Table Of Contents
Catalyst 6500 Series Firewall Services Module Installation and Configuration Note
Understanding How the Firewall Services Module Works
Multiple Firewall Services Module Configuration
Specifications and System Limitations
Installing the Firewall Services Module
Memory and Storage Requirements
Installing and Removing the Module
Configuring the Switch Interface
Catalyst Operating System Software
Firewall Services Module and PDM Restrictions
Platform and Browser Requirements
Installing or Upgrading the PDM
Setting up a Single-Chassis Configuration
Setting Up a Dual-Chassis Configuration
Receiving Requests and Sending Syslog Traps
Compiling Cisco Syslog MIB Files
Using the Firewall and Memory Pool MIBs
Configuring OSPF Routing Support
Configuring OSPF Interface Parameters
Configuring OSPF Area Parameters
Configuring Route Summarization Between OSPF Areas
Configuring Route Summarization when Redistributing Routes into OSPF
Changing the OSPF Administrative Distances
Configuring Route Calculation Timers
Logging Neighbors Going Up or Down
Displaying OSPF Update Packet Pacing
Area Border Router Type 3 LSA Filtering
Monitoring and Maintaining OSPF
Configuring IPSec for Management
Administering the Firewall Services Module
Administering the Software Images
Logging into the Application Software
Logging into the Maintenance Software
Changing and Recovering Passwords
Changing the Application Partition Passwords
Changing the Maintenance Partition Passwords
Recovering the Application Partition Passwords
Recovering the Maintenance Partition Passwords
Resetting the Firewall Services Module
Resetting the Module with Cisco IOS Software
Resetting the Module with Catalyst Operating System Software
Troubleshooting the Firewall Services Module
Firewall Services Module and PIX Commands
System Message Log Differences
Memory and Resource Allocation
Standards Compliance Specifications
Cisco IOS Software Documentation Set
Obtaining Documentation and Submitting a Service Request
Catalyst 6500 Series Firewall Services Module Installation and Configuration Note
WS-SVC-FWM-1-K9
This publication describes how to install and configure the Firewall Services Module (FWSM) in the Catalyst 6500 series switches and Cisco 7600 Optical Services Router (OSR). See the "Related Documentation" section for more information about software configuration for the switch.
Throughout this publication, the Firewall Services Module (FWSM) is referred to as "the module."
Note
For translations of the warnings in this publication, see the "Safety Overview" section and refer to the Regulatory Compliance and Safety Information for the Catalyst 6500 series switches.
Contents
This publication consists of these sections:
• Installing the Firewall Services Module
• Administering the Firewall Services Module
• Firewall Services Module and PIX Commands
• Standards Compliance Specifications
• Obtaining Documentation and Submitting a Service Request
Overview
This section describes the Catalyst 6500 Series Firewall Services Module, how it operates, and how to manage it. This chapter contains these sections:
• Understanding How the Firewall Services Module Works
• Specifications and System Limitations
Before You Begin
To help you get started using the Firewall Services Module, refer to this roadmap:
Note
The Firewall Services Module uses many of the same commands as the PIX application software.
Refer to Table 10 for information on these commands.
Table 11 lists the Cisco IOS commands for the module.
Table 12 lists the new commands specific to the module. These commands are described in Command Reference
Table 13 lists the PIX commands that were changed for the module.
Table 14 lists the PIX commands that are not used by the module.
Table 15 lists the PIX commands used by the module and their PIX version.
Understanding How the Firewall Services Module Works
Firewalls protect an internal (inside) network, such as a data center, from unauthorized access by users on an external (outside) network, such as the public Internet.
Note
The term inside refers to networks or network resources protected by the firewall. The term outside refers to networks not protected by the firewall.
You also can protect one or more networks, also known as demilitarized zones (DMZs). DMZs are those portions of the network that contain resources which you may want to allow access to for specified users. Access to a DMZ is usually more restricted than access to the outside network, but less restricted than access to the inside network.
A DMZ allows you to protect your network resources that need to be accessed by users on the public Internet, for example, mail servers or web servers. By placing them in a DMZ, you obtain some protection without jeopardizing the resources on your internal network.
Connections between the inside and outside and DMZ networks are controlled by the module through the firewall using a network-modeled protection scheme based upon a configuration and security policy. By implementing a security policy, you can ensure that all traffic from the protected networks only passes through the firewall to the unprotected network. You also can control who accesses the networks and with which services. Features on the module allow you to control how your security policy is used.
The security policy determines the security level, which allows you to isolate networks that are assigned the same security level from each other. To route traffic between different networks, you assign each network a different security level. A lower security level provides less protection for the interface than a higher security level. The security levels to your networks can range from 0 to 100.
All interfaces connecting the inside, outside, and DMZ networks through the module are virtual and logical Layer 3 interfaces consisting of a VLAN, an IP address, and a security level. The module supports 100 firewall interfaces. All traffic between these VLANs is protected and controlled. Because the module supports multiple interfaces, you can create one or more DMZ networks.
The Firewall Services Module is a fabric-enabled module that connects to both the Catalyst 6500 bus and the switch fabric module if one is present. The Firewall Services Module does not require a Switch Fabric Module to function.
The module has a 6 Gbps dot1q EtherChannel connection to the backplane where the hosts of the various security zones are connected to ports on the Catalyst 6500 chassis.
The module can be configured in a multiple, failover, or redundant configuration.
Figure 1 shows a firewall configuration. The Multilayer Switch Feature Card (MSFC) is used as a router on the network inside the firewall. The MSFC is connected to only one of the controlled firewall interfaces. All other router interfaces configured on the MSFC are considered to be the same security level as the interface to which the MSFC is connected. For example, traffic between VLAN 201 and VLAN 202 is routed directly.
Figure 1 Firewall Services Module Configuration
Multiple Firewall Services Module Configuration
Figure 2 shows multiple modules that are located in the same switch, and how they can operate independently. There is no restriction to the number of modules installed in the same switch. The network requirements and topology determine the configuration.
Figure 2 Multiple Firewall Services Module Configuration
In a multiple-module configuration, the following conditions apply:
• Modules cannot share the same firewall interface definition. Separate VLANs must be defined for each module.
• Multiple modules in the same chassis do not share loads or synchronize states among each other unless they are configured as active or standby modules.
• Two modules in the same chassis or two modules that are in separate chassis can be configured to maintain firewall protection in case either module fails. When one module (active) fails, another (standby) immediately takes its place.
Redundancy Failover
The failover configuration has these features:
• A dedicated logical interface is created for failover communication. No failover cable is required in this configuration as is required in the PIX configuration.
• All firewall interfaces between the active module and standby module are separated from each other in Layer 2. The interfaces on the active module must be present on the standby module and the trunk must be configured to pass all VLANs.
• Both the active module and standby module have corresponding interfaces in the same VLAN.
• When the active module fails, the switchover to the standby module is transparent to other nodes in the network. After switchover, all interfaces on the new active module have the IP addresses and the MAC addresses of the interfaces of the failed module.
The module can be configured to use stateful failover as shown in Figure 3. Stateful failover allows you to maintain the operating state for the connection during the failover from the primary module to the standby module.
Figure 3 Stateful Failover Configuration
When a failover occurs, each module changes its state. The new active module begins accepting traffic. The new standby module assumes the failover IP and MAC addresses of the module that was previously the active module. Because network devices do not detect a change in these addresses, there are no ARP entries changed nor is there a time out anywhere on the network.
Be sure that both modules have the same software version, VLAN configuration, Flash memory, and RAM or the configuration copied to the standby module will not work. After you configure the primary module and provide the failover link, the primary module automatically copies the configuration over to the standby module.
Note
We recommend that you separate the failover and logical update interfaces into separate links. Packets on the failover link are tagged with a higher priority for QOS. Because stateful traffic can be high in volume, the advantages of prioritizing failover traffic are lost by keeping both the failover link and failover LAN interfaces the same.
Figure 4 shows two modules located in separate chassis: one module is designated as the active module and the other module is designated as the standby module.
Figure 4 Firewall Services Module Multiple Configuration in a Network
In this multiple-module configuration, the following conditions apply:
• A dedicated logical interface is created for failover communication. No failover cable is required in the configuration as is required in the PIX configuration.
• All firewall interfaces between the active module and standby module are separated from each other by Layer 2 requiring at least a 1-gigabit link between them. Performance is limited to the link throughput. For better performance, we recommend that you provide up to a 6-gigabit IEEE 802.1q EtherChannel link.
• Both of the switches have an identical definition of the firewall interfaces on the MSFC.
• There is a dedicated failover interface between the active module and the standby module used for the stateful failover. This interface synchronizes the states between the active module and the standby module.
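The interface and failover constraints stated in this overview (security levels 0 to 100, at most 100 logical interfaces, same-level networks isolated, no VLAN shared between modules in one chassis, and a standby that must carry every active interface with matching software, Flash and RAM) can be checked before a configuration is pushed. The following Python module is an added example, not Cisco's code and not part of this note; the class names, the sample VLAN numbers and addresses are constructed, and the higher-to-lower default direction is the PIX/FWSM convention, which this overview does not spell out.

```python
from dataclasses import dataclass, field
import ipaddress

MAX_INTERFACES = 100  # "The module supports 100 firewall interfaces."


@dataclass(frozen=True)
class FwInterface:
    """One logical firewall interface: a VLAN, an IP address and a security level."""
    name: str
    vlan: int
    address: str     # "a.b.c.d/prefix"; the sample values below are constructed
    security: int    # 0 = least protected (outside) .. 100 = most protected (inside)

    def __post_init__(self):
        if not 0 <= self.security <= 100:
            raise ValueError(f"{self.name}: security level must be between 0 and 100")
        if not 1 <= self.vlan <= 4094:
            raise ValueError(f"{self.name}: VLAN id {self.vlan} is out of range")
        ipaddress.ip_interface(self.address)   # rejects a malformed address early


@dataclass
class Module:
    """An FWSM in a chassis slot, with the attributes that failover requires to match."""
    slot: int
    software: str
    flash_mb: int
    ram_mb: int
    interfaces: list = field(default_factory=list)

    def add(self, iface):
        if len(self.interfaces) >= MAX_INTERFACES:
            raise ValueError("module already has 100 firewall interfaces")
        if any(i.vlan == iface.vlan for i in self.interfaces):
            raise ValueError(f"VLAN {iface.vlan} is already an interface on slot {self.slot}")
        self.interfaces.append(iface)
        return iface


def default_direction(src, dst):
    """Classify a flow between two interfaces by their security levels.

    "isolated": same level, the module does not route between them.
    "outbound": higher to lower level, permitted by default (PIX/FWSM convention, assumed).
    "inbound":  lower to higher level, needs an explicit permit in the security policy.
    """
    if src.security == dst.security:
        return "isolated"
    return "outbound" if src.security > dst.security else "inbound"


def shared_vlans(modules):
    """VLANs claimed by more than one module in the same chassis; must be empty."""
    owner, shared = {}, set()
    for m in modules:
        for i in m.interfaces:
            if owner.setdefault(i.vlan, m) is not m:
                shared.add(i.vlan)
    return sorted(shared)


def failover_problems(active, standby):
    """Reasons the copied configuration would not work on the standby module."""
    problems = []
    if active.software != standby.software:
        problems.append("software version differs")
    if active.flash_mb != standby.flash_mb or active.ram_mb != standby.ram_mb:
        problems.append("Flash or RAM size differs")
    standby_vlans = {i.vlan for i in standby.interfaces}
    for i in active.interfaces:
        if i.vlan not in standby_vlans:
            problems.append(f"VLAN {i.vlan} ({i.name}) missing on standby")
    return problems


def build_sample():
    """Constructed failover pair in two chassis, plus a second module in the active chassis."""
    active = Module(slot=3, software="1.1(2)", flash_mb=128, ram_mb=1024)
    standby = Module(slot=3, software="1.1(2)", flash_mb=128, ram_mb=1024)
    for m in (active, standby):
        m.add(FwInterface("inside", 201, "10.1.1.1/24", 100))
        m.add(FwInterface("outside", 300, "192.0.2.1/24", 0))
    active.add(FwInterface("dmz", 202, "10.2.2.1/24", 50))   # forgotten on the standby
    other = Module(slot=4, software="1.1(2)", flash_mb=128, ram_mb=1024)
    other.add(FwInterface("lab", 202, "10.9.9.1/24", 50))     # reuses VLAN 202 in the same chassis
    return active, standby, other


if __name__ == "__main__":
    active, standby, other = build_sample()
    inside, outside, dmz = active.interfaces
    print(default_direction(inside, outside))   # outbound
    print(shared_vlans([active, other]))          # [202]
    print(failover_problems(active, standby))     # ['VLAN 202 (dmz) missing on standby']
```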
Feature Set
The Firewall Services Module (FWSM) is a high performance firewall used on the Catalyst 6500 series switch and Cisco 7600 series router. The FWSM can occupy a single slot in the Catalyst 6500 series and Cisco 7600 series chassis or two slots in a redundant configuration. Two modules can also reside in separate chassis in a failover configuration.
The Firewall Services Module provides the following features:
• Switch fabric compatibility.
• Interface configuration that can be done through both the native Cisco IOS command-line interface and the module command-line interface.
• PIX 6.0-based feature set and some 6.2 features.
• LAN failover active or standby (both intra- or inter-chassis).
• Dynamic routing, Open Shortest Path First protocol (OSPF) (the module maintains its own OSPF tables), and Routing Information Protocol (RIP).
• IPSec for management only.
• Command authorization.
• Object grouping.
• URL filtering enhancement—The module checks the outgoing URL requests with the policy defined on a Websense, Windows NT, or UNIX-based server. The module either permits or denies the connection depending on the response from the server, which matches a request against a list of website characteristics that are considered inappropriate for business use.
• Support for PIX 6.0 application inspection which ensures the secure use of applications and services. Application inspection rules are configured using the fixup command, which is why application inspection is called "fixup."
Note
Throughout this document, the term "fixup" applies to application inspection and configuring the application inspection process or application inspection rules.
• Support for Lightweight Directory Access Protocol (LDAP) or Input [buffer] Limiting Scheme (ILS) fixup for NetMeeting.
• Security—Cisco firewalls provide the latest in security technology, ranging from stateful inspection firewalls to content-filtering capabilities that help protect your network environment from future attacks. Another security feature is the Adaptive Security Algorithm (ASA), which maintains the firewalled areas between the networks controlled by the firewall.
The stateful, connection-oriented ASA creates session flows based on source and destination addresses, TCP sequence numbers (which are non-predictable), port numbers, and additional TCP flags. You can control all inbound and outbound traffic by applying security policies to each connection table entry.
• Reliability—Cisco firewalls provide adaptable security services for operation-critical network environments by using the integrated stateful failover capabilities within the module. Network traffic can be sent automatically to a hot standby module in the event of a failure, while maintaining concurrent connections with automated state synchronization between the primary module and the standby module.
• Network Address Translation (NAT) and Port Address Translation (PAT)—Cisco firewalls provide NAT and PAT services that conceal IP addresses of internal networks and expand network address space for internal networks.
• Denial-of-service (DoS) attack prevention—Cisco firewalls protect the firewall and networks behind them from attempts to gain access, which can bring a network to a halt.
• Cisco PIX Device Manager (PDM) 2.1 support—PDM is a browser-based Java applet you can use to configure the Firewall Services Module.
– PDM must be downloaded and installed for the Firewall Services Module release 1.1. Refer to the "Upgrading the PDM" section on page 3-10 of the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note for download and installation information.
– The Firewall Services Module 1.1(2) software release is shipped with a preinstalled PDM 2.1 image. You can download the image from CCO to upgrade PDM if necessary.
When the Firewall Services Module software is the platform, PDM will display modified screens for features not supported by the module. To use the PDM to configure the module, refer to the Cisco PIX Device Manager Installation Guide, Version 2.1.
The following PIX firewall features are not supported by the module:
• Virtual private networks (VPN) (The module supports IPSec VPN only for management purposes.)
• Intrusion detection system (IDS) syslog messages.
• Cisco Secure Policy Manager (CSPM)
• Conduits
• DHCP (Dynamic Host Configuration Protocol) client
Specifications and System Limitations
Table 1 lists the specifications and system limitations of the FWSM.
Table 1 FWSM Specifications and System Limitations
(Columns: Specification Type, Specification Name, Description)

Physical Attributes
  Modules per switch: Maximum of four modules per switch. If you are using failover, you can still only have four modules per switch even if two of them are in standby mode.
  Memory: 1 GB RAM; 128 MB Flash memory.
  Bandwidth: CEF256 line card with a 6-Gbps path to the Switch Fabric Module (if present) or the 32-Gbps shared bus.

Feature Limits
  Filtering servers: 16 Websense Enterprise filtering servers.

Managed System Resources
  IPSec management connections, concurrent: 5 connections.
  TCP (1) or UDP (2) connections between any two hosts, including connections between one host and multiple other hosts, concurrent and rate: 999,900 connections; 100K connections per second.
  Fixup connections, rate: 10,000 per second.
  PC based fixup connections, rate: 10K per second.
  Host connections, concurrent: 256K.
  SSH (3) management connections, concurrent: 5 connections.
  System messages, rate: 20K per second.
  Telnet management connections, concurrent: 5 connections.
  NAT translations, concurrent: 256K.

Fixed System Resources
  NAT statements: 1K statements.
  High-performance firewall: 5 GBps (aggregated).
  Concurrent connections: 1 million.
  Packets-per-second: 3 million pps.
  New connections per second for HTTP, DNS, and enhanced Simple Mail Transfer Protocol (SMTP): 7K.
  VLAN interfaces (no physical interfaces on the module): 100.
  Static NAT statements: 1K statements.
  Global statements: 1K statements.
  Shun statements: 2K statements. The FWSM supports at most 2000 shuns; that number is contingent upon finite hardware resources and cannot be increased.
  Alias statements: 1K statements.
  User authentication sessions, concurrent: 5K sessions.
  User authorization sessions, concurrent: 150K sessions. Maximum 15 sessions per user.
  ARP (4) table entries, concurrent: 64K entries.
  Route table entries, concurrent: 32K entries.
  Packet reassembly, concurrent: 30,000 fragments.

Rules
  Filter Rules, Fixup and Filter statements combined: 3K rules and statements.
  Established CLI Rules: 1K rules.
  Established data: 1K implicit rules used by TCP and UDP fixups to allow back channels. 3K statements.
  AAA Rules: 3K rules. 1K rules for authentication, 1K rules for authorization, and 1K rules for accounting. 1K rules.
  ACEs: 72K ACEs (best case).

Footnotes:
(1) Transmission Control Protocol
(2) User Datagram Protocol
(3) Secure Shell
(4) Address Resolution Protocol
(5) Internet Control Message Protocol
(6) HyperText Transfer Protocol
Front Panel Description
The front panel includes a STATUS LED and a SHUTDOWN button. (See Figure 5.)
Figure 5 Firewall Services Module Front Panel
STATUS LED
The STATUS LED indicates the operating states of the module. Table 2 describes the LED operation.
SHUTDOWN Button
Caution
Do not remove the module from the switch until the module has shut down completely and the STATUS LED is orange or off. You can damage the module if you remove it from the switch before it completely shuts down.
To avoid corrupting the compact Flash memory, you must correctly shut down the module before you remove it from the chassis or disconnect the power. This shutdown procedure is initiated normally by commands entered at the supervisor engine CLI prompt or the module CLI prompt.
If the module fails to respond to these commands properly, you must use the SHUTDOWN button on the front panel to initiate the shutdown procedure. Use a small pointed object (such as a paper clip) to push the button.
The shutdown procedure may require several minutes. The STATUS LED turns orange when the module shuts down.
Module Specifications
Table 3 describes the specifications for the module.
Safety Overview
Safety warnings appear throughout this publication in procedures that, if performed incorrectly, may harm you. A warning symbol precedes each warning statement.
Warning
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the Regulatory Compliance and Safety Information document that accompanied this device.
Installing the Firewall Services Module
This section describes how to install the Firewall Services Module including the software and hardware requirements.
This chapter contains these sections:
• Installing and Removing the Module
System Requirements
This section describes the software and hardware requirements for the module.
Memory and Storage Requirements
There are no additional memory or storage requirements for this module. The module contains the following memory:
• 1 GB RAM
• 128 MB compact Flash
Software Requirements
Table 4 lists the Firewall Services Module software versions supported by Catalyst operating system and Cisco IOS software.
Hardware Requirements
Before you can use the Catalyst 6500 series and Cisco 7600 series Firewall Services Module, you must have a Supervisor Engine 1a (Catalyst operating system only) and an MSFC 2, or a Supervisor Engine 2 (Catalyst operating system and Cisco IOS) and an MSFC 2, and any module with ports to connect server and client networks.
Note
Before installing the module, you must install the Catalyst 6500 series switch chassis and at least one supervisor engine. For information on installing the switch chassis, refer to the Catalyst 6000 Family Installation Guide.
Required Tools
These tools are required to install the module in the Catalyst 6500 series switches:
• Flat-blade screwdriver
• Phillips-head screwdriver
• Wrist strap or other grounding device
• Antistatic mat or antistatic foam
Whenever you handle the module, always use a wrist strap or other grounding device to prevent electrostatic discharge (ESD).
Installing and Removing the Module
Warning
During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do not directly touch the backplane with your hand or any metal tool, or you could shock yourself.
All Catalyst 6500 series switches support hot swapping, which allows you to install, remove, replace, and rearrange modules without turning off the system power. For more information on removing the module from a switch, see the "Removing a Module" section.
When the system detects that a module has been installed or removed, the system automatically runs diagnostic and discovery routines, acknowledges the presence or absence of the module, and resumes system operation.
This section describes how to install and verify the operation of the Firewall Services Module in the Catalyst 6500 series switches and contains the following sections:
Slot Assignments
The Catalyst 6006 and 6506 switch chassis have six slots, the Catalyst 6009 and 6509 switch chassis have nine slots, and the Catalyst 6513 switch chassis has thirteen slots.
Note
The Catalyst 6509-NEB switch has vertical slots, which are numbered 1 to 9 from right to left. Install the modules with the component side facing to the right.
Each slot is used as follows:
• Slot 1 is reserved for the supervisor engine.
• Slot 2 can be used for a redundant supervisor engine in case the supervisor engine in slot 1 fails.
• If a redundant supervisor engine is not required, slots 2 through 6 on the 6-slot chassis (slots 2 through 9 on the 9-slot chassis, and slots 2 through 13 on the 13-slot chassis) are available for switching modules, such as the Firewall Services Module.
• The empty slots require filler plates, which are blank switching-module carriers, to maintain consistent airflow through the switch chassis.
Removing a Module
This section describes how to remove an existing module from a chassis slot.
Warning
During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do not directly touch the backplane with your hand or any metal tool, or you could shock yourself.
Warning
Before you install, operate, or service the system, read the Site Preparation and Safety Guide. This guide contains important safety information you should know before working with the system.
Warning
Invisible laser radiation may be emitted from disconnected fibers or connectors. Do not stare into beams or view directly with optical instruments.
To remove a supervisor engine or module from the chassis, perform these steps:
Step 1
Disconnect any network interface cables attached to the supervisor engine or module.
Step 2
Verify that the captive installation screws on all of the modules in the chassis are tight.
This step ensures that the space created by the removed module is maintained.
Note
If the captive installation screws are loose, the electromagnetic interference (EMI) gaskets on the installed modules will push the modules toward the open slot, reducing the opening size and making it difficult to install the replacement module.
Step 3
Loosen the two captive installation screws on the supervisor engine or module.
Step 4
Depending on the orientation of the slots in the chassis (horizontal or vertical), perform one of the following sets of substeps:
Horizontal slots
a. Place your thumbs on the left and right ejector levers, and simultaneously rotate the levers outward to unseat the module from the backplane connector.
b. Grasp the front edge of the module and slide the module part of the way out of the slot. Place your other hand under the module to support the weight of the module. Do not touch the module circuitry.
Vertical slots
a. Place your thumbs on the ejector levers located at the top and bottom of the module, and simultaneously rotate the levers outward to unseat the module from the backplane connector.
b. Grasp the edges of the module, and slide the module straight out of the slot. Do not touch the module circuitry.
Step 5
Place the module on an antistatic mat or antistatic foam, or immediately reinstall it in another slot.
Step 6
If the slot is to remain empty, install a module filler plate to keep dust out of the chassis and to maintain proper airflow through the chassis.
Warning
Blank faceplates (filler panels) serve three important functions: they prevent exposure to hazardous voltages and currents inside the chassis; they contain electromagnetic interference (EMI) that might disrupt other equipment; and they direct the flow of cooling air through the chassis. Do not operate the system unless all cards and faceplates are in place.
Installing a Module
This section describes how to install modules in the Catalyst 6500 series switches.
Caution
To prevent ESD damage, handle modules by the carrier edges only.
Warning
During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do not directly touch the backplane with your hand or any metal tool, or you could shock yourself.
Warning
Invisible laser radiation may be emitted from disconnected fibers or connectors. Do not stare into beams or view directly with optical instruments.
Warning
Before you install, operate, or service the system, read the Site Preparation and Safety Guide. This guide contains important safety information you should know before working with the system.
To install a supervisor engine or module in the chassis, perform these steps:
Step 1
Choose a slot for the supervisor engine or module.
Step 2
Verify that there is enough clearance to accommodate any interface equipment that you will connect directly to the supervisor engine or module ports. If possible, place modules between empty slots that contain only module filler plates.
Step 3
Verify that the captive installation screws are tightened on all modules installed in the chassis.
This action ensures that the EMI gaskets on all modules are fully compressed in order to maximize the opening space for the new module or the replacement module.
Note
If the captive installation screws are loose, the EMI gaskets on the installed modules will push adjacent modules toward the open slot, reducing the opening size and making it difficult to install the replacement module.
Step 4
Remove the module filler plate by removing the two Phillips pan-head screws from the filler plate. To remove an installed module instead, refer to the "Removing a Module" section.
Step 5
Fully open both ejector levers on the new or replacement module. (See Figure 6.)
Figure 6 Positioning the Module in a Horizontal Slot Chassis
Step 6
Depending on the orientation of the slots in the chassis (horizontal or vertical), perform one of the following sets of substeps:
Horizontal slots
a.
Position the supervisor engine or module in the slot. (See Figure 6.) Make sure that you align the sides of the module carrier with the slot guides on each side of the slot.
b.
Carefully slide the supervisor engine or module into the slot until the EMI gasket along the top edge of the module makes contact with the module in the slot above it and both ejector levers have closed to approximately 45 degrees with respect to the module faceplate. (See Figure 7.)
Figure 7 Clearing the EMI Gasket in a Horizontal Slot Chassis
c.
Using the thumb and forefinger of each hand, grasp the two ejector levers and press down to create a small (0.040 inch [1 mm]) gap between the module's EMI gasket and the module above it. (See Figure 7.)
Caution
Do not press down too hard on the levers. They will bend and be damaged.
d.
While pressing down, simultaneously close the left and right ejector levers to fully seat the supervisor engine or module in the backplane connector. The ejector levers are fully closed when they are flush with the module faceplate. (See Figure 8.)
Figure 8 Ejector Lever Closure in a Horizontal Slot Chassis
Note
Failure to fully seat the module in the backplane connector can result in error messages.
e.
Tighten the two captive installation screws on the supervisor engine or module.
Note
Make sure the ejector levers are fully closed before tightening the captive installation screws.
Vertical slots
a.
Position the supervisor engine or switching module in the slot. (See Figure 9.) Make sure that you align the sides of the switching-module carrier with the slot guides on the top and bottom of the slot.
Figure 9 Positioning the Module in a Vertical Slot Chassis
b.
Carefully slide the supervisor engine or module into the slot until the EMI gasket along the right edge of the module makes contact with the module in the slot adjacent to it and both ejector levers have closed to approximately 45 degrees with respect to the module faceplate. (See Figure 10.)
c.
Using the thumb and forefinger of each hand, grasp the two ejector levers and exert a slight pressure to the left, deflecting the module approximately 0.040 inches (1 mm) to create a small gap between the module's EMI gasket and the module adjacent to it. (See Figure 10.)
Figure 10 Clearing the EMI Gasket in a Vertical Slot Chassis
Caution
Do not exert too much pressure on the ejector levers. They will bend and be damaged.
d.
While pressing on the ejector levers, simultaneously close them to fully seat the supervisor engine or module in the backplane connector. The ejector levers are fully closed when they are flush with the module faceplate. (See Figure 11.)
Figure 11 Ejector Lever Closure in a Vertical Slot Chassis
e.
Tighten the two captive installation screws on the module.
Note
Make sure the ejector levers are fully closed before tightening the captive installation screws.
Verifying the Installation
This section describes how to verify the module installation.
To verify that the system acknowledges the new module and has brought it online, enter the show module [mod-num | all] command.
This example shows the output of the show module command:
Router# show module
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
2   2    6     Firewall Service Module   WS-SVC-FWM-1        no  ok
Router#
When the module initially boots, by default it runs a partial memory test. To perform a full memory test, enter the hw-module module module_number reset device:partition mem-test-full command. This command is specific to Cisco IOS software and is not available in Catalyst operating system software.
A full memory test takes longer to complete than a partial memory test; the time depends on the memory size.
Table 5 lists the memory test time and approximate boot time for a long memory test.
This example shows how to do a full memory test for module 5:
Router(config)# hw-module module 5 reset mem-test-full
Using the CLI
The software interface for the module is the Cisco IOS command-line interface accessed through a Telnet connection to the switch or through the switch console interface. Refer to the Catalyst 6500 Series IOS Software Configuration Guide and the Catalyst 6500 Series Software Configuration Guide for details.
To understand the Cisco IOS command-line interface and Cisco IOS command modes, refer to Chapter 2, "Command-Line Interfaces," in the Catalyst 6500 Series IOS Software Configuration Guide.
Unless your switch is located in a fully trusted environment, we recommend that you configure the module over a Secure Shell (SSH) session rather than cleartext Telnet; Telnet exposes the login password and the configuration to anyone who can observe the management traffic.
You can session into the module from the switch console and configure the firewall. Session is a Telnet interface through the Ethernet out-of-band channel (EOBC) of the switch backplane.
You can also make a Telnet connection into the module from a specified host on a specific interface. Telnet access for that host must first be enabled from the module console.
Console output is redirected to all active Telnet sessions. When no Telnet session is available, the output is saved to a buffer. The buffer output can be subsequently examined when you make a Telnet connection into the module.
The module application software is similar to the Cisco PIX firewall software. This publication describes only the commands unique to the Firewall Services Module. For information about the PIX commands, refer to the PIX documentation at the following URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/index.htm
Getting Started
This section describes how to begin configuring the Firewall Services Module from the CLI and contains these sections:
Configuration Overview
This section describes the Firewall Services Module configuration and contains these sections:
•
Configuring the Switch Interface
The Firewall Services Module can be used in a variety of topologies depending on the needs of your network. For example, in a data center you may want to provide access control or segregate your security domains. The security domain can be a collection of servers with the same security level. Within that domain, multiple subnets or server farms can exist.
When you configure the Firewall Services Module to function on the perimeter of the network, the module can provide access control to the inside network as a whole, or segregate multiple security zones through VLAN interfaces of different security levels. The security zones can be either in the same network or can define the boundaries of multiple customer networks.
The Firewall Services Module configuration has the following characteristics:
•
Each firewall interface is a Layer 3 interface.
•
Each firewall interface has a fixed VLAN.
•
The switch MSFC is used as a router connected to only one of the module interfaces (SVI).
•
The module views all networks (or subnetworks) beyond an interface as belonging to the same security level.
•
Traffic from all of the non-firewall VLANs in the switch (those not recognized by the module) is routed through the MSFC without being stopped by the firewall.
You can configure the module in various situations by selecting the firewall features that meet the requirements of a particular network. Figure 12 shows a typical firewall configuration.
Figure 12 Firewall Configuration
Configuring the Switch Interface
This section describes the basic configuration steps performed on the switch and the Firewall Services Module.
Cisco IOS Software
To set up the configuration on the switch using the Cisco IOS CLI, follow these general tasks:
Note
To prevent trunk ports from carrying the firewall VLANs (a trunk that carries a firewall VLAN lets a device on the far end of that trunk join the VLAN directly), enter this command on the trunk interface:
switchport trunk allowed vlan {add | except | none | remove} vlan1[, vlan[, vlan[,...]]]
This example shows how to configure the switch interface:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# vlan 55
Router(config-vlan)# vlan 56
Router(config-vlan)# vlan 57
Router(config-vlan)# exit
Router(config)# firewall vlan-group 50 55-57
Router(config)# firewall vlan-group 51 70-85
Router(config)# firewall module 8 vlan-group 50-51
Router(config)# int vlan 55
Router(config-if)# ip address 55.1.1.1 255.255.255.0
Router(config-if)# no shut
Router(config-if)# end
Router# show firewall vlan-group
Group vlans
----- ------
50    55-57
51    70-85
Router# show firewall module
Module Vlan-groups
8      50,51,
Router# show int vlan 55
Vlan55 is up, line protocol is up
Hardware is EtherSVI, address is 0008.20de.45ca (bia 0008.20de.45ca)
Internet address is 55.1.1.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type:ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:08, output hang never
Last clearing of "show interface" counters never
Input queue:0/75/0/0 (size/max/drops/flushes); Total output drops:0
Queueing strategy:fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
L2 Switched:ucast:196 pkt, 13328 bytes - mcast:4 pkt, 256 bytes
L3 in Switched:ucast:0 pkt, 0 bytes - mcast:0 pkt, 0 bytes mcast
L3 out Switched:ucast:0 pkt, 0 bytes
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
4 packets output, 256 bytes, 0 underruns
0 output errors, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Router#
Catalyst Operating System Software
To set up the configuration on the switch for the Firewall Services Module using the Catalyst operating system CLI, the switch must be in a VLAN Trunking Protocol (VTP) mode that allows VLANs to be created (server, transparent, or off mode all work), and then follow these general tasks:
This example shows how to configure the switch interface:
Console> enable
Console> (enable) set vlan 7, 11-15, 19-20 firewall-vlan 8
Console> (enable) show vlan firewall-vlan 8
Console> (enable) show vlan fire 8
Secured vlans by firewall module 8:
7 11-15,19-20
Sessioning into the Module
You can log into the module's maintenance partition or application partition.
Sessioning into the Maintenance Partition
To log into the module's maintenance partition, perform these steps:
Step 1
Telnet or log into the Catalyst 6500 series switch.
Step 2
At the CLI prompt, session into the maintenance software by entering this command:
Cisco IOS:
Router# session slot number processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.81 ... Open
Cisco Maintenance image
Note
The processor should always be set at 1.
Catalyst Operating System:
Console> (enable) session module
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.81 ... Open
Cisco Maintenance image
Step 3
At the login prompt, enter root.
Step 4
Enter the password for the account at the password prompt:
Password: cisco
Note
If you have not changed the password from the factory-set default, a warning message is displayed. Change the default root password before the module is put into service, because it is the same on every module shipped; see the "Changing and Recovering Passwords" section for more information.
Step 5
If the module does not boot into the maintenance partition, reset the module by entering the following command:
Cisco IOS:
Router# hw-module module slot_number reset cf:1
Catalyst Operating System:
Console> (enable) reset module-number [boot device:partition]
Sessioning into the Application Partition
To log into the module's application partition, perform these steps:
Step 1
Telnet or log into the Catalyst 6500 series switch.
Step 2
At the CLI prompt, session into the application software by entering this command:
Cisco IOS:
Router# session slot 8 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.81 ... Open
FWSM passwd:
Welcome to the FWSM firewall
Type help or '?' for a list of available commands.
FWSM>
Note
The processor should always be set at 1.
Catalyst Operating System:
Console> (enable) session module
Step 3
If the module does not boot into the application partition, reset the module by entering the following command:
Cisco IOS:
Router# hw-module module slot_number reset cf:4
Router# session slot slot_number processor 1
Catalyst Operating System:
Console> (enable) session module
Step 4
At the login prompt, enter your user name.
Step 5
Enter the password for the account at the password prompt:
Password: password
Note
If you have not changed the password from the factory-set default, a warning message is displayed. To change the password from the default, see the "Changing and Recovering Passwords" section for more information.
Configuring the Module
To set up the configuration on the module, follow these tasks:
Step 1
FWSM(config)# hostname name
Defines the host name shown in the command-line prompt.
Step 2
FWSM(config)# nameif vlan_number if_name security_level
Names the VLAN interface and assigns its security level.
Step 3
FWSM(config)# ip address if_name ip_address mask
Defines a local address for each interface.
Step 4
FWSM(config)# access-list acl_ID [deny | permit] protocol {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
Defines an access list. Refer to the "Command Reference" section and the access-list and access-list (ospf) command descriptions.
Step 5
FWSM(config)# access-group acl_ID in interface interface_name
Binds an access list to an interface for inbound traffic.
Step 6
FWSM(config)# show nameif
Displays the configured interfaces.
Step 7
FWSM(config)# show ip
Displays the configured IP addresses.
Step 8
FWSM(config)# show access-list
Displays the configured access lists.
Note
You must explicitly define and apply an access list on every interface of the Firewall Services Module. An interface with no access list applied uses the implicit deny any any rule and drops all traffic entering it.
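The two mistakes that the note above invites are an interface left with no access list (everything silently dropped) and an interface "fixed" with permit ip any any (nothing filtered). The following Python script is an added example, not part of the Cisco document; it parses the nameif, access-list and access-group lines that the procedure above produces and flags both conditions, plus an access-group that references an access list that was never defined. The configuration it reads is constructed for the example, and the checks are this editor's, not a Cisco tool.

```python
"""Audit FWSM interface and access-list configuration.

Added example, not taken from the Cisco document. It reads the nameif,
access-list and access-group lines the configuration procedure produces
and reports:
  * an interface with no access-group bound, which falls back to the
    module's implicit deny any any and drops inbound traffic;
  * an interface whose bound access list is nothing but 'permit ip any any',
    which applies no filtering at all;
  * an access-group that names an access list that does not exist.
SAMPLE_CONFIG is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_CONFIG = """\
hostname FWSM
nameif 55 inside 100
nameif 56 outside 0
nameif 57 dmz 50
ip address inside 10.1.1.1 255.255.255.0
ip address outside 55.1.1.2 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
access-list 1 permit ip any any
access-list OUT_IN permit tcp any host 10.2.2.10 eq 443
access-list OUT_IN deny ip any any
access-group 1 in interface inside
access-group OUT_IN in interface outside
"""

NAMEIF_RE = re.compile(r"^nameif\s+(\d+)\s+(\S+)\s+(\d+)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


@dataclass
class Interface:
    vlan: int
    name: str
    security: int
    acl: Optional[str] = None   # access list bound inbound, if any


def parse_config(text):
    """Return ({if_name: Interface}, {acl_id: [(action, fields), ...]})."""
    interfaces, acls, groups = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NAMEIF_RE.match(line)
        if m:
            vlan, name, sec = m.groups()
            interfaces[name] = Interface(int(vlan), name, int(sec))
            continue
        m = ACL_RE.match(line)
        if m:
            acl_id, action, rest = m.groups()
            acls.setdefault(acl_id, []).append((action, rest.split()))
            continue
        m = GROUP_RE.match(line)
        if m:
            acl_id, if_name = m.groups()
            groups[if_name] = acl_id
    # bind after the pass so the order of lines in the file does not matter
    for if_name, acl_id in groups.items():
        if if_name in interfaces:
            interfaces[if_name].acl = acl_id
    return interfaces, acls


def is_permit_all(entries):
    """True when an access list consists solely of 'permit ip any any' entries."""
    return bool(entries) and all(
        action == "permit" and fields[:3] == ["ip", "any", "any"]
        for action, fields in entries
    )


def audit(text):
    """Return [(interface_name, finding), ...] ordered by VLAN number."""
    interfaces, acls = parse_config(text)
    findings = []
    for itf in sorted(interfaces.values(), key=lambda i: i.vlan):
        if itf.acl is None:
            findings.append((itf.name, "no access-group bound: implicit deny any any, "
                                       "all traffic entering this interface is dropped"))
        elif itf.acl not in acls:
            findings.append((itf.name, f"access-group references undefined access-list {itf.acl}"))
        elif is_permit_all(acls[itf.acl]):
            findings.append((itf.name, f"access-list {itf.acl} permits all IP traffic; "
                                       "no filtering on this interface"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run against the constructed configuration, the script reports the inside interface (its only rule is permit ip any any) and the dmz interface (no access-group at all), and is silent about outside, whose access list ends in an explicit deny.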
This example shows how to configure the module:
FWSM(config)# hostname FWSM
FWSM(config)# nameif 55 inside 100
FWSM(config)# nameif 56 outside 0
FWSM(config)# ip address inside 10.1.1.1 255.255.255.0
FWSM(config)# ip address outside 55.1.1.2 255.255.255.0
FWSM(config)# access-list 1 permit ip any any
FWSM(config)# access-group 1 in interface inside
FWSM(config)# show nameif
nameif vlan55 inside security100
nameif vlan56 outside security0
FWSM(config)# show ip
System IP Addresses:
ip address inside 10.1.1.1 255.255.255.0
ip address outside 55.1.1.2 255.255.255.0
ip address eobc 127.0.0.61 255.255.255.0
Current IP Addresses:
ip address inside 10.1.1.1 255.255.255.0
ip address outside 55.1.1.2 255.255.255.0
ip address eobc 127.0.0.61 255.255.255.0
FWSM(config)# show access-list
access-list 1; 1 elements
access-list 1 permit ip any any (hitcnt=0)
FWSM(config)# show access-group
access-group 1 in interface inside
FWSM(config)#
Saving the Configuration
To save your configuration, use one of the following methods:
•
Store the configuration in Flash memory using the write memory command. You also can restore a configuration from Flash memory using the configure memory command.
•
List the stored configuration using the show configuration command.
•
List the running configuration using the write terminal command or show running command.
•
Store the configuration on a TFTP server using the tftp-server command to initially specify a host and the write net command to store the configuration.
Using PDM
Cisco PIX Device Manager (PDM) is a single-device graphical user interface (GUI) application that you can use to manage your Firewall Services Module. For detailed information about PDM, refer to the Cisco PIX Device Manager Installation Guide, Version 2.1.
Note
The Firewall Services Module is not shipped with a preinstalled PDM 2.1 image. You can download the image from CCO. Refer to "Installing or Upgrading the PDM" section for download and installation information.
Note
Be sure that you have configured the firewall VLAN (SVI) on the MSFC and that the module is recognized by the switch. Refer to "Configuring the Switch Interface" section for more information.
PDM Overview
PDM is a signed Java applet that uses certificates and HTTP over SSL (HTTPS) to securely transmit all information between PDM and the Firewall Services Module. PDM performs the following functions:
•
Configures your module without using the module CLI. You do not need to know the CLI commands to use PDM.
•
Monitors the module with real-time graphs and data, including connection and throughput information. (You can also view up to five days of historical data.)
•
Monitors and configures modules individually. You can point your browser to different modules and administer them from a single workstation.
Firewall Services Module and PDM Restrictions
The module and PDM have the following operation restrictions:
•
These commands specific to the module are not supported by PDM 2.1:
–
Any OSPF configuration commands; they are ignored but not changed by PDM.
–
Any VPN configuration commands; they are ignored but not changed by PDM.
Refer to the PDM 2.1 release notes for the complete list of unsupported commands. The release notes are located at the following URL:
http://cio.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_21/pdmrn21/pdmrn21.htm
Note
When running PDM 2.1 on the module, the Startup Wizard and VPN Wizard are not available.
Platform and Browser Requirements
PDM is supported in the following platforms and browsers:
•
Windows 2000, Windows NT 4.0, Windows 98, Windows ME, or Windows XP with Internet Explorer 5.0 or higher or Netscape Navigator 4.51 or 4.7x, and at least 128 MB RAM
•
Sun workstation with Solaris 2.6 or higher with Netscape Navigator 4.51 or 4.7x
•
Red Hat Linux 7.0 or higher with Netscape Navigator 4.7x and at least 64 MB RAM
For details about PDM and its operation refer to the Cisco PIX Device Manager Installation Guide Version 2.1.
The installation guide is located at the following URL:
http://cio.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_21/pdmig/index.htm
Setting Up the Module for PDM
Before you do this procedure, make sure you have installed the Firewall Services Module into the switch and you have completed the basic configuration described earlier in this chapter. Refer to the "Configuration Overview" section.
To set up the module to use the PDM application, follow these steps:
Step 1
Log into the Catalyst 6500 series switch where the Firewall Services Module is installed.
Step 2
Enter the enable mode, and then enter the configuration mode.
Step 3
Create a secure VLAN group by entering:
Cisco IOS:
Router(config)# firewall vlan-group VLAN-group vlan-interfaces
Catalyst Operating System:
Console> (enable) set vlan vlan-range firewall-vlan module-number
Step 4
Map the secure VLAN group to the module by entering:
Cisco IOS only:
Router(config)# firewall module module-number vlan-group VLAN-group
Step 5
Telnet to the module and enter the enable mode, and then enter the configuration mode.
Step 6
Run the setup CLI and follow the instructions as follows:
Router> enable
Password:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# firewall vlan-group 5 10,20,50-51
Router(config)# firewall module 3 vlan-group 5
Router(config)# exit
Router# telnet 192.168.1.1
Trying 192.168.1.1 ... Open
FWSM passwd:
Welcome to the FWSM firewall
Type help or '?' for a list of available commands.
FWSM> enable
Password:
FWSM# configure terminal
FWSM(config)# setup
Pre-configure FWSM Firewall now through interactive prompts [yes]?
To complete this setup, follow the instructions that appear on the terminal.
Installing or Upgrading the PDM
To install or upgrade PDM on the module, enter this command:
copy tftp://location/pathname flash:pdm
This example shows how to install or upgrade PDM on the module:
FWSM# copy tftp://10.1.1.1/pdm-211.bin flash:pdm
10.1.1.1 is the address of the TFTP server that holds the PDM image.
Verify that PDM was downloaded to the module. TFTP provides no authentication or integrity protection, so perform the transfer only over a trusted management network and use an image obtained from Cisco.
Starting PDM
To start PDM, enter the following address in your browser. Use HTTPS (not HTTP); PDM is only served over SSL:
https://IP_address_of_FWSM
This example shows how to start PDM:
https://192.168.1.1
192.168.1.1 is the IP address of one of the VLAN interfaces on the module.
You can now use the PDM 2.1 application to configure your Firewall Services Module. Access the PDM online help to use the application.
Configuring Firewall Services
This chapter describes how to configure firewall services and contains these sections:
•
Configuring Firewall Failover
•
Configuring OSPF Routing Support
•
Configuring IPSec for Management
Configuring Firewall Failover
Failover uses two modules that must have identical configurations. You can configure the modules in the following ways:
•
An intra-switch failover where two or more firewall modules are in a single chassis.
•
An inter-switch failover with a firewall module in each of two chassis.
Setting up a Single-Chassis Configuration
To set up failover on a single chassis, install two firewall modules on the same chassis and assign the same firewall VLAN group to both modules.
Figure 13 Failover Single Chassis Configuration
To configure failover in a single chassis, perform this task:
This example shows how to configure failover in a single chassis:
Router(config)# firewall vlan-group 10 10,20,30,40,50
Router(config)# firewall module 4 vlan-group 10
Router(config)# firewall module 6 vlan-group 10
Setting Up a Dual-Chassis Configuration
To set up failover across two chassis, install a firewall module in each chassis and assign the same firewall VLAN group to both modules.
To set up a dual-chassis configuration, follow these tasks:
Figure 14 shows a dual-chassis configuration.
Figure 14 Failover Dual-Chassis Configuration
This example shows how to configure failover in two chassis:
Router1(config)# firewall vlan-group 10 10,20,30,40
Router1(config)# firewall module 4 vlan-group 10
Router2(config)# firewall vlan-group 20 10,20,30,40
Router2(config)# firewall module 5 vlan-group 20
Configuring Firewall Failover
For a failover configuration, both firewall modules need to have the same RAM and Flash memory size and be running the same software version.
To configure failover, follow these steps:
Step 1
Set up one module as the primary with a firewall configuration without failover.
Note
Do not add a firewall configuration on the secondary module because a configuration set on the secondary module is not synchronized to the active module. This configuration is cleared during the configuration synchronization from the active module.
Step 2
Create a dedicated logical interface for failover communication using the nameif vlan_id if_name security_level command.
Step 3
Configure the module as primary using the failover lan unit primary command.
Step 4
Define the failover interface using the failover lan interface if_name command.
Step 5
Specify the IP address for the primary failover interface using the ip address if_name ip_addr mask command.
This is the IP address used by the primary module on the failover interface.
Step 6
Assign the IP addresses for all of the interfaces using the ip address if_name ip_address [mask] command.
Step 7
Specify the failover IP address for the secondary failover interface using the failover ip address if_name ip_addr command.
This is the IP address used by the secondary module on failover interface.
Step 8
Assign the failover IP addresses for all of the interfaces using the failover ip address if_name ip_addr command.
This command specifies the IP address used by the standby module on other firewall interfaces. The client hosts are not expected to use this IP address to communicate to the module.
Step 9
Enable failover on the primary module using the failover command.
Step 10
Store the failover configuration on the primary module in the Flash using the write memory command.
Note
This command is required to ensure that the module comes back online with the failover configuration after a reload (or after a failure recovery).
Step 11
When the primary module becomes the active module (use the show failover command to see the status), start the failover configuration on the secondary module.
Step 12
The secondary module should not have a firewall configuration. If you need to clear the configuration on the secondary module, use the clear configure all command.
Step 13
Enter the same set of failover commands on the secondary module by repeating Step 2 through Step 7.
The primary and the secondary module should have identical failover configurations, except for the failover lan unit command (primary on one module, secondary on the other).
Note
We recommend that you use separate links for the failover interface and the stateful logical-update interface. Packets on the failover link are tagged with a higher QoS priority; because stateful update traffic can be high in volume, the benefit of prioritizing failover traffic is lost if the failover link and the failover LAN interface are the same.
Note
Make sure both primary and secondary modules have the identical definition for the failover interface.
Step 14
Use the ping command to check the connectivity between the primary and secondary module on the failover interface.
Enter the icmp permit 0 0 if_name command to configure the failover interface to allow the ping to go through the firewall.
Step 15
Save the failover configuration on Flash using the write memory command.
The secondary module should detect the primary module and then switch to standby. The firewall configuration is synchronized from the active module to the standby module.
Warning
Configuration replication is performed only from the active module to the standby module, never in the other direction. If you change the configuration on the standby module, the two configurations are no longer synchronized.
Step 16
Enable failover on the secondary module using the failover command.
Step 17
To enable stateful failover, configure a dedicated interface for stateful failover using the failover link if_name command, which allows the state information to synchronize.
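Steps 1 through 17 above amount to a small set of invariants between the two modules: identical failover configuration except for failover lan unit, an identical definition of the failover interface on both, and no firewall configuration on the secondary. The following Python script is an added example, not part of the Cisco document or a Cisco tool; it parses the relevant lines of a primary and a secondary configuration and reports any invariant that does not hold before failover is enabled on the secondary. The three configurations it checks are constructed for the example (one correct secondary and one with two deliberate mistakes), and the abbreviated keywords that the document's own examples use (fail, int, pri, sec) are accepted.

```python
"""Consistency check for an FWSM LAN-based failover pair.

Added example, not part of the Cisco document. It encodes the rules the
failover procedure states: the two units carry the same failover
configuration except 'failover lan unit'; the failover interface is
defined identically on both (nameif, ip address, failover ip address,
failover lan interface); and the secondary carries no other firewall
configuration, because replication from the active unit overwrites it.
The configurations below are constructed for this example.
"""

PRIMARY = """\
fail lan unit pri
nameif 4000 fover 50
nameif 30 outside 0
nameif 40 inside 100
ip address fover 10.40.40.1 255.255.255.0
ip address inside 10.2.1.1 255.255.255.0
ip address outside 10.11.1.2 255.255.255.0
fail ip address fover 10.40.40.2 255.255.255.0
fail ip address inside 10.2.1.2 255.255.255.0
fail ip address outside 10.11.1.3 255.255.255.0
fail lan int fover
fail
"""

SECONDARY_OK = """\
fail lan unit sec
nameif 4000 fover 50
ip address fover 10.40.40.1 255.255.255.0
fail ip address fover 10.40.40.2 255.255.255.0
fail lan int fover
"""

# Constructed mistakes: wrong VLAN on the failover interface, plus a stray
# firewall interface that replication from the active unit would wipe out.
SECONDARY_BAD = """\
fail lan unit sec
nameif 4001 fover 50
nameif 40 inside 100
ip address fover 10.40.40.1 255.255.255.0
ip address inside 10.2.1.9 255.255.255.0
fail ip address fover 10.40.40.2 255.255.255.0
fail lan int fover
"""

ABBREV = {"fail": "failover", "int": "interface", "pri": "primary", "sec": "secondary"}


def normalize(line):
    """Expand the abbreviated keywords used in the document's examples."""
    return " ".join(ABBREV.get(tok, tok) for tok in line.split())


def parse(text):
    cfg = {"unit": None, "lan_if": None, "enabled": False,
           "nameif": {}, "ip": {}, "fip": {}}
    for raw in text.splitlines():
        t = normalize(raw).split()
        if not t:
            continue
        if t[:3] == ["failover", "lan", "unit"] and len(t) == 4:
            cfg["unit"] = t[3]
        elif t[:3] == ["failover", "lan", "interface"] and len(t) == 4:
            cfg["lan_if"] = t[3]
        elif t == ["failover"]:
            cfg["enabled"] = True
        elif t[0] == "nameif" and len(t) == 4:
            cfg["nameif"][t[2]] = (t[1], t[3])        # name -> (vlan, security level)
        elif t[:2] == ["ip", "address"] and len(t) == 5:
            cfg["ip"][t[2]] = (t[3], t[4])            # name -> (address, mask)
        elif t[:3] == ["failover", "ip", "address"] and len(t) == 6:
            cfg["fip"][t[3]] = (t[4], t[5])           # name -> standby (address, mask)
    return cfg


def check_pair(primary_text, secondary_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    p, s = parse(primary_text), parse(secondary_text)
    problems = []
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        problems.append("one unit must be 'failover lan unit primary', the other 'secondary'")
    fo = p["lan_if"]
    if fo is None or fo != s["lan_if"]:
        problems.append("failover lan interface is missing or differs between the units")
    else:
        for key, label in (("nameif", "nameif"), ("ip", "ip address"),
                           ("fip", "failover ip address")):
            if p[key].get(fo) != s[key].get(fo):
                problems.append(f"{label} for failover interface {fo} differs: "
                                f"{p[key].get(fo)} vs {s[key].get(fo)}")
        extra = sorted(set(s["nameif"]) - {fo})
        if extra:
            problems.append(f"secondary names non-failover interfaces {extra}; "
                            "it must carry no firewall configuration before replication")
    if not p["enabled"]:
        problems.append("failover is not enabled on the primary")
    return problems


if __name__ == "__main__":
    print("good pair:", check_pair(PRIMARY, SECONDARY_OK) or "consistent")
    print("bad pair:", check_pair(PRIMARY, SECONDARY_BAD))
```

The check deliberately does not require the failover command on the secondary: the procedure enables it there only after the secondary has detected the active primary and received the replicated configuration.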
These examples show how to configure failover on a pair of FWSMs.
The modules are located in two different switches. A dedicated VLAN (vlan 4000) is created for the failover protocol. The following conditions apply:
•
Most of the configuration is performed on the primary module.
•
The primary module is designated using the failover lan unit primary command.
•
Shortly after entering the failover command, the primary module becomes active.
•
On the secondary module, using the nameif command, name only one interface. Use the interface that is dedicated to the failover protocol.
•
Assign the same IP address to the dedicated failover interface that you assigned to the primary unit (in this example: 10.40.40.1).
•
Assign the same standby address you used on the primary unit using the failover ip address command (in this example: 10.40.40.2).
This example shows how to configure the primary module. It also turns off syslog messages 111008 and 111009 (the messages that record each command a user executes on the module) to keep the console quiet during setup; leave them enabled on a production module, because they are the audit trail of administrative activity:
FWSM(config)# show vlan
30, 40, 4000
FWSM(config)#
FWSM(config)# fail lan unit pri
FWSM(config)# nameif 4000 fover 50
FWSM(config)# nameif 30 outside 0
FWSM(config)# nameif 40 inside 100
FWSM(config)# ip address fover 10.40.40.1 255.255.255.0
FWSM(config)# ip address inside 10.2.1.1 255.255.255.0
FWSM(config)# ip address outside 10.11.1.2 255.255.255.0
FWSM(config)# fail ip address fover 10.40.40.2 255.255.255.0
FWSM(config)# fail ip address inside 10.2.1.2 255.255.255.0
FWSM(config)# fail ip address outside 10.11.1.3 255.255.255.0
FWSM(config)# fail lan int fover
FWSM(config)# logg on
FWSM(config)# logg monitor 7
FWSM(config)# logg con 7
111008: User 'enable_15' executed the 'logging con 7' command.
FWSM(config)# no logg mess 111008
FWSM(config)# no logg mess 111009
FWSM(config)# fail
105002: (Primary) Enabling failover.
FWSM(config)#
No Response from Mate. Switching to Active
You may begin configuring the standby module at this time.
Sync Process Start
Sync Process End
709004: (Primary) End Configuration Replication (ACT)
105003: (Primary) Monitoring on interface 2 waiting
105003: (Primary) Monitoring on interface 1 waiting
105004: (Primary) Monitoring on interface 2 normal
105004: (Primary) Monitoring on interface 1 normal
302010: 0 in use, 0 most used
302010: 0 in use, 0 most used
This example shows how to configure the standby or secondary module:
FWSM(config)# fail lan unit sec
FWSM(config)# nameif 4000 fover 50
FWSM(config)# ip address fover 10.40.40.1 255.255.255.0
FWSM(config)# fail ip address fover 10.40.40.2 255.255.255.0
FWSM(config)# fail lan int fover
FWSM(config)# fail
FWSM(config)# logg on
FWSM(config)# logg mon 7
FWSM(config)# logg con 7
FWSM(config)# 111008: User 'enable_15' executed the 'logging con 7' command.
Detected an Active mate. Switching to Standby
Switching to Standby.
FWSM(config)#
Beginning configuration replication from mate.
This unit is in syncing state. 'failover' command will not be effective at this time
End configuration replication from mate.
709006: (Secondary) End Configuration Replication (STB)
Access Rules Download Complete: Memory Utilization < 1%
105003: (Secondary) Monitoring on interface 2 waiting
105003: (Secondary) Monitoring on interface 1 waiting
105004: (Secondary) Monitoring on interface 2 normal
105004: (Secondary) Monitoring on interface 1 normal
This example shows how to monitor the failover status on the primary and secondary modules:
Primary module:
FWSM(config)# show fail
Failover On
Failover unit Primary
Failover LAN Interface fover
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Primary - Active
Active time: 29925 (sec)
Interface outside (10.11.1.2): Normal
Interface inside (10.2.1.1): Normal
Other host: Secondary - Standby
Active time: 285 (sec)
Interface outside (10.11.1.3): Normal
Interface inside (10.2.1.2): Normal
Stateful Failover Logical Update Statistics
Link : Unconfigured.
Secondary module:
FWSM(config)# show fail
Failover On
Failover unit Secondary
Failover LAN Interface fover
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Secondary - Standby
Active time: 285 (sec)
Interface inside (10.2.1.2): Normal
Interface outside (10.11.1.3): Normal
Other host: Primary - Active
Active time: 30750 (sec)
Interface inside (10.2.1.1): Normal
Interface outside (10.11.1.2): Normal
Stateful Failover Logical Update Statistics
Link : Unconfigured.
FWSM(config)#
Using SNMP
You can monitor system events on the Firewall Services Module by using SNMP. SNMP access is read-only: you can read SNMP data and receive traps, but the module's configuration cannot be changed through SNMP.
Use CiscoWorks for Windows or any other SNMP version 1, MIB-II compliant browser to receive SNMP traps and browse a MIB. Traps are sent to UDP port 162 on the management station. SNMP version 1 carries the community string in cleartext and provides no message authentication, so restrict SNMP access to a trusted management network.
Note
The Firewall Services Module does not support browsing of the Cisco syslog MIB.
You can browse the System and Interface groups of MIB-II. Browsing a MIB is different from sending traps. Browsing involves doing an snmpget or snmpwalk of the MIB tree from the management station to determine values.
MIB Support
The Firewall Services Module supports the Cisco Firewall MIB and Cisco Memory Pool MIB.
The Firewall Services Module does not support the following in the Cisco Firewall MIB:
• cfwSecurityNotification NOTIFICATION-TYPE
• cfwContentInspectNotification NOTIFICATION-TYPE
• cfwConnNotification NOTIFICATION-TYPE
• cfwAccessNotification NOTIFICATION-TYPE
• cfwAuthNotification NOTIFICATION-TYPE
• cfwGenericNotification NOTIFICATION-TYPE
SNMP Traps
Traps are unsolicited "comments" from the managed device to the management station for specific events, such as link up, link down, and syslog event generation.
The snmp-server command causes the Firewall Services Module to send SNMP traps so that the module can be monitored remotely. Use the snmp-server host command to specify which systems receive the SNMP traps.
An SNMP object ID (OID) for the module is displayed in SNMP event traps sent from the module. The Firewall Services Module reports its system OID in SNMP event traps, and its SNMP mib-2.system.sysObjectID value, as the original PIX Firewall OID (1.3.6.1.4.1.9.1.227).
The module responds to an SNMP request from a management station and the module then sends an event notification trap.
The Firewall Services Module SNMP traps available to an SNMP management station are as follows:
• Generic traps:
  – Link up and link down (VLAN connected to the interface or not)
  – Cold start
  – Authentication failure (mismatched community string)
• Security-related events are sent through the Cisco Syslog MIB:
  – Global access denied
  – Failover syslog messages
  – syslog messages
Receiving Requests and Sending Syslog Traps
To receive requests and send traps from the Firewall Services Module to an SNMP management station, follow these steps:
Step 1
Identify the IP address of the SNMP management station by using the snmp-server host command.
Step 2
Set the snmp-server options for location, contact, and the community password as required.
If you only want to send the cold start, link up, and link down generic traps, and you only want to receive SNMP requests, no further configuration is required.
Step 3
Add an snmp-server enable traps command statement to the configuration.
Step 4
Set the logging level with the logging history command:
logging history debugging
We recommend that you use the debugging level during initial setup and during testing. After setup, set the level from debugging to a lower value.
The logging history command sets the severity level for SNMP syslog messages.
Step 5
Start sending syslog traps to the management station using the logging on command.
Step 6
To disable sending syslog traps, use the no logging on command or the no snmp-server enable traps command.
Compiling Cisco Syslog MIB Files
To receive security and failover SNMP traps from the Firewall Services Module, compile the Cisco SMI MIB and the Cisco syslog MIB into your SNMP management application. If you do not compile the Cisco syslog MIB into your application, you receive only traps for link up or down, firewall cold start, and authentication failure.
To obtain the Cisco MIB files go to the following URLs:
• http://www.cisco.com/public/mibs/v2/CISCO-FIREWALL-MIB.my
• ftp://ftp.cisco.com/pub/mibs/v2/CISCO-FIREWALL-MIB.my
• http://www.cisco.com/public/mibs/v2/CISCO-MEMORY-POOL-MIB.my
• ftp://ftp.cisco.com/pub/mibs/v2/CISCO-MEMORY-POOL-MIB.my
• http://www.cisco.com/public/mibs/v2/CISCO-SMI.my
• ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SMI.my
• http://www.cisco.com/public/mibs/v2/CISCO-SYSLOG-MIB.my
• ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SYSLOG-MIB.my
To compile Cisco syslog MIB files into your browser using CiscoWorks for Windows (SNMPc), follow these steps:
Step 1
Obtain the Cisco syslog MIB files.
Step 2
Start SNMPc.
Step 3
Select Config>Compile MIB.
Step 4
Scroll to the bottom of the list, and select the last entry.
Step 5
Click Add.
Step 6
Find the Cisco syslog MIB files.
Note
With certain applications, only files with a .mib extension may show in the file selection window of SNMPc, so the Cisco syslog MIB files, which have the .my extension, are not shown. In this case, you should manually change the .my extension to a .mib extension.
Step 7
Select CISCO-FIREWALL-MIB.my (CISCO-FIREWALL-MIB.mib) and click OK.
Step 8
Scroll to the bottom of the list, and select the last entry.
Step 9
Click Add.
Step 10
Locate the CISCO-MEMORY-POOL-MIB.my (CISCO-MEMORY-POOL-MIB.mib) file and click OK.
Step 11
Scroll to the bottom of the list, and click the last entry.
Step 12
Click Add.
Step 13
Locate the CISCO-SMI.my (CISCO-SMI.mib) file and click OK.
Step 14
Scroll to the bottom of the list, and select the last entry.
Step 15
Click Add.
Step 16
Locate the CISCO-SYSLOG-MIB.my (CISCO-SYSLOG-MIB.mib) file and click OK.
Step 17
Click Load All.
Step 18
Restart SNMPc if there are no errors. Otherwise check your configuration.
Using the Firewall and Memory Pool MIBs
You can poll failover and system status using the Cisco Firewall and Memory Pool MIBs. With the MIB tables, you can view failover status, memory usage, connection count, and system buffer usage.
Viewing Failover Status
The Cisco Firewall MIB's cfwHardwareStatusTable indicates whether failover is enabled, and which module is active. The Cisco Firewall MIB indicates failover status in two rows of the cfwHardwareStatusTable object. From the Firewall Services Module command line, you can view failover status using the show failover command. You can access the object table from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatus.cfwHardwareStatusTable
Table 6 lists which objects provide failover information.
Table 6 Failover Status Objects
Object | Object Type | Row 1: Returned if Failover is Disabled | Row 1: Returned if Failover is Enabled | Row 2: Returned if Failover is Enabled
cfwHardwareType (table index) | Hardware | 6 (primary module) (1) | 6 (primary module) | 7 (secondary module)
cfwHardwareInformation | SnmpAdminString | blank | blank | blank
cfwHardwareStatusValue | HardwareStatus | 0 (not used) | active or 9 (active module) or standby or 10 (standby module) | active or 9 (active module) or standby or 10 (standby module)
cfwHardwareStatusDetail | SnmpAdminString | Failover Off | blank | blank
(1) The type of returned values are shown in parentheses.
In the HP OpenView Browse MIB application's MIB values window, if failover is disabled, a sample MIB query displays the following information:
cfwHardwareInformation.6 :
cfwHardwareInformation.7 :
cfwHardwareStatusValue.6 :0
cfwHardwareStatusValue.7 :0
cfwHardwareStatusDetail.6 :Failover Off
cfwHardwareStatusDetail.7 :Failover Off
In this list, the table index, cfwHardwareType, appears as either .6 or .7 appended to the end of each of the subsequent objects. The cfwHardwareInformation field is blank, the cfwHardwareStatusValue is 0, and the cfwHardwareStatusDetail contains Failover Off, which indicates the failover status.
When failover is enabled, a sample MIB query displays the following information:
cfwHardwareInformation.6 :
cfwHardwareInformation.7 :
cfwHardwareStatusValue.6 : active
cfwHardwareStatusValue.7 : standby
cfwHardwareStatusDetail.6 :
cfwHardwareStatusDetail.7 :
In this listing, only the cfwHardwareStatusValue object contains a value, either active or standby, to indicate the status of each module.
Verifying Memory Usage
You can determine how much free memory is available with the Cisco Memory Pool MIB. From the Firewall Services Module command line, use the show memory command to view the memory usage. The following is sample output from the show memory command:
Router(config)# show memory
16777216 bytes total, 5595136 bytes free
You can access the MIB objects from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoMemoryPoolMIB.ciscoMemoryPoolObjects.ciscoMemoryPoolTable
Table 7 lists which objects provide memory usage information.
In the HP OpenView Browse MIB application's MIB values window, a sample MIB query displays the following information:
ciscoMemoryPoolName.1 :FWSM system memory
ciscoMemoryPoolAlternate.1 :0
ciscoMemoryPoolValid.1 :true
ciscoMemoryPoolUsed.1 :12312576
ciscoMemoryPoolFree.1 :54796288
ciscoMemoryPoolLargestFree.1 :0
In this list, the table index, ciscoMemoryPoolName, appears as the .1 value at the end of each subsequent object value. The ciscoMemoryPoolUsed object lists the number of bytes currently in use, 12312576, and the ciscoMemoryPoolFree object lists the number of bytes currently free, 54796288. The other objects always list the values described in Table 7.
Viewing the Connection Count
You can view the number of connections in use from the cfwConnectionStatTable in the Cisco Firewall MIB. From the Firewall Services Module command line, enter the show conn command to view the connection count. The following is sample output from the show conn command:
show connection count
15 in use
The cfwConnectionStatTable object table can be accessed from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwConnectionStatTable
Table 8 lists which objects provide connection count information.
In the HP OpenView Browse MIB application's MIB values window, a sample MIB query displays the following information:
cfwConnectionStatDescription.40.6 :number of connections currently in use by the entire firewall
cfwConnectionStatDescription.40.7 :highest number of connections in use at any one time since system startup
cfwConnectionStatCount.40.6 :0
cfwConnectionStatCount.40.7 :0
cfwConnectionStatValue.40.6 :15
cfwConnectionStatValue.40.7 :15
In this list, the table index, cfwConnectionStatService, appears as the .40 appended to each subsequent object. The table index, cfwConnectionStatType, appears as either .6 to indicate the number of connections in use or .7 to indicate the most used number of connections. The cfwConnectionStatValue object lists the connection count. The cfwConnectionStatCount object always returns 0 (zero).
Viewing System Buffer Usage
You can view the system buffer usage from the Cisco Firewall MIB in multiple rows of the cfwBufferStatsTable. The system buffer usage provides an early warning that the Firewall Services Module is reaching its capacity limit. On the command line, enter the show blocks command to view this information.
The following is sample output from the show blocks command to demonstrate how cfwBufferStatsTable is populated:
show blocks
 SIZE   MAX   LOW   CNT
    4  1600  1600  1600
   80   100    97    97
  256    80    79    79
 1550   780   402   404
65536     8     8     8
You can view cfwBufferStatsTable at the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTable
Table 9 lists the objects required to view the system block usage.
Note
The three rows repeat for every block size listed in the output of the show blocks command.
In the HP OpenView Browse MIB application's MIB values window a sample MIB query displays the following information:
cfwBufferStatInformation.4.3 :maximum number of allocated 4 byte blocks
cfwBufferStatInformation.4.5 :fewest 4 byte blocks available since system startup
cfwBufferStatInformation.4.8 :current number of available 4 byte blocks
cfwBufferStatInformation.80.3 :maximum number of allocated 80 byte blocks
cfwBufferStatInformation.80.5 :fewest 80 byte blocks available since system startup
cfwBufferStatInformation.80.8 :current number of available 80 byte blocks
cfwBufferStatInformation.256.3 :maximum number of allocated 256 byte blocks
cfwBufferStatInformation.256.5 :fewest 256 byte blocks available since system startup
cfwBufferStatInformation.256.8 :current number of available 256 byte blocks
cfwBufferStatInformation.1550.3 :maximum number of allocated 1550 byte blocks
cfwBufferStatInformation.1550.5 :fewest 1550 byte blocks available since system startup
cfwBufferStatInformation.1550.8 :current number of available 1550 byte blocks
cfwBufferStatValue.4.3: 1600
cfwBufferStatValue.4.5: 1600
cfwBufferStatValue.4.8: 1600
cfwBufferStatValue.80.3: 400
cfwBufferStatValue.80.5: 396
cfwBufferStatValue.80.8: 400
cfwBufferStatValue.256.3: 1000
cfwBufferStatValue.256.5: 997
cfwBufferStatValue.256.8: 999
cfwBufferStatValue.1550.3: 1444
cfwBufferStatValue.1550.5: 928
cfwBufferStatValue.1550.8: 932
In this list, the first table index, cfwBufferStatSize, appears as the first number appended to the end of each object, such as .4 or .256. The other table index, cfwBufferStatType, appears as .3, .5, or .8 after the first index. For each block size, the cfwBufferStatInformation object identifies the type of value and the cfwBufferStatValue object identifies the number of bytes for each value.
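The listings in this section (the cfwHardwareStatusTable rows of Table 6, the memory pool objects, cfwConnectionStatTable and cfwBufferStatsTable) all come back from a MIB browser in the same "object.index :value" shape, so one small parser can feed all four checks. The following is an added example, not code from the original note or from Cisco: it parses a listing constructed from the sample values shown above and applies the interpretations the text gives for each object. The 0.8 low-water ratio used to flag a block size is an assumption; the object names, indexes and value meanings are those stated in this section.

```python
import re

# Constructed listing combining the sample MIB queries shown in this section (not a real capture).
SAMPLE_LISTING = """\
cfwHardwareInformation.6 :
cfwHardwareInformation.7 :
cfwHardwareStatusValue.6 : active
cfwHardwareStatusValue.7 : standby
cfwHardwareStatusDetail.6 :
cfwHardwareStatusDetail.7 :
ciscoMemoryPoolName.1 :FWSM system memory
ciscoMemoryPoolUsed.1 :12312576
ciscoMemoryPoolFree.1 :54796288
cfwConnectionStatValue.40.6 :15
cfwConnectionStatValue.40.7 :15
cfwBufferStatValue.4.3: 1600
cfwBufferStatValue.4.5: 1600
cfwBufferStatValue.4.8: 1600
cfwBufferStatValue.80.3: 400
cfwBufferStatValue.80.5: 396
cfwBufferStatValue.80.8: 400
cfwBufferStatValue.256.3: 1000
cfwBufferStatValue.256.5: 997
cfwBufferStatValue.256.8: 999
cfwBufferStatValue.1550.3: 1444
cfwBufferStatValue.1550.5: 928
cfwBufferStatValue.1550.8: 932
"""

# Constructed listing for the failover-disabled case described with Table 6.
FAILOVER_OFF_LISTING = """\
cfwHardwareStatusValue.6 :0
cfwHardwareStatusValue.7 :0
cfwHardwareStatusDetail.6 :Failover Off
cfwHardwareStatusDetail.7 :Failover Off
"""

# "objectName.i[.j] :value" -- the colon may be glued to either side, the value may be blank
ROW_RE = re.compile(r"^(\w+)((?:\.\d+)+)\s*:\s*(.*)$")


def parse_listing(text):
    """Maps (object name, index tuple) -> value string; blank values (cfwHardwareInformation) become ''."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            index = tuple(int(x) for x in m.group(2).strip(".").split("."))
            rows[(m.group(1), index)] = m.group(3).strip()
    return rows


HARDWARE = {6: "primary", 7: "secondary"}           # cfwHardwareType index values from Table 6
STATUS_VALUES = {"0": "not used", "9": "active", "10": "standby", "active": "active", "standby": "standby"}


def failover_status(rows):
    """Table 6: a 'Failover Off' detail means failover is disabled; otherwise the status value names the role."""
    status = {}
    for idx, module in HARDWARE.items():
        detail = rows.get(("cfwHardwareStatusDetail", (idx,)), "")
        value = rows.get(("cfwHardwareStatusValue", (idx,)), "")
        status[module] = "failover off" if detail == "Failover Off" else STATUS_VALUES.get(value, f"unknown ({value})")
    return status


def memory_summary(rows):
    """ciscoMemoryPoolUsed / ciscoMemoryPoolFree for pool index .1 (the FWSM system memory pool)."""
    used = int(rows[("ciscoMemoryPoolUsed", (1,))])
    free = int(rows[("ciscoMemoryPoolFree", (1,))])
    return {"used": used, "free": free, "total": used + free, "free_ratio": free / (used + free)}


def connection_counts(rows):
    """cfwConnectionStatValue: service index .40 = whole firewall; type .6 = in use, .7 = most used."""
    return int(rows[("cfwConnectionStatValue", (40, 6))]), int(rows[("cfwConnectionStatValue", (40, 7))])


def buffer_warnings(rows, low_ratio=0.8):
    """Block sizes whose low-water mark (type .5) fell below low_ratio of the maximum (type .3)."""
    sizes = sorted({idx[0] for (name, idx) in rows if name == "cfwBufferStatValue"})
    flagged = []
    for size in sizes:
        maximum = int(rows[("cfwBufferStatValue", (size, 3))])
        lowest = int(rows[("cfwBufferStatValue", (size, 5))])
        if maximum and lowest / maximum < low_ratio:
            flagged.append(size)
    return flagged


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    print(failover_status(rows), memory_summary(rows), connection_counts(rows), buffer_warnings(rows))
```

With the sample values, only the 1550-byte pool is flagged (its fewest-available count of 928 against a maximum of 1444), which is the early-warning signal the cfwBufferStatsTable section describes; the other sizes stayed within a few blocks of their maximum.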
Using the ipAddrTable
When you use the SNMP ipAddrTable entry, all interfaces must have unique addresses. If interfaces have not been assigned IP addresses, by default, their IP addresses are all set to 127.0.0.1. Duplicate IP addresses cause the SNMP management station to loop indefinitely. If this situation occurs, assign each interface a different address. For example, you can set one address to 127.0.0.1, another to 127.0.0.2, and so on.
SNMP uses a sequence of GetNext operations to traverse the MIB tree. Each GetNext request is based on the result of the previous request. If two consecutive interfaces have the same IP 127.0.0.1 (table index), the GetNext function returns 127.0.0.1, which is correct. However, when SNMP generates the next GetNext request using the same result (127.0.0.1), the request is identical to the previous one, which causes the management station to loop infinitely. For example:
GetNext(ip.ipAddrTable.ipAddrEntry.ipAdEntAddr.127.0.0.1)
With SNMP, the MIB table index must be unique for the agent to identify a row from the MIB table. The table index for ip.ipAddrTable is the module interface IP address, which requires that the IP address is unique. The SNMP agent might become confused and may return information of another interface (row), which has the same IP (index).
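The looping GetNext walk described above, as an added example that is not part of the original note: a model of an ipAddrTable agent that behaves the way the text describes (it locates the row matching the requested index and hands back the row after it), and a walker that applies the check a management station needs, stopping as soon as a reply's index is not greater than the request's. Interface names and the 10.11.1.2 address are constructed; 127.0.0.1 and 127.0.0.2 are the values used in the text.

```python
from ipaddress import IPv4Address

# MIB-II ip.ipAddrTable.ipAddrEntry.ipAdEntAddr; each row is indexed by the interface's own address
IP_AD_ENT_ADDR = "1.3.6.1.2.1.4.20.1.1"


class IpAddrTableAgent:
    """Models the module's ipAddrTable: one row per interface, indexed by interface address (constructed)."""

    def __init__(self, interfaces):
        self.rows = sorted(((IPv4Address(addr), name) for name, addr in interfaces), key=lambda r: r[0])

    def get_next(self, index):
        """Answer GetNext(ipAdEntAddr.<index>); index None asks for the first row; None means end of table."""
        if index is None:
            pos = 0
        else:
            matches = [i for i, (addr, _) in enumerate(self.rows) if addr == index]
            if matches:
                # the agent finds the row carrying that index and returns the row after it; when two
                # rows share the index, the "next" row repeats the index that was just requested
                pos = matches[0] + 1
            else:
                later = [i for i, (addr, _) in enumerate(self.rows) if addr > index]
                if not later:
                    return None
                pos = later[0]
        if pos >= len(self.rows):
            return None
        return self.rows[pos]


def walk_ip_addr_table(agent, max_requests=64):
    """Walk the table with GetNext; stop with an error when the returned index does not increase."""
    collected = []
    index = None
    for _ in range(max_requests):
        row = agent.get_next(index)
        if row is None:
            return collected, None
        addr, name = row
        if index is not None and addr <= index:
            return collected, f"OID not increasing: {IP_AD_ENT_ADDR}.{index} -> {IP_AD_ENT_ADDR}.{addr}"
        collected.append((str(addr), name))
        index = addr
    return collected, "request budget exhausted"


# Two unaddressed interfaces left at the 127.0.0.1 default (constructed interface names)
DUPLICATE_ADDRESSES = [("outside", "10.11.1.2"), ("dmz", "127.0.0.1"), ("inside", "127.0.0.1")]
# The same module after each interface was given a distinct address, as the text recommends
UNIQUE_ADDRESSES = [("outside", "10.11.1.2"), ("dmz", "127.0.0.1"), ("inside", "127.0.0.2")]


if __name__ == "__main__":
    print(walk_ip_addr_table(IpAddrTableAgent(DUPLICATE_ADDRESSES)))
    print(walk_ip_addr_table(IpAddrTableAgent(UNIQUE_ADDRESSES)))
```

The "OID not increasing" stop is the same safeguard a standard snmpwalk applies; without it the walker above would re-issue GetNext for 127.0.0.1 until its request budget ran out, which is the indefinite loop the text warns about.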
SNMP Usage Notes
The following notes apply:
• The MIB-II ifEntry.ifAdminStatus object returns 1 if the interface is accessible. The object returns 2 if you administratively shut down the interface using the shutdown option of the interface command.
• The SNMP ifOutUcastPkts object now correctly returns the outbound packet count.
• Syslog messages generated by the SNMP module specify the interface name instead of an interface number.
• The ifSpeed option is not supported and will always return a zero.
Configuring OSPF Routing Support
The Firewall Services Module can run two processes of Open Shortest Path First (OSPF) protocol simultaneously. Each of the OSPF processes runs on a different set of interfaces. RIP cannot be enabled on any of the same interfaces as the interfaces that OSPF is enabled on.
Redistribution between the two OSPF processes is supported. Redistribution between RIP and OSPF is not supported in the current release. Static and connected routes configured on OSPF-enabled interfaces on the Firewall Services Module can also be redistributed into the OSPF process. For further information on how to configure OSPF redistribution on the Firewall Services Module, refer to the section "Configuring IP Routing Protocol-Independent Features" of the Cisco IOS IP and IP Routing Configuration Guide.
OSPF allows the module to maintain its own routing table. The OSPF protocol provides the following features for the module:
• Support of intra-area, interarea, and external (Type I and Type II) routes.
• Support of a virtual link being configured on or through the module.
• OSPF link-state advertisement (LSA) flooding.
• Authentication to OSPF packets (both password and MD5 authentication).
• Support to configure the module as a designated router or a backup designated router. The module also can be set up as an area border router; however, the ability to configure the module as an autonomous system boundary router is limited to default information only (for example, injecting a default route).
• Support for stub areas and not-so-stubby-area (NSSA).
• Area boundary router type-3 LSA filtering.
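To show what the MD5 authentication listed above puts on the wire (the interface example later in this section enables it with ospf message-digest-key 1 md5 cisco and ospf authentication message-digest), here is an added example, not code from the original note or from Cisco. It builds an OSPFv2 Hello carrying RFC 2328 Appendix D cryptographic authentication and verifies one the way a capture-analysis or monitoring tool would: the 16-byte MD5 digest is computed over the packet followed by the key zero-padded to 16 bytes, and the cryptographic sequence number must not go backwards for a given neighbor. Router ID 20.1.89.2, key ID 1 and key cisco are taken from this section's examples; the Hello body values and the frames built here are assumptions.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2      # AuType 2 = cryptographic authentication (RFC 2328 Appendix D)
OSPF_HEADER_LEN = 24
DIGEST_LEN = 16


def _ip(addr):
    return IPv4Address(addr).packed


def ospf_md5_digest(packet, key):
    """RFC 2328 D.4.3: MD5 over the OSPF packet followed by the key, zero-padded to 16 bytes."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")).digest()


def build_hello(router_id, area_id, key_id, seq, key,
                netmask="255.255.255.0", hello=10, dead=40, priority=20):
    """Hello with cryptographic authentication; the digest trails the packet and is not counted in Length."""
    body = struct.pack("!4sHBBI4s4s", _ip(netmask), hello, 0x02, priority, dead,
                       _ip("0.0.0.0"), _ip("0.0.0.0"))         # options=E, no DR/BDR yet (constructed)
    length = OSPF_HEADER_LEN + len(body)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_HELLO, length,
                         _ip(router_id), _ip(area_id), 0, AUTYPE_CRYPTOGRAPHIC)  # checksum is 0 for AuType 2
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)     # key id, digest length, crypto sequence number
    packet = header + auth + body
    return packet + ospf_md5_digest(packet, key)


def verify_ospf_auth(frame, keys, last_seq):
    """keys maps key id -> key bytes, as set with 'ospf message-digest-key <id> md5 <key>'.
    last_seq is the highest sequence number already accepted from this neighbor.
    Returns (accepted, reason, seq)."""
    if len(frame) < OSPF_HEADER_LEN:
        return False, "truncated header", None
    version, _ptype, length, _rid, _area, _csum, autype = struct.unpack("!BBH4s4sHH", frame[:16])
    if version != OSPF_VERSION or autype != AUTYPE_CRYPTOGRAPHIC:
        return False, "not cryptographic authentication", None
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if auth_len != DIGEST_LEN or len(frame) != length + DIGEST_LEN:
        return False, "bad authentication data length", None
    key = keys.get(key_id)
    if key is None:
        return False, f"no key configured for key id {key_id}", None
    packet, digest = frame[:length], frame[length:]
    if not hmac.compare_digest(ospf_md5_digest(packet, key), digest):
        return False, "digest mismatch", None
    if seq < last_seq:
        return False, "sequence number went backwards (replay?)", seq
    return True, "ok", seq


if __name__ == "__main__":
    keys = {1: b"cisco"}
    frame = build_hello("20.1.89.2", "0.0.0.0", 1, 100, b"cisco")
    print(len(frame), verify_ospf_auth(frame, keys, 0))
```

Two design points matter for a verifier: the digest is compared with hmac.compare_digest rather than ==, so a mismatch takes the same time regardless of which byte differs, and the key is looked up by the key ID carried in the packet, which is what lets a network rotate keys one ID at a time.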
Enabling OSPF
As with other routing protocols, to enable OSPF you need to create an OSPF routing process, specify the range of IP addresses to be associated with the routing process, and assign area IDs to be associated with that range of IP addresses. To enable OSPF, follow these tasks, beginning in global configuration mode:
This example shows how to enable OSPF:
FWSM(config)# router ospf 2
FWSM(config-router)# network 2.0.0.0 255.0.0.0 area 0
Configuring OSPF Interface Parameters
Cisco OSPF implementation allows you to alter some interface-specific OSPF parameters as necessary. You are not required to alter any of these parameters, but some interface parameters must be consistent across all routers in an attached network. You configure the parameters by using the ospf hello-interval, ospf dead-interval, and ospf authentication-key interface configuration commands. Be sure that if you do configure any of these parameters, the configurations for all routers on your network have compatible values.
To specify interface parameters for your network, follow these tasks in interface configuration mode:
This example shows how to configure the OSPF interfaces:
FWSM(config)# router ospf 2
FWSM(config-router)# network 2.0.0.0 255.0.0.0 area 0
FWSM(config-router)# interface inside
FWSM(config-interface)# ospf cost 20
FWSM(config-interface)# ospf retransmit-interval 15
FWSM(config-interface)# ospf transmit-delay 10
FWSM(config-interface)# ospf priority 20
FWSM(config-interface)# ospf hello-interval 10
FWSM(config-interface)# ospf dead-interval 40
FWSM(config-interface)# ospf authentication-key cisco
FWSM(config-interface)# ospf message-digest-key 1 md5 cisco
FWSM(config-interface)# ospf authentication message-digest
FWSM(config-interface)# exit
FWSM(config)# show ip ospf
Routing Process "ospf 2" with ID 20.1.89.2 and Domain ID 0.0.0.2
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 5. Checksum Sum 0x 26da6
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 2 times
Area ranges are
Number of LSA 5. Checksum Sum 0x 209a3
Number of opaque link LSA 0. Checksum Sum 0x 0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
Configuring OSPF Area Parameters
You can configure several area parameters using Cisco OSPF software. These area parameters (shown in the following task table) include authentication, defining stub areas, and assigning specific costs to the default summary route. Authentication provides password-based protection against unauthorized access to an area.
Stub areas are areas into which information on external routes is not sent. Instead, the area border router generates a default external route into the stub area for destinations outside the autonomous system. To take advantage of the OSPF stub area support, default routing must be used in the stub area. To further reduce the number of LSAs sent into a stub area, you can configure the no-summary keyword of the area stub router configuration command on the area border router to prevent it from sending summary link advertisements (type 3 LSAs) into the stub area.
To specify an area parameter for your network, follow these tasks in router configuration mode:
This example shows how to configure the OSPF area parameters:
FWSM(config)# router ospf 2
FWSM(config-router)# area 0 authentication
FWSM(config-router)# area 0 authentication message-digest
FWSM(config-router)# area 17 stub
FWSM(config-router)# area 17 default-cost 20
Configuring OSPF NSSA
The OSPF implementation of NSSA is similar to OSPF stub area. NSSA does not flood type 5 external LSAs from the core into the area, but it can import autonomous system external routes in a limited way within the area.
NSSA imports type 7 autonomous system external routes within an NSSA area by redistribution. These type 7 LSAs are translated into type 5 LSAs by NSSA area border routers, which are flooded throughout the whole routing domain. Summarization and filtering are supported during the translation.
If you are an Internet service provider (ISP) or a network administrator who must connect a central site running OSPF to a remote site that runs a different routing protocol, you can simplify administration by using NSSA.
Before the implementation of NSSA, the connection between the corporate site border router and the remote router could not be run as OSPF stub area because routes for the remote site could not be redistributed into stub area, and two routing protocols needed to be maintained. A simple protocol such as RIP was usually run and handled the redistribution. With NSSA, you can extend OSPF to cover the remote connection by defining the area between the corporate router and the remote router as an NSSA.
To specify area parameters as needed to configure OSPF NSSA, follow this task in router configuration mode:
Command | Purpose
FWSM(config-router)# area area-id nssa [no-redistribution] [default-information-originate] | Defines an NSSA area.
This example shows how to define an NSSA area:
FWSM(config-router)# area 17 nssa
To control summarization and filtering of type 7 LSAs into type 5 LSAs, use the following command in router configuration mode on the area border router:
Command | Purpose
FWSM(config-router)# summary-address prefix mask [not-advertise] [tag tag] | Controls the summarization and filtering during the translation.
This example shows how to control summarization and filtering:
FWSM(config-router)# summary-address 12.1.0.0 255.255.0.0
Before you use this feature, consider these guidelines:
• You can set a type 7 default route that can be used to reach external destinations. When configured, the router generates a type 7 default into the NSSA or the NSSA area boundary router.
• Every router within the same area must agree that the area is NSSA; otherwise, the routers will not be able to communicate.
Configuring Route Summarization Between OSPF Areas
Route summarization is the consolidation of advertised addresses. This feature causes a single summary route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router will advertise networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the area boundary router to advertise a summary route that covers all the individual networks within the area that fall into the specified range.
To specify an address range, follow this task in router configuration mode:
Command | Purpose
FWSM(config-router)# area area-id range ip-address mask [advertise | not-advertise] | Specifies an address range for which a single route will be advertised.
This example shows how to configure route summarization between OSPF areas:
FWSM(config-router)# area 17 range 12.1.0.0 255.255.0.0
Configuring Route Summarization when Redistributing Routes into OSPF
When routes from other protocols are redistributed into OSPF, each route is advertised individually in an external LSA. However, you can configure the Cisco IOS software to advertise a single route for all the redistributed routes that are covered by a specified network address and mask. This configuration decreases the size of the OSPF link-state database.
To configure the software to advertise one summary route for all redistributed routes covered by a network address and mask, follow this task in router configuration mode:
This example shows how to configure route summarization when redistributing routes into OSPF:
FWSM(config-router)# summary-address 12.1.0.0 255.255.0.0
Creating Virtual Links
With OSPF all areas must be connected to a backbone area. If there is a break in backbone continuity, or the backbone is purposefully partitioned, you can establish a virtual link. The two end points of a virtual link are area border routers. The virtual link must be configured in both routers. The configuration information in each router consists of the other virtual end point (the other area border router) and the nonbackbone area that the two routers have in common (called the transit area). Virtual links cannot be configured through stub areas.
To establish a virtual link, follow this task in router configuration mode:
This example shows how to create virtual links:
FWSM(config-router)# area 16 virtual-link 1.1.1.1
To display information about virtual links, use the show ip ospf virtual-links EXEC command.
To display the router ID of an OSPF router, use the show ip ospf EXEC command.
Generating a Default Route
You can force an autonomous system boundary router to generate a default route into an OSPF routing domain. Whenever you specifically configure redistribution of routes into an OSPF routing domain, the router automatically becomes an autonomous system boundary router. However, an autonomous system boundary router does not by default generate a default route into the OSPF routing domain.
To force the autonomous system boundary router to generate a default route, follow this task in router configuration mode:
This example shows how to generate a default route:
FWSM(config-router)# default-information originate always
Changing the OSPF Administrative Distances
An administrative distance is a rating of the trustworthiness of a routing information source, such as an individual router or a group of routers. Numerically, an administrative distance is an integer from 0 to 255. In general, the higher the value, the lower the trust rating. An administrative distance of 255 means the routing information source cannot be trusted and should be ignored.
OSPF uses three different administrative distances: intra-area, interarea, and external. Routes within an area are intra-area; routes to another area are interarea; and routes from another routing domain learned through redistribution are external. The default distance for each type of route is 110.
To change any of the OSPF distance values, follow this task in router configuration mode:
Command | Purpose
FWSM(config-router)# distance ospf {[intra-area dist1] [inter-area dist2] [external dist3]} | Changes the OSPF distance values.
This example shows how to change the OSPF administrative distance:
FWSM(config-router)# distance ospf intra-area 90 inter-area 95 external 100
Configuring Route Calculation Timers
You can configure the delay time between when OSPF receives a topology change and when it starts a shortest path first (SPF) calculation. You also can configure the hold time between two consecutive SPF calculations.
To configure the route calculation time, follow this task in router configuration mode:
Command | Purpose
FWSM(config-router)# timers spf spf-delay spf-holdtime | Configures route calculation timers.
This example shows how to configure route calculation timers:
FWSM(config-router)# timers spf 10 120
Logging Neighbors Going Up or Down
By default, the system sends a syslog message when an OSPF neighbor goes up or down.
Configure this command if you want to know about OSPF neighbors going up or down without turning on the debug ip ospf adjacency EXEC command. The log-adj-changes router configuration command provides a higher level view of the peer relationship with less output. Configure log-adj-changes detail if you want to see messages for each state change.
Command | Purpose
FWSM(config-router)# log-adj-changes [detail] | Sends a syslog message when an OSPF neighbor goes up or down.
If you turned off this feature and want to restore it, follow this task in router configuration mode:
This example shows how to log neighbors:
FWSM(config-router)# log-adj-changes detail
Changing the LSA Group Pacing
The OSPF LSA group pacing feature allows the router to group OSPF LSAs and pace the refreshing, check summing, and aging functions. Group pacing results in more efficient use of the router.
The router groups OSPF LSAs and paces these functions so that sudden increases in CPU usage and network resources are avoided. This feature is most beneficial to large OSPF networks.
OSPF LSA group pacing is enabled by default. The default group pacing interval for refreshing, check summing, and aging usually is appropriate, and you need not configure this feature.
Original LSA Behavior
Each OSPF LSA has an age, which indicates whether the LSA is still valid. When the LSA reaches the maximum age (1 hour), it is discarded. During the aging process, the originating router sends a refresh packet every 30 minutes to refresh the LSA. Refresh packets are sent to keep the LSA from expiring, whether there has been a change in the network topology or not. Check summing is performed on all LSAs every 10 minutes. The router keeps track of LSAs it generates and LSAs it receives from other routers. The router refreshes LSAs it generated; it ages the LSAs it received from other routers.
Before the LSA group pacing feature was introduced, the Cisco IOS software would perform refreshing on a single timer, and check summing and aging on another timer. In the case of refreshing, for example, the software would scan the whole database every 30 minutes, refreshing every LSA the router generated, regardless of how old it was.
Figure 15 shows all the LSAs being refreshed at the same time. This process wasted CPU resources because only a small portion of the database needed to be refreshed. A large OSPF database (several thousand LSAs) might have thousands of LSAs with different ages. Refreshing on a single timer resulted in the age of all LSAs becoming synchronized, which resulted in increased CPU processing at once. A large number of LSAs might cause a sudden increase of network traffic, consuming a large amount of network resources in a short period of time.
Figure 15 OSPF LSAs on a Single Timer Without Group Pacing
LSA Group Pacing with Multiple Timers
This problem is solved by configuring each LSA to have its own timer. Each LSA gets refreshed when it is 30 minutes old, independent of other LSAs, so the CPU is used only when necessary. However, LSAs being refreshed at frequent, random intervals would require many packets for the few refreshed LSAs the router must send out, which would be inefficient use of bandwidth.
Therefore, the router delays the LSA refresh function for an interval of time instead of performing it when the individual timers are reached. The accumulated LSAs constitute a group, which is then refreshed and sent out in one packet or more. The refresh packets are paced as are the check summing and aging. The pacing interval is configurable; it defaults to 4 minutes, which is randomized to further avoid synchronization.
Figure 16 shows refresh packets. The first timeline shows individual LSA timers; the second timeline shows individual LSA timers with group pacing.
Figure 16 OSPF LSAs on Individual Timers with Group Pacing
The group pacing interval is inversely proportional to the number of LSAs the router is refreshing, check summing, and aging. For example, if you have approximately 10,000 LSAs, decreasing the pacing interval would benefit you. If you have a very small database (40 to 100 LSAs), increasing the pacing interval to 10 to 20 minutes might benefit you slightly.
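The trade-off described above (one timer for the whole database versus one timer per LSA versus grouping due LSAs into paced bursts) can be made concrete with a small simulation. This is an added example, not code from the original note or from Cisco. It builds a constructed database of LSAs whose ages are spread over the 30-minute refresh period and counts, over one hour, how many LSAs each refresh event sends under the three behaviours; the 30-minute refresh period, the 1-hour maximum age and the 240-second default pacing interval are the values stated in the text, while the database sizes, the uniform age spread and the random seed are assumptions.

```python
import heapq
import random

LSA_REFRESH_SECONDS = 30 * 60   # an originating router refreshes each LSA it generated every 30 minutes
LSA_MAX_AGE_SECONDS = 60 * 60   # an LSA that reaches 1 hour is discarded; used here as the simulation horizon


def simulate_refreshes(num_lsas, pacing_interval, horizon=LSA_MAX_AGE_SECONDS, seed=1):
    """Refresh activity for one strategy over `horizon` seconds.

    pacing_interval None -> one timer for the whole database: every LSA is refreshed at each 30-minute scan
    pacing_interval 1    -> every LSA on its own timer, refreshed the second it becomes due
    pacing_interval G    -> group pacing: LSAs that became due are held and refreshed together every G seconds
    Returns (bursts, largest_burst, total_refreshes); a burst is one refresh event that sends >= 1 LSA.
    """
    rng = random.Random(seed)
    # constructed database: due times spread uniformly across the refresh period (ages from 0 to 30 min)
    due = [rng.uniform(0, LSA_REFRESH_SECONDS) for _ in range(num_lsas)]

    if pacing_interval is None:
        scans = horizon // LSA_REFRESH_SECONDS
        return scans, num_lsas, scans * num_lsas

    heapq.heapify(due)
    bursts = largest = total = 0
    t = 0
    while t < horizon:
        t += pacing_interval
        refreshed = 0
        # every LSA whose timer expired in this window goes out now; its next refresh is 30 min from now
        while due and due[0] <= t:
            heapq.heapreplace(due, t + LSA_REFRESH_SECONDS)
            refreshed += 1
        if refreshed:
            bursts += 1
            largest = max(largest, refreshed)
            total += refreshed
    return bursts, largest, total


def compare_strategies(num_lsas, pacing_intervals=(60, 240, 600)):
    """Largest single refresh burst per strategy, for a given database size."""
    result = {"single timer": simulate_refreshes(num_lsas, None)[1],
              "individual timers": simulate_refreshes(num_lsas, 1)[1]}
    for g in pacing_intervals:
        result[f"group pacing {g}s"] = simulate_refreshes(num_lsas, g)[1]
    return result


if __name__ == "__main__":
    for size in (100, 10000):
        print(size, "LSAs:", compare_strategies(size))
```

Running it for 10,000 LSAs shows the shape of the argument above: the single timer sends all 10,000 in one burst, individual timers send only a handful per second but in thousands of separate events, and group pacing at 240 seconds sends about 1,300 per burst in 15 bursts; shortening the interval to 60 seconds cuts the burst to roughly 330, which is why the text suggests a shorter interval for a large database and a longer one for a small one.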
The default value of pacing between LSA groups is 240 seconds (4 minutes). The range is from 10 seconds to 1800 seconds (30 minutes). To change the LSA group pacing interval, follow this task in router configuration mode:
Command: FWSM(config-router)# timers lsa-group-pacing seconds
Purpose: Changes the group pacing of LSAs.
The following example changes the OSPF pacing between LSA groups to 280 seconds:
FWSM(config-router)# timers lsa-group-pacing 280
FWSM(config-router)# interface inside
Blocking OSPF LSA Flooding
By default, OSPF floods new LSAs over all interfaces in the same area, except the interface on which the LSA arrives. Some redundancy is desirable, because it ensures substantial flooding. However, too much redundancy can waste bandwidth and might destabilize the network due to excessive link and CPU usage in certain topologies, such as a fully meshed topology.
You can block OSPF flooding of LSAs two ways, depending on the type of networks:
•
On broadcast, nonbroadcast, and point-to-point networks, you can block flooding over specified OSPF interfaces.
•
On point-to-multipoint networks, you can block flooding to a specified neighbor.
On broadcast, nonbroadcast, and point-to-point networks, to prevent flooding of OSPF LSAs, follow this task in interface configuration mode:
Command: FWSM(config-if)# ospf database-filter all out
Purpose: Blocks the flooding of OSPF LSA packets to the interface.
On point-to-multipoint networks, to prevent flooding of OSPF LSAs, follow this task in router configuration mode:
Command: FWSM(config-router)# neighbor ip-address database-filter all out
Purpose: Blocks the flooding of OSPF LSA packets to the specified neighbor.
Ignoring MOSPF LSA Packets
Cisco routers do not support LSA type 6 Multicast OSPF (MOSPF). If the routers receive these packets, they generate syslog messages. If the router is receiving many MOSPF packets, you might want to configure the router to ignore the packets, which prevents a large number of syslog messages. To configure the router to ignore these packets, follow this task in router configuration mode:
Command: FWSM(config-router)# ignore lsa mospf
Purpose: Prevents the router from generating syslog messages when it receives MOSPF LSA packets.
The following example shows how to prevent flooding of OSPF LSAs to broadcast, nonbroadcast, or point-to-point networks reachable through Ethernet interface 0:
FWSM(config-router)# router ospf 2
FWSM(config-router)# ignore lsa mospf
FWSM(config-interface)# ospf database-filter all out
FWSM(config-interface)# router ospf 2
FWSM(config)# show ip ospf flood-list inside
Interface inside, Queue length 0
The following example shows how to prevent flooding of OSPF LSAs to point-to-multipoint networks to the neighbor at IP address 1.2.3.4:
FWSM(config-router)# router ospf 109
FWSM(config-router)# neighbor 1.2.3.4 database-filter all out
Displaying OSPF Update Packet Pacing
The former OSPF implementation for sending update packets was not efficient. Some update packets were getting lost in situations where the link was slow, a neighbor could not receive the updates quickly enough, or the router was out of buffer space. For example, packets might be dropped if either of the following topologies existed:
•
A fast router was connected to a slower router over a point-to-point link.
•
During flooding, several neighbors sent updates to a single router at the same time.
OSPF update packets are now automatically paced so they are not sent less than 33 milliseconds apart. Pacing is also added between resends to increase efficiency and minimize lost retransmissions. You also can display the LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update and retransmission packets are sent more efficiently.
There are no configuration tasks for this feature; it occurs automatically. To observe OSPF packet pacing by displaying a list of LSAs waiting to be flooded over a specified interface, follow this task in EXEC mode:
Command: FWSM# show ip ospf flood-list interface-type interface-number
Purpose: Displays a list of LSAs waiting to be flooded over an interface.
Area Border Router Type 3 LSA Filtering
The area border router Type 3 LSA filtering feature extends the capability of an area border router that is running the OSPF protocol to filter type 3 LSAs between different OSPF areas. This feature allows only specified prefixes to be sent from one area to another area and restricts all other prefixes. This type of area filtering can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of the same OSPF areas at the same time. This feature is supported by the addition of the area filter-list command.
The OSPF ABR Type 3 LSA filtering feature provides improved control of route distribution between OSPF areas.
Only Type 3 LSAs that originate from an area border router are filtered.
Configuring ABR Type 3 LSA Filtering
To filter interarea routes into a specified area, perform the following tasks beginning in router configuration mode:
To filter interarea routes out of a specified area, use the following commands beginning in router configuration mode:
Monitoring and Maintaining OSPF
You can display specific statistics such as the contents of IP routing tables, caches, and databases. This information can be used to determine resource utilization and solve network problems. You can also display information about node reachability and discover the routing path that your device's packets are taking through the network.
To display various routing statistics, follow this task in EXEC mode, as needed:
To restart an OSPF process, follow this task in EXEC mode:
Configuring IPSec for Management
Internet Protocol Security (IPSec) provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec operates at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers), such as Firewall Services Modules.
IPSec provides the following optional network security services. A local security policy determines the use of one or more of these services:
•
Data Confidentiality—The IPSec sender can encrypt packets before transmitting them across a network.
•
Data Integrity—The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
•
Data Origin Authentication—The IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service.
•
Anti-Replay—The IPSec receiver can detect and reject replayed packets.
Note
The term data authentication indicates data-integrity and data-origin authentication. Within this document, the term also includes antireplay services, unless otherwise specified.
IPSec provides controlled tunnels between two peers, such as two Firewall Services Modules. These tunnels are sets of security associations that are established between two remote IPSec peers (modules). You define which packets are considered sensitive and should be sent through these controlled tunnels, and you define the parameters that should be used to protect these sensitive packets by specifying the characteristics of these tunnels. When the IPSec peer sees a sensitive packet, it sets up the appropriate controlled tunnel and sends the packet through the tunnel to the remote peer.
For detailed information about IPSec, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/ipsec/index.htm
The following steps describe a minimal IPSec configuration where the IPSec security associations are established through Internet Key Exchange (IKE).
To configure IPSec with IKE for the module, perform this task:
Step 1
Command: FWSM(config)# access-list access-list-module {deny | permit} ip source source-netmask destination destination-netmask
Purpose: Creates an access list to define the traffic to protect.
Step 2
Command: FWSM(config)# crypto ipsec transform-set transform-set-module transform1 [transform2, transform3]
Purpose: Configures a transform set that defines how the traffic will be protected. You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry in Step 6.
Step 3
Command: FWSM(config)# crypto map map-module seq-num ipsec-isakmp
Purpose: Creates a crypto map entry in IPSec ISAKMP mode.
Step 4
Command: FWSM(config)# crypto map map-module seq-num match address access-list-module
Purpose: Assigns an access list to a crypto map entry.
Step 5
Command: FWSM(config)# crypto map map-module seq-num set peer ip-address
Purpose: Specifies the peer to which the IPSec-protected traffic can be forwarded. The security association is set up with the peer having an IP address of 192.168.1.100. Specify multiple peers by repeating this command.
Step 6
Command: FWSM(config)# crypto map map-module seq-num set transform-set transform-set-module1 [transform-set-module2, transform-set-module6]
Purpose: Specifies which transform sets are allowed for this crypto map entry. Lists multiple transform sets in order of priority (highest priority first). You can specify up to six transform sets.
Step 7
Command: FWSM(config)# crypto map map-module seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}
Purpose: (Optional) Specifies a security association lifetime for the crypto map entry, if you want the security associations for this entry to be negotiated using IPSec security association lifetimes other than the global lifetimes.
Step 8
Command: FWSM(config)# crypto map map-module seq-num set pfs [group1 | group2]
Purpose: (Optional) Specifies that IPSec should require perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or should require PFS in requests received from the peer.
Step 9
Command: FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num match address access-list-module
Purpose: (Optional) Assigns an access list to a dynamic crypto map entry, which determines which traffic should be protected and which traffic should not be protected.
Step 10
Command: FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set peer ip-address
Purpose: (Optional) Specifies the peer to which the IPSec-protected traffic can be forwarded. This is rarely configured in dynamic crypto map entries because dynamic crypto map entries are often used for unknown peers.
Step 11
Command: FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set transform-set transform-set-module1, [transform-set-module2, transform-set-module9]
Purpose: Specifies which transform sets are allowed for this dynamic crypto map entry. Lists multiple transform sets in order of priority (highest priority first).
Step 12
Command: FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}
Purpose: (Optional) Specifies a security association lifetime for the dynamic crypto map entry, if you want the security associations for this entry to be negotiated using IPSec security association lifetimes other than the global lifetimes.
Step 13
Command: FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set pfs [group1 | group2]
Purpose: (Optional) Specifies that IPSec should request PFS when requesting new security associations for this dynamic crypto map entry, or should demand PFS in requests received from the peer.
Step 14
Command: FWSM(config)# crypto map map-module seq-num ipsec-isakmp dynamic dynamic-map-module
Purpose: Adds the dynamic crypto map set into a static crypto map set. Be sure to set the crypto map entries referencing dynamic maps to be the lowest-priority entries (highest sequence numbers) in a crypto map set.
Step 15
Command: FWSM(config)# crypto map map-module interface interface-module
Purpose: Applies a crypto map set to an interface on which the IPSec traffic will be evaluated.
Step 16
Command: FWSM# sysopt connection permit-ipsec
Purpose: Specifies that IPSec traffic be implicitly trusted (permitted).
In the Firewall Services Module, VPN and IPSec are available only for management purposes. You cannot establish IPSec tunnels across the firewall; any tunnel initiated by a VPN client on another switch should terminate at the Firewall Services Module. The CLI commands you use to configure IPSec for management have not changed from PIX except for those listed in Table 13. Refer to the PIX documentation for details about configuring IPSec.
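The 16 steps above, carried through as an added example that is not Cisco code: a small policy model that checks the constraints the steps state (one to three transforms per set, at most six transform sets per entry, PFS group1 or group2, a peer on every static entry, dynamic entries at the highest sequence numbers) and then emits the commands in step order. The map, access-list, transform-set and interface names, the 10.20.30.0/24 and 192.168.1.0/24 networks, and the esp-3des/esp-sha-hmac transform identifiers are assumptions.

```python
"""Policy model for the IPSec-with-IKE steps above. Added example, not Cisco
code; the names, addresses and transform identifiers used in example_policy()
are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_TRANSFORM_SETS = 6             # Step 6: up to six transform sets per entry
PFS_GROUPS = ("group1", "group2")  # Steps 8 and 13: the only PFS groups offered


@dataclass
class MapEntry:
    seq: int                                        # crypto map sequence number
    acl: str                                        # Steps 4 / 9: match address
    transform_sets: List[str]                       # Steps 6 / 11, highest priority first
    peers: List[str] = field(default_factory=list)  # Steps 5 / 10
    lifetime_seconds: Optional[int] = None          # Steps 7 / 12
    pfs: Optional[str] = None                       # Steps 8 / 13
    dynamic: bool = False                           # Step 14: a dynamic-map entry


@dataclass
class IpsecPolicy:
    map_name: str
    interface: str                        # Step 15: interface the map is applied to
    acls: Dict[str, str]                  # Step 1: name -> "permit ip src mask dst mask"
    transform_sets: Dict[str, List[str]]  # Step 2: name -> one to three transforms
    entries: List[MapEntry]
    dynamic_map_name: str = "dynmap"


def validate(policy: IpsecPolicy) -> List[str]:
    """Return the constraints from the steps above that the policy violates."""
    problems = []
    for name, transforms in policy.transform_sets.items():
        if not 1 <= len(transforms) <= 3:
            problems.append(f"transform set {name}: needs 1-3 transforms")
    static_seqs = [e.seq for e in policy.entries if not e.dynamic]
    for e in policy.entries:
        kind = "dynamic" if e.dynamic else "static"
        if e.acl not in policy.acls:
            problems.append(f"{kind} entry {e.seq}: access list {e.acl} undefined")
        if not 1 <= len(e.transform_sets) <= MAX_TRANSFORM_SETS:
            problems.append(f"{kind} entry {e.seq}: 1-{MAX_TRANSFORM_SETS} transform sets")
        problems += [f"{kind} entry {e.seq}: transform set {n} undefined"
                     for n in e.transform_sets if n not in policy.transform_sets]
        if e.pfs is not None and e.pfs not in PFS_GROUPS:
            problems.append(f"{kind} entry {e.seq}: pfs must be group1 or group2")
        if not e.dynamic and not e.peers:
            problems.append(f"static entry {e.seq}: at least one peer is required")
        # Step 14: dynamic entries must be the lowest priority (highest seq numbers)
        if e.dynamic and any(e.seq <= s for s in static_seqs):
            problems.append(f"dynamic entry {e.seq}: seq must exceed every static entry")
    return problems


def render(policy: IpsecPolicy) -> List[str]:
    """Emit the configuration lines in step order; refuse an invalid policy."""
    problems = validate(policy)
    if problems:
        raise ValueError("; ".join(problems))
    m, d = policy.map_name, policy.dynamic_map_name
    lines = [f"access-list {name} {rule}" for name, rule in policy.acls.items()]
    lines += [f"crypto ipsec transform-set {name} {' '.join(t)}"
              for name, t in policy.transform_sets.items()]
    for e in sorted(policy.entries, key=lambda x: x.seq):
        prefix = f"crypto dynamic-map {d} {e.seq}" if e.dynamic else f"crypto map {m} {e.seq}"
        if not e.dynamic:
            lines.append(f"{prefix} ipsec-isakmp")                 # Step 3
        lines.append(f"{prefix} match address {e.acl}")
        lines += [f"{prefix} set peer {p}" for p in e.peers]
        lines.append(f"{prefix} set transform-set {' '.join(e.transform_sets)}")
        if e.lifetime_seconds is not None:
            lines.append(f"{prefix} set security-association lifetime seconds {e.lifetime_seconds}")
        if e.pfs:
            lines.append(f"{prefix} set pfs {e.pfs}")
        if e.dynamic:   # Step 14: bind the dynamic map into the static crypto map set
            lines.append(f"crypto map {m} {e.seq} ipsec-isakmp dynamic {d}")
    lines.append(f"crypto map {m} interface {policy.interface}")    # Step 15
    lines.append("sysopt connection permit-ipsec")                  # Step 16
    return lines


def example_policy() -> IpsecPolicy:
    """Constructed management policy: one known peer (192.168.1.100, as in
    Step 5) plus a dynamic entry for peers not known in advance."""
    return IpsecPolicy(
        map_name="mgmt", interface="outside",
        acls={"mgmt-traffic": "permit ip 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0"},
        transform_sets={"strong": ["esp-3des", "esp-sha-hmac"]},  # assumed PIX transform names
        entries=[MapEntry(10, "mgmt-traffic", ["strong"], peers=["192.168.1.100"],
                          lifetime_seconds=3600, pfs="group2"),
                 MapEntry(65535, "mgmt-traffic", ["strong"], dynamic=True)])


if __name__ == "__main__":
    print("\n".join(render(example_policy())))
```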
Administering the Firewall Services Module
This chapter describes how to administer the Firewall Services Module and contains these sections:
•
Administering the Software Images
•
Changing and Recovering Passwords
•
Resetting the Firewall Services Module
•
Troubleshooting the Firewall Services Module
Administering the Software Images
This section contains the various administrative tasks you can perform using the Cisco IOS software images:
•
Logging into the Application Software
•
Logging into the Maintenance Software
Quick Software Upgrade
To quickly upgrade the Firewall Services Module software image, follow these steps:
Step 1
Make the new software image available on a TFTP server, or make the MSFC a TFTP server by using this command:
msfc(config)# tftp-server bootflash:image name
Step 2
If the MSFC is the TFTP server, make sure you have a VLAN interface on the MSFC reachable from the module. For example:
a.
On the MSFC, enter these commands:
router(config)# interface Vlan30
router(config)# description to_fwsm_vlan_30
router(config)# ip address 10.20.30.2 255.255.255.0
router(config)# no ip redirects
b.
On the module, enter these commands:
nameif vlan30 inside security100
...
ip address inside 10.20.30.5 255.255.255.0
c.
From the module make sure that you can ping the MSFC, by entering this command:
FWSM# ping 10.20.30.2
10.20.30.2 response received -- 0ms
10.20.30.2 response received -- 0ms
10.20.30.2 response received -- 0ms
Step 3
From the module enter the copy tftp flash command:
FWSM# copy tftp flash
Address or name of remote host [127.0.0.1]? 10.20.30.2
Source file name [cdisk]? c6svc-fwm-k9.1-1-0-207.bin
copying tftp://10.20.30.2/c6svc-fwm-k9.1-1-0-207.bin to flash:image
[yes|no|again]?yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The output shows the MSFC as the TFTP server.
Step 4
Reload the module by entering this command:
FWSM# reload
Proceed with reload? [confirm]
Image Locations
There are 5 partitions on the compact Flash as follows:
•
Maintenance Partition (MP) (cf:1) contains the maintenance image. You use the maintenance partition to upgrade or install all application images, reset the application image password, and display the crash dump information.
•
Network configuration partition (cf:2) contains the network configuration of the maintenance image.
•
Crash dump partition (cf:3) is used to store the crash dump information.
•
Application Partitions (APs) (cf:4 and cf:5) store the firewall image and configuration.
You can have two application images stored in Flash, one in partition 4 and one in partition 5. Depending on which partition you want to boot, use cf:4 or cf:5 in the boot device module module_number partition_number command. For example:
Router(config)# boot device module 3 cf:5
Router(config)# boot device module 4 cf:4
The configuration related to an image is stored in the same partition as the image.
If the module's application partition gets corrupted, the maintenance partition can be used to recover the application configuration. The network configuration partition stores the network parameters for the maintenance partition.
When the application image fails, a log is created in the crash dump partition, which contains all failure-related information. You can use this log later for debugging using the show crashdump CLI command from both the maintenance partition and the application partition, if the application partition recovers without a problem on restart.
You can also upgrade the application from the maintenance partition. You can clear the enable password for the module from the maintenance partition CLI.
Logging into the Application Software
The application software has one user level. Use the enable command in the EXEC mode.
Refer to the "Changing and Recovering Passwords" section if you need to change or recover passwords.
To log into the Firewall Services Module, follow these steps:
Step 1
Log into the Catalyst 6500 series switch using the Telnet connection or the console port connection.
Step 2
At the CLI prompt, establish a console session with the module using the session slot slot_number processor 1 command:
Cisco IOS:
Router# session slot 8 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.81 ... Open
Cisco Maintenance image
Catalyst Operating System:
Console> session 8
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.81 ... Open
Cisco Maintenance image
Step 3
If the module does not boot into the application partition, reset the module with the following command:
Cisco IOS:
Router# hw-module module slot_number reset cf:4
Catalyst Operating System:
Console(enable)> reset module-number [boot device:partition]
Console(enable)> reboot
Logging into the Maintenance Software
The maintenance software has two user levels with different access privileges:
•
root—Allows you to configure the network partition parameters, upgrade the software images on the application partitions, change the guest account password, and enable or disable the guest account.
The default password is cisco.
•
guest— Allows you to configure the network partition parameters and show crash dump information.
The default password is cisco.
Refer to the "Changing and Recovering Passwords" section if you need to change or recover passwords.
To log into the Firewall Services Module maintenance partition, follow these steps:
Step 1
Log into the Catalyst 6500 series switch using the Telnet connection or the console port connection.
Step 2
At the CLI prompt, establish a console session with the module using the Cisco IOS session slot slot_number processor 1 command or the Catalyst operating system session mod command.
Cisco IOS:
Router# session slot 8 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.81 ... Open
Cisco Maintenance image
Catalyst Operating System:
Console> session 8
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.81 ... Open
Cisco Maintenance image
Step 3
At the Maintenance software login prompt, enter root to log in as the root user or guest to log in as a guest user.
login: root
Step 4
At the password prompt, enter the password for the account. The default password for both accounts is cisco.
Password:
After a successful login, the command line prompt appears as follows:
Maintenance image version: 1.1(0.3)
root@localhost#
Step 5
If the module does not boot into the maintenance partition, reset the module with the following commands:
Cisco IOS:
Router# hw-module module slot_number reset cf:1
Catalyst Operating System:
Console(enable)> reset module-number [boot device:partition]
Console(enable)> reboot
Upgrading Software Images
You can upgrade both the application software and the maintenance software. To upgrade the application software, see the "Upgrading the Application Software" section. To upgrade the maintenance software, see the "Upgrading the Maintenance Software" section.
The entire application and maintenance partitions are stored on the FTP or TFTP server. The images are downloaded and extracted to the application or maintenance partition depending on which image is being upgraded.
To upgrade the application partition, change the boot sequence to boot the module from the maintenance partition. The maintenance partition downloads and installs the application image. The supervisor engine must be executing the run-time image to provide network access to the maintenance partition.
Set the boot sequence for the module using the supervisor engine CLI commands. As the maintenance partition boots, it determines the application type. If the network parameters are already configured, you can directly download the new image. If network parameters are not set, you need to manually configure them.
When you specify the target device and partition number for upgrading the application partition, software recognition checks are made to ensure that you do not upgrade the maintenance partition.
Before starting the upgrade process, you will need these software images:
•
The application image for the module.
•
The maintenance partition image for the module.
A TFTP server and an FTP server are required to copy the images. The TFTP server should be connected to the switch, and the port connecting to the TFTP server should be included in VLAN 1 on the switch.
Another TFTP server is required in the network. This TFTP server must be reachable from the module when the module image is booted up.
Upgrading the Application Software
To upgrade the application software image you must first copy the firewall software image to a directory accessible to FTP, and then log in to the switch through the console port or through a Telnet session.
To upgrade the application partition software, perform these tasks:
Step 1
Command (Cisco IOS): Router# hw-module module slot_number reset cf:1
Command (Catalyst Operating System): Console>(enable) reset module-number boot cf:1
Purpose: Reboots the module into the maintenance partition.
Step 2
Command (Cisco IOS): Router# session slot slot_number processor 1
Command (Catalyst Operating System): Console>(enable) session module
Purpose: Establishes a console session with the module.
Step 3
Command: login:root
Purpose: At the login prompt, logs into the root account of the module.
Step 4
Command: root@localhost# ip address ip_address netmask
root@localhost# ip gateway ip_address
Purpose: Assigns an IP address and a default gateway to the maintenance partition.
Because the module maintenance partition can only use VLAN 1 on the switch, use the IP addresses and gateway for VLAN 1. The FTP server is reachable after the IP parameters are specified.
Step 5
Command: root@localhost# show ip
Purpose: Displays the current settings. If the parameters are not correct, use the commands described in Step 4. The module image should be available on the FTP server reachable through VLAN 1.
Step 6
Command: root@localhost# ping ip_address
Purpose: Pings the FTP server to verify that the configuration is correct.
Step 7
Command: root@localhost# upgrade ftp_url cf:x
Purpose: Upgrades the application image from the appropriate directory on the FTP server that is reachable from the module.
The ftp_url values contain the following options:
•
The username to log in to the FTP server.
The command prompts for the password. Enter the password for the username you are using to log in to the FTP server.
•
ftp_url is the IP address of the FTP server and the complete path of the file on the FTP server.
Note
If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename.
Enter your password when prompted.
•
cf:x is the partition where the image must be copied on the compact Flash. Use partitions cf:4 or cf:5 for this step.
Step 8
Follow the screen prompts during the upgrade.
The image is copied from the FTP server to the compact Flash. The upgrade command also ensures that the configuration on the corresponding application partition is backed up and restored at the end of the upgrade operation.
Step 9
Command: Router# logout
Purpose: Logs out of the maintenance software.
Step 10
Command (Cisco IOS): Router# hw-module module slot_number reset cf:4
Command (Catalyst Operating System): Console>(enable) reset module-number boot cf:4
Purpose: Resets the module into the application partition.
This example shows how to upgrade the Firewall Services Module application software:
Router# hw-module module 9 reset cf:1
Device BOOT variable for reset = cf:1
Warning:Device list is not verified.
Proceed with reload of module? [confirm] y
% reset issued for module 9
Router#
00:16:06:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:16:06:SP:The PC in slot 9 is shutting down. Please wait ...
00:16:21:SP:PC shutdown completed for module 9
00:16:21:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (admin request)
00:16:24:SP:Resetting module 9 ...
00:16:24:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on
00:18:21:%SNMP-5-MODULETRAP:Module 9 [Up] Trap
00:18:21:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed
00:18:21:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now online
Router# session slot 9 proc 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.91 ... Open
Cisco Maintenance image
login:root
Password:
Maintenance image version: 1.1(0.3)
root@localhost.cisco.com# upgrade ftp://user:password@address/tftpboot/user/c6svc-fwm-k9.1-1-0-170.bin cf:4
Downloading the image. This may take several minutes...
ftp://user:password@address/tftpboot/c6svc-fwm-k9.1-1-0-170.bin (5919K)
/tmp/upgrade.gz [########################] 5919K | 821.24K/s
6061947 bytes transferred in 7.38 sec (821.23k/sec)
Upgrade file ftp://ftp://user:password@address/tftpboot/user/c6svc-fwm-k9.1-1-0-170.bin .gz is downloaded.
Upgrading will wipe out the contents on the hard disk.
Do you want to proceed installing it [y|N]:y
Proceeding with upgrade. Please do not interrupt.
If the upgrade is interrupted or fails, boot into
Maintenance image again and restart upgrade.
Proceeding with image upgrade.
Backing up FWSM configuration.
Restoring FWSM configuration.
Application image upgrade complete.
You can boot the image now.
Partition upgraded successfully.
root@hostname.cisco.com# logout
[Connection to 127.0.0.91 closed by foreign host]
Router# hw-module module 9 reset
Device BOOT variable for reset =
Warning:Device list is not verified.
Proceed with reload of module? [confirm] y
% reset issued for module 9
Router#
00:24:04:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:24:04:SP:The PC in slot 9 is shutting down. Please wait ...
00:24:18:SP:PC shutdown completed for module 9
00:24:18:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (admin request)
00:24:21:SP:Resetting module 9 ...
00:24:21:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on
00:26:19:%SNMP-5-MODULETRAP:Module 9 [Up] Trap
00:26:19:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed
00:26:19:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now online
The module is now upgraded and ready for further firewall configuration. You can do further application partition upgrades from the module console by entering the command:
copy tftp://tftp_ip/file_name flash:
Upgrading the Maintenance Software
To upgrade the maintenance software image, you must first copy the module maintenance software image to a directory accessible to TFTP, and then log into the switch through the console port or through a Telnet session.
Note
If you have changed the password for the root and guest accounts of the maintenance partition, they will be retained across upgrades.
To upgrade the maintenance partition software, perform these tasks:
This example shows how to upgrade the module maintenance software:
Router# hw-module module 9 reset cf:4
Device BOOT variable for reset = cf:4
Warning:Device list is not verified.
Proceed with reload of module? [confirm] y
% reset issued for module 9
Router#
00:31:11:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:31:11:SP:The PC in slot 9 is shutting down. Please wait ...
00:31:25:SP:PC shutdown completed for module 9
00:31:25:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (admin request)
00:31:28:SP:Resetting module 9 ...
00:31:28:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on
00:33:26:%SNMP-5-MODULETRAP:Module 9 [Up] Trap
00:33:26:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed
00:33:26:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now online
Router# session slot 9 proc 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.91 ... Open
fwsm# upgrade-mp
Address or name of remote host [160.251.101.128]? 192.168.253.79
Source file name []? mp-1.0.1-bin.gz
copying upgrade-mp tftp://10.1.1.1/tftpboot/mp.1-1-0-3.bin.gz to flash
[yes|no|again]? y
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 7700916 bytes.
Maintenance partition upgraded.
Router# hw-module module 9 reset cf:1
Device BOOT variable for reset = cf:1
Warning:Device list is not verified.
Proceed with reload of module? [confirm] y
% reset issued for module 9
Router#
02:27:19:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
02:27:19:SP:The PC in slot 9 is shutting down. Please wait ...
02:27:36:SP:PC shutdown completed for module 9
02:27:36:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (admin request)
02:27:39:SP:Resetting module 9 ...
02:27:39:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on
02:29:37:%SNMP-5-MODULETRAP:Module 9 [Up] Trap
02:29:37:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed
02:29:37:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now online
Router#
Changing and Recovering Passwords
You can change and recover passwords using a Telnet connection to the module and CLI.
To change the password, use a Telnet connection to the module, and then use the passwd or passwd-guest commands to change the password.
Note
New passwords must be at least six characters in length, and may include uppercase and lowercase letters, numbers, and punctuation marks.
Note
If the Firewall Services Module application image password is lost, you can clear the password by booting into the maintenance image. If the module maintenance image passwords are lost for the root or guest account, you can clear both passwords by booting into the application image.
Changing the Application Partition Passwords
To change the application partition password, enter the passwd command with the new password while you are logged in to the application account, for example:
FWSM# passwd frnx
If you do not enter a password, you receive the following result:
FWSM# passwd
Not enough arguments.
Usage: passwd <password> encrypted
Changing the Maintenance Partition Passwords
To change the password, follow these steps while you are logged in to the root account on the maintenance software partition. The passwd command is available for the maintenance partition's root and guest accounts.
Step 1
Enter this command:
root@localhost# passwd
Step 2
Enter the new password:
Changing password for user root
New password:
Step 3
Enter the new password again:
Retype new password:
passwd: all authentication tokens updated successfully
This example shows how to set the password for the root account:
root@localhost# passwd
Changing password for user root
New password:
Retype new password:
passwd: all authentication tokens updated successfully
To change the password for the guest account, enter the passwd-guest command. This command is available from the maintenance partition root account only.
Step 1
Enter this command:
root@localhost# passwd-guest
Step 2
Enter the new password:
Changing password for user guest
New password:
Step 3
Enter the new password again:
Retype new password:
passwd: all authentication tokens updated successfully
This example shows how to set the password for the guest account:
root@localhost# passwd-guest
Changing password for user guest
New password:
Retype new password:
passwd: all authentication tokens updated successfully
Recovering the Application Partition Passwords
If you have forgotten or lost the passwords for either the module application or maintenance software, they can be reset to the default values. Clearing the password resets the Telnet password to cisco and clears the enable password. To reset an application image password, follow these steps:
Step 1
Enter this command:
root@localhost# clear passwd cf:partition_number
partition_number refers to the number of the application or maintenance partition where you are resetting the password.
Note
If you are resetting the application password, you must be logged into the maintenance partition. If you are changing the maintenance partition password, you must be logged into the application partition.
Step 2
Follow the screen prompts during the operation.
Do you wish to erase the passwords? [yn] yThe following lines will be removed from the configuration:enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedDo you want to remove the commands listed above from the configuration?[yn] yPasswords and aaa commands have been erased.This example shows how to clear the password for the module application software on partition 4 of the compact flash:
root@localhost# clear passwd cf:4Do you wish to erase the passwords? [yn] yThe following lines will be removed from the configuration:enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedDo you want to remove the commands listed above from the configuration?[yn] yPasswords and aaa commands have been erased.Recovering the Maintenance Partition Passwords
If you have forgotten or lost the passwords for the maintenance software, the root and guest account passwords can be reset to their default values from the application partition.
Note
If you are resetting the maintenance partition passwords, you must be logged into the application partition.
To reset the maintenance image passwords, enter this command:
FWSM# clear mp-passwd
This example shows how to clear the passwords for the module maintenance software on partition cf:1 of the compact Flash:
FWSM# clear mp-passwd
Passwords for 'root' and 'guest' accounts cleared successfully.
Resetting the Firewall Services Module
If you cannot reach the module through the CLI or an external Telnet session, enter the hw-module module module_number reset command to reset and reboot the module. The reset process requires several minutes.
When the module initially boots, by default it runs a partial memory test. To perform a full memory test, use the mem-test-full keyword in the hw-module module module_number reset device:partition mem-test-full command. This command is specific to Cisco IOS software and is not available in Catalyst operating system software.
A full memory test takes more time to complete than a partial memory test, depending on the memory size. Table 5 lists the memory sizes and the approximate boot time for a full memory test.
You can also omit the boot device and use the hw-module module module_number reset [mem-test-full] command. For example:
Router# hw-module module 9 reset mem-test-full
This section describes how to reset the module:
Resetting the Module with Cisco IOS Software
Resetting the Module with Catalyst Operating System Software
Resetting the Module with Cisco IOS Software
To reset the module from the supervisor engine CLI, enter the hw-module module module_number reset [device:partition] command in privileged mode.
Note
For the boot device, you can specify cf:4 or cf:5 for the application image or cf:1 for the maintenance image.
This example shows how to reset the module, installed in slot 9, from the CLI:
Router# hw-mod mod 9 reset
Proceed with reload of module? [confirm] y
% reset issued for module 9
Router#
00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...
To reboot the module from the application software, enter the reload command while you are sessioned into the module in privileged mode.
This example shows how to reboot the module:
FWSM# reload
Resetting the Module with Catalyst Operating System Software
To reset the module from the supervisor engine CLI, enter the reset command in privileged mode.
Note
For the boot device, you can specify cf:4 or cf:5 for the application image or cf:1 for the maintenance image. The default boot partition for the module is cf:4.
This example shows how to reset the module, installed in slot 9, from the CLI:
Router# reset mod 9
Proceed with reload of module? [confirm] y
% reset issued for module 9
Router#
00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...
To reboot the module from the application software, enter the reboot command while you are sessioned into the module in privileged mode.
This example shows how to reboot the module:
FWSM# reboot
Troubleshooting the Firewall Services Module
This section provides troubleshooting information for the Firewall Services Module.
Symptom You cannot connect to the module.
Possible Cause The initial configuration is incorrect or not configured.
Recommended Action Perform a show module command and check that the status is OK.
Symptom When a reset command is entered from the supervisor CLI, the system always boots into the maintenance image.
Possible Cause If the boot device is configured in the supervisor as cf:1, when you enter a reset module command the system always boots to the maintenance image.
Recommended Action Override the configured boot device in the supervisor engine by entering the boot string during reset. In Cisco IOS software, to boot to the application image, enter the hw-module mod 9 reset cf:4 (or cf:5) command.
Symptom You are unable to log into the maintenance image with the same password for the module application image.
Possible Cause The module application image and the maintenance image have different password databases. Any password change performed in the module application image does not change the maintenance image passwords and vice versa.
Recommended Action Use the maintenance image password.
Symptom You lost your password for the maintenance image and want to recover it.
Possible Cause The maintenance image does not support resetting passwords from the switch. Upgrading the maintenance image retains the password for root and guest across the upgrades.
Recommended Action Refer to the "Changing and Recovering Passwords" section.
Firewall Services Module and PIX Commands
This section describes additions, changes, and differences between the Firewall Services Module and the PIX application commands.
The tables in this appendix describe the following commands:
• Commands that support the maintenance software (Table 10).
• Cisco IOS commands that support the Firewall Services Module (Table 11).
• New commands specific to the module (Table 12). These commands are described in the "Command Reference" section.
• PIX commands that were changed for the module (Table 13).
• PIX commands that are not used by the module (Table 14).
• PIX commands used by the module and their PIX version (Table 15).
For detailed information about the PIX software commands, refer to the PIX documentation listed in the "Related Documentation" section.
The module also supports CLI commands for the supervisor engine, which are described in more detail in the Catalyst 6500 Series Command Reference.
Table 13 PIX Commands Changed for the Firewall Services Module
Command
aaa authentication [supervisor | enable | telnet | ssh | http] console group_tag
[no] aaa authentication [supervisor | enable | telnet | ssh | http] console group_tag
interface hardware_id [hardware_speed] [shutdown]
show interface
nameif hardware_id ifname security_level (new syntax is nameif vlan_id if_name security_level; refer to nameif vlan_number if_name security_level in the "Command Reference" section)
route if_module ip_address netmask gateway_ip [metric]
Table 15 lists the PIX commands used by the module and their PIX version. Commands that were changed from PIX for the module are described in the "Command Reference" section. For detailed information about the PIX software commands, refer to the PIX documentation located at these URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/
Command Reference
This appendix describes the Firewall Services Module commands that are unique to this module and the commands that have been changed from the PIX command implementation for use with the Firewall Services Module.
For detailed information about the PIX software commands, refer to the PIX documentation located at these URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/
access-list
Use the access-list command to configure access rules. Use the no form of this command to remove access rules from the configuration.
Note
The configuration options for access lists on the module are the same as those supported in PIX 6.0. The module also supports access rule configuration using the object-group command as supported in PIX 6.2.
Note
Every interface on the module requires you to explicitly define access lists. By default, the access list on each interface is an implicit deny any any.
access-list acl_ID {deny | permit} {protocol | object-group protocol_obj_grp_id} {host {source_addr | local_addr} | {source_addr | local_addr} {source_mask | local_mask} | object-group network_obj_grp_id} [operator port [port] | object-group service_obj_grp_id] {host {destination_addr | remote_addr} | {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id} [operator port [port] | object-group service_obj_grp_id]
no access-list acl_ID {deny | permit} {protocol | object-group protocol_obj_grp_id} {host {source_addr | local_addr} | {source_addr | local_addr} {source_mask | local_mask} | object-group network_obj_grp_id} [operator port [port] | object-group service_obj_grp_id] {host {destination_addr | remote_addr} | {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id} [operator port [port] | object-group service_obj_grp_id]
access-list acl_ID {deny | permit} icmp {host {source_addr | local_addr} | {source_addr | local_addr} {source_mask | local_mask} | object-group network_obj_grp_id} {host {destination_addr | remote_addr} | {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id} [icmp_type | object-group icmp_type_obj_grp_id]
no access-list acl_ID {deny | permit} icmp {host {source_addr | local_addr} | {source_addr | local_addr} {source_mask | local_mask} | object-group network_obj_grp_id} {host {destination_addr | remote_addr} | {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id} [icmp_type | object-group icmp_type_obj_grp_id]
clear access-list [acl_ID]
show access-list [acl_ID]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Usage Guidelines
The access list behavior on the module differs from that on PIX 6.0 as follows:
• By default, all traffic through the module is denied. Explicit access rules must be configured using the access-list command and attached to the appropriate interface using the access-group command before traffic can pass through that interface.
• The module does not support the outbound, conduit, and apply configuration commands that are supported in PIX.
• The access lists used in the module are compiled by the software and loaded into hardware for subsequent lookup. Each time an access rule is added using any of the following commands, a short delay occurs before a new compilation begins, so that additional configuration changes can be included in the same compilation: filter, fixup, icmp, telnet, ssh, access-list, established, aaa authentication, aaa authorization, and aaa accounting.
After the compilation begins, it may take some time for the new rule set to be downloaded to the hardware. In the interim, the old access rule set is applied to incoming traffic. After the download succeeds, the new set is used to determine access permissions.
• If the compilation process runs out of resources, an error message is printed on the console, and the access lists configured on the module then differ from those currently in use in the hardware. To resynchronize the configuration, remove the newly added rules that triggered the compilation and add fewer rules.
• Access rules with port ranges reduce the total number of access rules that the module can support. Avoid configuring access rules with large port ranges.
Examples
This example shows how to define an access list allowing any host to access server 121.23.65.12 using Telnet:
FWSM(config)# access-list in_acl permit tcp any host 121.23.65.12 eq 23
For further examples, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version 6.
For examples on using access lists with the object-group command, refer to the Cisco PIX Firewall and VPN Configuration Guide Version 6.2.
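As an added illustration (this is not code from the Cisco documentation or from the module's software), the following Python evaluator models the behaviour described in the usage guidelines: the first matching rule wins, an interface with no access-group binding denies everything, and a packet that matches no rule is denied. The access_group method stands in for the PIX access-group command, which this page only names; the rule parser handles host, any and network-mask addresses with a single eq port, not object groups, port ranges or ICMP types; and the Packet fields and the sample addresses in demo() are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed input for the evaluator (this example's own field names)."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A MASK' from the front of tokens; return an IPv4Network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    # ipaddress accepts a dotted netmask such as 255.255.255.0 after the slash
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)


def parse_rule(line):
    """Parse one 'access-list ID permit|deny PROTO SRC [eq P] DST [eq PORT]' line.
    Object groups, port ranges and ICMP types are outside this example."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line}")
    acl_id, action, proto = tokens[1], tokens[2], tokens[3]
    rest = tokens[4:]
    src = _parse_addr(rest)
    if rest and rest[0] == "eq":        # source port: parsed past, not matched here
        del rest[:2]
    dst = _parse_addr(rest)
    port = None
    if rest and rest[0] == "eq":
        port = int(rest[1])
    return acl_id, (action, proto, src, dst, port)


class Firewall:
    """Named access lists plus the per-interface access-group bindings."""

    def __init__(self):
        self.acls = {}      # acl_id -> rules in configured order
        self.bindings = {}  # interface name -> acl_id

    def add_rule(self, line):
        acl_id, rule = parse_rule(line)
        self.acls.setdefault(acl_id, []).append(rule)

    def access_group(self, acl_id, ifname):
        """Stands in for 'access-group acl_id in interface ifname' (PIX syntax, assumed)."""
        self.bindings[ifname] = acl_id

    def permitted(self, ifname, pkt):
        """First matching rule wins. An interface with no access-group, or a
        packet that matches no rule, is denied: the module's default."""
        acl_id = self.bindings.get(ifname)
        if acl_id is None:
            return False
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for action, proto, src, dst, port in self.acls.get(acl_id, []):
            if proto != "ip" and proto != pkt.proto:
                continue
            if s not in src or d not in dst:
                continue
            if port is not None and pkt.dport != port:
                continue
            return action == "permit"
        return False


def demo():
    fw = Firewall()
    # The page's example rule, preceded by a deny to show first-match ordering.
    fw.add_rule("access-list in_acl deny tcp host 10.1.1.99 any")
    fw.add_rule("access-list in_acl permit tcp any host 121.23.65.12 eq 23")
    fw.access_group("in_acl", "inside")   # "dmz" is deliberately left unbound
    telnet = Packet("tcp", "10.1.1.5", "121.23.65.12", 23)
    blocked = Packet("tcp", "10.1.1.99", "121.23.65.12", 23)
    ssh = Packet("tcp", "10.1.1.5", "121.23.65.12", 22)
    return {
        "telnet_inside": fw.permitted("inside", telnet),  # permitted by the example rule
        "blocked_host": fw.permitted("inside", blocked),  # the earlier deny matches first
        "ssh_inside": fw.permitted("inside", ssh),        # no rule matches: implicit deny
        "telnet_dmz": fw.permitted("dmz", telnet),        # interface has no access-group
    }
```

The "telnet_dmz" case is the one that surprises people coming from routers: a rule that exists in the configuration does nothing for an interface until an access-group binds it, and an unbound interface passes no traffic at all.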
Related Commands
access-group (PIX 6.0)
object-group
access-list (ospf)
Use the access-list (ospf) command to configure access rules for use with OSPF route maps. Use the no form of this command to remove access rules from the configuration.
access-list id {deny | permit} {any | ip mask}
[no] access-list id {deny | permit} {any | ip mask}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Usage Guidelines
This access list syntax is used only in the context of OSPF. Access lists created with this syntax are used to define route maps that are applied to redistributed routes. An access list containing any entries defined with this syntax cannot be applied to an interface using the access-group command.
Examples
This example shows how to create an access list:
FWSM(config)# access-list ospf1 permit 10.2.0.0 255.255.255.0
FWSM(config)# show access-list
access-list ospf1; 1 elements
access-list ospf1 permit 10.2.0.0 255.255.255.0 (hitcnt=0)
Related Commands
area
Use the area command to configure an OSPF area in the router configuration submode.
area area_id authentication
area area_id authentication message-digest
area area_id default-cost cost
area area_id filter-list prefix name [in | out]
area area_id nssa [no-redistribution] [default-information-originate]
area area_id range prefix mask [advertise | not-advertise]
area area_id stub [no-summary]
area area_id virtual-link router_id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] [[authentication-key key] | [message-digest-key key_id md5 key]]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Router configuration submode.
Command History
Examples
The following example mandates authentication for areas 0 and 36.0.0.0 of OSPF routing process 201. Authentication keys are also provided:
Router(config)# interface ethernet 0
ip address 131.119.251.201 255.255.255.0
ip ospf authentication-key adcdefgh
!
Router(config)# interface ethernet 1
ip address 36.56.0.201 255.255.0.0
ip ospf authentication-key ijklmnop
!
Router(config)# router ospf 201
network 36.0.0.0 0.255.255.255 area 36.0.0.0
network 131.119.0.0 0.0.255.255 area 0
area 36.0.0.0 authentication
area 0 authentication
The following example assigns a default cost of 20 to stub network 36.0.0.0:
Router(config)# interface ethernet 0
ip address 36.56.0.201 255.255.0.0
!
Router(config)# router ospf 201
network 36.0.0.0 0.255.255.255 area 36.0.0.0
area 36.0.0.0 stub
area 36.0.0.0 default-cost 20
The following example filters prefixes that are sent from all other areas to area 1:
Router(config-router)# area 1 filter-list prefix AREA_1 in
The following example specifies one summary route to be advertised by the ABR to other areas for all subnets on network 36.0.0.0 and for all hosts on network 192.42.110.0:
Router(config)# interface ethernet 0
ip address 192.42.110.201 255.255.255.0
!
Router(config)# interface ethernet 1
ip address 192.42.120.201 255.255.255.0
!
Router(config)# router ospf 201
network 192.42.110.0 0.0.0.255 area 0
area 36.0.0.0 range 36.0.0.0 255.0.0.0
area 0 range 192.42.110.0 255.255.0.0
The following example establishes a virtual link with default values for all optional parameters:
Router(config)# router ospf 201
network 36.0.0.0 0.255.255.255 area 36.0.0.0
area 36.0.0.0 virtual-link 36.3.4.5
The following example establishes a virtual link with MD5 authentication:
Router(config)# router ospf 201
network 36.0.0.0 0.255.255.255 area 36.0.0.0
area 36.0.0.0 virtual-link 36.3.4.5 message-digest-key 3 md5 sa5721bk47
For further examples, refer to the Cisco IOS Configuration Guides and Command References.
clear console-output
Use the clear console-output command to clear the contents of the message buffer.
clear console-output
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to clear the message buffer.
Router(config)# clear console-output
Related Commands
clear logging rate-limit
Use the clear logging rate-limit command to clear the log rate.
clear logging rate-limit
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to clear the logging rate.
Router(config)# clear logging rate-limit
Related Commands
logging rate-limit
show logging rate-limit
default-information originate
Use the default-information originate command to control the redistribution of a default route.
default-information originate [always] [metric value | metric-type {1 | 2} | [route-map map]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Router configuration submode.
Command History
Examples
This example shows how to control the redistribution of a default route:
Router(config-router)# default-information originate
distance
Use the distance command to define OSPF administrative distances based on route type. To restore the default value, use the no form of this command.
distance [intra-area dist1] [inter-area dist2] [external dist3]
no distance
Syntax Description
Defaults
Default dist1, dist2, and dist3 values are 110.
Command Modes
Router configuration submode.
Command History
Examples
The following example changes the external distance to 200, making it less reliable:
Router A Configuration
Router(config)# router ospf 1
Router(config-router)# redistribute ospf 2 subnets
Router(config-router)# distance external 200
!
Router B Configuration
Router(config)# router ospf 2
Router(config-router)# redistribute ospf 1 subnets
Router(config-router)# distance external 200
Related Commands
firewall module
Use the firewall module command to attach a group of controlled VLANs to a module.
firewall module module_number vlan-group firewall_group
Syntax Description
module_number
Specifies the module to attach the VLAN group.
vlan-group
Keyword to specify a VLAN group
firewall_group
Names the VLAN group.
Defaults
This command has no default settings.
Command Modes
Global configuration mode.
Command History
Examples
This example shows how to attach a VLAN group to a module:
Router(config)# firewall module 6 vlan-group 20
Related Commands
firewall vlan-group
Use the firewall vlan-group command to configure a group of controlled VLANs.
firewall vlan-group firewall_group vlan_range
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration mode.
Command History
Examples
This example shows how to configure a group of controlled VLANs:
Router(config)# firewall vlan-group 20 8, 10-15
Related Commands
interface
Use the interface command to enter the interface configuration submode to enter OSPF commands or the shutdown command.
interface interface-name
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to enter the interface configuration submode:
Router(config)# interface sweden
Related Commands
ip prefix-list
Use the ip prefix-list command to configure a prefix list.
ip prefix-list list-name [seq seq-value] {deny | permit network/length} [ge ge-value] [le le-value]
no ip prefix-list list-name [seq seq-value] {deny | permit network/length} [ge ge-value] [le le-value]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to deny the default route 0.0.0.0/0:
Router(config)# ip prefix-list abc deny 0.0.0.0/0
To permit the prefix 35.0.0.0/8:
Router(config)# ip prefix-list abc permit 35.0.0.0/8
For further examples, refer to the Cisco IOS Configuration Guides and Command References.
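The following Python evaluator is an added example, not code from the Cisco documentation, showing how the two entries above behave once ge and le are involved. It assumes the Cisco IOS semantics for prefix lists: entries are evaluated in sequence-number order (auto-numbered in steps of 5 when seq is omitted), an entry without ge or le matches only prefixes of exactly the written length, ge alone extends the range to /32, le alone starts it at the written length, and a prefix matching no entry is denied. The third entry and the prefixes evaluated in demo() are constructed for the example.

```python
import ipaddress
import re

# Grammar of the lines shown above; seq, ge and le are optional.
_ENTRY = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<net>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


def parse_entry(line):
    """Return (name, seq, action, network, lo, hi), where lo..hi is the range of
    prefix lengths the entry accepts (IOS semantics, assumed here)."""
    m = _ENTRY.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse: {line}")
    net = ipaddress.ip_network(m["net"], strict=False)
    length = net.prefixlen
    ge = int(m["ge"]) if m["ge"] else None
    le = int(m["le"]) if m["le"] else None
    lo = ge if ge is not None else length
    hi = le if le is not None else (32 if ge is not None else length)
    if not (length <= lo <= hi <= 32):
        raise ValueError(f"need length <= ge <= le <= 32 in: {line}")
    seq = int(m["seq"]) if m["seq"] else None
    return m["name"], seq, m["action"], net, lo, hi


class PrefixList:
    """One named prefix list. Entries are evaluated in sequence order and a
    prefix matching no entry is denied (implicit deny, assumed from IOS)."""

    def __init__(self, lines):
        self.entries = []
        for line in lines:
            _name, seq, action, net, lo, hi = parse_entry(line)
            if seq is None:  # auto-number: highest existing seq plus 5 (assumed)
                seq = max((e[0] for e in self.entries), default=0) + 5
            self.entries.append((seq, action, net, lo, hi))
        self.entries.sort(key=lambda e: e[0])

    def evaluate(self, prefix):
        """Return 'permit' or 'deny' for a route prefix such as '35.1.0.0/16'."""
        p = ipaddress.ip_network(prefix, strict=False)
        for _seq, action, net, lo, hi in self.entries:
            # lo >= net.prefixlen is guaranteed by parse_entry, so testing the
            # network address against net checks the leading net.prefixlen bits.
            if lo <= p.prefixlen <= hi and p.network_address in net:
                return action
        return "deny"


def demo():
    pl = PrefixList([
        "ip prefix-list abc deny 0.0.0.0/0",                 # the page's two entries
        "ip prefix-list abc permit 35.0.0.0/8",
        "ip prefix-list abc permit 10.0.0.0/8 ge 24 le 24",  # constructed: only /24s inside 10/8
    ])
    return {p: pl.evaluate(p) for p in
            ["0.0.0.0/0", "35.0.0.0/8", "35.1.0.0/16", "10.1.2.0/24", "10.0.0.0/8"]}
```

Two points the page's two lines do not make explicit: deny 0.0.0.0/0 without le rejects only the default route itself, and permit 35.0.0.0/8 accepts only that exact /8, so 35.1.0.0/16 falls through to the implicit deny. To cover every length under a prefix, add le 32.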
logging rate-limit
Use the logging rate-limit command to limit the rate at which the module generates syslog messages. Use the no form of this command to remove a rate limit from the configuration.
logging rate-limit num [interval] message syslog_id
no logging rate-limit num [interval] message syslog_id
logging rate-limit num [interval] level syslog_level
no logging rate-limit num [interval] level syslog_level
show logging rate-limit
clear logging rate-limit
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
These examples show how to set up logging rate limits:
• If you want to see only 10 messages per second for syslog ID 106023, use the following command:
logging rate-limit 10 1 message 106023
Because the interval is optional and defaults to 1 second, you can also specify:
logging rate-limit 10 message 106023
• If you want to limit all the syslogs in level 3 to be generated only 5 times per second, use the following command:
logging rate-limit 5 level 3
• Precedence in setting up logging determines the result of the command action as follows:
– The logging rate-limit message command forms an exception to the logging rate-limit level command if the level is defined. For example:
logging rate-limit 10 message 106023
logging rate-limit 5 level 1
All syslogs other than 106023 in level 1 will be generated at most 5 times per second. 106023 will be generated up to 10 times per second.
– If you set up a configuration in this order:
logging rate-limit 10 message 106023
logging rate-limit 5 level 1
no logging rate-limit 10 message 106023
The configuration will be equivalent to only the following:
logging rate-limit 5 level 1
If you set up a configuration in this order:
logging rate-limit 10 message 106023
logging rate-limit 5 level 1
no logging rate-limit 5 level 1
This configuration is equivalent to the following:
logging rate-limit 10 message 106023
– To rate limit syslogs from more than one level, use the level version of the command multiple times:
logging rate-limit 5 level 1
logging rate-limit 6 level 3
logging rate-limit 5 2 level 4
The last line limits the rate of all syslogs in level 4 to 5 in each 2-second interval.
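As an added example (not code from the Cisco documentation or from the module), the following Python simulator applies the precedence rules above to a constructed burst of syslog messages and shows what each of the three configurations lets through. It assumes that each limit is a fixed window of interval seconds and that a level limit is a budget shared by all messages of that level; the page does not describe the module's internal counters. The syslog ID 111111 and the level-1 assignment of both messages are constructed to follow the page's illustration rather than the messages' real severities.

```python
from collections import defaultdict


class SyslogRateLimiter:
    """Models the precedence rules: a message-specific limit is an exception
    to the level limit, and removing either limit falls back to the other."""

    def __init__(self):
        self.by_message = {}          # syslog_id -> (num, interval)
        self.by_level = {}            # level -> (num, interval)
        self.sent = defaultdict(int)  # (limit key, window index) -> messages passed so far

    def configure(self, line):
        """Apply one 'logging rate-limit' or 'no logging rate-limit' line."""
        tokens = line.split()
        negate = tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        if tokens[:2] != ["logging", "rate-limit"]:
            raise ValueError(f"not a rate-limit line: {line}")
        num = int(tokens[2])
        rest = tokens[3:]
        interval = 1                  # [interval] is optional and defaults to 1 second
        if rest[0] not in ("message", "level"):
            interval = int(rest.pop(0))
        kind, key = rest[0], int(rest[1])
        table = self.by_message if kind == "message" else self.by_level
        if negate:
            table.pop(key, None)
        else:
            table[key] = (num, interval)

    def _limit_for(self, syslog_id, level):
        if syslog_id in self.by_message:      # the exception wins over the level limit
            return ("message", syslog_id), self.by_message[syslog_id]
        if level in self.by_level:            # shared budget for every message of that level (assumed)
            return ("level", level), self.by_level[level]
        return None, None

    def allow(self, syslog_id, level, t):
        """True if a message with this ID and level, generated at time t (seconds), is emitted."""
        key, limit = self._limit_for(syslog_id, level)
        if limit is None:
            return True
        num, interval = limit
        window = (key, int(t // interval))
        if self.sent[window] >= num:
            return False
        self.sent[window] += 1
        return True


def run(config_lines, events):
    """Build a limiter from config_lines, feed (time, syslog_id, level) events
    through it in time order, and return how many of each ID were emitted."""
    rl = SyslogRateLimiter()
    for line in config_lines:
        rl.configure(line)
    passed = {sid: 0 for _, sid, _ in events}
    for t, sid, level in sorted(events, key=lambda e: e[0]):
        if rl.allow(sid, level, t):
            passed[sid] += 1
    return passed


def demo():
    # Constructed traffic: 20 copies of 106023 during second 0 and 20 copies of
    # the hypothetical ID 111111 during second 1, both treated as level 1.
    burst = [(0.04 * i, 106023, 1) for i in range(20)] + \
            [(1.0 + 0.04 * i, 111111, 1) for i in range(20)]
    both = ["logging rate-limit 10 message 106023", "logging rate-limit 5 level 1"]
    return {
        "message_and_level": run(both, burst),
        "message_removed": run(both + ["no logging rate-limit 10 message 106023"], burst),
        "level_removed": run(both + ["no logging rate-limit 5 level 1"], burst),
    }
```

With both limits in place 106023 passes 10 times and 111111 passes 5; removing the message limit drops 106023 to the level's 5; removing the level limit leaves 106023 at 10 and lets all 20 copies of 111111 through. From a detection standpoint the last case is the one to watch: a message with no applicable limit is not rate limited at all.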
match
Use the match command to define route matching criteria for a route map. Use the no form of this command to disable matching.
match [interface | route-type | metric | ip address | ip next-hop | ip route-source]
[no] match [interface | route-type | metric | ip address | ip next-hop | ip route-source]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Route-map configuration submode.
Command History
Examples
This example shows how to create a route map that can be used to redistribute internal routes:
Router(config)# route-map name
Router(config-route-map)# match route-type internal
Related Commands
set
route-map
nameif
Use the nameif command to assign a name to an interface. Use the no form of this command to remove the interface name.
nameif vlan_number if_name security_level
no nameif vlan_number [if_name] [security_level]
Syntax Description
vlan_number
Specifies a VLAN.
if_name
Specifies the perimeter interface name.
security_level
Indicates the security level for the perimeter interface. Range is from 0 to 100.
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Usage Guidelines
Specifies the perimeter interface VLAN, name, and security level on an interface.
Examples
This example shows how to assign a name to an interface:
Router(config)# nameif vlan 10 inside security 100
network
Use the network command to define the interfaces on which OSPF runs and to define the area ID for those interfaces. Use the no form of this command to disable OSPF routing for interfaces defined with the address wildcard-mask pair.
network ip-address wildcard-mask area area id
no network ip-address wildcard-mask area area id
Syntax Description
Defaults
This command has no default settings.
Command Modes
Router configuration submode.
Command History
Examples
This example shows how to initialize OSPF routing process 109 and define four OSPF areas: 10.9.50.0, 2, 3, and 0. Areas 10.9.50.0, 2, and 3 mask specific address ranges, while area 0 enables OSPF for all other networks.
Router(config)# interface ethernet 0
Router(config-if)# ip address 131.108.20.1 255.255.255.0
Router(config)# router ospf 109
Router(config-router)# network 131.108.20.0 0.0.0.255 area 10.9.50.0
Router(config-router)# network 131.108.0.0 0.0.255.255 area 2
Router(config-router)# network 131.109.10.0 0.0.0.255 area 3
Router(config-router)# network 0.0.0.0 255.255.255.255 area 0
ospf
Use the ospf commands to configure OSPF parameters on an interface.
ospf authentication-key key
ospf authentication [message-digest | null]
ospf cost cost
ospf dead-interval seconds
ospf hello-interval seconds
ospf message-digest-key key_id md5 key
ospf priority number
ospf retransmit-interval seconds
ospf transmit-delay seconds
Syntax Description
Defaults
This command has no default settings.
Command Modes
Interface configuration submode.
Command History
Examples
These examples show how to set the interface cost, the interval between hello packets, and a new message digest key.
The following example sets the interface cost value to 65:
Router(config-if)# ospf cost 65
The following example sets the interval between hello packets to 15 seconds:
Router(config-if)# ospf hello-interval 15
The following example sets a new message digest key 19 with the password 8ry4222:
Router(config-if)# ospf message-digest-key 19 md5 8ry4222
For further examples, refer to the corresponding ip ospf commands in the Cisco IOS Configuration Guides and Command References.
Related Commands
redistribute
Use the redistribute command to enable redistribution of static or connected routes, or of routes from another OSPF process. Use the no form of this command to remove redistribution from the configuration.
redistribute {ospf id | static | connected} [match {internal | external extern-type}] [metric metric-value] [metric-type metric-type] [tag tag-value] [subnets] [route-map map-name]
no redistribute {ospf id | static | connected} [match {internal | external extern-type}] [metric metric-value] [metric-type metric-type] [tag tag-value] [subnets] [route-map map-name]
Syntax Description
Defaults
Default metric value is 0 or 20 depending upon the destination protocol.
Command Modes
Router configuration submode.
Command History
Examples
This example shows how to specify a network 172.16.0.0 that will appear as an external link-state advertisement (LSA) in OSPF 1 with a cost of 100 (the cost is preserved):
Router(config)# ip address inside 172.16.0.1 255.0.0.0
Router(config)# interface inside
Router(config-if)# ospf cost 100
Router(config)# ip address outside 10.0.0.1 255.0.0.0
Router(config)# router ospf 1
Router(config-router)# network 10.0.0.0 0.255.255.255 area 0
Router(config-router)# redistribute ospf 2 subnets
Router(config)# router ospf 2
Router(config-router)# network 172.16.0.0 0.255.255.255 area 0
route
Use the route command to define a static or default route for an interface.
route if_name ip_address netmask gateway_ip [metric]
[no] route [if_name ip_address [mask gateway]]
Syntax Description
Defaults
The default netmask value is 255.255.255.0.
The default metric value is 1.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to configure a route on the interface "inside" for the network 10.2.2.0/24 with next hop 10.2.1.5:
FWSM(config)# route inside 10.2.2.0 255.255.255.0 10.2.1.5
FWSM(config)# show route
S 0.0.0.0 0.0.0.0 [0/0] via 10.6.13.1, dmz
C 10.2.1.0 255.255.255.0 is directly connected, inside
S 10.2.2.0 255.255.255.0 [1/0] via 10.2.1.5, inside
C 10.3.1.0 255.255.255.0 is directly connected, outside
C 10.6.13.0 255.255.255.0 is directly connected, dmz
C 127.0.0.0 255.255.255.0 is directly connected, eobc
Related Commands
show route
router ospf
Use the router ospf command to create or configure an OSPF routing process. Use the no form of this command to remove the routing process from the configuration.
router ospf autonomous-system id
no router ospf autonomous-system id
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to create an OSPF routing process:
Router(config)# router ospf 12345
Related Commands
route-map
Use the route-map command to create a route map. Use the no form of this command to remove a route map from the configuration.
route-map map-tag [permit | deny] [seq-num]
[no] route-map map-tag [permit | deny] [seq-num]
Syntax Description
Defaults
The permit keyword is the default.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to create a route map:
FWSM# route-map disco permit
FWSM# show route-map
route-map disco permit 10
Related Commands
match
set
set metric
Use the set metric command to define the actions taken on routes that match the criteria defined for a route map. Use the no form of this command to disable metric criteria.
set metric [+ | -] metric-value
[no] set metric [+ | -] metric-value
Syntax Description
+ | -
(Optional) Keyword to specify a positive or negative metric.
metric-value
Specifies a metric value.
Defaults
This command has no default settings.
Command Modes
Route-map configuration submode.
Command History
Examples
This example shows how to set the metric value for the routing protocol to 100:
Router(config)# route-map set-metric
Router(config-route-map)# set metric 100
Note
We recommend that you consult your Cisco technical support representative before changing the default value. For further information refer to the Cisco IOS Configuration Guides and Command References.
Related Commands
set metric-type
Use the set metric-type command to specify a metric type for a route map.
set metric-type type-1 | type-2
[no] set metric-type type-1 | type-2
Syntax Description
type-1
Keyword to specify the open Shortest Path First (OSPF) external Type 1 metric.
type-2
Keyword to specify the OSPF external Type 2 metric
Defaults
This command has no default settings.
Command Modes
Route-map configuration submode.
Command History
Examples
This example shows how to set the metric type of the destination protocol to OSPF external Type 1:
Router(config)# route-map map-type
Router(config-route-map)# set metric-type type-1
Related Commands
show console-output
Use the show console-output command to view the contents of the message buffer.
show console-output [start_message_number-end_message_number]
Syntax Description
start_message_number
Specifies the starting serial number of the message to be displayed.
end_message_number
Specifies the end serial number of the message to be displayed.
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Usage Guidelines
Messages appearing on the console are redirected to all active Telnet sessions. When no Telnet session is available, the output is saved to a buffer. The buffer output can be subsequently examined when you Telnet to the module application software partition. Individual messages are numbered.
Examples
This example shows how to display the buffer output:
FWSM# show console-output
Message #1 :
Initializing debugger......:
Message #2 :
Found PCI card in slot:1 bus:2 dev:9 (vendor:0x8086 deviceid:0x1001)
Message #3 :
Found PCI card in slot:2 bus:2 dev:8 (vendor:0x8086 deviceid:0x1001)
Message #4 :
Found PCI card in slot:3 bus:1 dev:6 (vendor:0x1014 deviceid:0x1e8)
Message #5 :
Ignoring PCI card in slot:3 (vendor:0x1014 deviceid:0x1e8)
Message #6 :
Found PCI card in slot:4 bus:1 dev:5 (vendor:0x1014 deviceid:0x1e8)
Message #7 :
Ignoring PCI card in slot:4 (vendor:0x1014 deviceid:0x1e8)
Message #8 :
Found PCI card in slot:5 bus:1 dev:4 (vendor:0x1014 deviceid:0x1e8)
Message #9 :
Ignoring PCI card in slot:5 (vendor:0x1014 deviceid:0x1e8)
Message #10 :
Found PCI card in slot:7 bus:0 dev:2 (vendor:0x1011 deviceid:0x22)
Related Commands
show crashdump
Use the show crashdump command to display the contents of the crashdump partition.
show crashdump
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to display the contents of the crashdump partition.
Router(config)# show crashdump
show firewall module
Use the show firewall module command to display the module configuration.
show firewall module
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to display the module configuration.
Router(config)# show firewall module
show firewall vlan-group
Use the show firewall vlan-group command to display the configured firewall VLAN groups.
show firewall vlan-group
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to display the configured firewall VLAN groups.
Router(config)# show firewall 20
show interface
Use the show interface command to show all of the VLANs configured.
show interface [interface_name] stats
Syntax Description
interface_name
Specifies the perimeter interface name.
stats
Keyword to display the interface state and counters.
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Usage Guidelines
If VLANs are not configured on the MSFC, you will not be able to define any new VLAN interfaces on the Firewall Services Module.
Examples
This example shows how to display the firewall VLANs configured on all interfaces:
Router(config)# show interface domino
Related Commands
show ip ospf
Use the show ip ospf command to show the OSPF configuration.
show ip ospf border-routers
show ip ospf database [router][network][external]
show ip ospf interface
show ip ospf neighbor
show ip ospf request-list
show ip ospf retransmission-list
show ip ospf summary-address
show ip ospf virtual-link
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to show the IP OSPF configuration:
Router(config)# show ip ospf border routers
Routing Process "ospf 201" with ID 192.42.110.200
Supports only single TOS(TOS0) route
It is an area border and autonomous system boundary router
Redistributing External Routes from,
igrp 200 with metric mapped to 2, includes subnets in redistribution
rip with metric mapped to 2
igrp 2 with metric mapped to 100
igrp 32 with metric mapped to 1
Number of areas in this router is 3
Area 192.42.110.0
Number of interfaces in this area is 1
Area has simple password authentication
SPF algorithm executed 6 times
For further examples, refer to the Cisco IOS Configuration Guides and Command References.
Related Commands
show logging rate-limit
Use the show logging rate-limit command to display the logging rate.
show logging rate-limit
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to display the logging rate:
Router(config)# show logging rate-limit
Related Commands
clear logging rate-limit
logging rate-limit
show vlan
Use the show vlan command to display the list of VLANs assigned to the module through the configuration on the supervisor route process MSFC.
show vlan
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to display the VLANs assigned to the module:
Router(config)# show vlan
10, 33, 100,
summary-address
Use the summary-address command to create aggregate addresses for external routes. Use the no form of this command to disable aggregate addressing for external routes.
summary-address addr mask [not-advertise] [tag tag]
[no] summary-address addr mask [not-advertise] [tag tag]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Router configuration submode.
Command History
Examples
This example shows that the summary address 10.1.0.0 includes the addresses 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an external link-state advertisement.
Router(config)# summary-address 10.1.0.0 255.255.0.0
timers lsa-group-pacing
Use the timers lsa-group-pacing router configuration command to change the interval at which OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged. To restore the default value, use the no form of this command.
timers lsa-group-pacing seconds
no timers lsa-group-pacing
Syntax Description
seconds
Specifies the number of seconds in the interval at which LSAs are grouped and refreshed, checksummed, or aged. The range is from 10 to 1800 seconds.
Defaults
The default value is 240 seconds.
Command Modes
Router configuration submode.
Command History
Usage Guidelines
Examples
This example shows how to change the OSPF pacing between LSA groups to 60 seconds:
Router(config)# router ospf 1
Router(config-router)# timers lsa-group-pacing 60
timers spf
Use the timers spf router configuration command to configure the delay between when OSPF receives a topology change and when it starts a shortest path first (SPF) calculation, and the hold time between two consecutive SPF calculations. To return to the default timer values, use the no form of this command.
timers spf spf-delay spf-holdtime
no timers spf spf-delay spf-holdtime
Syntax Description
Defaults
The default time for the spf-delay value is 5 seconds.
The default time for the spf-holdtime value is 10 seconds.
Command Modes
Router configuration submode.
Command History
Examples
This example shows how to change the delay to 10 seconds and the hold time to 20 seconds:
Router(config)# timers spf 10 20
upgrade-mp
Use the upgrade-mp command to upgrade the maintenance software image.
upgrade-mp tftp[:[[//location] [/tftp_pathname]]]
Syntax Description
Usage Guidelines
The upgrade-mp command lets you download a maintenance software image through TFTP. The image is downloaded, installed to the compact Flash, and available on the next module reload (reboot).
If the command is used without the optional location or pathname parameters, the location and filename are obtained from the user interactively through a series of questions similar to those presented by Cisco IOS software. If you enter only a colon (:), the parameters are taken from the tftp-server command settings. If other optional parameters are supplied, those values are used in place of the corresponding tftp-server command setting. Supplying any of the optional parameters (a colon and anything after it) causes the command to run without prompting for user input.
The location is an IP address that the firewall can reach. The pathname can include directory names in addition to the actual last component of the path to the file on the server. The pathname cannot contain spaces. If a directory name has spaces, set the directory in the TFTP server instead of in the upgrade-mp command.
If your TFTP server has been configured to point to a directory on the system from which you are downloading the image, you need only use the IP address of the system and the image filename.
For example, the following command causes the TFTP server to receive the command and determine the actual file location from its root directory information:
Router(config)# upgrade-mp tftp://10.1.1.5/mp.1-1-0-3.bin.gz
The server then downloads the TFTP image to the module.
Examples
This example causes the module to prompt you for the filename and location before you start the TFTP download:
Router(config)# upgrade-mp
Address or name of remote host [127.0.0.1]? 10.1.1.5
Source file name [cdisk]? mp.1-1-0-3.bin.gz
copying tftp://10.1.1.5/mp.1-1-0-3.bin.gz to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!
Received 1695744 bytes.
Maintenance partition upgraded.
To set the filename and location specified in the tftp-server command, save memory, and then download the image to Flash memory, use these commands:
Router(config)# tftp-server outside 10.1.1.5 mp.1-1-0-3.bin.gz
Warning: 'outside' interface has a low security level (0).
write memory
Building configuration...
Cryptochecksum: 017c452b d54be501 8620ba48 490f7e99
[OK]
Router(config)# upgrade-mp tftp:
copying tftp://10.1.1.5/mp.1-1-0-3.bin.gz to flash
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
To override the information in the tftp-server command and specify alternate information about the filename and location, use this command:
Router(config)# upgrade-mp tftp://10.0.0.1/mp.1-1-0-3.bin.gz
To specify all information, if you have not set the tftp-server command, use this command:
Router(config)# upgrade-mp tftp://10.0.0.1/mp.1-1-0-3.bin.gz
System Messages
This section provides the list of system log messages supported in the Firewall Services Module. The module functions similarly to the PIX firewall application software. Refer to the System Log Messages for the Cisco Secure PIX Firewall Version 6.0 documentation for information about the system message logs. The messages are listed by type and by message code within each type.
This appendix includes the following sections:
• System Message Log Differences
• SSH
• PDM
• Memory and Resource Allocation
• SNMP
• DHCP
• VPN
• OSPF
• Shun
Note
The messages shown in this appendix apply to Firewall Services Module version 1.1(1) and higher. When a number is skipped from a sequence, for example, 106019, the message is no longer in the firewall code.
You can configure the module system software to send these messages to the output location of your choice. For example, you can specify that log messages be sent to the console, to any Telnet session actively connected to the module console, or to a logging server elsewhere on the network.
The module provides three output locations for sending syslog messages: the console, a host running a syslog server, and an SNMP management station. If you send messages to a host, they are sent using either UDP or TCP. The host must have a program (known as a server) called syslogd.
The syslog server runs on a Windows NT-based system that accepts TCP and UDP system log messages. The syslog server provides time-stamped syslog messages, accepts messages on alternate ports, and stops the firewall traffic if the server log disk is full or the server goes down.
System Log Messages
System log messages received at a syslog server begin with a percent sign (%) and are structured as follows:
%FWSM-Level-Message_number: Message_text
• FWSM identifies the message facility code for messages generated by the Firewall Services Module.
• Level reflects the severity of the condition described by the message. The lower the number, the more severe the condition. Table 16 lists the severity levels. Logging is set to level 3 (error) by default.
• Message_number is the numeric code that uniquely identifies the message.
• Message_text is a text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers, or usernames. Table 17 lists the variable fields and the type of information in them.
Note
Syslog messages received at the module serial console contain only the code portion of the message. When you view the message description, the severity level is provided.
System Message Log Differences
The module provides the following differences to the system message logging of the PIX firewall software:
• Syslog level changes for the module to reduce the number of syslog entries per connection from 4 to 2 at Info(6) level:
– Portmapped translation built (305001) changed from Info(6) to Debug(7)
– Translation built (305002) changed from Info(6) to Debug(7)
– Teardown translation (305003) changed from Info(6) to Debug(7)
– Teardown portmap translation (305004) changed from Info(6) to Debug(7)
• Syslog level changes for consistency purposes:
– PreAllocate H323 UDP Connection (302004) changed from Info(6) to Debug(7)
– Built H245 Connection (302003) changed from Info(6) to Debug(7)
– PreAllocate H225 Connection (302012) changed from Info(6) to Debug(7)
– PreAllocate SIP Secondary Channel (607001) changed from Info(6) to Debug(7)
– PreAllocate Skinny Secondary Channel (608001) changed from Info(6) to Debug(7)
– PreAllocate RTSP UDP Connection (314001) changed from Info(6) to Debug(7)
• Syslog changes for Deny By Access Group (106023) Warning(4):
– After a threshold has been reached, the syslog message is generated only if the connection is dropped for a specific access control rule n times (n is a global configurable item).
– After a threshold has been reached, the syslog message is generated once every t seconds with the ACL rule parameter that is being hit (t is a global configurable item).
– All syslog messages use the Firewall Services Module (FWSM) facility code instead of PIX.
– Deny Inbound (106010) changed from Error (3) to Info(4).
• Syslog messages generated by network processes are based on the interface. You can configure the module to either drop a new connection when the threshold is reached through that interface or allow the new connection without generating a syslog message.
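The header format described under System Log Messages and the FWSM-specific level changes listed above can both be checked mechanically at the collector. The following Python is an added example, not code from the Cisco note: it parses the %FWSM-Level-Message_number header, drops messages whose severity is above a configured logging level (3, error, as the note gives for the default), and groups the message numbers this appendix documents under spoofing, overload, translation and failover. The category sets and the sample log lines are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Header layout described in the note: %FWSM-Level-Message_number: Message_text
# search() rather than match() so a collector's timestamp/hostname prefix is tolerated.
FWSM_RE = re.compile(r"%FWSM-(?P<level>[0-7])-(?P<num>\d{6}):\s*(?P<text>.*)$")

# First address after "from" in the deny messages, e.g. "Deny IP spoof from (IP_addr) to ..."
# or "Deny protocol reverse path check from src_addr to dest_addr ...".
SRC_RE = re.compile(r"\bfrom \(?(\d{1,3}(?:\.\d{1,3}){3})\)?")

# Message numbers grouped by what this appendix says they mean (constructed for the example).
SPOOF_OR_HOSTILE = {106012, 106016, 106017, 106020, 106021}  # IP options, spoof, land, teardrop, uRPF
OVERLOAD = {201002, 201003, 202001, 407002}                  # connection, embryonic and xlate limits
TRANSLATION = {305001, 305002, 305003, 305004}               # Debug(7) on the FWSM, Info(6) on PIX


@dataclass(frozen=True)
class FwsmMessage:
    level: int     # severity 0-7; lower is more severe
    number: int    # six-digit message number
    text: str      # Message_text portion


def parse_fwsm(line: str) -> Optional[FwsmMessage]:
    """Parse one syslog line; return None for lines not in the FWSM format."""
    m = FWSM_RE.search(line)
    if m is None:
        return None
    return FwsmMessage(int(m.group("level")), int(m.group("num")), m.group("text").strip())


def is_emitted(msg: FwsmMessage, configured_level: int = 3) -> bool:
    """The module sends a message only when its severity is at or below the
    configured logging level (the note gives level 3, error, as the default)."""
    return msg.level <= configured_level


def classify(msg: FwsmMessage) -> str:
    """Map a message number to the category this appendix describes it under."""
    n = msg.number
    if n in SPOOF_OR_HOSTILE:
        return "spoofing"
    if n in OVERLOAD:
        return "overload"
    if n in TRANSLATION:
        return "translation"
    if 103000 <= n < 106000:      # the Failover Messages section (103001 - 105043)
        return "failover"
    return "other"


def summarize(log_text: str, configured_level: int = 3) -> Dict[str, object]:
    """Count emitted messages per category, tally spoof source addresses, and
    report how many messages the configured level would have suppressed."""
    by_category: Counter = Counter()
    spoof_sources: Counter = Counter()
    suppressed = unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg = parse_fwsm(line)
        if msg is None:
            unparsed += 1
            continue
        if not is_emitted(msg, configured_level):
            suppressed += 1
            continue
        category = classify(msg)
        by_category[category] += 1
        if category == "spoofing":
            src = SRC_RE.search(msg.text)
            if src:
                spoof_sources[src.group(1)] += 1
    return {
        "by_category": dict(by_category),
        "spoof_sources": dict(spoof_sources),
        "suppressed": suppressed,
        "unparsed": unparsed,
    }


# Constructed sample lines in the formats this appendix documents.
SAMPLE_LOG = """\
%FWSM-2-106016: Deny IP spoof from (127.0.0.1) to 10.1.1.20 on interface outside.
%FWSM-2-106017: Deny IP due to Land Attack from 10.1.1.20 to 10.1.1.20
%FWSM-1-106021: Deny tcp reverse path check from 192.0.2.7 to 10.1.1.20 on interface outside
%FWSM-2-201003: Embryonic limit exceeded 50/50 for 192.0.2.9/33000 (203.0.113.5) 10.1.1.20/80 on interface outside
%FWSM-7-302003: Built H245 connection for faddr 192.0.2.9/1720 laddr 10.1.1.20/1720
%FWSM-7-305001: Portmapped translation built for gaddr 203.0.113.5/1025 laddr 10.1.1.20/1025
Jan 12 10:00:01 fwsm-1 %FWSM-1-104001: (Primary) Switching to ACTIVE (cause: Interface check, mate is healthier).
Jan 12 10:00:02 switch-a: not an FWSM message
"""

if __name__ == "__main__":
    for level in (3, 7):
        print(f"logging level {level}:", summarize(SAMPLE_LOG, level))
```

At the default level the two translation and connection messages are never seen by the collector, which is the practical effect of the Info(6) to Debug(7) changes listed above.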
Failover Messages
This section contains the messages generated by a failover configuration.
Error Message %FWSM-1-103001: (Primary) No response from other firewall (reason code = code).
Explanation This message indicates that the primary module is unable to communicate with the secondary module over the failover cable. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Verify that the secondary module has the exact same hardware, software version level, and configuration as the primary module.
Error Message %FWSM-1-103002: (Primary) Other firewall network interface interface_name OK.
Explanation This message indicates that the primary module detected that the network interface on the secondary module is okay. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-103003: (Primary) Other firewall network interface interface_name failed.
Explanation This message indicates that the primary module detects a bad network interface on the secondary module. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Check the network connections on the secondary module, and check the network hub connection. If necessary, replace the failed network interface.
Error Message %FWSM-1-103004: (Primary) Other firewall reports this firewall failed.
Explanation This message indicates that the primary module receives a message from the secondary module indicating that the primary has failed. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Verify the status of the primary module.
Error Message %FWSM-1-103005: (Primary) Other firewall reporting failure.
Explanation This message indicates that the secondary module reports a failure to the primary module. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Verify the status of the secondary module.
Error Message %FWSM-1-104001: (Primary) Switching to ACTIVE (cause: reason).
%FWSM-1-104002: (Primary) Switching to STNDBY (cause: reason).
Explanation Both instances are failover messages. These messages are logged when you force the failover module pair to switch roles. You can force the failover module pair to switch roles by either entering the failover active command on the secondary module or the no failover active command on the primary module. (Primary) can also be listed as (Secondary) for the secondary module. Possible values for the reason variable are as follows:
– State check
– Bad or incomplete configuration
– Interface check, mate is healthier
– The other module wants to be standby
– In failed state, cannot be active
– Switch to failed state
Recommended Action If the message occurs because of manual intervention, no action is required. Otherwise, use the cause reported by the secondary module to verify the status of both modules of the pair.
Error Message %FWSM-1-104003: (Primary) Switching to FAILED.
Explanation This message indicates that the primary module fails.
Recommended Action Check the system log messages for the primary module for an indication of the nature of the problem (see message %FWSM-1-104001:). (Primary) can also be listed as (Secondary) for the secondary module.
Error Message %FWSM-1-104004: (Primary) Switching to OK.
Explanation This message indicates that a previously failed module now reports that it is operating again. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-105001: (Primary) Disabling failover.
Explanation This message indicates that you entered the no failover command on the console. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-105002: (Primary) Enabling failover.
Explanation This message indicates that you entered the failover command with no arguments on the console, after having previously disabled failover. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-105003: (Primary) Monitoring on interface int_name waiting
Explanation The firewall is testing the specified network interface with the other module of the failover pair.
Recommended Action None required. The firewall monitors its network interfaces frequently during normal operations.
Error Message %FWSM-1-105004: (Primary) Monitoring on interface int_name normal
Explanation The test of the specified network interface was successful. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface int_name.
Explanation This message indicates that this module of the failover pair can no longer communicate with the other module of the pair. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Verify that the network connected to the specified interface is functioning correctly.
Error Message %FWSM-1-105006: (Primary) Link status 'Up' on interface int_name.
%FWSM-1-105007: (Primary) Link status 'Down' on interface int_name.
Explanation Both instances are failover messages. These messages report the results of monitoring the link status of the specified interface. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action If the link status is down, verify that the network connected to the specified interface is operating correctly.
Error Message %FWSM-1-105008: (Primary) Testing interface int_name.
Explanation This message indicates that the firewall tested a specified network interface. This testing is performed only if the firewall fails to receive a message from the standby module on that interface after the expected interval. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-105009: (Primary) Testing on interface int_name result.
Explanation This message reports the result (either Passed or Failed) of the interface test.
Recommended Action None required if the result is Passed. If the result is Failed, check that the network cable is properly connected to both failover modules and that the network itself is functioning correctly, and verify the status of the standby module.
Error Message %FWSM-3-105010: (Primary) Failover message block alloc failed
Explanation Block memory has been depleted. This is a transient message and the firewall should recover. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Use the show blocks command to monitor the current block memory.
Error Message %FWSM-1-105011: (Primary) Failover cable communication failure
Explanation The failover cable is not permitting communication between the primary and secondary modules. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Ensure that the cable is properly connected.
Error Message %FWSM-1-105020: (Primary) Incomplete/slow config replication
Explanation When a failover occurs, the active firewall detects a partial configuration in memory. This situation is caused by an interruption in the replication service. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Once the failover is detected by the firewall, the firewall automatically reloads itself, loads the configuration from Flash, and resynchronizes with the other firewall. If failovers happen continuously, check the failover configuration and make sure both firewalls can communicate with each other.
Error Message %FWSM-1-105038: (Primary) Interface count mismatch
Explanation Failover initially verifies that the number of interfaces configured on the primary and secondary modules is the same. This message indicates that the verification found that the numbers are not the same. Failover cannot be enabled until both primary and secondary modules have the same number of interfaces. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Check the VLAN configuration on the primary and secondary modules. Look for any nameif command failure on the primary. (Primary) can also be listed as (Secondary) for the secondary module. Once these configurations are verified and corrected, enter failover on the primary to enable failover again.
Error Message %FWSM-1-105039: (Primary) Unable to verify the Interface count with mate. Failover may be disabled in mate.
Explanation Failover initially verifies that the number of interfaces configured on the primary and secondary modules is the same. This message indicates that the primary module is not able to verify the number of interfaces configured on the secondary module, which means that the primary module is not able to communicate with the secondary module over the failover interface. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Verify the failover VLAN, interface configuration, and status on the primary and secondary modules. Make sure the secondary module is running the firewall application and failover is enabled. (Primary) can also be listed as (Secondary) for the secondary module.
Error Message %FWSM-1-105040: (Primary) Mate failover version is not compatible.
Explanation The primary and secondary modules must run the same failover software version to act as a failover pair. This message indicates that the secondary module's failover software version is not compatible with the primary module. Failover is disabled on the primary module. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Maintain consistent software versions between the primary and secondary modules to enable failover.
Error Message %FWSM-1-105041: (Primary) nameif command failed. Number of interfaces is not consistent with mate.
Explanation This message indicates that during a configuration sync from the secondary to the primary module the nameif command failed on the primary module. The nameif command defines the firewall interfaces in the Firewall Services Module. If this command fails during synchronization, the interfaces are inconsistent across the failover modules. To avoid this situation, failover is disabled. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Correct the reason why nameif failed, and then enable failover.
Error Message %FWSM-1-105042: (Primary) Failover interface OK
Explanation The interface used to send failover messages to the secondary module is functioning. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-105043: (Primary) Failover interface failed
Explanation The interface used to send failover messages to the secondary module failed. The active module remains active and the standby module remains standby. There will not be any failure detection or switchover activity until the failover interface becomes normal. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Verify the VLAN and interface configuration of the failover interface on the primary and secondary modules.
Connection Messages
This section contains connection messages and the messages specific to the following message types:
• HTTP
• ICMP
• RSH
• RTSP
• SMTP
• TCP
• UDP
Error Message %FWSM-2-106002: protocol Connection denied by outbound list list_ID src laddr dest faddr
Explanation This message indicates that the specified connection failed because of an outbound deny command statement. The protocol variable can be ICMP, TCP, or UDP.
Recommended Action Use the show outbound command to check outbound lists.
Error Message %FWSM-7-106011: Deny inbound (No xlate) chars
Explanation This message indicates that a packet was sent to the same interface that it arrived on. This usually indicates that a security breach is occurring. When the module receives a packet, it tries to establish a translation slot based on the security policy you set with the global and conduit commands, and your routing policy set with the route command.
When the module polls both policies, it allows the packet to flow from the higher priority network to a lower priority network if doing so is consistent with the security policy. If a packet comes from a lower priority network and the security policy does not allow it, the module routes the packet back to the same interface.
To provide access from an interface with a higher security level to a lower security level, use the nat and global commands. For example, use the nat command to allow internal users access to external servers, to allow internal users to access perimeter servers, and to allow perimeter users access to external servers.
To provide access from an interface with a lower security level to a higher security level, use the static and conduit commands. For example, use the static and conduit commands to let external users access internal servers, external users access perimeter servers, or perimeter servers access internal servers.
Recommended Action Fix your configuration to reflect your security policy for handling these attack events.
Error Message %FWSM-2-106012: Deny IP from IP_addr to IP_addr, IP options hex.
Explanation An IP packet was detected with IP options. Because IP options are considered a security risk, the packet was discarded.
Recommended Action A security breach was probably attempted. Check the local site for loose source or strict source routing.
Error Message %FWSM-2-106016: Deny IP spoof from (IP_addr) to IP_addr on interface int_name.
Explanation This message indicates that the module discards a packet with an invalid source address. Invalid source addresses are those that belong to the following:
– Loopback network (127.0.0.0)
– Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
– The destination host (land.c)
If sysopt connection enforce subnet is enabled, the module discards packets with a source address belonging to the destination subnet instead of letting them traverse the firewall, and logs this message.
To further enhance spoof-packet detection, use the conduit command to configure the firewall to discard packets with source addresses belonging to the internal network.
Recommended Action Determine if an external user is trying to compromise the protected network. Check for incorrectly configured clients.
Error Message %FWSM-2-106017: Deny IP due to Land Attack from IP_addr to IP_addr
Explanation This message indicates that the module received a packet with the IP source address equal to the IP destination and the destination port equal to the source port. This indicates a spoofed packet that is designed to attack systems. This attack is referred to as a land attack. If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.
Recommended Action None.
Error Message %FWSM-2-106020: Deny IP teardrop fragment (size = num, offset = num) from IP_addr to IP_addr
Explanation The firewall discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event to circumvent the module or an intrusion detection system.
Recommended Action Contact the remote peer administrator or escalate this issue according to your security policy.
Error Message %FWSM-1-106021: Deny protocol reverse path check from src_addr to dest_addr on interface int_name
Explanation Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes it to be part of an attack on your module.
This message indicates that you have enabled Unicast Reverse Path Forwarding with the ip verify reverse-path command. This feature works on packets sent to an interface; if it is configured on the outside, then the module checks packets arriving from the outside. The following conditions apply:
– The module looks up a route based on the src_addr. If an entry is not found and a route is not defined, then this syslog message appears and the connection is dropped.
– If there is a route, the module checks which interface it corresponds to. If the packet arrived on another interface, then it is a spoof or there is an asymmetric routing environment. The firewall does not support asymmetric routing (where there is more than one path to a destination).
– If configured on an internal interface, the module checks static route command statements or RIP and if the source address is not found, then an internal user is spoofing their address.
Recommended Action An attack is in progress. With this feature enabled, no user action is required. The module repels the attack.
Error Message %FWSM-3-201002: Too many connections on static|xlate gaddr! econns nconns
Explanation This message indicates that the maximum number of connections to the specified static address has been exceeded. The econns variable is the maximum number of embryonic connections and nconns is the maximum number of connections permitted for the static or translate (xlate).
Recommended Action Use the show static command to check the limit imposed on connections to a static address. The limit is configurable.
Error Message %FWSM-2-201003: Embryonic limit exceeded neconns/elimit for faddr/fport (gaddr) laddr/lport on interface int_name
Explanation This message indicates that the maximum number of embryonic connections from the specified foreign address through the specified static global address to the specified local address has been exceeded. When the limit on embryonic connections is reached, the module attempts to accept them anyway, but puts a time limit on the connections. This allows some connections to succeed even if the module is very busy. The neconns variable is the number of embryonic connections received and the elimit variable is the maximum number of embryonic connections specified in the static or nat command. This message indicates a more serious overload than message 201002. The overload could be caused by SYN attacks or by a very heavy load of legitimate traffic.
Recommended Action Use the show static command to check the limit imposed on embryonic connections to a static address.
Error Message %FWSM-3-407002: Embryonic limit neconns/elimit for through connections
Explanation This message provides information about connections through the firewall. It indicates that the number of connections from a specified foreign address over a specified global address to the specified local address exceeds the maximum embryonic limit for that static. The module attempts to accept the connection if it can allocate memory for it. It proxies on behalf of the local host and sends a SYN_ACK packet to the foreign host. The module retains pertinent state information, drops the packet, and waits for the client's acknowledgment.
Recommended Action The traffic may be legitimate, or this message might indicate that a denial of service (DoS) attack is in progress. Check the source address to determine where the packets are coming from and whether it is a valid host.
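The recommended action for 201003 and 407002 is to find out which foreign addresses are driving the embryonic-limit events. The following script is an added example, not part of this document or of the module software: it parses the %FWSM-severity-id prefix, extracts the variable fields named in the two message templates above, and tallies events per static global address and per foreign source. The sample lines are constructed for the example (documentation address ranges), and the field layout is taken from the templates as printed on this page.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real module output). They follow the 201003,
# 407002 and 302013 message templates documented on this page; the addresses
# are documentation ranges and carry no meaning.
SAMPLE_LOG = """\
%FWSM-2-201003: Embryonic limit exceeded 51/50 for 203.0.113.7/40001 (198.51.100.10) 10.1.1.10/80 on interface outside
%FWSM-2-201003: Embryonic limit exceeded 52/50 for 203.0.113.7/40002 (198.51.100.10) 10.1.1.10/80 on interface outside
%FWSM-2-201003: Embryonic limit exceeded 53/50 for 203.0.113.9/41000 (198.51.100.10) 10.1.1.10/80 on interface outside
%FWSM-3-407002: Embryonic limit 54/50 for through connections
%FWSM-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.5/4444 (203.0.113.5/4444) to inside:10.1.1.10/80 (198.51.100.10/80)
"""

# Generic prefix shared by every FWSM syslog message: %FWSM-<severity>-<id>: <text>
PREFIX = re.compile(r"^%FWSM-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")

# Variable fields of the two embryonic-limit messages, in the order the
# templates on this page list them.
EMBRYONIC_201003 = re.compile(
    r"Embryonic limit exceeded (?P<neconns>\d+)/(?P<elimit>\d+) for "
    r"(?P<faddr>[\d.]+)/(?P<fport>\d+) \((?P<gaddr>[\d.]+)\) "
    r"(?P<laddr>[\d.]+)/(?P<lport>\d+) on interface (?P<iface>\S+)"
)
EMBRYONIC_407002 = re.compile(
    r"Embryonic limit (?P<neconns>\d+)/(?P<elimit>\d+) for through connections"
)


def parse_prefix(line):
    """Split a line into (severity, message_id, text); None if it is not an FWSM message."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    return int(m.group("sev")), m.group("id"), m.group("text")


def analyze_embryonic(log_text):
    """Tally embryonic-limit messages so the noisiest foreign sources stand out."""
    per_gaddr = Counter()                    # 201003 events per static global address
    per_source = defaultdict(Counter)        # gaddr -> faddr -> 201003 events
    through_events = 0                       # 407002 events (the message carries no addresses)
    worst_overshoot = 0                      # largest neconns - elimit seen in either message
    for line in log_text.splitlines():
        parsed = parse_prefix(line)
        if parsed is None:
            continue
        _sev, msg_id, text = parsed
        if msg_id == "201003":
            e = EMBRYONIC_201003.match(text)
            if e is None:
                continue
            per_gaddr[e.group("gaddr")] += 1
            per_source[e.group("gaddr")][e.group("faddr")] += 1
            worst_overshoot = max(worst_overshoot,
                                  int(e.group("neconns")) - int(e.group("elimit")))
        elif msg_id == "407002":
            e = EMBRYONIC_407002.match(text)
            if e is None:
                continue
            through_events += 1
            worst_overshoot = max(worst_overshoot,
                                  int(e.group("neconns")) - int(e.group("elimit")))
    return {
        "per_gaddr": per_gaddr,
        "per_source": per_source,
        "through_events": through_events,
        "worst_overshoot": worst_overshoot,
    }


def top_sources(report, gaddr, n=3):
    """Foreign addresses responsible for the most 201003 events against one static."""
    return report["per_source"][gaddr].most_common(n)


if __name__ == "__main__":
    r = analyze_embryonic(SAMPLE_LOG)
    for gaddr, count in r["per_gaddr"].most_common():
        print(f"{gaddr}: {count} embryonic-limit events, top sources {top_sources(r, gaddr)}")
    print(f"through-connection events: {r['through_events']}, worst overshoot: {r['worst_overshoot']}")
```

A single foreign address accounting for most of the events against one static, with neconns climbing past elimit, is the SYN-attack pattern the explanation describes; many distinct sources each appearing once is more consistent with a legitimate load spike, for which raising the embryonic limit on the static or nat command is the usual response.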
Error Message %FWSM-3-202001: Out of address translation slots!
Explanation This message indicates that the module has no more address translation slots available.
Recommended Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This message may also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory.
Error Message %FWSM-3-202005: Non-embryonic in embryonic list faddr/fport laddr/lport
Explanation This message indicates that a connection object (xlate) is in the wrong list.
Recommended Action Contact your customer support representative.
Error Message %FWSM-3-208005: (function:line_num) FWSM clear command return return_code
Explanation The module received a non-zero value (an internal error) when attempting to clear the configuration in Flash memory. The message includes the reporting subroutine's filename and line number.
Recommended Action If this message persists, contact your customer support representative.
Error Message %FWSM-6-305001: Portmapped translation built for gaddr IP_addr/port laddr IP_addr/port
Explanation This message indicates that a translate (xlate) is created for outbound traffic using a PAT global address. This message applies to UDP, TCP, and ICMP packets.
Recommended Action None required.
Error Message %FWSM-6-305002: Translation built for gaddr IP_addr to laddr IP_addr
Explanation This message indicates that a translate (xlate) is created for outbound traffic using a global address, or for either outbound or inbound traffic using a static address.
Recommended Action None required.
Error Message %FWSM-6-305003: Teardown translation for global IP_addr local IP_addr
Explanation This message indicates that the firewall clears a dynamically allocated translation after the xlate timeout expires.
Recommended Action None required.
Error Message %FWSM-6-305004: Teardown portmap translation for global IP_addr/port local IP_addr/port
Explanation This message indicates that a portmapped translation (PAT xlate) no longer in use has been reclaimed.
Recommended Action None required.
Error Message %FWSM-3-305005: No translation group found for protocol.
Explanation This message indicates that no nat and global command pair can be found for a protocol. The protocol can be TCP, UDP, or ICMP.
Recommended Action This message can be either an internal error or an error in the configuration.
Error Message %FWSM-3-305006: Regular translation creation failed for protocol src int_name:IP_addr/port dst int_name:IP_addr/port
Explanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the module. This message appears as a fix to caveat CSCdr0063, which requested that the module not allow packets destined to network or broadcast addresses. The module provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, the module denies translations for a destination IP address identified as a network or broadcast address.
The module uses the global IP address and mask from configured static command statements to distinguish regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the module will not create a translate (xlate) for inbound packets addressed to the network or broadcast IP address.
Recommended Action This message can be either an internal error or an error in the configuration.
Error Message %FWSM-6-305007: Orphan IP IP_addr on interface interface_name
Explanation This message indicates that the module attempted to translate an address that it cannot find in any of its global pools. The module assumes that the address has been deleted and drops the request.
Recommended Action None required.
Error Message %FWSM-6-609001: Built local-host int_name:ip_addr
Explanation A network state container is reserved for the host IP address connected to the interface name. This is an informational message.
Recommended Action None required.
Error Message %FWSM-6-609002: Teardown local-host int_name:ip_addr duration hh:mm:ss
Explanation A network state container for the host IP address connected to the interface name is removed. This is an informational message.
Recommended Action None required.
Error Message %FWSM-3-305008: Free unallocated global IP address.
Explanation This message indicates an inconsistency condition when trying to free an unallocated global IP address back to the address pool. This abnormal condition may occur if the module is running a stateful failover setup and some of the internal states are momentarily out of sync between the active and standby module. This condition is not catastrophic and the module will recover automatically.
Recommended Action Report this condition to Cisco technical support if you continue to see this message.
Error Message %FWSM-4-307004: Telnet session limit exceeded. Connection request from IP_addr on interface int_name.
Explanation This message indicates that the maximum number of Telnet connections to the module is exceeded. The module denies an attempt to connect to its Telnet port from the specified IP address on the specified network.
Recommended Action None required.
Error Message %FWSM-4-308002: static gaddr1 laddr1 netmask mask1 overlapped with gaddr2 laddr2
Explanation This message indicates that the IP addresses in one or more static command statements overlap. gaddr is the global address, which is the address on the lower security interface, and laddr is the local address, which is the address on the higher security level interface.
Recommended Action Use the show static command to view the static command statements in your configuration and fix the commands that overlap. The most common overlap occurs if you specify a network address such as 10.1.1.0 and in another static command statement specify a host within that range such as 10.1.1.5.
Error Message %FWSM-4-500004: Invalid transport field for protocol=protocol, from src_addr/src_port to dest_addr/dest_port
Explanation This message indicates there is an invalid transport number, in which the source or destination port number for a protocol is zero. The protocol field is 6 for TCP and 17 for UDP.
Recommended Action If these messages persist, contact the peer's administrator.
FTP and URL
Error Message %FWSM-3-201005: FTP data connection failed for IP_addr
Explanation This message indicates that the module is unable to allocate a structure to track the data connection for FTP because of insufficient memory.
Recommended Action Reduce the amount of memory usage, or purchase additional memory.
Error Message %FWSM-6-303002: src_addr Stored|Retrieved dest_addr: nat_addrs
Explanation This message indicates that the specified host successfully stores or retrieves data from the specified FTP site. This message is used by the module manager to generate reports.
Recommended Action None required.
Error Message %FWSM-5-304001: user src_addr Accessed JAVA URL|URL dest_addr: url.
Explanation This message indicates that the specified host successfully accesses the specified URL. This message is used by the module manager to generate reports.
Recommended Action None required.
Error Message %FWSM-5-304002: Access denied URL chars SRC IP_addr DEST IP_addr: chars
Explanation This message indicates that access from the source address to the URL was denied.
Recommended Action None required.
Error Message %FWSM-3-304003: URL Server IP_addr timed out URL string
Explanation This message indicates that a request to the URL server timed out before the server answered.
Recommended Action None required.
Error Message %FWSM-6-304004: URL Server IP_addr request failed URL chars
Explanation This message indicates that a Websense server request fails.
Recommended Action None required.
Error Message %FWSM-7-304005: URL Server IP_addr request pending URL chars
Explanation This message indicates that a Websense server request is pending.
Recommended Action None required.
Error Message %FWSM-3-304006: URL Server IP_addr not responding
Explanation The Websense server is unavailable, and the module retries the same server if it is the only server installed, or tries another server if more than one is configured.
Recommended Action None required.
Error Message %FWSM-2-304007: URL Server IP_addr not responding, ENTERING ALLOW mode.
Explanation This message indicates that the allow option of the filter command is configured and the Websense servers are not responding. The module allows all Web requests to continue without filtering while the servers are not available.
Recommended Action None required.
Error Message %FWSM-2-304008: LEAVING ALLOW mode, URL Server is up.
Explanation This message indicates that the allow option of the filter command is configured and the module received a response message from a Websense server that previously was not responding. With this response message, the module exits the allow mode and enables the URL filtering feature again.
Recommended Action None required.
Error Message %FWSM-4-406001: FTP port command low port: laddr, port to gaddr on interface int_number
Explanation This message indicates that an FTP client issued a PORT command whose port number is a low (privileged) port. The FTP fixup rejects the command, because it would direct the FTP server to open a data connection to a privileged port on the client side.
Recommended Action None required.
Error Message %FWSM-4-406002: FTP port command different address: laddr to gaddr on interface int_number
Explanation This message indicates that an FTP client issued a PORT command whose address differs from the source address of the FTP control connection. The FTP fixup rejects the command, because it would direct the FTP server to open a data connection to a third host (an FTP bounce).
Recommended Action None required.
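The two PORT-command checks behind messages 406001 and 406002 are easy to reproduce on the wire. The following function is an added example (not the module's code and not from this document): it decodes the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command exactly as RFC 959 defines it, then applies the "different address" and "low port" tests described above. The low-port threshold of 1024 and the order in which the two tests are applied are assumptions; the page does not state either.

```python
def parse_port_argument(arg):
    """Decode the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command (RFC 959)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError(f"PORT argument needs 6 fields: {arg!r}")
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError(f"PORT field out of range: {arg!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def check_port_command(control_src, port_arg, low_port=1024):
    """Apply the checks behind 406002 and 406001 to a single PORT command.

    control_src is the source address of the FTP control connection (the laddr
    in the message templates). Returns (verdict, message_id, host, port);
    message_id is None when the command is permitted.

    Assumptions (not stated on the page): the address comparison runs before
    the port comparison, and "low port" means anything below 1024.
    """
    host, port = parse_port_argument(port_arg)
    if host != control_src:
        # Data channel aimed at a third host: FTP bounce (406002).
        return ("deny", "406002", host, port)
    if port < low_port:
        # Data channel aimed at a privileged port on the client (406001).
        return ("deny", "406001", host, port)
    return ("permit", None, host, port)


if __name__ == "__main__":
    client = "10.1.1.5"   # constructed client address for the demonstration
    for arg in ("10,1,1,5,4,1", "10,1,1,5,0,25", "10,1,1,9,4,1"):
        print(f"PORT {arg} -> {check_port_command(client, arg)}")
```

The same logic applies to an IDS rule or a log-correlation check: a 406002 that names a laddr inside your own address space but a PORT target elsewhere is the classic bounce pattern, and a burst of 406001 from one client is worth a look even though the module already blocked each attempt.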
HTTP
Error Message %FWSM-6-605001: HTTP daemon interface int_name: Connection denied from IP_addr
Explanation This message indicates that an HTTP connection to the module was denied.
Recommended Action None required.
Error Message %FWSM-6-605002: HTTP daemon connection limit exceeded
Explanation This message indicates that the number of HTTP connections to the module for Cisco Secure PDM was exceeded.
Recommended Action None required.
Error Message %FWSM-6-605003: HTTP daemon: Login failed from IP_addr for user "user_id"
Explanation This message indicates that a Cisco Secure PDM login to the module failed.
Recommended Action None required.
ICMP
Error Message %FWSM-6-106010: Deny inbound icmp src outside: IP_addr dst inside: IP_addr (type dec, code dec)
Explanation This message indicates that an inbound connection is denied by your security policy.
Recommended Action None required.
Explanation This message indicates that the module discards an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. It is discarded because the inbound packet cannot specify which PAT host should receive the packet.
Recommended Action None required.
Error Message %FWSM-3-106014: Deny inbound icmp src interface name: IP_addr dst interface name: IP_addr (type dec, code dec)
Explanation This message indicates that the module denies an inbound ICMP packet. By default, all inbound ICMP packets are denied unless specifically permitted using the conduit permit icmp command.
Recommended Action None required.
Error Message %FWSM-2-106018: ICMP packet type ICMP_type denied by outbound list list_ID src laddr dest faddr
Explanation This message indicates that an outgoing ICMP packet of the specified ICMP type from a local host to a foreign host is denied by the outbound list.
Recommended Action None required.
Error Message %FWSM-3-313001: Denied ICMP type=icmp_type, code=type_code from IP_addr on interface int_name
Explanation When the icmp command is used with an access list, the ICMP packet continues to be processed if the first matched entry is a permit entry. If the first matched entry is a deny entry or no entry is matched, the module discards the ICMP packet and generates this syslog message. The icmp command enables or disables pinging to an interface. With pinging disabled, the module cannot be detected on the network. This feature is also referred to as configurable proxy pinging.
Recommended Action Contact the peer's administrator.
Error Message %FWSM-3-313003: Invalid destination, ICMP-packet-description, on interface-name interface. Original IP payload, packet-description
Explanation The destination of the ICMP error message is different from the source of the IP packet (carried in the ICMP payload) that generated the ICMP error message.
Recommended Action If the message occurs frequently, this could be an active network probe, an attempt to use the ICMP error message as a covert channel, or an IP host that is not operating properly. Contact the administrator of the host that originated the ICMP error message.
Error Message %FWSM-6-602101: PMTU-D packet packet_length bytes greater than effective mtu mtu_value dest_addr=dest_ip, src_addr=source_ip, prot=protocol
Explanation This message occurs when the module sends an ICMP destination unreachable (fragmentation needed) message because a packet larger than the effective MTU arrived with the don't-fragment bit set.
Recommended Action Verify that the sending host honors the ICMP message and resends the data in packets that fit the effective MTU.
Routing Messages
This section contains the messages generated by the router configuration.
Error Message %FWSM-1-107001: RIP auth failed from IP_addr: version=vers, type=type, mode=mode, sequence=seq on interface int_name
Explanation This is an alert log message. The module received a RIP reply message with bad authentication. This could be due to an incorrectly configured router or module, or it could be an unsuccessful attempt to attack the module's routing table.
Recommended Action This may be an attack and should be monitored. If you are not familiar with the source IP address listed in this message, change your RIP authentication keys between trusted entities. An attacker may be trying to deduce the existing keys.
Error Message %FWSM-1-107002: RIP pkt failed from IP_addr: version=vers on interface int_name
Explanation This is an alert message. This message indicates a router bug, a packet with non-RFC values inside, or malformed entries. This situation should not happen and may be an attempt to exploit the firewall module's routing table.
Recommended Action This may be an attack and should be monitored. The packet has passed authentication, if enabled, and bad data is in the packet. The situation should be monitored and the keys should be changed if there are any doubts as to the originator of the packets.
Error Message %FWSM-6-110001: No route to dest_addr from src_addr
Explanation This message indicates a route lookup failure. A packet is destined to an IP address that is not in the routing table.
Recommended Action Check the routing table and make sure there is a route to the destination.
Error Message %FWSM-3-110002: No ARP for host IP_addr
Explanation This is a routing message. This message indicates that the module cannot resolve the address of a host on one of its immediately connected networks. This usually occurs if the specified host does not exist or is not reachable on the network the module expects it to be on (for example, if the host's address is incorrectly subnetted).
Recommended Action Check the ARP table and ensure the host is available. If necessary, add a static ARP statement with the arp command or set the arp timeout value lower so that the ARP table will refresh sooner.
Check that the host's IP address is appropriate to the network topology and your subnet scheme. Verify that the host is reachable by pinging it from another host. Use the show arp command to display the module's ARP table. The module minimally must be able to resolve the addresses of its SNMP server, routers, and syslog host.
Error Message %FWSM-6-312001: RIP hdr failed from IP_addr: cmd=cmd, version=vers domain=name on interface int_name
Explanation The module received a RIP message with an operation code other than reply, with a version number different from what is expected on this interface, or with a non-zero routing domain entry.
Recommended Action This message is informational, but may also indicate that another RIP device is not configured correctly to communicate with the module.
H.225
Error Message %FWSM-4-405101: Unable to Pre-allocate H225 Call Signalling Connection for faddr faddr[/fport] to laddr laddr[/lport]
Explanation The module failed to allocate RAM system memory while starting a connection or has no memory available.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact customer support. Also, check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This message might be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory.
Error Message %FWSM-4-405104: H225 message received from faddr/fport to laddr/lport before SETUP
Explanation This message indicates that an H.225 message is received out of order. The H.225 message was received before the initial SETUP message, which is not allowed. The module has to receive an initial SETUP message for that H.225 call-signaling channel before accepting any other H.225 messages.
Recommended Action None required.
Error Message %FWSM-4-405103: H225 message from faddr/fport to laddr/lport contains bad protocol discriminator
Explanation This message indicates that the H.225 message contains an incorrect protocol discriminator.
Recommended Action None required.
H.245
Error Message %FWSM-7-302003: Built H245 connection for faddr faddr/fport laddr laddr/lport
Explanation This message indicates that an H.245 connection is started from a foreign address to a local address. This message only occurs if the module detects the use of an Intel Internet phone. The foreign port (fport) only displays on connections from outside the module. The local port value (lport) only appears on connections started on an internal interface.
Recommended Action None required.
Error Message %FWSM-4-405102: Unable to Pre-allocate H245 Connection for faddr faddr[/fport] to laddr laddr[/lport]
Explanation The module failed to allocate RAM system memory while starting a connection or has no memory available.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact customer technical support. Also, check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This message may also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory.
H.323
Error Message %FWSM-7-302004: Pre-allocate H323 UDP backconnection for faddr faddr/fport to laddr laddr/lport
Explanation This message indicates that an H.323 UDP back-connection is preallocated to a foreign address from a local address. This message is only generated if the module detects the use of an Intel Internet phone. The foreign port (fport) only displays on connections from outside the module. The local port value (lport) only appears on connections started on an internal interface.
Recommended Action None required.
Error Message %FWSM-4-405103: H323 RAS message AdmissionConfirm received from %I/%d to %I/%d without an AdmissionRequest
Explanation This message indicates that an H.323 RAS AdmissionConfirm message was received for which the module had not seen a preceding AdmissionRequest.
Recommended Action None required.
IP Fragmentation
Error Message %FWSM-4-209003: Fragment database limit of bytes exceeded: src = IP_addr, dest = IP_addr, proto = protocol, id = ID
Explanation Too many IP fragments are currently awaiting reassembly. The module limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the module under abnormal network conditions. In general, fragmented traffic should be a small percentage of the total traffic mix. A noticeable exception is a network environment with NFS over UDP. Consider NFS over TCP in this environment, if such traffic is to be relayed through the module.
Refer to the sysopt connection tcpmss bytes command page in Chapter 5 of the Configuration Guide for the Cisco Secure Firewall Version 5.3 for more information.
Recommended Action If this message persists, a DoS (denial of service) attack might be in progress. Contact the remote peer's administrator or upstream provider.
Error Message %FWSM-4-209004: Invalid IP fragment, size = bytes exceeds maximum size = bytes: An IP fragment is malformed.
Explanation The total size of the reassembled IP packet exceeds the maximum possible size of 65,535 bytes.
Recommended Action A possible intrusion event may be in progress. If this message persists, contact the remote peer's administrator or upstream provider.
Error Message %FWSM-4-209005: Discard IP fragment set with more than number elements: src = Too many elements are in a fragment set.
Explanation The module disallows any IP packet that is fragmented into more than 24 fragments.
Recommended Action A possible intrusion event may be in progress. If the message persists, contact the remote peer's administrator or upstream provider. You can change the number of fragments per packet by using the fragment chain xxx int_name command.
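The two fragment-set checks behind 209004 and 209005 can be stated precisely in terms of the IPv4 header fields. The following is an added example (not the module's implementation and not from this document): it computes the length a fragment set would have after reassembly from each fragment's 13-bit fragment-offset field (in 8-byte units) and payload length, rejects sets that would exceed 65,535 bytes, and rejects sets with more fragments than the default chain limit of 24 given above. A 20-byte IP header and the order in which the two checks run are assumptions; the page states neither.

```python
MAX_IP_PACKET = 65535   # largest total length an IPv4 packet can declare
IP_HEADER_LEN = 20      # assumed header length of the reassembled packet (no options)
DEFAULT_CHAIN = 24      # fragments per packet the module allows by default (from 209005)


def reassembled_length(fragments):
    """Total length the datagram would have once every fragment is placed.

    fragments: iterable of (offset_units, payload_len, more_fragments), where
    offset_units is the value of the 13-bit fragment-offset field (8-byte units)
    and payload_len is the number of bytes following the IP header in that fragment.
    """
    return IP_HEADER_LEN + max(off * 8 + length for off, length, _more in fragments)


def check_fragment_set(fragments, chain_limit=DEFAULT_CHAIN):
    """Return ('accept', None) or ('drop', message_id) for a fragment set.

    Assumption: the size check (209004) is evaluated before the chain-length
    check (209005). The page does not say which the module applies first.
    """
    fragments = list(fragments)
    if not fragments:
        raise ValueError("empty fragment set")
    if reassembled_length(fragments) > MAX_IP_PACKET:
        return ("drop", "209004")          # reassembled packet would exceed 65,535 bytes
    if len(fragments) > chain_limit:
        return ("drop", "209005")          # more fragments than the chain limit permits
    return ("accept", None)


def make_fragments(payload_len, mtu=1500):
    """Split a datagram payload the way a router would at the given MTU.

    Every non-final fragment carries the largest multiple of 8 bytes that fits
    in mtu - IP_HEADER_LEN (1480 bytes for a 1500-byte MTU).
    """
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags, off = [], 0
    while off < payload_len:
        length = min(chunk, payload_len - off)
        more = off + length < payload_len
        frags.append((off // 8, length, more))
        off += length
    return frags


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    normal = make_fragments(3000)                          # 3 fragments, 3020 bytes reassembled
    oversized = [(0, 1480, True), (8189, 1480, False)]     # 20 + 65512 + 1480 > 65535
    long_chain = [(i, 8, i < 24) for i in range(25)]       # 25 tiny fragments
    for name, fs in (("normal", normal), ("oversized", oversized), ("long_chain", long_chain)):
        print(f"{name}: {len(fs)} fragments, {reassembled_length(fs)} bytes -> {check_fragment_set(fs)}")
```

The oversized set is the shape of the classic "ping of death": a final fragment whose offset plus length lands past the 16-bit total-length limit, which a naive reassembler would write past the end of its buffer. The long-chain set shows that the 24-fragment default is generous for ordinary traffic (a 3000-byte payload needs three fragments at a 1500-byte MTU) and is mainly there to bound reassembly state, as the 209003 explanation says.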
SIP
Error Message %FWSM-7-607001: Pre-allocate SIP conn_type secondary channel for outside-interface:address/port to inside-interface:address from sip_message message
Explanation This message indicates that the SIP fixup preallocated a SIP connection after inspecting a SIP message.
Recommended Action None required.
Skinny
Error Message %FWSM-7-608001: Pre-allocate Skinny conn_type secondary channel for outside-interface:address to inside-interface:address/port from skinny_message message
Explanation This message indicates that the Skinny fixup preallocated a Skinny connection after inspecting a Skinny message.
Recommended Action None required.
RSH
Error Message %FWSM-3-201005: FTP data connection failed for IP_addr
Explanation This message indicates that the module cannot allocate a structure to track the data connection for FTP because of insufficient memory.
Recommended Action Reduce the amount of memory usage, or purchase additional memory.
RTSP
Error Message %FWSM-7-314001: Pre-allocate RTSP UDP back connection for faddr faddr/fport to laddr laddr/lport
Explanation This message indicates that the RTSP fixup preallocated an RTSP UDP back connection for the specified foreign address and port to the specified local address and port.
Recommended Action None required.
SMTP
Error Message %FWSM-2-108002: SMTP replaced chars: out src_addr in laddr data: chars
Explanation This message is generated by the fixup protocol smtp command. It indicates that the module replaced an invalid character in an e-mail address with a space.
Recommended Action None required.
TCP
Error Message %FWSM-2-106001: Inbound TCP connection denied from IP_addr/port to IP_addr/port flags TCP_flags on interface int_name
Explanation This message indicates that an attempt to connect to an inside address is denied by your security policy. Possible TCP_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the module, and it was dropped; the TCP_flags in that packet are FIN,ACK.
The TCP_flags are as follows:
• ACK—The acknowledgment number field is valid; the segment acknowledges received data.
• FIN—The sender has finished sending data.
• PSH—The receiver should pass the data to the application immediately (push).
• RST—The connection is reset.
• SYN—Sequence numbers are synchronized to start a connection.
• URG—The urgent pointer field is valid.
Recommended Action None required.
Error Message %FWSM-6-106015: Deny TCP (no connection) from IP_addr/port to IP_addr/port flags flags on interface int_name.
Explanation This message indicates that the module discards a TCP packet that has no associated connection in the module's connection table. The module looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set and there is no existing connection, the module discards the packet.
Recommended Action No action is required unless the module receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine why these packets were sent.
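The flags field is what separates the two situations 106001 and 106015 describe: a SYN without ACK is a fresh connection attempt that policy did not permit (or a probe), while FIN, ACK or RST without SYN is a segment for a connection the module no longer tracks (the "no connection" case). The following is an added example, not from this document or the module software: it parses both message templates, classifies each denial by its flags, and flags a source that sends SYN-only denials to several destination ports, which is the tracing step the 106015 action asks for. The sample lines are constructed; the parser accepts flags written either space-separated or comma-separated, since the page shows the comma form and the exact separator the module prints is not stated here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real module output) following the 106001,
# 106015 and 302013 templates documented on this page.
SAMPLE_LOG = """\
%FWSM-2-106001: Inbound TCP connection denied from 203.0.113.20/51001 to 198.51.100.10/22 flags SYN on interface outside
%FWSM-2-106001: Inbound TCP connection denied from 203.0.113.20/51002 to 198.51.100.10/23 flags SYN on interface outside
%FWSM-2-106001: Inbound TCP connection denied from 203.0.113.20/51003 to 198.51.100.10/3389 flags SYN on interface outside
%FWSM-6-106015: Deny TCP (no connection) from 203.0.113.30/443 to 198.51.100.10/50123 flags FIN ACK on interface outside.
%FWSM-6-106015: Deny TCP (no connection) from 203.0.113.30/443 to 198.51.100.10/50123 flags RST on interface outside.
%FWSM-6-302013: Built inbound TCP connection 77 for outside:203.0.113.40/40000 (203.0.113.40/40000) to inside:10.1.1.10/80 (198.51.100.10/80)
"""

PREFIX = re.compile(r"^%FWSM-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")

# One pattern per denial message; the flags field is whatever sits between
# "flags" and "on interface", and the interface name stops before a trailing period.
DENIED = {
    "106001": re.compile(
        r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) to "
        r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z, ]+?) on interface (?P<iface>[^\s.]+)"
    ),
    "106015": re.compile(
        r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) to "
        r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z, ]+?) on interface (?P<iface>[^\s.]+)"
    ),
}


def parse_flags(field):
    """'FIN ACK' or 'FIN,ACK' -> frozenset({'FIN', 'ACK'})."""
    return frozenset(f for f in re.split(r"[,\s]+", field.strip()) if f)


def classify(flags):
    """Why the module had no state for this segment."""
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"   # SYN that policy did not permit, or a probe
    return "out-of-state"                 # FIN/ACK/RST for a connection no longer tracked


def analyze_denials(log_text, scan_ports=3):
    """Count denials by kind and report sources whose SYN-only denials span
    at least scan_ports distinct destination ports."""
    counts = Counter()
    syn_ports = defaultdict(set)          # src -> destination ports hit with SYN-only
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m or m.group("id") not in DENIED:
            continue
        d = DENIED[m.group("id")].match(m.group("text"))
        if d is None:
            continue
        kind = classify(parse_flags(d.group("flags")))
        counts[kind] += 1
        if kind == "new-connection-attempt":
            syn_ports[d.group("src")].add(int(d.group("dport")))
    scan_candidates = {src: sorted(ports) for src, ports in syn_ports.items()
                       if len(ports) >= scan_ports}
    return {"counts": counts, "scan_candidates": scan_candidates}


if __name__ == "__main__":
    r = analyze_denials(SAMPLE_LOG)
    print(dict(r["counts"]))
    print("scan candidates:", r["scan_candidates"])
```

Out-of-state segments from a server port (443 above) back to a high client port are usually the tail of a connection whose idle timeout expired on the module before the endpoints closed it; they are noise unless they arrive in volume, which is exactly the threshold the 106015 action describes.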
Error Message %FWSM-6-302002: Teardown TCP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [reason] [(user)]
Explanation A TCP connection between two hosts was deleted. The fields are as follows:
• connection id is a unique identifier.
• interface, real-address, real-port identify the actual sockets.
• duration is the lifetime of the connection.
• bytes bytes is the data transfer of the connection.
• user is the AAA name of the user.
• reason is the action that caused the connection to terminate; it is one of the TCP termination reasons listed in Table 0-18.
Recommended Action None required.
Error Message %FWSM-3-201009: TCP connection limit of limit-count for host host-address on interface exceeded
Explanation This message indicates that the maximum number of connections to the specified static address was exceeded. The limit-count variable is the maximum number of connections permitted for the host specified by the host-address variable.
Recommended Action Use the show static and show nat commands to check the limit imposed on connections to an address. The limit is configurable.
Error Message %FWSM-6-302013: Built {inbound|outbound} TCP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port) [(user)]
Explanation A TCP connection slot between two hosts was created. If inbound is specified, then the original control connection was initiated from the outside.
Recommended Action None required.
Error Message %FWSM-6-302009: Rebuilt TCP connection id for faddr faddr/fport gaddr gaddr/gport laddr laddr/lport
Explanation This message appears after a TCP connection is rebuilt after a failover. A sync packet is not sent to the other module. The faddr IP address is the foreign host, the gaddr IP address is a global address on the lower security level interface, and the laddr IP address is the local IP address behind the module on the higher security level interface.
Recommended Action None required.
Error Message %FWSM-6-302010: conns in use, conns most used
Explanation This message appears after a TCP connection restarts. conns is the number of connections.
Recommended Action None required.
Error Message %FWSM-5-500003: Bad TCP hdr length (hdrlen=bytes, pktlen=bytes) from src_addr/sport to dest_addr/dport, flags: tcp_flags, on interface int_name
Explanation This message indicates that a TCP header length is incorrect. Some operating systems do not handle TCP RSTs (resets) correctly when responding to a connection request to a disabled socket. If a client tries to connect to an FTP server outside the module and FTP is not listening, the server sends an RST. Some operating systems send incorrect TCP header lengths in that RST, which causes this message. (UDP uses ICMP port unreachable messages for the same purpose.)
The TCP header length may be larger than the packet length, resulting in a negative number of bytes being transferred. A negative number is displayed by syslog as an unsigned number, making it appear far larger than would be normal; for example, showing 4 GB transferred in 1 second.
Recommended Action None required. This message should occur infrequently.
UDP
Error Message %FWSM-2-106006: Deny inbound UDP from faddr/fport to laddr/lport on interface int_name.
Explanation This message indicates that an inbound UDP packet is denied by your security policy.
Recommended Action None required.
Error Message %FWSM-2-106007: Deny inbound UDP from faddr/fport to laddr/lport due to DNS flag.
Explanation This message indicates that a UDP packet containing a DNS query or response is denied. The flag variable is either Response or Query.
Recommended Action If the inside port number is 53, the inside host is probably set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.
Error Message %FWSM-6-302015: Built {inbound|outbound} UDP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port) [(user)]
Explanation A UDP connection slot between two hosts was created. If inbound is specified, then the original control connection was initiated from the outside.
Recommended Action None required.
Error Message %FWSM-6-302016: Teardown UDP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [(user)]
Explanation A UDP connection slot between two hosts was deleted.
Recommended Action None required.
SSH
Error Message %FWSM-3-315001: Denied SSH session from IP_addr on interface int_name
Explanation This message indicates that the module denies an attempt to connect to the SSH port from the specified IP address on the specified network interface.
Recommended Action From the console, enter the show ssh command to verify that the module is configured to permit SSH access from the host or network.
Error Message %FWSM-6-315002: Permitted SSH session from IP_addr on interface int_name for user "user_id"
Explanation This message indicates that an SSH session starts. The IP_addr is the address of the host with the SSH client. The int_name is the interface through which the SSH session is started. The user_id is the username under which the client is logging in. Use the show ssh sessions command to view the status of SSH sessions.
Recommended Action None required.
Error Message %FWSM-6-315003: SSH login session failed from IP_addr on (num attempts) on interface int_name by user "user_id"
Explanation This message appears after an incorrect user ID or password was entered a certain number of times on the same connection. Up to three attempts are allowed to log into an SSH console session. The IP_addr is the address of the host with the SSH client. The int_name is the interface through which the SSH session is started. The user_id is the username that the client attempted to log in as.
Recommended Action If this message appears infrequently, no action is required. If this message appears frequently, it can indicate an attack. Inform the user to verify their username and password.
Error Message %FWSM-3-315004: Fail to establish SSH session because FWSM RSA host key retrieval failed.
Explanation This message indicates that the module cannot find its RSA host key, which is required for establishing an SSH session. The host key may be absent because no module host key has been generated or because the license for this module does not allow DES or 3DES.
Recommended Action From the console, enter the show ca mypubkey rsa command to verify that the module's RSA host key is present. If it is not, also enter the show version command to check whether the module's license allows DES or 3DES.
Error Message %FWSM-4-315005: SSH session limit exceeded. Connection request from IP_addr on interface int_name
Explanation This message indicates that the maximum number of SSH connections to the module is exceeded. The module denies any attempt to connect to its SSH port from the specified IP address on the specified network.
Recommended Action None required.
Error Message %FWSM-6-315011: SSH session from IP_addr on interface int_name for user "user_id" terminated normally
%FWSM-6-315011: SSH session from IP_addr on interface int_name for user "user_id" disconnected by SSH server, reason: "text"
Explanation This message appears after an SSH session completes. If you enter quit or exit, this message displays terminated normally. If the session disconnected for another reason, the text describes the reason.
Recommended Action None required.
Telnet
Error Message %FWSM-6-307001: Denied Telnet login session from IP_addr on interface int_name.
Explanation The module denied an attempt to connect to its Telnet port from the specified IP address on the specified interface.
Recommended Action From the console, enter the show telnet command to verify that the module is configured to permit Telnet access from that host or network. From the Firewall Manager, select Administration>Telnet Hosts for host information.
Error Message %FWSM-6-307002: Permitted Telnet login session from IP_addr
Explanation This message logs a successful Telnet connection to the module.
Recommended Action None required.
Error Message %FWSM-6-307003: telnet login session failed from IP_addr (num attempts) on interface int_name.
Explanation An incorrect Telnet password was entered num times for the same connection. Up to three attempts are allowed to log into a console Telnet session.
Recommended Action Verify the password and try again. If this message appears repeatedly from an address that is not one of your management hosts, it can indicate a password-guessing attack; restrict Telnet access to those hosts with the telnet command.
AAA and ACL
Error Message %FWSM-4-106019: IP packet from src_addr to dest_addr, protocol protocol received from interface int_name deny by access-group acl_ID
Explanation An IP packet was denied by the access list that you bound to the interface with the access-group command.
Recommended Action None required.
Error Message %FWSM-6-109001: Auth start for user `username' from laddr/lport to faddr/fport
Explanation The module is configured for AAA and detected an authentication request for the specified user.
Recommended Action None required.
Error Message %FWSM-6-109002: Auth from laddr/lport to faddr/fport failed (server IP_addr failed) on interface int_name.
Explanation An authentication request failed because the module could not contact the specified authentication server.
Recommended Action Verify that the authentication daemon is running on the specified authentication server and that the module can reach it.
Error Message %FWSM-6-109003: Auth from laddr to faddr/fport failed (all servers failed) on interface int_name.
Explanation None of the configured authentication servers could be reached.
Recommended Action Ping the authentication servers from the module. Make sure the daemons are running.
Error Message %FWSM-6-109005: Authentication succeeded for user `user' from laddr/lport to faddr/fport on interface int_name.
Explanation The specified authentication request succeeded.
Recommended Action None required.
Error Message %FWSM-6-109006: Authentication failed for user `user' from laddr/lport to faddr/fport on interface int_name.
Explanation The specified authentication request failed, possibly because of a wrong password.
Recommended Action None required.
Error Message %FWSM-6-109007: Authorization permitted for user `user' from laddr/lport to faddr/fport on interface int_name.
Explanation The specified authorization request succeeded.
Recommended Action None required.
Error Message %FWSM-6-109008: Authorization denied for user `user' from faddr/fport to laddr/lport on interface int_name.
Explanation The AAA server did not authorize the specified user to access the specified address or service. The user was already authenticated; it is the authorization, not the password, that failed.
Recommended Action None required.
Error Message %FWSM-3-109010: Auth from laddr/lport to faddr/fport failed (too many pending auths) on interface int_name.
Explanation An authentication request could not be processed because the module already has too many authentication requests pending.
Recommended Action Check whether the authentication server is too slow to respond to authentication requests. Enable Flood Guard with the floodguard enable command so that the module reclaims resources held by stale pending authentications when it runs short of them.
Error Message %FWSM-2-109011: Authen Session Start: user 'user', sid session_num
Explanation An authentication session started between the host and the module and has not yet completed.
Recommended Action None required.
Error Message %FWSM-5-109012: Authen Session End: user 'user', sid session_num, elapsed num seconds
Explanation The authentication cache entry for the user timed out. The user must reauthenticate on the next connection. You can change the duration of this timer with the timeout uauth command.
Recommended Action None required.
Error Message %FWSM-3-109013: User must authenticate before using this service
Explanation The user must be authenticated before using the service.
Recommended Action Authenticate using FTP, Telnet, or HTTP before using the service.
Error Message %FWSM-6-109015: Authorization denied (acl=acl_ID) for user 'username' from src_addr/src_port to dest_addr/dest_port on interface int_name
Explanation The access list check failed: the connection either matched a deny entry or matched nothing and fell through to the implicit deny. The connection was denied by the per-user access list that the AAA authorization policy on Cisco Secure ACS assigned to the user.
Recommended Action None required.
Error Message %FWSM-3-109016: Downloaded authorization access-list acl_ID not found for user 'username'
Explanation The access-list command statement ID that the remote AAA server returned for the user is not configured on the module. This error can occur if you configure the AAA server before configuring the module.
Recommended Action Use the same access-list command statement ID on the module as you specified on the AAA server.
Error Message %FWSM-5-111008: User 'user' executed the 'cmd' command.
Explanation The user executed a command that changes the configuration.
Recommended Action None required.
Error Message %FWSM-3-302302: ACL = deny; no sa created
Explanation Proxy identity mismatch. The proxy hosts for the negotiated SA correspond to a deny entry in the crypto access list (the access-list command statement referenced by the crypto map), so no security association was created.
Recommended Action Check the access-list command statement in the configuration. Contact the administrator for the peer.
Error Message %FWSM-7-701001: alloc_user() out of Tcp_user objects
Explanation The user authentication rate is too high for the module to handle new AAA requests.
Recommended Action Enable Flood Guard with the floodguard enable command.
Error Message %FWSM-4-106023: Deny protocol src [inbound-interface]:[src_address / src_port] dst outbound-interface:dst_address / dst_port [type {type}, code {code}] by access_group access-list-name
Explanation An IP packet was denied by the access list. For ICMP, the type and code fields appear in place of ports.
Recommended Action Change the access list if a permit policy is desired. If messages persist from the same source address, they could indicate a footprinting or port-scanning attempt; contact the remote host administrator.
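The SSH (315003), Telnet (307003) and ACL-deny (106023) messages above carry the same operational advice: a few are normal, many from one source are not. The following Python script is an added example, not part of this Cisco document or of the FWSM software. It parses constructed sample lines written in the documented message formats, sums the failed login sessions and attempts per source, counts the distinct host/port pairs each source was denied against, and flags sources that cross a threshold. The sample addresses, the access list name and the thresholds are assumptions chosen for illustration.

```python
"""Triage FWSM syslog lines: repeated login failures (315003/307003) and ACL denies (106023) per source."""
import re
from collections import Counter, defaultdict

# Constructed sample lines, not captured from a device; they follow the documented message text.
SAMPLE_LOG = """\
%FWSM-6-315003: SSH login session failed from 10.1.1.7 on (3 attempts) on interface inside by user "admin"
%FWSM-6-315003: SSH login session failed from 10.1.1.7 on (3 attempts) on interface inside by user "root"
%FWSM-6-307003: telnet login session failed from 10.1.1.7 (3 attempts) on interface inside.
%FWSM-6-315003: SSH login session failed from 10.1.1.9 on (3 attempts) on interface inside by user "cisco"
%FWSM-4-106023: Deny tcp src outside:192.0.2.44/51001 dst inside:10.1.2.5/22 by access_group outside_in
%FWSM-4-106023: Deny tcp src outside:192.0.2.44/51002 dst inside:10.1.2.5/23 by access_group outside_in
%FWSM-4-106023: Deny tcp src outside:192.0.2.44/51003 dst inside:10.1.2.5/80 by access_group outside_in
%FWSM-4-106023: Deny tcp src outside:192.0.2.44/51004 dst inside:10.1.2.5/443 by access_group outside_in
%FWSM-4-106023: Deny udp src outside:198.51.100.3/4444 dst inside:10.1.2.9/161 by access_group outside_in
"""

HEADER = re.compile(r"%FWSM-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)")
# 315003 (SSH) and 307003 (Telnet) share the "login session failed from <ip> ... (<n> attempts)" shape.
LOGIN_FAIL = re.compile(r"login session failed from (?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?\((?P<n>\d+) attempts?\)")
# 106023: Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> [type t, code c] by access_group <acl>
ACL_DENY = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>[^:\s]+):(?P<src>[\d.]+)\s*/\s*(?P<sport>\d+) "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)\s*/\s*(?P<dport>\d+).*?by access_group (?P<acl>\S+)")


def parse_line(line):
    """Split the %FWSM-<severity>-<id>: prefix from the message text; None for non-FWSM lines."""
    m = HEADER.search(line)
    if not m:
        return None
    return {"severity": int(m["sev"]), "id": m["id"], "text": m["text"]}


def login_failures(log_text):
    """Return (sessions, attempts) Counters keyed by source IP; each 315003/307003 is one exhausted session."""
    sessions, attempts = Counter(), Counter()
    for line in log_text.splitlines():
        msg = parse_line(line)
        if not msg or msg["id"] not in ("315003", "307003"):
            continue
        m = LOGIN_FAIL.search(msg["text"])
        if m:
            sessions[m["src"]] += 1
            attempts[m["src"]] += int(m["n"])
    return sessions, attempts


def acl_deny_targets(log_text):
    """Return {src_ip: {(dst_ip, proto, dst_port)}} for every 106023 deny."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        msg = parse_line(line)
        if not msg or msg["id"] != "106023":
            continue
        m = ACL_DENY.search(msg["text"])
        if m:
            targets[m["src"]].add((m["dst"], m["proto"], int(m["dport"])))
    return targets


def findings(log_text, session_threshold=2, port_threshold=3):
    """Thresholds are assumptions: tune them to the size of your management population."""
    out = []
    sessions, attempts = login_failures(log_text)
    for src, n in sessions.items():
        if n >= session_threshold:
            out.append(f"possible brute force: {src} exhausted {n} login sessions ({attempts[src]} attempts)")
    for src, tgts in acl_deny_targets(log_text).items():
        pairs = {(dst, port) for dst, _proto, port in tgts}
        if len(pairs) >= port_threshold:
            out.append(f"possible port scan: {src} was denied to {len(pairs)} host/port pairs")
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE_LOG):
        print(finding)
```

Run it against a syslog export from the module; it reports 10.1.1.7 and 192.0.2.44 from the constructed sample and stays quiet about the single failures, which is the distinction the Recommended Action text draws.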
Error Message %FWSM-5-501101: User transitioning priv level
Explanation The privilege level of a command was changed.
Recommended Action None required.
Error Message %FWSM-5-502101: New user added to local dbase: Uname: username Priv: priv_lvl Encpass: encrypted_paswd
Explanation A new user was added to the local database.
Recommended Action None required.
Error Message %FWSM-5-502102: User deleted from local dbase: Uname: username Priv: priv_lvl Encpass: encrypted_paswd
Explanation A user was deleted from the local database.
Recommended Action None required.
Error Message %FWSM-5-502103: User priv level changed: Uname: username From: old_priv_lvl To: new_priv_lvl
Explanation The privilege level of a user in the local database was changed.
Recommended Action None required.
Error Message %FWSM-6-610101: Authorization failed: Cmd: cmd_string Cmdtype: command_modifier
Explanation Command authorization failed for the specified command.
Recommended Action None required.
Error Message %FWSM-6-611101: User authentication succeeded: Uname: username
Explanation User authentication succeeded when accessing the module.
Recommended Action None required.
Error Message %FWSM-6-611102: User authentication failed: Uname: username
Explanation User authentication failed when attempting to access the module.
Recommended Action None required.
Error Message %FWSM-5-611103: User logged out: Uname: username
Explanation The specified user logged out.
Recommended Action None required.
Configuration
Error Message %FWSM-5-111001: Begin configuration: IP_addr writing to device
Explanation You entered the write command to store your configuration on a device (floppy, Flash memory, TFTP, the failover standby module, or the console terminal). The IP address indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action None required.
Error Message %FWSM-6-199005: FWSM Startup begin
Explanation The module is starting up.
Recommended Action None required.
Error Message %FWSM-7-709001: FO replication failed: cmd=command returned=code
%FWSM-7-709002: FO unreplicable: cmd=command
Explanation These failover messages appear only during the development debug testing phase.
Recommended Action None required.
Error Message %FWSM-1-709003: (Primary) Beginning configuration replication: Sending to mate.
Explanation The active module started replicating its configuration to the standby module. (Primary) reads (Secondary) when the message comes from the secondary module.
Recommended Action None required.
Error Message %FWSM-1-709004: (Primary) End Configuration Replication (ACT)
Explanation The active module finished replicating its configuration to the standby module. (Primary) reads (Secondary) when the message comes from the secondary module.
Recommended Action None required.
Error Message %FWSM-1-709005: (Primary) Beginning configuration replication: Receiving from mate.
Explanation The standby module received the first part of the configuration replication from the active module. (Primary) reads (Secondary) when the message comes from the secondary module.
Recommended Action None required.
Error Message %FWSM-1-709006: (Primary) End Configuration Replication (STB)
Explanation The standby module finished replicating the configuration sent by the active module. (Primary) reads (Secondary) when the message comes from the secondary module.
Recommended Action None required.
Error Message %FWSM-2-709007: Configuration replication failed for command command_name
Explanation The standby module could not complete replicating the configuration sent by the active module. The command that caused the failure appears at the end of the message.
Recommended Action Write down the command name and contact customer technical support.
FWSM Management
Error Message %FWSM-5-111003: IP_addr Erase configuration
Explanation You erased the contents of Flash memory, either by entering the write erase command at the console or by clicking OK to clear Flash memory in the Firewall Manager. The IP address indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action After erasing the configuration, you must reconfigure the module and save the new configuration. Alternatively, restore a configuration that was previously saved on floppy or on a TFTP server elsewhere on the network.
Error Message %FWSM-5-111004: IP_addr end configuration: [FAILED]|[OK]
Explanation You entered the config floppy/memory/network command or the write floppy/memory/network/standby command. The IP_addr indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action No action is required if the message ends with OK. If the message indicates a failure, try to fix the problem. For example, if writing to a floppy, ensure that the floppy is not write protected; if writing to a TFTP server, ensure that the server is up.
Error Message %FWSM-5-111005: IP_addr end configuration: OK
Explanation You exited configuration mode. The IP address indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action None required.
Error Message %FWSM-5-111006: Console Login from user at IP_addr
Explanation You connected to the module. If authentication is enabled, the username is reported; otherwise, the string nobody appears. The IP address indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action None required.
Error Message %FWSM-5-111007: Begin configuration: IP_addr reading from device.
Explanation You entered the reload or configure command to read in a configuration. The device text can be floppy, memory, net, standby, or terminal. The IP address indicates whether the login was made at the console port or through a Telnet connection.
Recommended Action None required.
Error Message %FWSM-7-111009: User user_name executed cmd:command
Explanation This message is for accounting purposes. You entered a command that does not modify the configuration.
Recommended Action None required.
Error Message %FWSM-2-112001: FWSM clear finished.
Explanation A request to clear the module configuration has finished. The source file and line number are identified.
Recommended Action None required.
Error Message %FWSM-5-199001: FWSM reload command executed from IP_addr.
Explanation This message gives the address of the host that initiated a module reboot with the reload command.
Recommended Action None required.
Error Message %FWSM-6-199002: FWSM startup completed. Beginning operation.
Explanation The module finished its initial boot and Flash memory reading sequence and is ready to begin normal operation.
Recommended Action None required.
Error Message %FWSM-6-308001: FWSM console enable password incorrect for num tries (from IP_addr).
Explanation The password to enter privileged mode was typed incorrectly num times. The maximum is three attempts.
Recommended Action The privileged mode password is not necessarily the same as the password for Telnet access to the module. Verify the password and try again.
Error Message %FWSM-3-309001: Denied manager connection from IP_addr.
Explanation The module denied an attempt by a Firewall Manager to connect from the specified IP address.
Recommended Action None required.
Error Message %FWSM-6-309002: Permitted manager connection from IP_addr.
Explanation A Firewall Manager connected successfully.
Recommended Action None required.
Error Message %FWSM-4-309004: Manager session limit exceeded. Connection request from IP_addr on interface int_name
Explanation The maximum number of module management connections has been exceeded. The module denies the attempt to connect to its management port from the specified IP address on the specified interface.
Recommended Action None required.
PDM
Error Message %FWSM-6-606001: PDM session number num from IP_addr started
Explanation A PDM session has started.
Recommended Action None required.
Error Message %FWSM-6-606002: PDM session number num from IP_addr ended
Explanation A PDM session has ended.
Recommended Action None required.
Stateful Failover
Error Message %FWSM-3-210001: LU SW_Module_Name error = error_code
Explanation A Stateful Failover error occurred in the named software module.
Recommended Action If this error persists after traffic through the module lessens, report it to customer support.
Error Message %FWSM-3-210002: LU allocate block (size) failed.
Explanation Stateful Failover could not allocate a memory block to transmit state information to the standby module.
Recommended Action Check that the failover interface is transmitting normally with the show interface command. Also check the memory blocks with the show block command. If the current available count is 0 for any block size, reload the module software to recover the lost blocks.
Error Message %FWSM-3-210003: Unknown LU Object ID
Explanation Stateful Failover received an unsupported Logical Update object and could not process it. This can be caused by corrupted memory, LAN transmission errors, and other events.
Recommended Action If you see this error infrequently, no action is required. If it occurs frequently, check the Stateful Failover link LAN connection. If the error was not caused by a faulty failover link, determine whether an external user is trying to compromise the protected network, and check for incorrectly configured clients.
Note
We recommend that you use separate links for the failover interface and the Stateful Failover (logical update) interface. Packets on the failover link are tagged with a higher QoS priority. Because stateful traffic can be high in volume, carrying both on the same link negates the advantage of prioritizing failover traffic.
Error Message %FWSM-3-210005: LU allocate connection failed
Explanation Stateful Failover cannot allocate a new connection on the standby module, probably because little or no free memory is available on the module.
Recommended Action Check the available memory with the show memory command to make sure the module has free memory. If there is no available memory, add more physical memory to the module.
Error Message %FWSM-3-210006: LU look NAT for IP_addr failed
Explanation Stateful Failover could not locate a NAT group for the IP address on the standby module. The active and standby modules are probably out of synchronization.
Recommended Action Enter the write standby command on the active module to synchronize system memory with the standby module.
Error Message %FWSM-3-210007: LU allocate xlate failed
Explanation Stateful Failover failed to allocate a translation slot (xlate) record.
Recommended Action Check the available memory with the show memory command to make sure the module has free memory. If the memory has been used up, you may need to add more physical memory.
Error Message %FWSM-3-210008: LU no xlate for laddr/l_port faddr/f_port
Explanation Stateful Failover could not find a translation slot (xlate) record for a connection and could not process the connection information.
Recommended Action Enter the write standby command on the active module to synchronize system memory between the active and standby modules.
Error Message %FWSM-3-210010: LU make UDP connection for faddr:f_port laddr:l_port failed
Explanation Stateful Failover could not allocate a new record for a UDP connection.
Recommended Action Check the available memory with the show memory command to make sure the module has free memory. If the memory has been used up, you may need to add more physical memory.
Error Message %FWSM-3-210020: LU PAT port port_number reserve failed
Explanation Stateful Failover could not reserve the specified PAT port on the standby module because it is already in use.
Recommended Action If this error reappears frequently, enter the write standby command on the active module to synchronize system memory between the active and standby modules.
Error Message %FWSM-3-210021: LU create static xlate global_IP ifc int_name failed
Explanation Stateful Failover could not create a static translation slot (xlate).
Recommended Action If this error reappears frequently, enter the write standby command on the active module to synchronize system memory between the active and standby modules.
Error Message %FWSM-6-210022: LU missed number updates
Explanation Stateful Failover assigns a sequence number to each record sent to the standby module. When a received record's sequence number does not follow that of the last record applied, the records in between are assumed lost and this message reports how many were missed.
Recommended Action Unless there are LAN interruptions, check the available memory on both modules to ensure there is enough memory to process the stateful information. Use the show failover command to monitor the quality of stateful information updates.
Error Message %FWSM-6-311001: LU loading standby start
Explanation Stateful Failover started sending update information to the standby module.
Recommended Action None required.
Error Message %FWSM-6-311002: LU loading standby end
Explanation Stateful Failover finished sending update information to the standby module.
Recommended Action None required.
Error Message %FWSM-6-311003: LU recv thread up
Explanation An update acknowledgment was received from the standby module.
Recommended Action None required.
Error Message %FWSM-6-311004: LU xmit thread up
Explanation A Stateful Failover update was transmitted to the standby module.
Recommended Action None required.
Memory and Resource Allocation
This section contains the messages related to memory and resource allocation.
Error Message %FWSM-3-211001: Memory allocation Error
Explanation The module failed to allocate system RAM.
Recommended Action If this message occurs only occasionally, it can be ignored. If it repeats frequently, contact customer technical support.
Error Message %FWSM-2-211003: CPU Utilization for number_seconds seconds = cpu_utilization
Explanation The reported CPU utilization exceeds 100 percent. number_seconds is the measurement interval in seconds and cpu_utilization is the percentage of CPU usage, which in this message is a value greater than 100 percent.
Recommended Action Report this error to customer technical support.
SNMP
This section contains the messages generated by SNMP.
Error Message %FWSM-3-212001: Unable to open SNMP channel (UDP port udp_port) on interface interface_name, error code = code
Explanation The module cannot receive SNMP requests destined for the module from SNMP management stations on this interface. This does not affect SNMP traffic passing through the module on any interface. An error code of -1 indicates that the module could not open the SNMP transport for the interface.
Recommended Action After the module reclaims some of its resources when traffic is lighter, enter the snmp-server host command for that interface again.
Error Message %FWSM-3-212002: Unable to open SNMP trap channel (UDP port udp_port) on interface interface_name, error code = code
Explanation The module cannot send its SNMP traps to SNMP management stations on this interface. This does not affect SNMP traffic passing through the module on any interface. An error code of -1 indicates that the module could not open the SNMP trap transport for the interface. An error code of -2 indicates that the module could not bind the SNMP trap transport for the interface.
Recommended Action After the module reclaims some of its resources when traffic is lighter, enter the snmp-server host command for that interface again.
Error Message %FWSM-3-212003: Unable to receive an SNMP request on interface interface_name, error code = code, will try again.
Explanation An internal error occurred while receiving an SNMP request on the interface.
Recommended Action None required. The module SNMP agent waits for the next SNMP request.
Error Message %FWSM-3-212004: Unable to send an SNMP response to IP Address IP_addr Port port interface interface_name, error code = code
Explanation An internal error occurred while sending an SNMP response from the module to the specified host on the specified interface.
Recommended Action None required.
Error Message %FWSM-3-212005: incoming SNMP request (number bytes) on interface int_name exceeds data buffer size, discarding this SNMP request.
Explanation The incoming SNMP request destined for the module is longer than the internal data buffer (512 bytes) used to store the request during processing, so the module cannot process it. This does not affect SNMP traffic passing through the module on any interface.
Recommended Action Configure the SNMP management station to send shorter requests; for example, instead of querying many MIB variables in one request, query fewer variables per request. You may need to modify the configuration of the SNMP manager software.
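To see why a request for many MIB variables overruns the 512-byte buffer that message 212005 describes, and how to size requests that fit, the following Python script BER-encodes an SNMPv1 GetRequest by hand and splits a constructed list of IF-MIB ifTable OIDs into requests of at most 512 bytes. It is an added example, not part of this Cisco document or of any SNMP manager; the community string, the OID list and the batch limit are assumptions taken from the text, and nothing is sent on the network.

```python
"""BER-encode SNMPv1 GetRequests and batch OIDs so no request exceeds a 512-byte agent buffer."""


def ber_length(n):
    """BER definite-form length: one byte below 128, otherwise 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Tag-length-value wrapper used for every ASN.1 element below."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value):
    """INTEGER (tag 0x02) for non-negative values; the extra bit keeps the sign bit clear."""
    if value < 0:
        raise ValueError("negative integers are not needed for these PDUs")
    if value == 0:
        return tlv(0x02, b"\x00")
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def encode_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): arcs one and two fold into 40*x+y, later arcs are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] > 39:
        raise ValueError("malformed OID")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def encode_get_request(community, oids, request_id=1, version=0):
    """Message ::= SEQUENCE { version INTEGER (0 = SNMPv1), community OCTET STRING, GetRequest-PDU [0] }
    GetRequest-PDU ::= { request-id, error-status 0, error-index 0, SEQUENCE OF { name, NULL } }"""
    varbinds = b"".join(tlv(0x30, encode_oid(oid) + tlv(0x05, b"")) for oid in oids)
    pdu = ber_integer(request_id) + ber_integer(0) + ber_integer(0) + tlv(0x30, varbinds)
    return tlv(0x30, ber_integer(version) + tlv(0x04, community.encode()) + tlv(0xA0, pdu))


def batch_oids(community, oids, max_bytes=512):
    """Greedy split keeping every encoded GetRequest at or under max_bytes, the module's buffer size."""
    batches, current = [], []
    for oid in oids:
        if current and len(encode_get_request(community, current + [oid])) > max_bytes:
            batches.append(current)
            current = []
        current.append(oid)
        if len(encode_get_request(community, current)) > max_bytes:
            raise ValueError(f"OID {oid} alone does not fit in {max_bytes} bytes")
    if current:
        batches.append(current)
    return batches


# Constructed query: ifDescr (column 2), ifInOctets (10) and ifOutOctets (16) for 40 ifTable rows.
IF_TABLE_OIDS = [f"1.3.6.1.2.1.2.2.1.{column}.{index}" for column in (2, 10, 16) for index in range(1, 41)]

if __name__ == "__main__":
    whole = encode_get_request("public", IF_TABLE_OIDS)
    print(f"{len(IF_TABLE_OIDS)} OIDs in one GetRequest = {len(whole)} bytes; the module would log 212005 and drop it")
    for n, batch in enumerate(batch_oids("public", IF_TABLE_OIDS), 1):
        print(f"batch {n}: {len(batch)} OIDs, {len(encode_get_request('public', batch))} bytes")
```

With the constructed list every varbind encodes to 16 bytes, so 30 ifTable variables land exactly on 512 bytes and the script produces four batches; a GetBulk or a longer community string changes the arithmetic, which is why the sizing is computed from the actual encoding rather than from a fixed variable count.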
DHCP
Error Message %FWSM-6-604103: DHCP daemon interface int_name: address granted MAC_addr (IP_addr)
Explanation The module DHCP server granted an IP address to an external client.
Recommended Action None required.
Error Message %FWSM-6-604104: DHCP daemon interface int_name: address released
Explanation An external client released an IP address back to the module DHCP server.
Recommended Action None required.
VPN
Error Message %FWSM-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=IP_addr, prot=protocol, spi=spi
Explanation The module received an IPSec packet whose SPI does not exist in the security association (SA) database. This may be a temporary condition caused by slight differences in SA aging between the IPSec peers, or the local SAs may have been cleared. It may also be caused by incorrect packets sent by the IPSec peer, and it might indicate an attack.
Recommended Action The peer may not have noticed that the local SAs were cleared. If a new connection is established from the local module, the two peers may reestablish the SAs successfully. Otherwise, if the problem persists for more than a brief period, either attempt to establish a new connection or contact the peer's administrator.
Error Message %FWSM-4-402102: decapsulate: packet missing packet_type, destadr=dest_addr, actual prot=protocol
Explanation The received IPSec packet is missing an expected AH or ESP header; packet_type is AH or ESP. The peer is sending packets that do not match the negotiated security policy. This may be an attack.
Recommended Action Contact the peer's administrator.
Error Message %FWSM-4-402103: identity doesn't match negotiated identity (ip) dest_addr= IP_addr, src_addr= IP_addr, prot= protocol, (ident) local=IP_addr, remote=IP_addr, local_proxy=IP_addr/IP_addr/port/port, remote_proxy=IP_addr/IP_addr/port/port
Explanation A decapsulated IPSec packet does not match the negotiated identity (proxy). The peer is sending other traffic through this security association. This may be a security association selection error by the peer, or it may be a hostile event.
Recommended Action Contact the peer's administrator to compare policy settings.
Error Message %FWSM-4-402106: Rec'd packet not an IPSEC packet (ip) dest_addr= IP_addr, src_addr= IP_addr, prot= protocol
Explanation The received packet matched the crypto map ACL but is not IPSec-encapsulated; the IPSec peer is sending unencapsulated packets. This may result from a policy setup error on the peer, or it may be a hostile event.
Recommended Action Contact the peer's administrator to compare policy settings.
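The three decapsulation checks behind messages 402101, 402102 and 402106 can be modelled on raw packets. The following Python script is an added example, not FWSM code: it parses an IPv4 header and the ESP or AH header, looks the SPI up in a constructed inbound SA table, and returns the message number the module would log. The SA table, the crypto ACL selector and the packets are constructed for illustration; the inner-identity check of 402103 needs the decrypted payload and is not modelled.

```python
"""Model the FWSM decapsulation checks behind messages 402101, 402102 and 402106 on raw IPv4 packets."""
import struct
from ipaddress import ip_address, ip_network

ESP, AH = 50, 51  # IP protocol numbers


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); IHL is honoured so IP options do not shift the payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return str(ip_address(src)), str(ip_address(dst)), proto, pkt[ihl:]


def ipsec_spi(proto, payload):
    """ESP carries the SPI in its first four bytes; AH has next-header, length and reserved bytes first."""
    offset = 0 if proto == ESP else 4
    if len(payload) < offset + 8:
        raise ValueError("truncated IPsec header")
    return struct.unpack("!I", payload[offset:offset + 4])[0]


def matches_crypto_acl(src, dst, crypto_acl):
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d) for s, d in crypto_acl)


def classify(pkt, crypto_acl, sa_db):
    """crypto_acl: (src_net, dst_net) selectors whose traffic must arrive protected.
    sa_db: {(local_dst, proto, spi): {"peer": ip, "bundle": {protocols negotiated for this SA}}}.
    Returns (message number or status, detail text)."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto not in (ESP, AH):
        if matches_crypto_acl(src, dst, crypto_acl):
            return "402106", f"Rec'd packet not an IPSEC packet dest_addr={dst}, src_addr={src}, prot={proto}"
        return "pass", "cleartext that no crypto map entry covers"
    spi = ipsec_spi(proto, payload)
    sa = sa_db.get((dst, proto, spi))
    if sa is None:
        return "402101", f"rec'd IPSEC packet has invalid spi for destaddr={dst}, prot={proto}, spi=0x{spi:08x}"
    # An AH+ESP bundle has AH outermost, so the AH next-header byte must announce ESP underneath.
    if proto == AH and ESP in sa["bundle"] and payload[0] != ESP:
        return "402102", f"packet missing ESP, destadr={dst}, actual prot={payload[0]}"
    return "ok", f"SA with peer {sa['peer']} spi=0x{spi:08x}"


# --- constructed fixtures, not captured traffic ---
def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header without options; the checksum stays zero because nothing here verifies it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return header + payload


def esp_header(spi, seq):
    return struct.pack("!II", spi, seq)


def ah_header(next_header, spi, seq, icv=b"\x00" * 12):
    # AH payload length is in 32-bit words minus 2: (12 fixed + 12 ICV) / 4 - 2 = 4
    return struct.pack("!BBHII", next_header, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv


CRYPTO_ACL = [("198.51.100.0/24", "203.0.113.0/24")]
SA_DB = {
    ("203.0.113.1", ESP, 0x1000A001): {"peer": "198.51.100.20", "bundle": {ESP}},
    ("203.0.113.1", AH, 0x2000B002): {"peer": "198.51.100.20", "bundle": {AH, ESP}},
}
PACKETS = {
    "esp_known_spi": build_ipv4("198.51.100.20", "203.0.113.1", ESP, esp_header(0x1000A001, 7) + b"\x00" * 16),
    "esp_unknown_spi": build_ipv4("198.51.100.20", "203.0.113.1", ESP, esp_header(0xDEADBEEF, 1) + b"\x00" * 16),
    "clear_in_crypto_acl": build_ipv4("198.51.100.20", "203.0.113.1", 6, b"\x00" * 20),
    "ah_without_esp": build_ipv4("198.51.100.20", "203.0.113.1", AH, ah_header(6, 0x2000B002, 3) + b"\x00" * 20),
    "ah_over_esp": build_ipv4("198.51.100.20", "203.0.113.1", AH, ah_header(ESP, 0x2000B002, 3) + esp_header(0x2000B003, 3)),
    "clear_outside_acl": build_ipv4("192.0.2.1", "203.0.113.1", 6, b"\x00" * 20),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        code, detail = classify(pkt, CRYPTO_ACL, SA_DB)
        print(f"{name:20s} -> {code}: {detail}")
```

Feeding the same classifier a capture from the outside interface while the module logs 402101 tells you whether the peer is replaying a stale SPI (one SPI repeated) or the local SAs were cleared (several recent SPIs all unknown), which decides between waiting for rekey and calling the peer's administrator.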
Error Message %FWSM-4-404101: ISAKMP: Failed to allocate address for client from pool pool_id
Explanation The Internet Security Association and Key Management Protocol (ISAKMP) failed to allocate an IP address for the VPN client from the pool you specified with the ip local pool command, usually because the pool has no free addresses.
Recommended Action Enter the ip local pool command to add IP addresses to the pool.
Error Message %FWSM-6-602102: Adjusting IPSec tunnel mtu
Explanation The MTU for an IPSec tunnel was adjusted as a result of path MTU discovery.
Recommended Action Check the MTU of the IPSec tunnels. If an affected MTU is smaller than normal, check the intermediate links.
Error Message %FWSM-6-602301: sa created
Explanation A new security association was created.
Recommended Action Informational message only.
Error Message %FWSM-6-602302: deleting sa
Explanation A security association was deleted.
Recommended Action Informational message only.
Error Message %FWSM-7-702301: lifetime expiring
Explanation A security association lifetime is expiring.
Recommended Action Debugging message only.
Error Message %FWSM-7-702303: sa_request
Explanation IPSec requested new security associations from Internet Key Exchange (IKE).
Recommended Action Debugging message only.
Internet Protocol Routing
Error Message %FWSM-3-317001: No memory available for limit_slow
Explanation The requested operation failed because of a low-memory condition.
Recommended Action Reduce other system activity to ease memory demands. If conditions warrant, upgrade to a larger memory configuration.
Error Message %FWSM-3-317003: IP routing table creation failure - reason
Explanation An internal software error prevented the creation of a new IP routing table.
Recommended Action Copy the message exactly as it appears and report it to your technical support representative.
Error Message %FWSM-3-317004: IP routing table limit warning
Explanation The number of routes in the IP routing table has reached the configured warning limit.
Recommended Action Reduce the number of routes in the table, or reconfigure the limit.
Error Message %FWSM-3-317005: IP routing table limit exceeded - reason, ip_address ip_mask
Explanation The number of routes in the IP routing table has reached the configured limit. No further routes, including ip_address ip_mask, will be added to the table.
Recommended Action Reduce the number of routes in the table, or reconfigure the limit.
Error Message %FWSM-4-408001: IP route counter negative - reason, ip_address Attempt: number
Explanation An attempt to decrement the IP route counter to a negative value failed.
Recommended Action Enter the clear ip route * command to reset the route counter. If the message continues to appear, copy the messages exactly as they appear and report them to your technical support representative.
OSPF
Error Message %FWSM-3-318002: Flagged as being an ABR without a backbone area
Explanation The router was flagged as an area border router without a backbone area configured in the router.
Recommended Action Restart the OSPF process.
Error Message %FWSM-6-613001: Checksum Failure in database in area ospf_complain Link State Id ip_address Old Checksum old_checksum New Checksum new_checksum
Explanation OSPF has detected a checksum error in the database due to memory corruption.
Recommended Action Restart the OSPF process.
Error Message %FWSM-4-409001: Database scanner: external LSA ip_address ip_mask is lost, reinstalls
Explanation The software detected an unexpected condition. The router will take corrective action and continue.
Recommended Action None required.
Error Message %FWSM-4-409002: db_free: external LSA ip_address ip_mask
Explanation An internal software error occurred.
Recommended Action None required.
Error Message %FWSM-4-409003: Received invalid packet: reason from ip_address, int_name
Explanation An invalid OSPF packet was received. Details are included in the error message. The cause might be an incorrect OSPF configuration or an internal error in the sender.
Recommended Action Check the OSPF configuration of the receiver and the sender configuration for inconsistency.
Error Message %FWSM-3-318003: Reached unknown state in neighbor state machine
Explanation An internal software error occurred.
Recommended Action None required.
Error Message %FWSM-4-409004: Received reason from unknown neighbor ip_address
Explanation An OSPF hello, database description, or database request packet was received, but the router could not identify the sender.
Recommended Action This situation should correct itself.
Error Message %FWSM-4-409005: Invalid length number in OSPF packet from ip_address (ID ip_address), int_name
Explanation The system received an OSPF packet with a field length of less than the normal header size or inconsistent with the size of the IP packet in which it arrived. This indicates a configuration error in the sender of the packet.
Recommended Action From a neighboring address, locate the problem router and reboot it.
Error Message %FWSM-4-409006: Invalid lsa: reason Type number, LSID ip_address from ip_address, ip_address, int_name
Explanation The router received an LSA with an invalid LSA type. The cause is either memory corruption or unexpected behavior on a router.
Recommended Action From a neighboring address, locate the problem router and reboot it. To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-4-409007: Found LSA with the same host bit set but using different mask LSA ID ip_address ip_mask New: Destination ip_address ip_mask
Explanation An internal software error occurred.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-4-409008: Found generating default LSA with non-zero mask LSA type : number Mask : ip_address metric : number area : name
Explanation The router tried to generate a default LSA with the wrong mask and possibly the wrong metric due to an internal software error.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-4-409009: OSPF process number cannot start. There must be at least one "up" IP interface, for OSPF to use as router ID
Explanation OSPF failed while attempting to allocate a router ID from the IP address of one of its interfaces.
Recommended Action Make sure that there is at least one interface that is up and has a valid IP address. If there are multiple OSPF processes running on the router, each requires a unique router ID. You must have enough interfaces up so that each of them can obtain a router ID.
Error Message %FWSM-4-409010: Virtual link information found in non-backbone area: area_name
Explanation An internal error occurred.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-3-318004: area area_name lsid ip_address mask ip_address adv ip_address type number
Explanation OSPF has a problem locating the LSA, which could lead to a memory leak.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-3-318005: lsid ip_address adv ip_address type number gateway ip_address metric number network ip_address mask ip_address protocol number attr number net-metric number
Explanation OSPF has a problem locating the LSA.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message OSPF found inconsistency between its database and IP routing table
Explanation An internal error occurred.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-6-613002: interface interface_name has zero bandwidth
Explanation The interface reports its bandwidth as zero.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-3-318006: if string if_state number
Explanation An internal error occurred.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-5-503001: Process number, Nbr ip_address on int_name from name to name, reason
Explanation An OSPF neighbor has changed its state. The message describes the change and the reason for it. This message appears only if the log-adjacency-changes command is configured for the OSPF process.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-6-613003: ip_address ip_mask changed from area areaname to area areaname
Explanation An OSPF configuration change has caused a network range to change areas.
Recommended Action Reconfigure OSPF with the correct network range.
Error Message %FWSM-3-318007: OSPF is enabled on string during idb initialization
Explanation An internal error occurred.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-4-409011: OSPF detected duplicate router-id ip_address from ip_address on interface interface_name
Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.
Recommended Action The OSPF router ID should be unique. Change the neighbor's router ID.
Error Message %FWSM-4-409012: Detected router with duplicate router ID ip_address in area area_name
Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.
Recommended Action The OSPF router ID should be unique. Change the neighbor's router ID.
Error Message %FWSM-4-409013: Detected router with duplicate router ID ip_address in Type-4 LSA advertised by ip_address
Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.
Recommended Action The OSPF router ID should be unique. Change the neighbor's router ID.
Error Message %FWSM-3-318008: OSPF process number is changing router-id. Reconfigure virtual link neighbors with our new router-id
Explanation The OSPF process is being reset, and it is going to select a new router ID, which will bring down all virtual links. To make the links work again, the virtual link configuration needs to be changed on all virtual link neighbors.
Recommended Action Change the virtual link configuration on all the virtual link neighbors to reflect the new router ID.
Error Message %FWSM-3-319001: Acknowledge for arp update for IP address dest_addr not received (number).
Explanation The ARP process in the Firewall Services Module lost internal synchronization because the system was overloaded.
Recommended Action No immediate action is required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.
Error Message %FWSM-3-319002: Acknowledge for route update for IP address dest_addr not received (number).
Explanation The routing module in the FWSM lost internal synchronization because the system was overloaded.
Recommended Action No immediate action is required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.
Error Message %FWSM-3-319003: Arp update for IP address dest_addr failed (number).
Explanation The ARP module in the FWSM lost internal synchronization because the system was overloaded.
Recommended Action No immediate action is required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.
Error Message %FWSM-3-319004: Route update for IP address dest_addr failed (number).
Explanation The routing module in the FWSM lost internal synchronization because the system was overloaded.
Recommended Action No immediate action is required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.
Shun
Error Message %FWSM-4-401001: Shuns cleared
Explanation The clear shun command was entered to remove existing shuns from memory.
Recommended Action None required. This message provides a record of shunning activity.
Error Message %FWSM-4-401002: Shun added: IP_addr IP_addr port port
Explanation A shun command was entered, where the first IP address is the shunned host. The other addresses and ports are optional and are used to terminate the connection if available.
Recommended Action None required. This message provides a record of shunning activity.
Error Message %FWSM-4-401003: Shun deleted: IP_addr
Explanation A single shunned host was removed from the shun database.
Recommended Action None required. This message provides a record of shunning activity.
Error Message %FWSM-4-401004: Shunned packet: IP_addr ==> IP_addr on interface int_name
Explanation A packet was dropped because the host defined by the IP source is a host in the shun database. A shunned host cannot pass traffic on the interface on which it is shunned. For example, an external host on the Internet can be shunned on the outside interface.
Recommended Action None required. This message provides a record of the shunned host's activity. This message and the next message (%FWSM-4-401005) can be used to evaluate further risk assessment concerning this host.
Error Message %FWSM-4-401005: Shun add failed: unable to allocate resources for IP_addr IP_addr port port
Explanation The module is out of memory; a shun could not be applied.
Recommended Action The Cisco Secure Intrusion Detection System should continue to attempt to apply this rule. Attempt to reclaim memory and reapply the shun manually, or wait for the Cisco Secure Intrusion Detection System to do this process.
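As an added example that is not part of the Cisco document, the following Python replays the shun messages above over constructed sample syslog lines: it tracks which hosts are in the shun database, records %FWSM-4-401005 failures so an operator can see which shuns were never applied, and counts %FWSM-4-401004 drops per host and interface, which is the risk-assessment use the 401004 text mentions. It assumes the message bodies follow the placeholder order shown above (shunned host first, then the optional destination address and ports).

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the Cisco document); one carries a
# syslog timestamp prefix and one is a non-shun message that must be ignored.
SAMPLE_LOG = """\
%FWSM-4-401001: Shuns cleared
%FWSM-4-401002: Shun added: 203.0.113.7 198.51.100.10 40123 443
%FWSM-4-401004: Shunned packet: 203.0.113.7 ==> 198.51.100.10 on interface outside
Mar  1 10:02:11 fwsm %FWSM-4-401004: Shunned packet: 203.0.113.7 ==> 198.51.100.11 on interface outside
%FWSM-4-401002: Shun added: 192.0.2.55 0.0.0.0 0 0
%FWSM-4-401004: Shunned packet: 192.0.2.55 ==> 198.51.100.10 on interface outside
%FWSM-4-401005: Shun add failed: unable to allocate resources for 192.0.2.99 0.0.0.0 0 0
%FWSM-4-409011: OSPF detected duplicate router-id 10.0.0.1 from 10.0.0.2 on interface inside
%FWSM-4-401003: Shun deleted: 192.0.2.55
%FWSM-4-401004: Shunned packet: 203.0.113.7 ==> 198.51.100.12 on interface dmz
"""

MSG_RE = re.compile(r"%FWSM-4-(40100[1-5]): (.*)$")
ADDED_RE = re.compile(r"Shun added: (\S+) (\S+) (\d+) (\d+)")
DELETED_RE = re.compile(r"Shun deleted: (\S+)")
DROPPED_RE = re.compile(r"Shunned packet: (\S+) ==> (\S+) on interface (\S+)")
FAILED_RE = re.compile(r"Shun add failed: unable to allocate resources for (\S+) (\S+) (\d+) (\d+)")


def replay_shun_log(text):
    """Replay shun messages in log order and return the resulting state:
    active (hosts still shunned), dropped (Counter keyed by (host, interface)),
    failed (hosts whose shun could not be installed), unmatched (shun IDs
    whose body did not parse, worth a look because state may be wrong)."""
    active, dropped, failed, unmatched = set(), Counter(), [], []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not a shun message; other FWSM IDs are out of scope here
        msg_id, body = m.groups()
        if msg_id == "401001":
            active.clear()  # clear shun removed every entry from memory
        elif msg_id == "401002" and (a := ADDED_RE.match(body)):
            active.add(a.group(1))  # first address is the shunned host
        elif msg_id == "401003" and (d := DELETED_RE.match(body)):
            active.discard(d.group(1))
        elif msg_id == "401004" and (p := DROPPED_RE.match(body)):
            dropped[(p.group(1), p.group(3))] += 1  # source host, interface
        elif msg_id == "401005" and (f := FAILED_RE.match(body)):
            failed.append(f.group(1))  # requested but never applied
        else:
            unmatched.append(line)
    return {"active": active, "dropped": dropped, "failed": failed, "unmatched": unmatched}


def hosts_over_threshold(state, threshold):
    """Shunned hosts whose drop count across all interfaces reaches threshold."""
    per_host = Counter()
    for (host, _iface), n in state["dropped"].items():
        per_host[host] += n
    return sorted(h for h, n in per_host.items() if n >= threshold)
```

A host that keeps generating 401004 drops after being shunned, or that appears in a 401005 failure, is the one the explanation above suggests evaluating further.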
Standards Compliance Specifications
Refer to Appendix A, "Specifications," in the Catalyst 6000 Family Installation Guide for the standards compliance specifications.
FCC Class B Compliance
This equipment complies with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. There is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco's written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
Note
Modifications to this device not specifically approved by Cisco Systems could void the user's authority to continue operating the device.
Refer to the Catalyst 6000 Family Installation Guide for additional FCC class compliance information.
Related Documentation
For more detailed installation and configuration information, refer to the following publications:
• For additional information about the Catalyst 6500 and Cisco 7600 Series Firewall Services Module, refer to the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Guide.
• For additional information about Catalyst 6500 series switches and command-line interface (CLI) commands, refer to the following:
– Site Preparation and Safety Guide
– Regulatory Compliance and Safety Information for the Catalyst 6500 Series and Cisco 7600 series Switches
– Catalyst 6500 Series Switch Installation Guide
– Catalyst 6500 Series Switch Quick Software Configuration Guide
– Catalyst 6500 Series Switch Module Installation Guide
– Catalyst 6500 Series Switch Software Configuration Guide
– Catalyst 6500 Series Switch Command Reference
– Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide
– Catalyst 6500 Series Switch Cisco IOS Command Reference
– ATM Software Configuration and Command Reference—Catalyst 5000 Family and Catalyst 6500 Series Switches
– System Message Guide—Catalyst 6500 Series, 5000 Family, 4000 Family, 2926G Series, 2948G, and 2980G Switches
– For information about MIBs, refer to this URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
– Release Notes for Catalyst 6500 Series Switches and Cisco 7600 Internet Router for Cisco IOS Release 12.1(13)E
– Cisco IOS Configuration Guides and Command References—Use these publications to help you configure the Cisco IOS software that runs on the MSFC and on the MSM and ATM modules.
– For detailed hardware configuration and maintenance procedures, refer to the Catalyst 6000 Family Module Installation Guide.
• The following documents are available for the Catalyst 6500 family switches running Catalyst operating system software:
– Release Notes for Catalyst 6000 Family Software Release 7.x
– Catalyst 6500 Series Switch Documentation Map
– Catalyst 6500 Series Switch Configuration Guide (7.5)
– Catalyst 6500 Series Switch Command Reference (7.5)
– System Message Guide—Catalyst 6500 Series Switches (7.5)
• For additional information about the PIX software, refer to the following:
– Cisco PIX Firewall Release Notes Version 6.1(1)
– Cisco PIX Device Manager Installation Guide, Version 2.1
– Cisco PIX 501 Firewall Quick Start Guide
– Cisco PIX Firewall Hardware Installation Guide
– Cisco PIX Device Manager Installation Guide
– Cisco PIX Firewall and VPN Configuration Guide
– Cisco PIX Firewall Command Reference
– Cisco PIX Firewall System Log Messages
Cisco IOS Software Documentation Set
Cisco IOS Configuration Guides and Command References—Use these publications to help you configure the Cisco IOS software that runs on the MSFC and on the MSM and ATM modules.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Copyright © 2002, 2003 Cisco Systems, Inc.
All rights reserved.