash at 0xb5b9f2 in Thread name ssh
CSCtn83135    NAT failure for data channel connections in Transparent FW mode
CSCto31630    ENH: Increase packet size for SNMP response on FWSM
CSCto43960    FWSM: DCERPC inspection of packet with multiple segments fails
CSCto56305    FWSM nested traceback in thread name doorbell poll (NP2 PC 0x5ba1)

Resolved Caveats in Release 4.1(5)

The following caveats were resolved in Release 4.1(5) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

  • CSCtk61424—OpenSSL Ciphersuite Downgrade and J-PAKE Issues

Symptom :

The device may be affected by the OpenSSL vulnerabilities described in CVE-2010-4180 and CVE-2010-4252.

Conditions :

Device configured with any feature that uses SSL.

Workaround :

Not available

PSIRT Evaluation :

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.1/3.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C

CVE IDs CVE-2010-4180 and CVE-2010-4252 have been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

  • CSCtl21186—Cmd authorization fails for certain commands on fallback to LOCAL db

Symptom :

Users with a privilege level lower than 15 can execute certain commands, such as show running-config and show interface, after fallback to the LOCAL database has occurred.

Conditions :

1. Fallback to LOCAL is configured

2. All FWSM commands are assigned their default privilege levels in LOCAL db.

3. Users with a privilege level lower than 15 log in to privileged EXEC mode and execute the show running-config or show interface command, or some configuration commands.

Workaround :

none.

PSIRT Evaluation :

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.0/5.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C

Cisco bug ID CSCtl94142 has also been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
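The defect above is a fail-open in the fallback path: when the AAA server is unreachable, command authorization falls back to the LOCAL database, and that path must enforce the same per-command privilege levels as the normal path. The following Python model is an added example, not FWSM code; the privilege table, the level-3 user and the forced server failure are constructed, and the levels shown are not FWSM's defaults. The longest-prefix match mirrors how CLI authorization treats sub-commands (show running-config access-list is governed by show running-config); that is an assumption of the model, not a claim about FWSM internals.

```python
"""Model of the fallback defect described for CSCtl21186: command
authorization that falls back to a LOCAL database must apply the same
privilege levels as the remote path, not grant everything.  Added example,
not FWSM code; the table, the user and the failure injection are constructed."""


class AAAUnreachable(Exception):
    """Raised when the remote authorization server cannot be contacted."""


# Constructed LOCAL privilege table: command prefix -> minimum privilege level.
# These values are illustrative, not FWSM's default command levels.
LOCAL_CMD_PRIV = {
    "show version": 1,
    "show interface": 15,
    "show running-config": 15,
    "configure terminal": 15,
}


def local_required_level(command, table=LOCAL_CMD_PRIV):
    """Longest-prefix match on command words, so a sub-command inherits the
    level of its parent ('show running-config access-list' -> 15)."""
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in table:
            return table[prefix]
    return None


def remote_authorize(user, command):
    # Stand-in for the TACACS+ query; here the server is always down so
    # that every decision goes through the fallback path.
    raise AAAUnreachable()


def authorize_buggy(user, command):
    try:
        return remote_authorize(user, command)
    except AAAUnreachable:
        # Fail-open: once fallback occurs, any logged-in user may run anything.
        return True


def authorize_fixed(user, command):
    try:
        return remote_authorize(user, command)
    except AAAUnreachable:
        required = local_required_level(command)
        if required is None:
            return False          # command not in the LOCAL db: deny, do not assume
        return user["privilege"] >= required


def demo():
    """Decisions for a level-3 operator: {command: (buggy, fixed)}."""
    operator = {"name": "ops", "privilege": 3}   # constructed user record
    commands = [
        "show version",
        "show interface",
        "show running-config access-list",
        "configure terminal",
    ]
    return {c: (authorize_buggy(operator, c), authorize_fixed(operator, c))
            for c in commands}


if __name__ == "__main__":
    for command, (buggy, fixed) in demo().items():
        print(f"{command!r:40} buggy={buggy} fixed={fixed}")
```

The fixed variant also denies commands absent from the LOCAL table rather than letting them through, which is the conservative choice whenever the authoritative policy source is offline. The practical check on a device with fallback configured is to take the AAA server out of reach on purpose and confirm, from a low-privilege account, that show running-config is still refused.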

  • CSCtl84952—SCCP inspection DoS vulnerability

A vulnerability exists in the Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing a malformed Skinny Client Control Protocol (SCCP) message. Devices are affected when SCCP inspection is enabled.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110223-fwsm

Note: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the vulnerability described in this advisory. A separate Cisco Security Advisory has been published to disclose this and other vulnerabilities that affect the Cisco ASA 5500 Series Adaptive Security Appliances. The advisory is available at

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110223-fwsm

  • CSCtn04571—Breakage in DCERPC inspection code

Symptom :

RCI response is not processed correctly. Enabling dcerpc debugs shows that the signature 'MEOW' is not found.

Conditions :

Processing RCI response.

Workaround :

None.

Resolved Caveats in Release 4.1(4)

The caveats listed in Table 15 were resolved in software Release 4.1(4). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Table 15 Resolved Caveats in Release 4.1(4)

Caveat ID     Description
CSCsu64376    Standby reloads when 'tcp' added to obj-grp used by ACL having port 0
CSCtf84419    Multiple policy-nat statements might not match right until ACL recompile
CSCth72685    FWSM np completion-unit disabled after reboot however in startup config
CSCth74635    FWSM may crash in thread “fast_fixup” with inspect dcerpc enabled
CSCti38339    FWSM may reload with traceback in Thread Name: skinny
CSCti41683    Inspect FTP doesn't work if class for TCP bypass is checked against
CSCtj21761    term pager command affects all sessions and future sessions
CSCtj29249    Transparent FWSM doesn't send RST for data with state-bypass configured
CSCtj46839    RTSP streaming problems through FWSM
CSCtj62348    FWSM: management-access command orphaned if configured intf is removed
CSCtj78005    After removing service-policy state-bypass flag not updated in np vlan
CSCtk19326    FWSM 4.0 may fail to send RST for non-syn TCP segment with no connection
CSCtk62630    FWSM: Copying optimized ACL to running config results in incomplete ACL

Resolved Caveats in Release 4.1(3)

The caveats listed in Table 16 were resolved in software Release 4.1(3). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Table 16 Resolved Caveats in Release 4.1(3)

Caveat ID     Description
CSCtc23265    Add best effort failover support for TCP proxy
CSCtf87102    Access-list optimization w/ discontinuous masks does not work correctly
CSCtg64606    Some Special IPV6 addresses cannot be handled by FWSM well
CSCtg66395    FWSM doesn't NAT Audio stream of SIP connection
CSCtg91966    Unicast RPF statistics cannot be cleared
CSCth10381    FWSM: Discrepancy between sh perfmon vs sh service-policy output
CSCth48464    Secondary Pinhole not opened for SDP two-media connections
CSCth49514    Regular translation creation failed errors on forcing switchover
CSCth51877    Reactivation-mode depletion does not work correctly on FWSM
CSCth52880    Http inspection protocol violation when content length > 2684000000
CSCth64565    FWSM 3.2.10 sunrpc-server command doesn't work host IP and network mask
CSCth71469    Traceback in 'fast_fixup' Thread Due to DCERPC Inspection
CSCth86890    Snmpwalk on the admin ctx shows only failover ip in ipAdEntAddr table
CSCth95284    FWSM 4.0.11 might crash at Thread Name: PAT XlateCache

Resolved Caveats in Release 4.1(2)

The caveats listed in Table 17 were resolved in software Release 4.1(2). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Table 17 Resolved Caveats in Release 4.1(2)

Caveat ID     Description
CSCsf01863    Syslog 302013 does not show user field properly
CSCtc54126    SIP media connections stay in connection table after closed call
CSCtd19411    cut-through proxy in transparent sends invalid ACK before SYN-ACK
CSCtd46324    FWSM software reloads on doorbell_poll while deleting a dns session
CSCtd72287    FWSM: unexpectedly reloads in Thread Name: MGCP
CSCtd94681    FWSM re-uses some PAT translation ports too frequently
CSCte25307    Telnet NOOP command sent to FWSM causes next character to be dropped
CSCte48165    Broken single ip address feature for more than 1 “virtual” protocols use
CSCte49110    FWSM setting DF bit on reassembled skinny packet
CSCte51034    FWSM doesn't failover static routes pointing to its own interface
CSCte66339    policy-map names exceeding 16 characters leak memory upon ACE addition
CSCte70411    IPv6 object-group does not allow nested objects
CSCte85951    Memory leak with HTTP inspection and “match” commands in policy-map
CSCtf15459    FWSM: about 15 seconds continuous traffic drops when active is reloaded
CSCtf27583    FWSM: May crash in Thread name fast-fixup - due to inspect dcerpc
CSCtf31676    Secondary Active FWSM Creates a Context Using BIA MAC
CSCtf41503    FWSM sends an ACK with wrong TCP options.
CSCtf49704    FWSM software forced reloads in - Thread Name: websns_snd
CSCtf51696    SQL*Net Inspection Opens Pinholes Based on Non-Redirect Messages
CSCtf57135    fwsm 3.2 - deny-flow-max stuck when denied is not at 4096
CSCtf73798    CheckHeaps crash after SSH command
CSCtf77950    SNMP - Interfaces not recognised by snmpwalk to FWSM
CSCtf83964    FWSM OSPF neighbors stuck in LOADING state for long time
CSCtf92566    IPv6 fragment packet dropped with “Invalid udp length”
CSCtf94490    Unable to query SNMP OID cufwUrlfServerStatus on FWSM
CSCtg01772    FWSM stops traffic forwarding by changing static route's distance metric
CSCtg14948    FWSM DHCPrelay intermittent failures
CSCtg17279    In shared vlan scenario destination NAT might break communication.
CSCtg31044    client_port field is not rewritten in the RTSP SETUP reply
CSCtg35889    NP1/2 Lockup on standby FWSM
CSCtg60275    Configuring conflicting static NAT causes failover fail and sync config

Resolved Caveats in Release 4.1(1)

The caveats listed in Table 18 were resolved in software Release 4.1(1). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Table 18 Resolved Caveats in Release 4.1(1)

Caveat ID     Description
CSCsk12223    FWSM unexpectedly reloads on Thread name ssh
CSCsx26083    ENH: FWSM DCERPC inspection doesn't support 'Remote Create Instance' msg
CSCsx79204    PPTP GRE connections do not have configured idle timeout set
CSCsz81503    FWSM Bidir forwarding fails after reload
CSCta44620    Software Forced reset in fast_fixup with multiple FTP connections
CSCta58702    FWSM pauses indefinitely due to high icmp traffic through 2 mgt sessions
CSCta60764    Cut-thru-proxy:certificate error after completion of intial authenticati
CSCta64836    Firewall blade unexpectedly reloads with traffic
CSCta64957    No new connections after failover with a particular NAT configuration
CSCta68828    FWSM forming OSPF adjacency with 5 seconds delay
CSCta73803    concurrent snmpwalk across many contexts causes loss of 16384 blocks
CSCta74788    Incorrect xlate replicated to standby for same security interface
CSCtb03565    FWSM corrupts ICMP time to live exceeded with MPLS TAG
CSCtb03929    snmp polling of NP data should not exhaust all 16k blocks
CSCtb14966    SunRPC inspection drops GETPORT reply packet
CSCtb18628    routing: Route-monitor does not update the routing table with same-metric routes
CSCtb18847    data-path NP 3 pauses indefinitely with established command
CSCtb23513    Authentication in progress sessions not removed with DACLs
CSCtb34170    Static PAT causing failure for traffic from inside
CSCtb49352    FWSM Cert Enrollment doesn't work with SCEP
CSCtb49822    url-filtering http traffic with segmented GET blocked by url-filtering configuration
CSCtb76719    Meaning of Flags 's' and 'S' is Reversed in 'show conn detail' Output
CSCtb88893    Transparent mode FWSM, Active passing broadcast arp from standby
CSCtc02363    RTSP inspect incorrect IP address translation in URL headers
CSCtc12597    FWSM software forced reload in Thread Name: ACL Cache during SNMP Poll
CSCtc32047    FWSM sends RST instead of silently dropping packets
CSCtc36009    TCP reset option incorrectly appears in set connection timeout command
CSCtc36050    capture feature shows ICMP payload modified by firewall when it is not
CSCtc36380    FWSM corrupts ICMP checksum in ICMP unreachable packets
CSCtc36651    FTP fails in Active/Active mode when two contexts not active on same FW
CSCtc38617    TCP Sequence Numbers Randomized for TCP State Bypassed Conns
CSCtc40207    Standby transparent FWSM might send arp request using active MAC
CSCtc68193    snmp query for any OID under 1.3.6.1.2.1. causes np xlate query
CSCtc71533    IPv6 object-group does not allow group-objects
CSCtc72148    WS-C6506-E-FWM/ High CPU usage
CSCtd23101    FWSM access-list optimization causes missing lines
CSCtd42763    logging FWSM: Syslog 111005 does not print when exiting config mode
CSCtd60672    FWSM fails to compile ACL when custom partition size used with failover
CSCtd62290    FWSM: TACACS+ CMD Accounting packets have a Caller-ID field of 0.0.0.0
CSCtd73676    Only one virtual protocol can be configured with the “virtual” command
CSCtd78604    FWSM: ACLs missing after adding items to object-groups
CSCtd86296    logging FWSM: Need to extend syslog message %FWSM-2-106024
CSCte48563    NP3 pauses due to duplicate xlate created for identity traffic

Related Documentation

See the following sections for related documentation:

Hardware Documents

See the following related hardware documentation:

  • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Installation and Verification Note
  • Catalyst 6500 Series Switch Installation Guide
  • Catalyst 6500 Series Switch Module Installation Guide

Software Documents

See the following related software documentation:

  • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
  • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference
  • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages
  • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
  • Release Notes for Cisco ASDM
  • Open Source Software Licenses for FWSM
  • Catalyst 6500 Series Cisco IOS Software Configuration Guide
  • Catalyst 6500 Series Cisco IOS Command Reference

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html .

Subscribe to What’s New in Cisco Product Documentation , which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.