 Feedback
|
Table Of Contents
Catalyst 6500 Series Firewall Services Module Installation and Configuration Note
Understanding How the Firewall Services Module Works
Multiple Firewall Services Module Configuration
Specifications and System Limitations
Installing the Firewall Services Module
Memory and Storage Requirements
Installing and Removing the Module
Configuring the Switch Interface
Catalyst Operating System Software
Firewall Services Module and PDM Restrictions
Platform and Browser Requirements
Installing or Upgrading the PDM
Setting up a Single-Chassis Configuration
Setting Up a Dual-Chassis Configuration
Receiving Requests and Sending Syslog Traps
Compiling Cisco Syslog MIB Files
Using the Firewall and Memory Pool MIBs
Configuring OSPF Routing Support
Configuring OSPF Interface Parameters
Configuring OSPF Area Parameters
Configuring Route Summarization Between OSPF Areas
Configuring Route Summarization when Redistributing Routes into OSPF
Changing the OSPF Administrative Distances
Configuring Route Calculation Timers
Logging Neighbors Going Up or Down
Displaying OSPF Update Packet Pacing
Area Border Router Type 3 LSA Filtering
Monitoring and Maintaining OSPF
Configuring IPSec for Management
Administering the Firewall Services Module
Administering the Software Images
Logging into the Application Software
Logging into the Maintenance Software
Changing and Recovering Passwords
Changing the Application Partition Passwords
Changing the Maintenance Partition Passwords
Recovering the Application Partition Passwords
Recovering the Maintenance Partition Passwords
Resetting the Firewall Services Module
Resetting the Module with Cisco IOS Software
Resetting the Module with Catalyst Operating System Software
Troubleshooting the Firewall Services Module
Firewall Services Module and PIX Commands
System Message Log Differences
Memory and Resource Allocation
Standards Compliance Specifications
Cisco IOS Software Documentation Set
Obtaining Documentation and Submitting a Service Request
Catalyst 6500 Series Firewall Services Module Installation and Configuration Note
WS-SVC-FWM-1-K9
This publication describes how to install and configure the Firewall Services Module (FWSM) in the Catalyst 6500 series switches and Cisco 7600 Optical Services Router (OSR). See the "Related Documentation" section for more information about software configuration for the switch.
Throughout this publication, the Firewall Services Module (FWSM) is referred to as "the module"
Note
For translations of the warnings in this publication, see the "Safety Overview" section and refer to the Regulatory Compliance and Safety Information for the Catalyst 6500 series switches.
Contents
This publication consists of these sections:
•
•
•
•
•
Overview
This section describes the Catalyst 6500 Series Firewall Services Module, how it operates, how to manage it. This chapter contains these sections:
•
•
Before You Begin
To help you get started using the Firewall Services Module, refer to this roadmap:
Note
Refer to Table 10 for information on these commands.
Table 11 lists the Cisco IOS commands for the module.
Table 12 lists the new commands specific to the module. These commands are described in Command Reference
Table 13 lists the PIX commands that were changed for the module.
Table 14 lists the PIX commands that are not used by the module.
Table 15 lists the PIX commands used by the module and their PIX version.
Understanding How the Firewall Services Module Works
Firewalls protect an internal (inside) network, such as a data center, from unauthorized access by users on an external (outside) network, such as the public Internet.
Note
You also can protect one or more networks, also known as demilitarized zones (DMZs). DMZs are those portions of the network that contain resources which you may want to allow access to for specified users. Access to a DMZ is usually more restricted than access to the outside network, but less restricted than access to the inside network.
A DMZ allows you to protect your network resources that need to be accessed by users on the public Internet, for example, mail servers or web servers. By placing them in a DMZ, you obtain some protection without jeopardizing the resources on your internal network.
Connections between the inside and outside and DMZ networks are controlled by the module through the firewall using a network-modeled protection scheme based upon a configuration and security policy. By implementing a security policy, you can ensure that all traffic from the protected networks only passes through the firewall to the unprotected network. You also can control who accesses the networks and with which services. Features on the module allow you to control how your security policy is used.
The security policy determines the security level, which allows you to isolate networks that are assigned the same security level from each other. To route traffic between different networks, you assign each network a different security level. A lower security level provides less protection for the interface than a higher security level. The security levels to your networks can range from 0 to 100.
All interfaces connecting the inside, outside, and DMZ networks through the module are virtual and logical Layer 3 interfaces consisting of a VLAN, an IP address, and a security level. The module supports 100 firewall interfaces. All traffic between these VLANs is protected and controlled. Because the module supports multiple interfaces, you can create one or more DMZ networks.
The Firewall Services Module is a fabric-enabled module that connects to both the Catalyst 6500 bus and the switch fabric module if one is present. The Firewall Services Module does not require a Switch Fabric Module to function.
The module has a 6 Gbps dot1q EtherChannel connection to the backplane where the hosts of the various security zones are connected to ports on the Catalyst 6500 chassis.
The module can be configured in a multiple, failover, or redundant configuration.
Figure 1 shows a firewall configuration. The Multilayer Switch Feature Card (MSFC) is used as a router on the network inside the firewall. The MSFC is connected to only one of the controlled firewall interfaces. All other router interfaces configured on the MSFC are considered to be the same security level as the interface to which the MSFC is connected. For example, traffic between VLAN 201 and VLAN 202 is routed directly.
Figure 1 Firewall Services Module Configuration
Multiple Firewall Services Module Configuration
Figure 2 shows multiple modules that are located in the same switch, and how they can operate independently. There is no restriction to the number of modules installed in the same switch. The network requirements and topology determine the configuration.
Figure 2 Multiple Firewall Services Module Configuration
In a multiple-module configuration, the following conditions apply:
•
•
•
Redundancy Failover
The failover configuration has these features:
•
•
•
•
The module can be configured to use stateful failover as shown in Figure 3. Stateful failover allows you to maintain the operating state for the connection during the failover from the primary module to the standby module.
Figure 3 Stateful Failover Configuration
When a failover occurs, each module changes its state. The new active module begins accepting traffic. The new standby module assumes the failover IP and MAC addresses of the module that was previously the active module. Because network devices do not detect a change in these addresses, there are no ARP entries changed nor is there a time out anywhere on the network.
Be sure that both modules have the same software version, VLAN configuration, Flash memory, and RAM or the configuration copied to the standby module will not work. After you configure the primary module and provide the failover link, the primary module automatically copies the configuration over to the standby module.
Note
Figure 4 shows two modules located in separate chassis: one module is designated as the active module and the other module is designated as the standby module.
Figure 4 Firewall Services Module Multiple Configuration in a Network
In this multiple-module configuration, the following conditions apply:
•
•
•
•
Feature Set
The Firewall Services Module (FWSM) is a high performance firewall used on the Catalyst 6500 series switch and Cisco 7600 series router. The FWSM can occupy a single slot in the Catalyst 6500 series and Cisco 7600 series chassis or two slots in a redundant configuration. Two modules can also reside in separate chassis in a failover configuration.
The Firewall Services Module provides the following features:
•
•
•
•
•
•
•
•
•
•
Note
•
•
The stateful, connection-oriented ASA creates session flows based on source and destination addresses, TCP sequence numbers (which are non-predictable), port numbers, and additional TCP flags. You can control all inbound and outbound traffic by applying security policies to each connection table entry.
•
•
•
•
–
–
When the Firewall Services Module software is the platform, PDM will display modified screens for features not supported by the module. To use the PDM to configure the module, refer to the Cisco PIX Device Manager Installation Guide, Version 2.1.
The following PIX firewall features are not supported by the module:
•
•
•
•
•
Specifications and System Limitations
Table 1 lists the specifications and system limitations of the FWSM.
Table 1 FWSM Specifications and System Limitations
Modules per switch
Maximum of four modules per switch.
If you are using failover, you can still only have four modules per switch even if two of them are in standby mode.
Memory
•
•
Bandwidth
CEF256 line card with a 6-Gbps path to the Switch Fabric Module (if present) or the 32-Gbps shared bus.
Filtering servers
16 Websense Enterprise filtering servers.
IPSec management connections, concurrent
5 connections.
TCP1 or UDP2 connections between any two hosts, including connections between one host and multiple other hosts, concurrent and rate
999,900 connections.
100K connections per second.
Fixup connections, rate
10,000 per second.
PC based fixup connections, rate
10K per second.
Host connections, concurrent
256K
SSH3 management connections, concurrent
5 connections.
System messages, rate
20K per second.
Telnet management connections, concurrent
5 connections.
NAT translations, concurrent
256K.
NAT statements
1K statements.
High-performance firewall
5 GBps (aggregated).
Concurrent connections.
1 million
Packets-per-second.
3 million pps
New connections per second for HTTP, DNS, and enhanced Simple Mail Transfer Protocol (SMTP).
7K
VLAN interfaces (no physical interfaces on the module).
100
Static NAT statements
1K statements.
Global statements
1K statements.
Shun statements
2K statements. The FWSM supports at most 2000 shuns - that number is contigent upon finite hardware resources and cannot be increased.
Alias statements
1K statements.
User authentication sessions, concurrent
5K sessions.
User authorization sessions, concurrent
150K sessions.
Maximum 15 sessions per user.
ARP4 table entries, concurrent
64K entries.
Route table entries, concurrent
32K entries.
Packet reassembly, concurrent
30,000 fragments.
Filter Rules, Fixup and Filter statements combined.
3K rules and statements.
Established CLI Rules
1K rules.
Established data
1K implicit rules used by TCP and UDP fixups to allow back channels.
3K statements.
AAA Rules
3K rules. 1K rules for authentication, 1K rules for authorization, and 1K rules for accounting.
1K rules.
ACEs
72K ACEs (best case).
1 Transmission Control Protocol
2 User Datagram Protocol
3 Secure Shell
4 Address Resolution Protocol
5 Internet Control Message Protocol
6 HyperText Transfer Protocol
Front Panel Description
The front panel includes a STATUS LED and SHUTDOWN button. (See Figure 5)
Figure 5 Firewall Services Module Front Panel
STATUS LED
The STATUS LED indicates the operating states of the module. Table 2 describes the LED operation.
SHUTDOWN Button
Caution
To avoid corrupting the compact Flash memory, you must correctly shut down the module before you remove it from the chassis or disconnect the power. This shutdown procedure is initiated normally by commands entered at the supervisor engine CLI prompt or the module CLI prompt.
If the module fails to respond to these commands properly, you must use the SHUTDOWN button on the front panel to initiate the shutdown procedure. Use a small pointed object (such as a paper clip) to push the button.
The shutdown procedure may require several minutes. The STATUS LED turns orange when the module shuts down.
Module Specifications
Table 3 describes the specifications for the module.
Safety Overview
Safety warnings appear throughout this publication in procedures that, if performed incorrectly, may harm you. A warning symbol precedes each warning statement.
Warning
Warning
Warning
Warning
Warning
Warning
Warning
Warning
Warning
Warning
Installing the Firewall Services Module
This section describes how to install the Firewall Services Module including the software and hardware requirements.
This chapter contains these sections:
•
System Requirements
This section describes the software and hardware requirements for the module.
Memory and Storage Requirements
There are no additional memory or storage requirements for this module. The module contains the following memory:
•
•
Software Requirements
Table 4 lists the Firewall Services Module software versions supported by Catalyst operating system and Cisco IOS software.
Hardware Requirements
Before you can use the Catalyst 6500 series and Cisco 7600 series Firewall Services Module, you must have a Supervisor Engine 1a (Catalyst operating system only) and an MSFC 2, or a Supervisor Engine 2 (Catalyst operating system and Cisco IOS) and an MSFC 2, and any module with ports to connect server and client networks.
Note
Required Tools
These tools are required to install the module in the Catalyst 6500 series switches:
•
•
•
•
Whenever you handle the module, always use a wrist strap or other grounding device to prevent electrostatic discharge (ESD).
Installing and Removing the Module
Warning
All Catalyst 6500 series switches support hot swapping, which allows you to install, remove, replace, and rearrange modules without turning off the system power. For more information on removing the module from a switch, see the "Removing a Module" section.
When the system detects that a module has been installed or removed, the system automatically runs diagnostic and discovery routines, acknowledges the presence or absence of the module, and resumes system operation.
This section describes how to install and verify the operation of the Firewall Services Module in the Catalyst 6500 series switches and contains the following sections:
Slot Assignments
The Catalyst 6006 and 6506 switch chassis have six slots, the Catalyst 6009 and 6509 switch chassis have nine slots, and the Catalyst 6513 switch chassis has thirteen slots.
Note
Each slot is used as follows:
•
•
•
•
Removing a Module
This section describes how to remove an existing module from a chassis slot.
Warning
Warning
Warning
To remove a supervisor engine or module from the chassis, perform these steps:
Step 1
Step 2
This step ensures that the space created by the removed module is maintained.
Note
Step 3
Step 4
Horizontal slots
a.
b.
Vertical slots
a.
b.
Step 5
Step 6
Warning
Installing a Module
This section describes how to install modules in the Catalyst 6500 series switches.
Caution
Warning
Warning
Warning
To install a supervisor engine or module in the chassis, perform these steps:
Step 1
Step 2
Step 3
This action ensures that the EMI gaskets on all modules are fully compressed in order to maximize the opening space for the new module or the replacement module.
Note
Step 4
Step 5
Figure 6 Positioning the Module in a Horizontal Slot Chassis
Step 6
Horizontal slots
a.
b.
Figure 7 Clearing the EMI Gasket in a Horizontal Slot Chassis
c.
Caution
d.
Figure 8 Ejector Lever Closure in a Horizontal Slot Chassis
Note
e.
Note
Vertical slots
a.
Figure 9 Positioning the Module in a Vertical Slot Chassis
b.
c.
Figure 10 Clearing the EMI Gasket in a Vertical Slot Chassis
Caution
d.
Figure 11 Ejector Lever Closure in a Vertical Slot Chassis
e.
Note
Verifying the Installation
This section describes how to verify the module installation.
To verify that the system acknowledges the new module and has brought it online, enter the show module [mod-num | all] command.
This example shows the output of the show module command:
Router# show moduleMod Slot Ports Module-Type Model Sub Status--- ---- ----- ------------------------- ------------------- --- --------1 1 2 1000BaseX Supervisor WS-X6K-S2U-MSFC2 yes ok15 1 1 Multilayer Switch Feature WS-F6K-MSFC2 no ok2 2 6 Firewall Service Module WS-SVC-FWM-1 no okRouter#When the module initially boots, by default it runs a partial memory test. To perform a full memory test, enter the hw-module module module_number reset device:partition mem-test-full command. This command is specific to Cisco IOS software and is not available in Catalyst operating system software.
A full memory test takes more time to complete than a partial memory test depending on the memory size.
Table 5 lists the memory test time and approximate boot time for a long memory test.
This example shows how to do a full memory test for module 5:
Router(config)# hw-module module 5 reset mem-test-fullUsing the CLI
The software interface for the module is the Cisco IOS command-line interface accessed through a Telnet connection to the switch or through the switch console interface. Refer to the Catalyst 6500 Series IOS Software Configuration Guide and the Catalyst 6500 Series Software Configuration Guide for details.
To understand the Cisco IOS command-line interface and Cisco IOS command modes, refer to Chapter 2, "Command-Line Interfaces," in the Catalyst 6500 Series IOS Software Configuration Guide.
Unless your switch is located in a fully trusted environment, we recommend that you configure the module through a Telnet connection using Secure Shell (SSH) encryption.
You can session into the module from the switch console and configure the firewall. Session is a Telnet interface through the Ethernet out-of-band channel (EOBC) of the switch backplane.
You can also make a Telnet connection into the module from a specified host and on a specific interface. Telnet support for this host should be configured or enabled from the module console.
Console output is redirected to all active Telnet sessions. When no Telnet session is available, the output is saved to a buffer. The buffer output can be subsequently examined when you make a Telnet connection into the module.
The module application software is similar to the Cisco PIX firewall software. This publication describes only the commands unique to the Firewall Services Module. For information about the PIX commands, refer to the PIX documentation at the following URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/index.htm
Getting Started
This section describes how to begin configuring the Firewall Services Module from the CLI and contains these sections:
Configuration Overview
This section describes the Firewall Services Module configuration and contains these sections:
•
The Firewall Services Module can be used in a variety of topologies depending on the needs of your network. For example, in a data center you may want to provide access control or segregate your security domains. The security domain can be a collection of servers with the same security level. Within that domain, multiple subnets or server farms can exist.
When you configure the Firewall Services Module to function on the perimeter of the network, the module can provide access control to the inside network as a whole, or segregate multiple security zones through VLAN interfaces of different security levels. The security zones can be either in the same network or can define the boundaries of multiple customer networks.
The Firewall Services Module configuration has the following characteristics:
•
•
•
•
•
You can configure the module in various situations by selecting the firewall features that meet the requirements of a particular network. Figure 12 shows a typical firewall configuration.
Figure 12 Firewall Configuration
Configuring the Switch Interface
This section describes the basic configuration steps performed on the switch and the Firewall Services Module.
Cisco IOS Software
To set up the configuration on the switch using the Cisco IOS CLI, follow these general tasks:
:
Note
switchport trunk allowed vlan {add | except | none | remove} vlan1, [, vlan [, vlan [,...]]]}This example shows how to configure the switch interface:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# vlan 55Router(config-vlan)# vlan 56Router(config-vlan)# vlan 57Router(config-vlan)# exitRouter(config)# firewall vlan-group 50 55-57Router(config)# firewall vlan-group 51 70-85Router(config)# firewall module 8 vlan-group 50-51Router(config)# int vlan 55Router(config-if)# ip address 55.1.1.1 255.255.255.0Router(config-if)# no shutRouter(config-if)# endRouter# show firewall vlan-groupGroup vlans----- ------50 55-5751 70-85Router# show firewall moduleModule Vlan-groups8 50,51,Router# show int vlan 55Vlan55 is up, line protocol is upHardware is EtherSVI, address is 0008.20de.45ca (bia 0008.20de.45ca)Internet address is 55.1.1.1/24MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,reliability 255/255, txload 1/255, rxload 1/255Encapsulation ARPA, loopback not setARP type:ARPA, ARP Timeout 04:00:00Last input never, output 00:00:08, output hang neverLast clearing of "show interface" counters neverInput queue:0/75/0/0 (size/max/drops/flushes); Total output drops:0Queueing strategy:fifoOutput queue :0/40 (size/max)5 minute input rate 0 bits/sec, 0 packets/sec5 minute output rate 0 bits/sec, 0 packets/secL2 Switched:ucast:196 pkt, 13328 bytes - mcast:4 pkt, 256 bytesL3 in Switched:ucast:0 pkt, 0 bytes - mcast:0 pkt, 0 bytes mcastL3 out Switched:ucast:0 pkt, 0 bytes0 packets input, 0 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants, 0 throttles0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored4 packets output, 256 bytes, 0 underruns0 output errors, 0 interface resets0 output buffer failures, 0 output buffers swapped outRouter#Catalyst Operating System Software
To set up the configuration on the switch for the Firewall Services Module using the Catalyst operating system CLI, you must be in the proper Virtual Terminal Protocol (VTP) mode to create VLANs (server, transparent, or off modes all work) and then follow these general tasks:
:
This example shows how to configure the switch interface:
Console>(enable) enableConsole>(enable) set vlan 7, 11-15, 19-20 firewall-vlan 8Console> show vlan firewall-vlan 8Console> show vlan fire 8Secured vlans by firewall module 8:7 11-15,19-20Console>(enable) set vlan 8Sessioning into the Module
You can log into the module's maintenance partition or application partition.
Sessioning into the Maintenance Partition
To log into the module's maintenance partition, perform these steps:
Step 1
Step 2
Cisco IOS:
Router# session slot number processor 1The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.81 ... OpenCisco Maintenance image
Note
Catalyst Operating System:
Console> session moduleThe default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.81 ... OpenCisco Maintenance imageStep 3
Step 4
Password: cisco
Note
Step 5
Cisco IOS:
Router# hw-module module slot_number reset cf:1Catalyst Operating System:
Console(enable)> reset module-number [boot device:partition]Router# reboot
Sessioning into the Application Partition
To log into the module's application partition, perform these steps:
Step 1
Step 2
Cisco IOS:
Router# session slot 8 processor 1The default escape character is Ctrl-^, then x. You can also type 'exit'at the remoteprompt to end the session Trying 127.0.0.81 ... OpenFWSM passwd:Welcome to the FWSM firewallType help or '?' for a list of available commands.FWSM>
Note
Catalyst Operating System:
Console (enable)# session moduleStep 3
Cisco IOS:
Router# hw-module module slot_number reset cf:4Router# session slot module processor processorCatalyst Operating System:
Console (enable)# session moduleStep 4
Step 5
Password: password
Note
Configuring the Module
To set up the configuration on the module, follow these tasks:
Step 1
Defines the host name in the command line prompt.
Step 2
Specifies the interface name.
Step 3
Defines a local address for each interface.
Step 4
FWSM(config)#access-list acl_ID [deny | permit] protocol {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator portDefines an access list. Refer to "Command Reference" section and theaccess-list and theaccess-list (ospf).
Step 5
Defines access groups.
Step 6
Displays the configured interfaces.
Step 7
Displays the configured IP addresses.
Step 8
Displays the configured access lists.
Note
This example shows how to configure the module:
FWSM(config)# hostname FWSMFWSM(config)# nameif 55 inside 100FWSM(config)# nameif 56 outside 0FWSM(config)# ip address inside 10.1.1.1 255.255.255.0FWSM(config)# ip address outside 55.1.1.2 255.255.255.0FWSM(config)# access-list 1 permit ip any anyFWSM(config)# access-group 1 in interface insideFWSM(config)# show nameifnameif vlan55 inside security100nameif vlan56 outside security0FWSM(config)# show ipSystem IP Addresses:ip address inside 10.1.1.1 255.255.255.0ip address outside 55.1.1.2 255.255.255.0ip address eobc 127.0.0.61 255.255.255.0Current IP Addresses:ip address inside 10.1.1.1 255.255.255.0ip address outside 55.1.1.2 255.255.255.0ip address eobc 127.0.0.61 255.255.255.0FWSM(config)# show access-listaccess-list 1; 1 elementsaccess-list 1 permit ip any any (hitcnt=0)FWSM(config)# show access-groupaccess-group 1 in interface insideFWSM(config)#Saving the Configuration
To save your configuration, use one of the following methods:
•
•
•
•
Using PDM
Cisco PIX Device Manager (PDM) is a single-device graphical user interface (GUI) application that you can use to manage your Firewall Services Module. For detailed information about PDM, refer to the Cisco PIX Device Manager Installation Guide, Version 2.1.
Note
Note
PDM Overview
PDM is a signed Java applet that uses certificates and HTTP over SSL (HTTPS) to securely transmit all information between PDM and the Firewall Services Module. PDM performs the following functions:
•
•
•
Firewall Services Module and PDM Restrictions
The module and PDM have the following operation restrictions:
•
–
–
Refer to the PDM 2.1 release notes for the complete list of unsupported commands. The release notes are located at the following URL:
http://cio.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_21/pdmrn21/pdmrn21.htm
Note
Platform and Browser Requirements
PDM is supported in the following platforms and browsers:
•
•
•
For details about PDM and its operation refer to the Cisco PIX Device Manager Installation Guide Version 2.1.
The installation guide is located at the following URL:
http://cio.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_21/pdmig/index.htm
Setting Up the Module for PDM
Before you do this procedure, make sure you have installed the Firewall Services Module into the switch and you have completed the basic configuration described earlier in this chapter. Refer to the "Configuration Overview" section.
To set up the module to use the PDM application, follow these steps:
Step 1
Step 2
Step 3
Cisco IOS:
Router# firewall vlan-group VLAN-group vlan-interfacesCatalyst Operating System
Console>(enable) set vlan vlan-range firewall-vlan module-numberStep 4
Cisco IOS only:
Router# firewall module module-number vlan-group VLAN-groupStep 5
Step 6
Router># enablePassword:Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# firewall vlan-group 5 10,20,50-51Router(config)# firewall module 3 vlan-group 5Router(config)# exitRouter# telnet 192.168.1.1Trying 192.168.1.1 ... OpenFWSM passwd:Welcome to the FWSM firewallType help or '?' for a list of available commands.FWSM# enablePassword:FWSM# configure terminalFWSM(config)# setupPre-configure FWSM Firewall now through interactive prompts [yes]?To complete this setup, follow the instructions that appear on the terminal.
Installing or Upgrading the PDM
To install or upgrade PDM on the module, enter this command:
copy tftp://location/pathname flash:pdmThis example shows how to install or upgrade PDM on the module:
FWSM# copy tftp://10.1.1.1/pdm-211.bin flash:pdm10.1.1.1 is the location of the TFTP server and the PDM image.
Verify that PDM was downloaded to the module.
Starting PDM
To start PDM, in your browser be sure you use the HTTP secure (https) command and type the following address:
https://IP address of FWSMThis example shows how to start PDM:
https://192.168.1.1192.168.1.1 is the IP address of one of the VLAN interfaces on the module.
You can now use the PDM 2.1 application to configure your Firewall Services Module. Access the PDM online help to use the application.
Configuring Firewall Services
This chapter describes how to configure firewall services and contains these sections:
•
•
•
Configuring Firewall Failover
Failover uses two modules that must have identical configurations. You can configure the modules in the following ways:
•
•
Setting up a Single-Chassis Configuration
To set up failover on a single chassis, install two firewall modules on the same chassis and assign the same firewall VLAN group to both modules.
Figure 13 Failover Single Chassis Configuration
To configure failover in a single chassis, perform this task:
This example shows how to configure failover in a single chassis:
Router(config)# firewall vlan-group 10 10,20,30,40,50Router(config)# firewall module 4 vlan-group 10Router(config)# firewall module 6 vlan-group 10Setting Up a Dual-Chassis Configuration
To set up failover across two chassis, install a firewall module in each chassis and assign the same firewall VLAN group to both modules.
To set up a dual-chassis configuration, follow these tasks:
Figure 14 shows a dual-chassis configuration.
Figure 14 Failover Dual-Chassis Configuration
This example shows how to configure failover in two chassis:
Router1(config)# firewall vlan-group 10 10,20,30,40Router1(config)# firewall module 4 vlan-group 10Router2(config)# firewall vlan-group 20 10,20,30,40Router2(config)# firewall module 5 vlan-group 20Configuring Firewall Failover
For a failover configuration, both firewall modules need to have the same RAM and Flash memory size and be running the same software version.
To configure failover, follow these steps:
Step 1
Note
Step 2
Step 3
Step 4
Step 5
This is the IP address used by the primary module on failover interface
Step 6
Step 7
This is the IP address used by the secondary module on failover interface.
Step 8
This command specifies the IP address used by the standby module on other firewall interfaces. The client hosts are not expected to use this IP address to communicate to the module.
Step 9
Step 10
Note
Step 11
Step 12
Step 13
The primary and the secondary module should have the identical failover configuration, except for the failover LAN module configuration.
Note
Note
Step 14
Enter the icmp permit 0 0 if_name command to configure the failover interface to allow the ping to go through the firewall.
Step 15
The secondary module should detect the primary module and then switch to standby. The firewall configuration is synchronized from the active module to the standby module.
Warning
Step 16
Step 17
Note
These example shows how to configure failover on a pair of FWSMs.
The modules are located in two different switches. A dedicated VLAN (vlan 4000) is created for the failover protocol. The following conditions apply:
•
•
•
•
•
•
This example shows how to configure the primary module:
FWSM(config)# show vlan30, 40, 4000FWSM(config)#FWSM(config)# fail lan unit priFWSM(config)# nameif 4000 fover 50FWSM(config)# nameif 30 outside 0FWSM(config)# nameif 40 inside 100FWSM(config)# ip address fover 10.40.40.1 255.255.255.0FWSM(config)# ip address inside 10.2.1.1 255.255.255.0FWSM(config)# ip address outside 10.11.1.2 255.255.255.0FWSM(config)# fail ip address fover 10.40.40.2 255.255.255.0FWSM(config)# fail ip address inside 10.2.1.2 255.255.255.0FWSM(config)# fail ip address outside 10.11.1.3 255.255.255.0FWSM(config)# fail lan int foverFWSM(config)# logg onFWSM(config)# logg monitor 7FWSM(config)# logg con 7111008: User 'enable_15' executed the 'logging con 7' command.FWSM(config)# no logg mess 111008FWSM(config)# no logg mess 111009FWSM(config)# fail105002: (Primary) Enabling failover.FWSM(config)#No Response from Mate. Switching to ActiveYou may begin configuring the standby module at this time.
Sync Process StartSync Process End709004: (Primary) End Configuration Replication (ACT)105003: (Primary) Monitoring on interface 2 waiting105003: (Primary) Monitoring on interface 1 waiting105004: (Primary) Monitoring on interface 2 normal105004: (Primary) Monitoring on interface 1 normal302010: 0 in use, 0 most used302010: 0 in use, 0 most usedThis example shows how to configure the standby or secondary module:
FWSM(config)# fail lan unit secFWSM(config)# nameif 4000 fover 50FWSM(config)# ip address fover 10.40.40.1 255.255.255.0FWSM(config)# fail ip address fover 10.40.40.2 255.255.255.0FWSM(config)# fail lan int foverFWSM(config)# failFWSM(config)# logg onFWSM(config)# logg mon 7FWSM(config)# logg con 7FWSM(config)# 111008: User 'enable_15' executed the 'logging con 7' command.Detected an Active mate. Switching to StandbySwitching to Standby.FWSM(config)#Beginning configuration replication from mate.This unit is in syncing state. 'failover' command will not be effective at this timeEnd configuration replication from mate.709006: (Secondary) End Configuration Replication (STB)Access Rules Download Complete: Memory Utilization < 1%105003: (Secondary) Monitoring on interface 2 waiting105003: (Secondary) Monitoring on interface 1 waiting105004: (Secondary) Monitoring on interface 2 normal105004: (Secondary) Monitoring on interface 1 normalThis example shows how to monitor the failover status on the primary and secondary modules:
Primary module:
FWSM(config)# show failFailover OnFailover unit PrimaryFailover LAN Interface foverReconnect timeout 0:00:00Poll frequency 15 secondsThis host: Primary - ActiveActive time: 29925 (sec)Interface outside (10.11.1.2): NormalInterface inside (10.2.1.1): NormalOther host: Secondary - StandbyActive time: 285 (sec)Interface outside (10.11.1.3): NormalInterface inside (10.2.1.2): NormalStateful Failover Logical Update StatisticsLink : Unconfigured.Secondary module:
FWSM(config)# show failFailover OnFailover unit SecondaryFailover LAN Interface foverReconnect timeout 0:00:00Poll frequency 15 secondsThis host: Secondary - StandbyActive time: 285 (sec)Interface inside (10.2.1.2): NormalInterface outside (10.11.1.3): NormalOther host: Primary - ActiveActive time: 30750 (sec)Interface inside (10.2.1.1): NormalInterface outside (10.11.1.2): NormalStateful Failover Logical Update StatisticsLink : Unconfigured.FWSM(config)#Using SNMP
You can monitor system events on the Firewall Services Module by using SNMP. You can read SNMP events, but information on the module cannot be changed with SNMP.
Use CiscoWorks for Windows or any other SNMP V1, MIB-II compliant browser to receive SNMP traps and browse a MIB. SNMP traps occur at UDP port 162.
Note
You can browse the System and Interface groups of MIB-II. Browsing an MIB is different from sending traps. Browsing involves doing an snmpget or snmpwalk of the MIB tree from the management station to determine values.
MIB Support
The Firewall Services Module supports the Cisco Firewall MIB and Cisco Memory Pool MIB.
The Firewall Services Module does not support the following in the Cisco Firewall MIB:
•
•
•
•
•
•
SNMP Traps
Traps are unsolicited "comments" from the managed device to the management station for specific events, such as link up, link down, and syslog event generation.
The snmp-server command causes the Firewall Services Module to send SNMP traps so that the module can be monitored remotely. Use snmp-server host command to specify which systems receive the SNMP traps.
An SNMP object ID (OID) for the module displays in SNMP event traps sent from the module. The Firewall Services Module provides system OID in SNMP event traps and SNMP mib-2.system.sysObjectID equal to the.(1.3.6.1.4.1.9.1.227) original PIX Firewall OID.
The module responds to an SNMP request from a management station and the module then sends an event notification trap.
The Firewall Services Module SNMP traps available to an SNMP management station are as follows:
•
–
–
–
•
–
–
–
Receiving Requests and Sending Syslog Traps
To receive requests and send traps from the Firewall Services Module to an SNMP management station, follow these steps:
Step 1
Step 2
If you only want to send the cold start, link up, and link down generic traps, and you only want to receive SNMP requests, no further configuration is required.
Step 3
Step 4
logging history debuggingWe recommend that you use the debugging level during initial setup and during testing. After setup, set the level from debugging to a lower value.
The logging history command sets the severity level for SNMP syslog messages.
Step 5
Step 6
Compiling Cisco Syslog MIB Files
To receive security and failover SNMP traps from the Firewall Services Module, compile the Cisco SMI MIB and the Cisco syslog MIB into your SNMP management application. If you do not compile the Cisco syslog MIB into your application, you receive only traps for link up or down, firewall cold start, and authentication failure.
To obtain the Cisco MIB files go to the following URLs:
•
•
•
•
•
•
•
•
To compile Cisco syslog MIB files into your browser using CiscoWorks for Windows (SNMPc), follow these steps:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Note
Step 7
Step 8
Step 9
Step 10
Step 11
Step 12
Step 13
Step 14
Step 15
Step 16
Step 17
Step 18
Using the Firewall and Memory Pool MIBs
You can poll failover and system status using the Cisco Firewall and Memory Pool MIBs. With the MIB tables, you can view failover status, memory usage, connection count, and system buffer usage.
Viewing Failover Status
The Cisco Firewall MIBs cfsHardwareStatusTable indicates whether failover is enabled, and which module is active. The Cisco Firewall MIB indicates failover status in two rows in the cfwHardwareStatusTable object. From the Firewall Services Module command line, you can view failover status using the show failover command. You can access the object table from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB. ciscoFirewallMIBObjects.cfwSystem.cfwStatus.cfwHardwareStatusTableTable 6 lists which objects provide failover information.
Table 6 Failover Status Objects
cfwHardwareType (table index)
Hardware
6 (primary module)1
6 (primary module)
7 (secondary module)
cfwHardwareInformation
SnmpAdminString
blank
blank
blank
cfwHardwareStatusValue
HardwareStatus
0 (not used)
active or 9 (active module) or standby or 10 (standby module)
active or 9 (active module) or standby or 10 (standby module)
cfwHardwareStatusDetail
SnmpAdminString
Failover Off
blank
blank
1 The type of returned values are shown in parentheses.
In the HP OpenView Browse MIB application's MIB values window, if failover is disabled, a sample MIB query displays the following information:
cfwHardwareInformation.6:cfwHardwareInformation.7 :cfwHardwareStatusValue.6 :0cfwHardwareStatusValue.7 :0cfwHardwareStatusDetail.6 :Failover OffcfwHardwareStatusDetail.7 :Failover OffIn this list, the table index, cfwHardwareType, appears as either .6 or .7 appended to the end of each of the subsequent objects. The cfwHardwareInformation field is blank, the cfwHardwareStatusValue is 0, and the cfwHardwareStatusDetail contains Failover Off, which indicates the failover status.
When failover is enabled, a sample MIB query displays the following information:
cfwHardwareInformation.6 :cfwHardwareInformation.7 :cfwHardwareStatusValue.6 : activecfwHardwareStatusValue.7 : standbycfwHardwareStatusDetail.6 :cfwHardwareStatusDetail.7 :In this listing, only the cfwHardwareStatusValue contains, either active or standby values to indicate the status of each module.
Verifying Memory Usage
You can determine how much free memory is available with the Cisco Memory Pool MIB. From the Firewall Services Module command line, use the show memory command to view the memory usage. The following is sample output from the show memory command:
Router(config)# show memory16777216 bytes total, 5595136 bytes freeYou can access the MIB objects from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoMemoryPoolMIB.ciscoMemoryPoolObjects.ciscoMemoryPoolTableTable 7 lists which objects provide memory usage information.
In the HP OpenView Browse MIB application's MIB values window, a sample MIB query displays the following information:
ciscoMemoryPoolName.1 :FWSM system memoryciscoMemoryPoolAlternate.1 :0ciscoMemoryPoolValid.1 :trueciscoMemoryPoolUsed.1 :12312576ciscoMemoryPoolFree.1 :54796288ciscoMemoryPoolLargestFree.1 :0In this list, the table index, ciscoMemoryPoolName, appears as the .1 value at the end of each subsequent object value. The ciscoMemoryPoolUsed object lists the number of bytes currently in use, 12312576, and the ciscoMemoryPoolFree object lists the number of bytes currently free 54796288. The other objects always list the values described in Table 7.
Viewing the Connection Count
You can view the number of connections in use from the cfwConnectionStatTable in the Cisco Firewall MIB. From the Firewall Services Module command line. Enter the show conn command to view the connection count. The following is sample output from the show conn command:
show connection count15 in useThe cfwConnectionStatTable object table can be accessed from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwConnectionStatTableTable 8 lists which objects provide connection count information.
In the HP OpenView Browse MIB application's MIB values window, a sample MIB query displays the following information:
cfwConnectionStatDescription.40.6 :number of connections currently in use by the entire firewallcfwConnectionStatDescription.40.7 :highest number of connections in use at any one time since system startupcfwConnectionStatCount.40.6 :0cfwConnectionStatCount.40.7 :0cfwConnectionStatValue.40.6 :15cfwConnectionStatValue.40.7 :15In this list, the table index, cfwConnectionStatService, appears as the .40 appended to each subsequent object.The table index, cfwConnectionStatType, appears as either .6 to indicate the number of connections in use or .7 to indicate the most used number of connections. The cfwConnectionStatValue object lists the connection count. The cfwConnectionStatCount object always returns 0 (zero).
Viewing System Buffer Usage
You can view the system buffer usage from the Cisco Firewall MIB in multiple rows of the cfwBufferStatsTable. The system buffer usage provides an early warning that the Firewall Services Module is reaching its capacity limit. On the command line, enter the show blocks command to view this information.
The following is sample output from the show blocks command to demonstrate how cfwBufferStatsTable is populated:
show blocksSIZE MAX LOW CNT4 1600 1600 160080 100 97 97256 80 79 791550 780 402 40465536 8 8 8You can view cfwBufferStatsTable at the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB. ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTableTable 9 lists the objects required to view the system block usage.
Note
In the HP OpenView Browse MIB application's MIB values window a sample MIB query displays the following information:
cfwBufferStatInformation.4.3 :maximum number of allocated 4 byte blockscfwBufferStatInformation.4.5 :fewest 4 byte blocks available since system startupcfwBufferStatInformation.4.8 :current number of available 4 byte blockscfwBufferStatInformation.80.3 :maximum number of allocated 80 byte blockscfwBufferStatInformation.80.5 fewest 80 byte blocks available since system startupcfwBufferStatInformation.80.8 :current number of available 80 byte blockscfwBufferStatInformation.256.3 :maximum number of allocated 256 byte blockscfwBufferStatInformation.256.5 :fewest 256 byte blocks available since system startupcfwBufferStatInformation.256.8 :current number of available 256 byte blockscfwBufferStatInformation.1550.3 :maximum number of allocated 1550 byte blockscfwBufferStatInformation.1550.5 :fewest 1550 byte blocks available since system startupcfwBufferStatInformation.1550.8 :current number of available 1550 byte blockscfwBufferStatValue.4.3: 1600cfwBufferStatValue.4.5: 1600cfwBufferStatValue.4.8: 1600cfwBufferStatValue.80.3: 400cfwBufferStatValue.80.5: 396cfwBufferStatValue.80.8: 400cfwBufferStatValue.256.3: 1000cfwBufferStatValue.256.5: 997cfwBufferStatValue.256.8: 999cfwBufferStatValue.1550.3: 1444cfwBufferStatValue.1550.5: 928cfwBufferStatValue.1550.8: 932In this list, the first table index, cfwBufferStatSize, appears as first number appended to the end of each object, such as .4 or .256. The other table index, cfwBufferStatType, appears as .3, .5,or .8 after the first index. For each block size, the cfwBufferStatInformation object identifies the type of value and the cfwBufferStatValue object identifies the number of bytes for each value.
Using the ipAddrTable
When you use the SNMP ipAddrTable entry, all interfaces must have unique addresses. If interfaces have not been assigned IP addresses, by default, their IP addresses are all set to 127.0.0.1. Duplicate IP addresses cause the SNMP management station to loop indefinitely. If this situation occurs, assign each interface a different address. For example, you can set one address to 127.0.0.1, another to 127.0.0.2, and so on.
SNMP uses a sequence of GetNext operations to traverse the MIB tree. Each GetNext request is based on the result of the previous request. If two consecutive interfaces have the same IP 127.0.0.1 (table index), the GetNext function returns 127.0.0.1, which is correct. However, when SNMP generates the next GetNext request using the same result (127.0.0.1), the request is identical to the previous one, which causes the management station to loop infinitely. For example:
GetNext(ip.ipAddrTable.ipAddrEntry.ipAdEntAddr.127.0.0.1)With SNMP, the MIB table index must be unique for the agent to identify a row from the MIB table. The table index for ip.ipAddrTable is the module interface IP address, which requires that the IP address is unique. The SNMP agent might become confused and may return information of another interface (row), which has the same IP (index).
SNMP Usage Notes
The following notes apply:
•
•
•
•
Configuring OSPF Routing Support
The Firewall Services Module can run two processes of Open Shortest Path First (OSPF) protocol simultaneously. Each of the OSPF processes runs on a different set of interfaces. RIP cannot be enabled on any of the same interfaces as the interfaces that OSPF is enabled on.
Redistribution between the two OSPF processes is supported. Redistribution between RIP and OSPF is not supported in the current release. Static and connected routes configured on OSPF-enabled interfaces on the Firewall Services Module can also be redistributed into the OSPF process. For further information on how to configure OSPF redistribution on the Firewall Services Module, please refer to the section "Configuring IP Routing Protocol-Independent Features" of the Cisco IOS IP and IP Routing Configuration Guide.'
OSPF allows the module to maintain its own routing table. The OSPF protocol provides the following features for the module:
•
•
•
•
•
•
•
Enabling OSPF
As with other routing protocols, to enable OSPF you need to create an OSPF routing process, specify the range of IP addresses to be associated with the routing process, and assign area IDs to be associated with that range of IP addresses. To enable OSPF, follow these tasks, beginning in global configuration mode:
This example shows how to enable OSPF:
FWSM(config)# router ospf 2FWSM(config-router)# network 2.0.0.0 255.0.0.0 area 0Configuring OSPF Interface Parameters
Cisco OSPF implementation allows you to alter some interface-specific OSPF parameters as necessary. You are not required to alter any of these parameters, but some interface parameters must be consistent across all routers in an attached network. You configure the parameters by using the ospf hello-interval, ospf dead-interval, and ospf authentication-key interface configuration commands. Be sure that if you do configure any of these parameters, the configurations for all routers on your network have compatible values.
To specify interface parameters for your network, follow these tasks in interface configuration mode:
This example shows how to configure the OSPF interfaces:
FWSM(config)# router ospf 2FWSM(config-router)# network 2.0.0.0 255.0.0.0 area 0FWSM(config-router)# interface insideFWSM(config-interface)# ospf cost 20FWSM(config-interface)# ospf retransmit-interval 15FWSM(config-interface)# ospf transmit-delay 10FWSM(config-interface)# ospf priority 20FWSM(config-interface)# ospf hello-interval 10FWSM(config-interface)# ospf dead-interval 40FWSM(config-interface)# ospf authentication-key ciscoFWSM(config-interface)# ospf message-digest-key 1 md5 ciscoFWSM(config-interface)# ospf authentication message-digestFWSM(config-interface)# exitFWSM(config)# show ip ospfRouting Process "ospf 2" with ID 20.1.89.2 and Domain ID 0.0.0.2Supports only single TOS(TOS0) routesSupports opaque LSASPF schedule delay 5 secs, Hold time between two SPFs 10 secsMinimum LSA interval 5 secs. Minimum LSA arrival 1 secsNumber of external LSA 5. Checksum Sum 0x 26da6Number of opaque AS LSA 0. Checksum Sum 0x 0Number of DCbitless external and opaque AS LSA 0Number of DoNotAge external and opaque AS LSA 0Number of areas in this router is 1. 1 normal 0 stub 0 nssaExternal flood list length 0Area BACKBONE(0)Number of interfaces in this area is 1Area has no authenticationSPF algorithm executed 2 timesArea ranges areNumber of LSA 5. Checksum Sum 0x 209a3Number of opaque link LSA 0. Checksum Sum 0x 0Number of DCbitless LSA 0Number of indication LSA 0Number of DoNotAge LSA 0Flood list length 0Configuring OSPF Area Parameters
You can configure several area parameters using Cisco OSPF software. These area parameters (shown in the following task table) include authentication, defining stub areas, and assigning specific costs to the default summary route. Authentication provides password-based protection against unauthorized access to an area.
Stub areas are areas into which information on external routes is not sent. Instead, there is a default external route generated by the area border router, into the stub area for destinations outside the autonomous system. To take advantage of the OSPF stub area support, default routing must be used in the stub area. To further reduce the number of LSAs sent into a stub area, you can configure the no-summary keyword of the area stub router configuration command on the area border router to prevent it from sending summary link advertisement (LSAs type 3) into the stub area.
To specify an area parameter for your network, follow these tasks in router configuration mode:
This example shows how to configure the OSPF area parameters:
FWSM(config)# router ospf 2FWSM(config-router)# area 0 authenticationFWSM(config-router)# area 0 authentication message-digestFWSM(config-router)# area 17 stubFWSM(config-router)# area 17 default-cost 20Configuring OSPF NSSA
The OSPF implementation of NSSA is similar to OSPF stub area. NSSA does not flood type 5 external LSAs from the core into the area, but it can import autonomous system external routes in a limited way within the area.
NSSA imports type 7 autonomous system external routes within an NSSA area by redistribution. These type 7 LSAs are translated into type 5 LSAs by NSSA area border routers, which are flooded throughout the whole routing domain. Summarization and filtering are supported during the translation.
You can simplify administration if you are an Internet service provider (ISP) or a network administrator that must connect a central site using OSPF to a remote site that is using a different routing protocol using NSSA.
Before the implementation of NSSA, the connection between the corporate site border router and the remote router could not be run as OSPF stub area because routes for the remote site could not be redistributed into stub area, and two routing protocols needed to be maintained. A simple protocol such as RIP was usually run and handled the redistribution. With NSSA, you can extend OSPF to cover the remote connection by defining the area between the corporate router and the remote router as an NSSA.
To specify area parameters as needed to configure OSPF NSSA, follow this task in router configuration mode:
Defines an NSSA area.
This example shows how to define an NSSA area:
FWSM(config-router)# area 17 nssaTo control summarization and filtering of type 7 LSAs into type 5 LSAs, use the following command in router configuration mode on the area border router:
Controls the summarization and filtering during the translation.
This example shows how to control summarization and filtering:
FWSM(config-router)# summary-address 12.1.0.0 255.255.0.0Before you use this feature, consider these guidelines:
•
•
Configuring Route Summarization Between OSPF Areas
Route summarization is the consolidation of advertised addresses. This feature causes a single summary route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router will advertise networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the area boundary router to advertise a summary route that covers all the individual networks within the area that fall into the specified range.
To specify an address range, follow this task in router configuration mode:
.
Specifies an address range for which a single route will be advertised.
This example shows how to configure route summarization between OSPF areas:
FWSM(config-router)# area 17 range 12.1.0.0 255.255.0.0Configuring Route Summarization when Redistributing Routes into OSPF
When routes from other protocols are redistributed into OSPF, each route is advertised individually in an external LSA. However, you can configure the Cisco IOS software to advertise a single route for all the redistributed routes that are covered by a specified network address and mask. This configuration decreases the size of the OSPF link-state database.
To configure the software advertise one summary route for all redistributed routes covered by a network address and mask, follow this task in router configuration mode:
This example shows how to configure route summarization when redistributing routes into OSPF:
FWSM(config-router)# summary-address 12.1.0.0 255.255.0.0Creating Virtual Links
With OSPF all areas must be connected to a backbone area. If there is a break in backbone continuity, or the backbone is purposefully partitioned, you can establish a virtual link. The two end points of a virtual link are area border routers. The virtual link must be configured in both routers. The configuration information in each router consists of the other virtual end point (the other area border router) and the nonbackbone area that the two routers have in common (called the transit area). Virtual links cannot be configured through stub areas.
To establish a virtual link, follow this task in router configuration mode:
.
This example shows how to create virtual links:
FWSM(config-router)# area 16 virtual-link 1.1.1.1To display information about virtual links, use the show ip ospf virtual-links EXEC command.
To display the router ID of an OSPF router, use the show ip ospf EXEC command
Generating a Default Route
You can force an autonomous system boundary router to generate a default route into an OSPF routing domain. Whenever you specifically configure redistribution of routes into an OSPF routing domain, the router automatically becomes an autonomous system boundary router. However, an autonomous system boundary router does not by default generate a default route into the OSPF routing domain.
To force the autonomous system boundary router to generate a default route, follow this task in router configuration mode:
This example shows how to generate a default route:
FWSM(config-router)# default-information originate alwaysChanging the OSPF Administrative Distances
An administrative distance is a rating of the trustworthiness of a routing information source, such as an individual router or a group of routers. An administrative distance numerically is an integer from 0 to 255. In general, the higher the value, the lower the trust rating. An administrative distance of 255 means the routing information source cannot be trusted and should be ignored.
OSPF uses three different administrative distances: intra-area, interarea, and external. Routes within an area are intra-area; routes to another area are interarea; and routes from another routing domain learned through redistribution are external. The default distance for each type of route is 110.
To change any of the OSPF distance values, follow this task in router configuration mode:
Changes the OSPF distance values.
This example shows how to change the OSPF administrative distance:
FWSM(config-router)# distance intra-ares 90 inter-area 95 external 100Configuring Route Calculation Timers
You can configure the delay time between when OSPF receives a topology change and when it starts a shortest path first (SPF) calculation. You also can configure the hold time between two consecutive SPF calculations.
To configure the route calculation time, follow this task in router configuration mode:
Configures route calculation timers.
This example shows how to configure route calculation timers:
FWSM(config-router)# timers spf 10 120Logging Neighbors Going Up or Down
By default, the system sends a syslog message when an OSPF neighbor goes up or down.
Configure this command if you want to know about OSPF neighbors going up or down without turning on the debug ip ospf adjacency EXEC command. The log-adj-changes router configuration command provides a higher level view of the peer relationship with less output. Configure log-adj-changes detail if you want to see messages for each state change.
Sends syslog message when an OSPF neighbor goes up or down.
If you turned off this feature and want to restore it, follow this task in router configuration mode:
This example shows how to log neighbors:
FWSM(config-router)# log-adj-changes detailChanging the LSA Group Pacing
The OSPF LSA group pacing feature allows the router to group OSPF LSAs and pace the refreshing, check summing, and aging functions. Group pacing results in more efficient use of the router.
The router groups OSPF LSAs and paces these functions so that sudden increases in CPU usage and network resources are avoided. This feature is most beneficial to large OSPF networks.
OSPF LSA group pacing is enabled by default. The default group pacing interval for refreshing, check summing, and aging usually is appropriate, and you need not configure this feature.
Original LSA Behavior
Each OSPF LSA has an age, which indicates whether the LSA is still valid. When the LSA reaches the maximum age (1 hour), it is discarded. During the aging process, the originating router sends a refresh packet every 30 minutes to refresh the LSA. Refresh packets are sent to keep the LSA from expiring, whether there has been a change in the network topology or not. Check summing is performed on all LSAs every 10 minutes. The router keeps track of LSAs it generates and LSAs it receives from other routers. The router refreshes LSAs it generated; it ages the LSAs it received from other routers.
Before the LSA group pacing feature was introduced, the Cisco IOS software would perform refreshing on a single timer, and check summing and aging on another timer. In the case of refreshing, for example, the software would scan the whole database every 30 minutes, refreshing every LSA the router generated, regardless of how old it was.
Figure 15 shows all the LSAs being refreshed at the same time. This process wasted CPU resources because only a small portion of the database needed to be refreshed. A large OSPF database (several thousand LSAs) might have thousands of LSAs with different ages. Refreshing on a single timer resulted in the age of all LSAs becoming synchronized, which resulted in increased CPU processing at once. A large number of LSAs might cause a sudden increase of network traffic, consuming a large amount of network resources in a short period of time.
Figure 15 OSPF LSAs on a Single Timer Without Group Pacing
LSA Group Pacing with Multiple Timers
This problem is solved by configuring each LSA to have its own timer. Each LSA gets refreshed when it is 30 minutes old, independent of other LSAs, so the CPU is used only when necessary. However, LSAs being refreshed at frequent, random intervals would require many packets for the few refreshed LSAs the router must send out, which would be inefficient use of bandwidth.
Therefore, the router delays the LSA refresh function for an interval of time instead of performing it when the individual timers are reached. The accumulated LSAs constitute a group, which is then refreshed and sent out in one packet or more. The refresh packets are paced as are the check summing and aging. The pacing interval is configurable; it defaults to 4 minutes, which is randomized to further avoid synchronization.
Figure 16 shows refresh packets. The first timeline shows individual LSA timers; the second timeline shows individual LSA timers with group pacing.
Figure 16 OSPF LSAs on Individual Timers with Group Pacing
The group pacing interval is inversely proportional to the number of LSAs the router is refreshing, check summing, and aging. For example, if you have approximately 10,000 LSAs, decreasing the pacing interval would benefit you. If you have a very small database (40 to 100 LSAs), increasing the pacing interval to 10 to 20 minutes might benefit you slightly.
The default value of pacing between LSA groups is 240 seconds (4 minutes). The range is from 10 seconds to 1800 seconds (30 minutes). To change the LSA group pacing interval, follow this task in router configuration mode:
Changes the group pacing of LSAs.
The following example changes the OSPF pacing between LSA groups to 280 seconds:
FWSM(config-router)# timers lsa-group-pacing 280FWSM(config-router)# interface insideBlocking OSPF LSA Flooding
By default, OSPF floods new LSAs over all interfaces in the same area, except the interface on which the LSA arrives. Some redundancy is desirable, because it ensures substantial flooding. However, too much redundancy can waste bandwidth and might destabilize the network due to excessive link and CPU usage in certain topologies, such as a fully meshed topology.
You can block OSPF flooding of LSAs two ways, depending on the type of networks:
•
•
On broadcast, nonbroadcast, and point-to-point networks, to prevent flooding of OSPF LSAs, follow this task in interface configuration mode:
FWSM(config-if)# ospf database-filter all outBlocks the flooding of OSPF LSA packets to the interface.
On point-to-multipoint networks, to prevent flooding of OSPF LSAs, follow this task in router configuration mode:
Blocks the flooding of OSPF LSA packets to the specified neighbor.
Ignoring MOSPF LSA Packets
Cisco routers do not support LSA type 6 Multicast OSPF (MOSPF). If the routers receive these packets, they generate syslog messages. If the router is receiving many MOSPF packets, you might want to configure the router to ignore the packets, which prevent a large number of syslog messages. To configure the router to ignore these packets, follow this task in router configuration mode:
Prevents the router from generating syslog messages when it receives MOSPF LSA packets.
The following example shows how to prevent flooding of OSPF LSAs to broadcast, nonbroadcast, or point-to-point networks reachable through Ethernet interface 0:
FWSM(config-router)# router ospf 2FWSM(config-router)# ignore lsa mospfFWSM(config-interface)# ospf database-filter all outFWSM(config-interface)# router ospf 2FWSM(config)# show ip ospf flood-list insideInterface inside, Queue length 0The following example shows how to prevent flooding of OSPF LSAs to point-to-multipoint networks to the neighbor at IP address 1.2.3.4:
FWSM(config-router)# router ospf 109FWSM(config-router)# neighbor 1.2.3.4 database-filter all outDisplaying OSPF Update Packet Pacing
The former OSPF implementation for sending update packets was not efficient. Some update packets were getting lost in situations where the link was slow, a neighbor could not receive the updates quickly enough, or the router was out of buffer space. For example, packets might be dropped if either of the following topologies existed:
•
•
OSPF update packets are now automatically paced so they are not sent less than 33 milliseconds apart. Pacing is also added between resends to increase efficiency and minimize lost retransmissions. You also can display the LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update and retransmission packets are sent more efficiently.
There are no configuration tasks for this feature; it occurs automatically. To observe OSPF packet pacing by displaying a list of LSAs waiting to be flooded over a specified interface, follow this task in EXEC mode:
FWSM# show ip ospf flood-list interface-type interface-numberDisplays a list of LSAs waiting to be flooded over an interface.
Area Border Router Type 3 LSA Filtering
The area border router Type 3 LSA filtering feature extends the capability of an area border router that is running the OSPF protocol to filter type 3 LSAs between different OSPF areas. This feature allows only specified prefixes to be sent from one area to another area and restricts all other prefixes. This type of area filtering can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of the same OSPF areas at the same time. This feature is supported by the addition of the area filter-list command.
The OSPF ABR Type 3 LSA filtering feature provides improved control of route distribution between OSPF areas.
Only Type 3 LSAs that originate from an area border router are filtered.
Configuring ABR Type 3 LSA Filtering
To filter interarea routes into a specified area, perform the following tasks beginning in router configuration mode:
To filter interarea routes out of a specified area, use the following commands beginning in router configuration mode:
Monitoring and Maintaining OSPF
You can display specific statistics such as the contents of IP routing tables, caches, and databases. Information provided can be used to determine resource utilization and solve network problems. You can also display information about node reachability and discover the routing path that your device packets are taking through the network.
To display various routing statistics, follow this task in EXEC mode, as needed:
To restart an OSPF process, follow this task in EXEC mode:
Configuring IPSec for Management
Internet Protocol Security (IPSec) provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec operates at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers), such as Firewall Services Modules.
IPSec provides the following optional network security services. A local security policy determines the use of one or more of these services:
•
•
•
•
Note
IPSec provides controlled tunnels between two peers, such as two Firewall Services Modules. These tunnels are sets of security associations that are established between two remote IPSec peers (modules). You define which packets are considered sensitive and should be sent through these controlled tunnels, and you define the parameters that should be used to protect these sensitive packets by specifying the characteristics of these tunnels. When the IPSec peer sees a sensitive packet, it sets up the appropriate controlled tunnel and sends the packet through the tunnel to the remote peer.
For detailed information about IPSec, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/ipsec/index.htm
The following steps describe a minimal IPSec configuration where the IPSec security associations are established through Internet Key Exchange (IKE).
To configure IPSec with IKE for the module, perform this task:
Step 1
FWSM(config)# access-list access-list-module {deny | permit} ip source source-netmask destination destination-netmaskCreates an access list to define the traffic to protect.
Step 2
FWSM(config)# crypto ipsec transform-set transform-set-module transform1 [transform2, transform3]Configures a transform set that defines how the traffic will be protected. You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry in Step 6.
Step 3
Creates a crypto map entry in IPSec ISAKMP mode.
Step 4
Assigns an access list to a crypto map entry.
Step 5
Specifies the peer to which the IPSec-protected traffic can be forwarded.The security association is set up with the peer having an IP address of 192.168.1.100. Specify multiple peers by repeating this command.
Step 6
Specifies which transform sets are allowed for this crypto map entry. Lists multiple transform sets in order of priority (highest priority first). You can specify up to six transform sets.
Step 7
FWSM(config)# crypto map map-module seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}(Optional) Specifies a security association lifetime for the crypto map entry, if you want the security associations for this entry to be negotiated using different IPSec security association lifetimes other than the global lifetimes.
Step 8
(Optional) Specifies that IPSec should require perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or should require PFS in requests received from the peer.
Step 9
FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num match address access-list-module(Optional) Assigns an access list to a dynamic crypto map entry, which determines which traffic should be protected and which traffic should not protected.
Step 10
FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set peer ip-address(Optional) Specifies the peer to which the IPSec-protected traffic can be forwarded. This is rarely configured in dynamic crypto map entries because dynamic crypto map entries are often used for unknown peers.
Step 11
FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set transform-set transform-set-module1, [transform-set-module2, transform-set-module9]Specifies which transform sets are allowed for this dynamic crypto map entry. Lists multiple transform sets in order of priority (highest priority first).
Step 12
FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}(Optional) Specifies a security association lifetime for the dynamic crypto map entry, if you want the security associations for this entry to be negotiated using different IPSec security association lifetimes other than the global lifetimes:
Step 13
(Optional) Specifies that IPSec should request PFS when requesting new security associations for this dynamic crypto map entry, or should demand PFS in requests received from the peer.
Step 14
Adds the dynamic crypto map set into a static crypto map set. Be sure to set the crypto map entries referencing dynamic maps to be the lowest-priority entries (highest sequence numbers) in a crypto map set.
Step 15
Applies a crypto map set to an interface on which the IPSec traffic will be evaluated.
Step 16
Specifies that IPSec traffic be implicitly trusted (permitted).
In the Firewall Services Module, VPN and IPSec are available only for management purposes. You cannot establish IPSec tunnels across the firewall; any tunnel initiated by a VPN client on another switch should terminate at the Firewall Services Module. The CLI commands you use to configure IPSec for management have not changed from PIX except for those listed inTable 13. Refer to the PIX documentation for details about configuring IPSec.
Administering the Firewall Services Module
This chapter describe how to administer the Firewall Services Module and contains these sections:
•
•
•
•
Administering the Software Images
This section contains the various administrative tasks you can perform using the Cisco IOS software images:
•
•
Quick Software Upgrade
To quickly upgrade the Firewall Services Module software image, follow these steps:
Step 1
msfc(config)# tftp-server bootflash:image nameStep 2
a.
router(config)# interface Vlan30router(config)# description to_fwsm_vlan_30router(config)# ip address 10.20.30.2 255.255.255.0router(config)# no ip redirectsb.
nameif vlan30 inside security100...ip address inside 10.20.30.5 255.255.255.0c.
FWSM# ping 10.20.30.210.20.30.2 response received -- 0ms10.20.30.2 response received -- 0ms10.20.30.2 response received -- 0msStep 3
FWSM# copy tftp flashAddress or name of remote host [127.0.0.1]? 10.20.30.2Source file name [cdisk]? c6svc-fwm-k9.1-1-0-207.bincopying tftp://10.20.30.2/c6svc-fwm-k9.1-1-0-207.bin to flash:image[yes|no|again]?yes!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!The output shows the MSFC as the TFTP server.
Step 4
FWSM# reloadProceed with reload? [confirm]
Image Locations
There are 5 partitions on the compact Flash as follows:
•
•
•
•
You can have two application images stored in Flash. One image in partition 4 and one in partition 5. Depending on which partition you want to boot, you can use cf:4 or cf:5 in the boot device module module_number partition_number command. For example:
Router(config)# boot device module 3 cf:5Router(config)# boot device module 4 cf:4The configurations related to that image is stored in the same partition as the image.
If the module's application partition gets corrupted, the maintenance partition can be used to recover the application configuration. The network configuration partition stores the network parameters for the maintenance partition.
When the application image fails, a log is created in the crash dump partition, which contains all failure-related information. You can use this log later for debugging using the show crashdump CLI command from both the maintenance partition and the application partition, if the application partition recovers without a problem on restart.
You can also upgrade the application from the maintenance partition. You can clear the enable password for the module from the maintenance partition CLI.
Logging into the Application Software
The application software has one user level. Use the enable command in the EXEC mode.
Refer to the "Changing and Recovering Passwords" section if you need to change or recover passwords.
To log into the Firewall Services Module, follow these steps:
Step 1
Step 2
Cisco IOS:
Router# session slot 8 processor 1The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.81 ... OpenCisco Maintenance imageCatalyst Operating System:
Console> session 8The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.81 ... OpenCisco Maintenance imageStep 3
Cisco IOS:
Router# hw-module module slot_number reset cf:4Catalyst Operating System:
Console(enable)> reset module-number [boot device:partition]Console(enable)> rebootLogging into the Maintenance Software
The maintenance software has two user levels with different access privileges:
•
The default password is cisco.
•
The default password is cisco.
Refer to the "Changing and Recovering Passwords" section if you need to change or recover passwords.
To log into the Firewall Services Module maintenance partition, follow these steps:
Step 1
Step 2
Cisco IOS:
Router# session slot 8 processor 1The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.81 ... OpenCisco Maintenance imageCatalyst Operating System:
Console> session 8The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.81 ... OpenCisco Maintenance imageStep 3
login: rootStep 4
Password:After a successful login, the command line prompt appears as follows:
Maintenance image version: 1.1(0.3)root@localhost#Step 5
Cisco IOS:
Router# hw-module module slot_number reset cf:1Catalyst Operating System:
Console(enable)> reset module-number [boot device:partition]Console(enable)> reboot
Upgrading Software Images
You can upgrade both the application software and the maintenance software. To upgrade the application software, see the "Upgrading the Application Software" section. To upgrade the maintenance software, see the "Upgrading the Maintenance Software" section.
The entire application and maintenance partitions are stored on the FTP or TFTP server. The images are downloaded and extracted to the application or maintenance partition depending on which image is being upgraded.
To upgrade the application partition, change the boot sequence to boot the module from the maintenance partition. The maintenance partition downloads and installs the application image. The supervisor engine must be executing the run-time image to provide network access to the maintenance partition.
Set the boot sequence for the module using the supervisor engine CLI commands. As the maintenance partition boots, it determines the application type. If the network parameters are already configured, you can directly download the new image. If network parameters are not set, you need to manually configure them.
When you specify the target device and partition number for upgrading the application partition, software recognition checks are made to ensure that you do not upgrade the maintenance partition.
Before starting the upgrade process, you will need these software images:
•
•
A TFTP and FTP server are required to copy the images. The TFTP server should be connected to the switch and the port connecting to the TFTP server should be included in VLAN 1 on the switch.
Another TFTP server is required in the network. This TFTP server must be reachable from the module when the module image is booted up.
Upgrading the Application Software
To upgrade the application software image you must first copy the firewall software image to a directory accessible to FTP, and then log in to the switch through the console port or through a Telnet session.
To upgrade the application partition software, perform these tasks:
Step 1
Cisco IOS:
Router# hw-module module slot_number reset cf:1Catalyst Operating System:
Console>(enable) reset module-number boot cf:1Reboots the module into the maintenance partition.
Step 2
Cisco IOS:
Router# session slot slot_number processor 1Catalyst Operating System:
Console>(enable) session moduleEstablishes a console session with the module.
Step 3
At the login prompt, logs into the root account of the module.
Step 4
root@localhost# ip address ip _address netmaskroot@localhost# ip gateway ip_addressAssigns an IP address and a default gateway to the maintenance partition.
Because the module maintenance partition can only use VLAN 1 on the switch, use the IP addresses and gateway for VLAN 1. The FTP server is reachable after the IP parameters are specified.
Step 5
Displays the current settings. If the parameters are not correct, use the commands described in Step 4. The module image should be available on the FTP server reachable through VLAN 1.
Step 6
root@localhost# ping ip_addressPings the FTP server to verify if the configuration is correct.
Step 7
root@localhost# upgrade ftp_url cf:xUpgrades the application image from the appropriate directory on the FTP server that is reachable from the module.
The ftp_url values contain the following options:
•
The command prompts for the password. Enter the password for the username you are using to log in to the FTP server.
•
Note
Enter your password when prompted.
•
Step 8
Follow the screen prompts during the upgrade.
The image is copied from the FTP server to the compact Flash. The upgrade command also ensures that the configuration on the corresponding application partition is backed up and restored at the end of the upgrade operation.
Step 9
Logs out of the maintenance software.
Step 10
Cisco IOS:
Router# hw-module module slot_number reset cf:4Catalyst Operating System:
Console>(enable) reset module-number boot cf:4Resets the module into the application partition.
This example shows how to upgrade the Firewall Services Module application software:
Router# hw-module module 9 reset cf:1Device BOOT variable for reset = cf:1Warning:Device list is not verified.Proceed with reload of module? [confirm] y% reset issued for module 9Router#00:16:06:%SNMP-5-MODULETRAP:Module 9 [Down] Trap00:16:06:SP:The PC in slot 9 is shutting down. Please wait ...00:16:21:SP:PC shutdown completed for module 900:16:21:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (adminrequest)00:16:24:SP:Resetting module 9 ...00:16:24:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on00:18:21:%SNMP-5-MODULETRAP:Module 9 [Up] Trap00:18:21:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed00:18:21:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now onlineRouter# session slot 9 proc 1The default escape character is Ctrl-^, then x.You can also type 'exit' at the remote prompt to end the sessionTrying 127.0.0.91 ... OpenCisco Maintenance imagelogin:rootPassword:Maintenance image version: 1.1(0.3)root@localhost.cisco.com# upgrade ftp://user:password@address/tftpboot/user/c6svc-fwm-k9.1-1-0-170.bin cf:4Downloading the image. This may take several minutes...ftp://user:password@address/tftpboot/c6svc-fwm-k9.1-1-0-170.bin (5919K)/tmp/upgrade.gz [########################] 5919K | 821.24K/s6061947 bytes transferred in 7.38 sec (821.23k/sec)Upgrade file ftp://ftp://user:password@address/tftpboot/user/c6svc-fwm-k9.1-1-0-170.bin .gz is downloaded.Upgrading will wipe out the contents on the hard disk.Do you want to proceed installing it [y|N]:yProceeding with upgrade. Please do not interrupt.If the upgrade is interrupted or fails, boot intoMaintenance image again and restart upgrade.Proceeding with image upgrade.Backing up FWSM configuration.Restoring FWSM configuration.Application image upgrade complete. You can boot the image now.Partition upgraded successfully.root@hostname.cisco.com# logout[Connection to 127.0.0.91 closed by foreign host]Router# hw-module module 9 resetDevice BOOT variable for reset =Warning:Device list is not verified.Proceed with reload of module? [confirm] y% reset issued for module 9Router#00:24:04:%SNMP-5-MODULETRAP:Module 9 [Down] Trap00:24:04:SP:The PC in slot 9 is shutting down. Please wait ...00:24:18:SP:PC shutdown completed for module 900:24:18:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (adminrequest)00:24:21:SP:Resetting module 9 ...00:24:21:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on00:26:19:%SNMP-5-MODULETRAP:Module 9 [Up] Trap00:26:19:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed00:26:19:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now onlineThe module is now upgraded and ready for further firewall configuration. You can do further application partition upgrades from the module console, by entering the command:
copy tftp://tftp_ip/file_name flash:Upgrading the Maintenance Software
To upgrade the maintenance software image, you must first copy the module maintenance software image to a directory accessible to TFTP, and then log into the switch through the console port or through a Telnet session.
Note
To upgrade the maintenance partition software, perform these tasks:
This example shows how to upgrade the module maintenance software:
Router# hw-module module 9 reset cf:4Device BOOT variable for reset = cf:4Warning:Device list is not verified.Proceed with reload of module? [confirm] y% reset issued for module 9Router#00:31:11:%SNMP-5-MODULETRAP:Module 9 [Down] Trap00:31:11:SP:The PC in slot 9 is shutting down. Please wait ...00:31:25:SP:PC shutdown completed for module 900:31:25:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (adminrequest)00:31:28:SP:Resetting module 9 ...00:31:28:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on00:33:26:%SNMP-5-MODULETRAP:Module 9 [Up] Trap00:33:26:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed00:33:26:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are nowonlineRouter# session slot 9 proc 1The default escape character is Ctrl-^, then x.You can also type 'exit' at the remote prompt to end the sessionTrying 127.0.0.91 ... Openfwsm# upgrade-mpAddress or name of remote host [160.251.101.128]? 192.168.253.79Source file name []? mp-1.0.1-bin.gzcopying upgrade-mp tftp://10.1.1.1/tftpboot/mp.1-1-0-3.bin.gz to flash[yes|no|again]? y!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Received 7700916 bytes.Maintenance partition upgraded.Router# hw-module module 9 reset cf:1Device BOOT variable for reset = cf:1Warning:Device list is not verified.Proceed with reload of module? [confirm] y% reset issued for module 9Router#02:27:19:%SNMP-5-MODULETRAP:Module 9 [Down] Trap02:27:19:SP:The PC in slot 9 is shutting down. Please wait ...02:27:36:SP:PC shutdown completed for module 902:27:36:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (adminrequest)02:27:39:SP:Resetting module 9 ...02:27:39:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on02:29:37:%SNMP-5-MODULETRAP:Module 9 [Up] Trap02:29:37:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed02:29:37:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are nowonlineRouter#Changing and Recovering Passwords
You can change and recover passwords using a Telnet connection to the module and CLI.
To change the password, use a Telnet connection to the module, and then use the passwd or passwd-guest commands to change the password.
Note
Note
Changing the Application Partition Passwords
To change the application partition password, follow these steps while you are logged in to the account application account. Enter the passwd command with a password, for example:
FWSM# passwd frnxIf you do not enter a password, you receive the following result:
FWSM# passwdNot enough arguments.Usage: passwd <password> encryptedChanging the Maintenance Partition Passwords
To change the password, follow these steps while you are logged in to the root account on the maintenance software partition. The passwd command is available for the maintenance partition's root and guest account.
Step 1
root@localhost# passwdStep 2
Changing password for user rootNew password:Step 3
Retype new password:passwd: all authentication tokens updated successfullyThis example shows how to set the password for the root account:
root@localhost# passwdChanging password for user rootNew password:Retype new password:passwd: all authentication tokens updated successfullyTo change the password for the guest account, enter the password-guest command. This command is available from the maintenance partition root account only.
Step 1
root@localhost# passwd-guestStep 2
Changing password for user guestNew password:Step 3
Retype new password:passwd: all authentication tokens updated successfullyThis example shows how to set the password for the guest account:
root@localhost# passwd-guestChanging password for user guestNew password:Retype new password:passwd: all authentication tokens updated successfullyRecovering the Application Partition Passwords
If you have forgotten or lost the passwords for either the module application or maintenance software, they can be reset to the default values. Clearing the password resets the Telnet password to cisco and clears the enable password. To reset an application image password, follow these steps:
Step 1
root@localhost# clear passwd cf:partition_numberpartition_number refers to the number of the application or maintenance partition where you are resetting the password.
Note
Step 2
Do you wish to erase the passwords? [yn] yThe following lines will be removed from the configuration:enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedDo you want to remove the commands listed above from the configuration?[yn] yPasswords and aaa commands have been erased.This example shows how to clear the password for the module application software on partition 4 of the compact flash:
root@localhost# clear passwd cf:4Do you wish to erase the passwords? [yn] yThe following lines will be removed from the configuration:enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedDo you want to remove the commands listed above from the configuration?[yn] yPasswords and aaa commands have been erased.Recovering the Maintenance Partition Passwords
If you have forgotten or lost the passwords for either the module application or maintenance software, they can be reset to the default values. Clearing the password resets the Telnet password to cisco and clears the enable password.
Note
To reset a maintenance image password, enter this command:
fwsm# clear mp-passwdThis example shows how to clear the password for the module maintenance software on partition cf:1 of the compact Flash:
root@localhost# clear mp-passwdPasswords for 'root' and 'guest' accounts cleared successfully.Resetting the Firewall Services Module
If you cannot reach the module through the CLI or an external Telnet session, enter the hw-mod module module_number reset command to reset and reboot the module. The reset process requires several minutes.
When the module initially boots, by default it runs a partial memory test. To perform a full memory test, use the mem-test-full keyword in the hw-module module module_number reset device:partition mem-test-full command. This command is specific to Cisco IOS software and is not available in Catalyst operating system software.
A full memory test takes more time to complete than a partial memory test depending on the memory size. Table 5 lists the memory and approximate boot time for a long memory test.
You can also use the hw-module module module_number reset [mem-test-full] command. For example:
Router# hw-module module 5 reset mem-test-fullThis section describes how to reset the module:
Resetting the Module with Cisco IOS Software
Resetting the Module with Catalyst Operating System Software
Resetting the Module with Cisco IOS Software
To reset the module from the CLI, perform this task in privileged mode:
Note
This example shows how to reset the module, installed in slot 9, from the CLI:
Router# hw-mod mod 9 resetProceed with reload of module? [confirm] y% reset issued for module 9Router#00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...To reboot the module from the application software, perform this task while you are sessioned into the root account on the module in the privileged mode:
This example shows how to reboot the module:
Router# reloadResetting the Module with Catalyst Operating System Software
To reset the module from the CLI, perform this task in privileged mode:
Note
This example shows how to reset the module, installed in slot 9, from the from the application partition:
Router# reset mod 9Proceed with reload of module? [confirm] y% reset issued for module 9Router#00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...To reboot the module from the application software, perform this task while you are sessioned into the root account on the module in the privileged mode:
This example shows how to reboot the module:
FWSM# rebootTroubleshooting the Firewall Services Module
This section provides troubleshooting information for the Firewall Services Module.
Symptom You cannot connect to the module.
Possible Cause The initial configuration is incorrect or not configured.
Recommended Action Perform a show module command and check that the status is OK.
Symptom When a reset command is entered from the supervisor CLI, the system always boots into the maintenance image.
Possible Cause If the boot device is configured in the supervisor as cf:1, when you enter a reset module command the system always boots to the maintenance image.
Recommended Action Override the configured boot device in the supervisor engine by entering the boot string during reset. In Cisco IOS software, to boot to the application image, enter the hw-module mod 9 reset cf:4 (or cf:5) command.
Symptom You are unable to log into the maintenance image with the same password for the module application image.
Possible Cause The module application image and the maintenance image have different password databases. Any password change performed in the module application image does not change the maintenance image passwords and vice versa.
Recommended Action Use the maintenance image password.
Symptom You lost your password for the maintenance image and want to recover it.
Possible Cause The maintenance image does not support resetting passwords from the switch. Upgrading the maintenance image retains the password for root and guest across the upgrades.
Recommended Action Refer to "Changing and Recovering Passwords" section.
Firewall Services Module and PIX Commands
This section describes additions, changes, and differences between the Firewall Services Module and the PIX application commands.
The tables in this appendix describe the following commands:
•
•
•
These commands are described in Command Reference
•
•
•
For detailed information about the PIX software commands, refer to the PIX documentation listed in the "Related Documentation" section.
The module also supports CLI commands for the supervisor engine, which are described in more detail in the Catalyst 6500 Series Command Reference.
Table 13 PIX Commands Changed for the Firewall Services Module
aaa authentication [supervisor | enable | telnet | ssh | http] console group_tag
[no] aaa authentication [supervisor | enable | telnet | ssh | http] console group_taginterface hardware_id [hardware_speed] [shutdown]
show interfacenameif hardware_id ifname security_level
New syntax is nameif vlan_id if_name security_level. Refer tonameif vlan_number if_name security_level in the "Command Reference" section.
route if_module ip_address netmask gateway_ip [metric]
Table 15 lists the PIX commands used by the module and their PIX version. Commands that were changed from PIX for the module are described in Command Reference For detailed information about the PIX software commands, refer to the PIX documentation located at these URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/
Command Reference
This appendix describes the Firewall Services Module commands that are unique to this module and the commands that have been changed from the PIX command implementation for use with the Firewall Services Module.
For detailed information about the PIX software commands, refer to the PIX documentation located at these URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/
access-list
Use the access-list command to configure access rules. Use the no form of this command to remove access rules from the configuration.
Note
Note
access-list acl_ID deny | permit { protocol | object-group protocol_obj_grp_id }
{host source_addr | local_addr | source_addr | local_addr source_mask | local_mask | object-group network_obj_grp_id } { [ operator port [ port ] | object-group service_obj_grp_id ] } {host destination_addr | remote_addr | destination_addr | remote _addr destination_mask | remote_mask | object-group network_obj_grp_id { [ operator port [ port ] | object-group service_obj_grp_id ] }no access-list acl_ID deny | permit { protocol | object-group protocol_obj_grp_id }
{host source_addr | local_addr | source_addr | local_addr source_mask | local_mask | object-group network_obj_grp_id } { [ operator port [ port ] | object-group service_obj_grp_id ] } {host destination_addr | remote_addr | destination_addr | remote _addr destination_mask | remote_mask | object-group network_obj_grp_id { [ operator port [ port ] | object-group service_obj_grp_id ] }access-list acl_ID deny | permit icmp { host source_addr | local_addr | source_addr | local_addr source_mask | local_mask | object-group network_obj_grp_id }{ host destination_addr | remote_addr | destination_addr | remote_addr destination_mask | remote_mask | object-group network_obj_grp_id }{ [ icmp_type | object-group icmp_type_obj_grp_id] }
no access-list acl_ID deny | permit icmp { host source_addr | local_addr | source_addr | local_addr source_mask | local_mask | object-group network_obj_grp_id }{ host destination_addr | remote_addr | destination_addr | remote_addr destination_mask | remote_mask | object-group network_obj_grp_id }{ [ icmp_type | object-group icmp_type_obj_grp_id] }
clear access-list [acl_ID]
show access-list [acl_ID]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Usage Guidelines
The access list behavior on the module differs from that on PIX 6.0 as follows:
•
•
•
After the compilation begins, it may take some time for the new rule set to be downloaded to the hardware. In the interim, the old access rule set is applied to the incoming traffic. After successfully download the new set is used to determine access permissions.
•
•
Examples
This example shows how to define an access list allowing any host to access server 121.23.65.12 using Telnet:
FWSM(config)# access-list in_acl permit tcp any host 121.23.65.12 eq 23For further examples, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version 6.
For examples on using access-lists with the object group command refer to the Cisco PIX Firewall and VPN Configuration Guide Version 6.2.
Related Commands
access-group - in the PIX 6.0
object-groupaccess-list (ospf)
Use the access list (ospf) command to configure access rules. Use the no form of this command to remove access rules from the configuration.
access-list id deny | permit {any | ip mask}
[no] access-list id deny | permit {any | ip mask}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Usage Guidelines
This access list syntax is used only in the context of OSPF. Access lists created with this syntax are then used for defining route maps to be applied to redistributed routes. An access list containing any access elements defined using the command syntax cannot be applied to an interface using the access-group command.
Examples
This example shows how to create an access list:
FWSM(config)# access-list ospf1 permit 10.2.0.0 255.255.255.0.0FWSM(config)# show access-listaccess-list ospf1; 1 elementsaccess-list ospf1 permit 10.2.0.0 255.255.255.0 (hitcnt=0)Related Commands
area
Use the area command to specify an area name in the router configuration submode.
area area id authentication
area area id authentication message-digest
area area id default-cost cost
area area id filter-list prefix name [in | out]
area area id nssa [no-redistribution] [default-information-originate]
area area id range prefix mask [advertise | not-advertise]
area area id stub [no-summary]
area area id virtual-link router id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds [[authentication-key key]| [message-digest-key key id md5 key]]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Router configuration submode.
Command History
Examples
The following example mandates authentication for areas 0 and 36.0.0.0 of OSPF routing process 201. Authentication keys are also provided.
Router(config)# interface ethernet 0ip address 131.119.251.201 255.255.255.0ip ospf authentication-key adcdefgh!Router(config)# interface ethernet 1ip address 36.56.0.201 255.255.0.0ip ospf authentication-key ijklmnop!Router(config)# router ospf 201network 36.0.0.0 0.255.255.255 area 36.0.0.0network 131.119.0.0 0.0.255.255 area 0area 36.0.0.0 authenticationarea 0 authenticationThe following example assigns a default cost of 20 to stub network 36.0.0.0:
Router(config)# interface ethernet 0ip address 36.56.0.201 255.255.0.0!Router(config)# router ospf 201network 36.0.0.0 0.255.255.255 area 36.0.0.0area 36.0.0.0 stubarea 36.0.0.0 default-cost 20The following example filters prefixes that are sent from all other areas to area 1:
Router(config)# area 1 filter-list prefix-list AREA_1 inThe following example specifies one summary route to be advertised by the ABR to other areas for all subnets on network 36.0.0.0 and for all hosts on network 192.42.110.0:
Router(config)# interface ethernet 0ip address 192.42.110.201 255.255.255.0!Router(config)# interface ethernet 1ip address 192.42.120.201 255.255.255.0!Router(config)# router ospf 201network 192.42.110.0 0.0.0.255 area 0area 36.0.0.0 range 36.0.0.0 255.0.0.0area 0 range 192.42.110.0 255.255.0.0The following example establishes a virtual link with default values for all optional parameters:
Router(config)# router ospf 201network 36.0.0.0 0.255.255.255 area 36.0.0.0area 36.0.0.0 virtual-link 36.3.4.5The following example establishes a virtual link with MD5 authentication:
Router(config)# router ospf 201network 36.0.0.0 0.255.255.255 area 36.0.0.0area 36.0.0.0 virtual-link 36.3.4.5 message-digest-key 3 md5 sa5721bk47For further examples refer to the Cisco IOS Configuration Guides and Command References.
clear console-output
Use the clear console-output command to clear the contents of the message buffer.
clear console-output
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to clear the message buffer.
Router(config)# clear console-outputRelated Commands
clear logging rate-limit
Use the clear logging rate-limit command to clear the log rate.
clear logging rate-limit
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to clear the logging rate.
Router(config)# clear logging rate-limitRelated Commands
logging rate-limit
show logging rate-limitdefault-information originate
Use the default-information originate command to control the redistribution of a default route.
default-information originate [always] [metric value | metric-type {1 | 2} | [route-map map]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Router configuration submode.
Command History
Examples
This example shows how to control the redistribution of a default route:
Router(config)# default-information originatedistance
Use the distance command to define OSPF administrative distances based on route type. To restore the default value, use the no form of this command.
distance [intra-area dist1] [inter-area dist2] [external dist3]
no distance
Syntax Description
Defaults
.Default dist1, dist2, and dist3 values are 110.
Command Modes
Router configuration submode.
Command History
Examples
The following example changes the external distance to 200, making it less reliable:
Router A Configuration
Router(config)# router ospf 1Router(config)# redistribute ospf 2 subnetRouter(config)# distance external 200!Router B Configuration
Router(config)# router ospf 2Router(config)# redistribute ospf 1 subnetRouter(config)# distance external 200Related Commands
firewall module
Use the firewall module command to attach a group of controlled VLANs to a module.
firewall module module_number vlan-group firewall_group
Syntax Description
module_number
Specifies the module to attach the VLAN group.
vlan-group
Keyword to specify a VLAN group
firewall_group
Names the VLAN group.
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to attach a VLAN group to a module:
Router(config)# firewall 6 vlan-group 20Related Commands
firewall vlan-group
Use the firewall vlan-group command to configure a group of controlled VLANs.
firewall vlan-group firewall_group vlan_range
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to configure a group of controlled VLANs:
Router(config)# firewall vlan-group 20 8, 10-15Related Commands
interface
Use the interface command to enter the interface configuration submode to enter OSPF commands or the shutdown command.
interface interface-name
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to enter the interface configuration submode:
Router(config)# interface swedenRelated Commands
ip prefix-list
Use the ip prefix-list command to configure a prefix list.
ip prefix-list list-name [seq seq-value] {deny | permit network/length} [ge ge-value] [le le-value
no ip prefix-list list-name [seq seq-value] {deny | permit network/length} [ge ge-value] [le le-value]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to deny the default route 0.0.0.0/0:
Router(config)# ip prefix-list abc deny 0.0.0.0/0To permit the prefix 35.0.0.0/8:
Router(config)# ip prefix-list abc permit 35.0.0.0/8For further examples refer to the Cisco IOS Configuration Guides and Command References.
logging rate-limit
Use the logging rate-limit command to rate limit the number of syslogs generated from the module. Use the no form of this command to remove access lists from the configuration.
logging rate-limit num [interval] message syslog_id
no logging rate-limit num [interval] message syslog_id
logging rate-limit num [interval] level syslog_level
no logging rate-limit num [interval] level syslog_level
show logging rate-limit
clear logging rate-limit
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
These examples show how to set up logging rate limits:
•
logging rate-limit 10 1 message 106023Because the [interval] is optional and defaults to 1 second, you can specify:
logging rate-limit 10 message 106023•
logging rate-limit 5 level 3•
–
logging rate-limit 10 message 106023logging rate-limit 5 level 1All syslogs other than 106023 in level 1 will be generated at the maximum 5 times per second. 106023 will be generated up to 10 times per second.
–
logging rate-limit 10 message 106023logging rate-limit 5 level 1no logging rate-limit 10 message 106023The configuration will be equivalent to only the following:
logging rate-limit 5 level 1If you set up a configuration in this order:
logging rate-limit 10 message 106023logging rate-limit 5 level 1no logging rate-limit 5 level 1This configuration is equivalent to the following:
logging rate-limit 10 message 106023–
logging rate-limit 5 level 1logging rate-limit 6 level 3logging rate-limit 5 2 level 4The last 1 in the configuration limits the rate of all syslogs in level 4 to 5 in 2 second intervals.
match
Use the match command to define route matching criteria for a route map. Use the no form of this command to disable matching.
match [interface | route-type | metric | ip address | ip next-hop | ip route-source]
[no] match [interface | route-type | metric | ip address | ip next-hop | ip route-source]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Route-map configuration submode.
Command History
Examples
This example shows how create a route-map that can be used to redistribute internal routes:
Router(config-route-map)# route-map nameRouter(config-route-map)# match route-type internalRelated Commands
set
route-mapnameif
Use the nameif command to assign a name to an interface. Use the no form of this command to remove the interface name.
nameif vlan_number if_name security_level
no nameif vlan_number [if_name] [security_level]
Syntax Description
vlan_number
Specifies a VLAN.
if_name
Specifies the perimeter interface name.
security_level
Indicates the security level for the perimeter interface. Range is from 1 to 99.
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Usage Guidelines
Specifies the perimeter interface VLAN, name, and security level on an interface.
Examples
This example shows how to assign a name to an interface:
Router(config)# nameif vlan 10 inside security 100network
Use the network area router command to define the interfaces on which OSPF runs and to define the area ID for those interfaces. Use the no form of this command to disable OSPF routing for interfaces defined with the address wildcard-mask pair..
network ip-address wildcard-mask area area id
no network ip-address wildcard-mask area area id
Syntax Description
Defaults
This command has no default settings.
Command Modes
Router configuration submode.
Command History
Examples
This example shows how to initialize the OSPF routing process 109, and defines four OSPF areas: 10.9.50.0, 2, 3, and 0. Areas 10.9.50.0, 2, and 3 mask specific address ranges, while area 0 enables OSPF for all other networks.
Router(config)# interface ethernet 0Router(config)# ip address 131.108.20.1 255.255.255.0Router(config)# router ospf 109Router(config-router)# network 131.108.20.0 0.0.0.255 area 10.9.50.0Router(config-router)# network 131.108.0.0 0.0.255.255 area 2Router(config-router)# network 131.109.10.0 0.0.0.255 area 3Router(config-router)# network 0.0.0.0 255.255.255.255 area 0:ospf
Use the ospf commands configure OSPF.
ospf authentication-key key
ospf authentication [message-digest | null]
ospf cost cost
ospf dead-interval seconds
ospf hello-interval seconds
ospf message-digest-key keyed md5 key
ospf priority number
ospf retransmit-interval seconds
ospf transmit-delay seconds
Syntax Description
Defaults
This command has no default settings.
Command Modes
Interface configuration submode.
Command History
Examples
This example shows how to set the interface cost, the interval between hello packets, and a new message digest key:
The following example sets the interface cost value to 65:
Router(config)# ospf cost 65The following example sets the interval between hello packets to 15 seconds:
Router(config)# ospf hello-interval 15The following example sets a new key 19 with the password 8ry4222:
Router(config)# ospf message-digest-key 19 md5 8ry4222For further examples refer to the corresponding ip ospf commands in Cisco IOS Configuration Guides and Command References.
Related Commands
redistribute
Use the redistribute command to enable redistribution of static or connected routes or routes form another OSPF process. Use the no form of this command to remove redistribution from the configuration.
redistribute {ospf id | static | connect} [{match {internal | external extern-type} metric metric-value | metric-type metric-type [internal | external] tag tag-value | subnets}] route-map map value
[no] redistribute {ospf id | static | connect} [{match { internal | external extern-type} metric metric-value | metric-type metric-type [internal | external] tag tag-value | subnets}] route-map map value
Syntax Description
Defaults
Default metric value is 0 or 20 depending upon the destination protocol.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to specify a network 172.16.0.0 that will appear as an external link-state advertisement (LSA) in OSPF 1 with a cost of 100 (the cost is preserved):
Router(config)# ip address inside 172.16.0.1 255.0.0.0Router(config)# interface insideRouter(config)# ospf cost 100Router(config)# ip address outside 10.0.0.1 255.0.0.0Router(config)# interface outsideRouter(config)# ip address 10.0.0.1 255.0.0.0Router(config)# router ospf 1Router(config-router)# network 10.0.0.0 0.255.255.255 area 0Router(config)# redistribute ospf 2 subnetRouter(config)# router ospf 2Router(config-router)# network 172.16.0.0 0.255.255.255 area 0route
Use the route command to define a static or default route for an interface.
route if_name ip_address netmask gateway_ip [metric]
[no] route [if_name ip_address [mask gateway]]
Syntax Description
Defaults
The default netmask value is 255.255.255.0.
The default metric value is 1.Command Modes
Privileged mode.
Command History
Examples
This example shows how to configure a route on the interface "inside" for the network 10.2.2.0/24 with next hop 10.2.1.5:
FWSM(config)# route inside 10.2.2.0 255.255.255.0 10.2.1.5FWSM(config)# show routeS 0.0.0.0 0.0.0.0 [0/0] via 10.6.13.1, dmzC 10.2.1.0 255.255.255.0 is directly connected, insideS 10.2.2.0 255.255.255.0 [1/0] via 10.2.1.5, insideC 10.3.1.0 255.255.255.0 is directly connected, outsideC 10.6.13.0 255.255.255.0 is directly connected, dmzC 127.0.0.0 255.255.255.0 is directly connected, eobcRelated Commands
show route
router ospf
Use the router ospf command to create or configure an OSPF routing process. Use the no form of this command to remove the routing process from the configuration.
router ospf autonomous-system id
no router ospf autonomous-system id
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to create and OSPF routing process:
Router(config)# router ospf 12345Related Commands
route-map
Use the route-map command to create a route map. Use the no form of this command to remove a route map from the configuration.
route-map map-tag [permit | deny] [seq-num]]
[no] route-map map-tag [permit | deny] [seq-num]]
Syntax Description
Defaults
The permit keyword is the default.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to create a route map:
FWSM# route-map disco permitFWSM# show route-maproute-map disco permit 10Related Commands
match
setset metric
Use the set metric command to define the actions taken on routes that match the criteria defined for a route map. Use the no form of this command to disable metric criteria.
set metric [+ | -] metric-value
[no] set metric [+ | -] metric-value
Syntax Description
+ | -
(Optional) Keyword to specify a positive or negative metric.
metric-value
Specifies a metric value.
Defaults
This command has no default settings.
Command Modes
Route-map configuration submode.
Command History
Examples
This example shows how to set the metric value for the routing protocol to 100:
Router(config-route-map)# route-map set-metricRouter(config)# set metric 100
Note
Related Commands
set metric-type
Use the set metric-type command to specify a metric type for a route map.
set metric-type type-1 | type-2
[no] set metric-type type-1 | type-2
Syntax Description
type-1
Keyword to specify the open Shortest Path First (OSPF) external Type 1 metric.
type-2
Keyword to specify the OSPF external Type 2 metric
Defaults
This command has no default settings.
Command Modes
Route-map configuration submode.
Command History
Examples
This example shows how to set the metric type of the destination protocol to OSPF external Type 1:
Router(config-route-map)# route-map map-typeRouter(config-route-map)# set metric-type type-1:Related Commands
show console-output
Use the show console-output command to view the contents of the message buffer.
show console-output [start_message_number-end_message_number]
Syntax Description
start_message_number
Specifies the starting serial number of the message to be displayed.
end_message_number
Specifies the end serial number of the message to be displayed.
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Usage Guidelines
Messages appearing on the console are redirected to all active Telnet sessions.When no Telnet session is available, the output is saved to a buffer. The buffer output can be subsequently examined when you Telnet to the module application software partition. Individual messages are numbered.
Examples
This example shows how to display the buffer output:
FWSM# show console-outputMessage #1 :Initializing debugger......:Message #2 :Found PCI card in slot:1 bus:2 dev:9 (vendor:0x8086 deviceid:0x1001)Message #3 :Found PCI card in slot:2 bus:2 dev:8 (vendor:0x8086 deviceid:0x1001)Message #4 :Found PCI card in slot:3 bus:1 dev:6 (vendor:0x1014 deviceid:0x1e8)Message #5 :Ignoring PCI card in slot:3 (vendor:0x1014 deviceid:0x1e8)Message #6 :Found PCI card in slot:4 bus:1 dev:5 (vendor:0x1014 deviceid:0x1e8)Message #7 :Ignoring PCI card in slot:4 (vendor:0x1014 deviceid:0x1e8)Message #8 :Found PCI card in slot:5 bus:1 dev:4 (vendor:0x1014 deviceid:0x1e8)Message #9 :Ignoring PCI card in slot:5 (vendor:0x1014 deviceid:0x1e8)Message #10 :Found PCI card in slot:7 bus:0 dev:2 (vendor:0x1011 deviceid:0x22)Related Commands
show crashdump
Use the show crashdump command to display the contents of the crashdump partition.
show crashdump
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to display the contents of the crashdump partition.
Router(config)# show crashdumpshow firewall module
Use the show firewall module command to display the module configuration.
show firewall module
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to display the module configuration.
Router(config)# show firewall moduleshow firewall vlan-group
Use the show firewall command to display the configured firewall VLAN groups.
show firewall vlan-group
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to display the configured firewall VLAN groups.
Router(config)# show firewall 20show interface
Use the show interface command to show all of the VLANs configured.
show interface [interface name] stats
Syntax Description
interface_name
Specifies the perimeter interface name.
stats
Keyword to display the interface state and counters.
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Usage Guidelines
If VLANs are not configured on the MSFC, you will not be able to define any new VLAN interfaces on the Firewall Services Module.
Examples
This example shows how to display the firewall VLANs configured on all interfaces:
Router(config)# show interface dominoRelated Commands
show ip ospf
Use the show ip ospf command to show the OSPF configuration.
show ip ospf border-routers
show ip ospf database [router][network][external]
show ip ospf interface
show ip ospf neighbor
show ip ospf request-list
show ip ospf retransmission-list
show ip ospf summary-address
show ip ospf virtual-link
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged mode.
Command History
Examples
This example shows how to show the IP OSPF configuration:
Router(config)# show ip ospf border routersRouting Process "ospf 201" with ID 192.42.110.200 Supports only single TOS(TOS0) route It is an area border and autonomous system boundary router Redistributing External Routes from, igrp 200 with metric mapped to 2, includes subnets in redistributionip with metric mapped to 2igrp 2 with metric mapped to 100igrp 32 with metric mapped to 1Number of areas in this router is 3Area 192.42.110.0Number of interfaces in this area is 1Area has simple password authenticationSPF algorithm executed 6 timesFor further examples, refer to the Cisco IOS Configuration Guides and Command References.
Related Commands
show logging rate-limit
Use the show logging rate-limit command to display the logging rate.
show logging rate-limit
Defaults
This command has no default settings
Command Modes
Privileged mode.
Command History
Examples
This example shows how to display the logging rate:
Router(config)# show logging rate limitRelated Commands
clear logging rate-limit
logging rate-limitshow vlan
Use the show vlan command to display the list of VLANs assigned to the module through the configuration on the supervisor route process MSFC.
show vlan
Defaults
This command has no default settings
Command Modes
Privileged mode.
Command History
Examples
This example shows how to display the VLANs assigned to the module:
Router(config)# show vlan10, 33, 100,summary-address
Use the summary-address command to create aggregate addresses for external routes. Use the no form of this command to disable aggregate addressing for external routes.
summary-address addr mask [not-advertise] [tag tag]
[no] summary-address addr mask [not-advertise] [tag tag]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Router configuration submode.
Command History
Examples
This example shows the summary address 10.1.0.0 includes address 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an external link-state advertisement.
Router(config)# summary-address 10.1.0.0 255.255.0.0timers lsa-group-pacing
Use the timers lsa-group-pacing command to change the interval at which OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged, use the timers lsa-group-pacing router configuration command. To restore the default value, use the no form of this command.
timers lsa-group-pacing seconds
no timers lsa-group-pacing.
Syntax Description
value
Specifies the umber of seconds in the interval at which LSAs are grouped and refreshed, checksummed, or aged. The range is from 10 to 1800 seconds.
Defaults
The default value is 240 seconds.
Command Modes
Router configuration submode.
Command History
Usage Guidelines
Examples
This example shows how to change the OSPF pacing between LSA groups to 60 seconds:
Router(config)# router ospf 1Router(config-router)# timers lsa-group-pacing 60timers spf
Use the timers spf command to configure the delay time between when OSPF receives a topology change and when it starts a shortest path first (SPF) calculation. To configure the hold time between two consecutive SPF calculations, use the timers spf router configuration command. To return to the default timer values, use the no form of this command.
timers spf spf-delay spf-holdtime
no timers spf spf-delay spf-holdtime
Syntax Description
Defaults
The default time for the spf-delay value is 5 seconds.
The default time for the spf-holdtime value is 10
Command Modes
Router configuration submode.
Command History
Examples
This example shows how to change the delay to 10 seconds and the hold time to 20 seconds:
Router(config)# timers spf 10 20upgrade-mp
Use the upgrade-mp command to upgrade the maintenance software image.
upgrade-mp tftp[:[[//location] [/tftp_pathname]]]
Syntax Description
Usage Guidelines
The upgrade-mp command lets you download a maintenance software image through TFTP. The image is downloaded, installed to the compact Flash and available on the next module reload (reboot).
If the command is used without the location or pathname optional parameters, then the location and filename are obtained from the user interactively through a series of questions similar to those presented by Cisco IOS software. If you only enter a colon (:), parameters are taken from the tftp-server command settings. If other optional parameters are supplied, then these values would be used in place of the corresponding tftp-server command setting. Supplying any of the optional parameters, such as a colon and anything after it, causes the command to run without prompting for user input.
The location is an IP address that the firewall can reach. The pathname can include any directory names besides the actual last component of the path to the file on the server. The pathname cannot contain spaces. If a directory name has spaces, set the directory in the TFTP server instead of in the upgrade-mp command.
If your TFTP server has been configured to point to a directory on the system from which you are downloading the image, you need only use the IP address of the system and the image filename.
For example, the command causes the TFTP server to receive the command and determine the actual file location from its root directory information:
Router(config)# upgrade-mp tftp://10.1.1.5/mp.1-1-0-3.bin.gzThe server then downloads the TFTP image to the module
Examples
This example causes the module to prompt you for the filename and location before you start the TFTP download:
Router(config)# upgrade-mpAddress or name of remote host [127.0.0.1]? 10.1.1.5Source file name [cdisk]? mp.1-1-0-3.bin.gzcopying tftp://10.1.1.5/mp.1-1-0-3.bin.gz to flash[yes|no|again]? yes!!!!!!!!!!!!!!!!!!!!!!!Received 1695744 bytes.Maintenance partition upgraded.To set the filename and location specified in the tftp-server command, save memory, and then download the image to Flash memory, use these commands:
Router(config)# tftp-server outside 10.1.1.5 mp.1-1-0-3.bin.gzWarning: 'outside' interface has a low security level (0).write memoryBuilding configuration...Cryptochecksum: 017c452b d54be501 8620ba48 490f7e99[OK]Router(config)# upgrade-mp tftp:copying tftp://10.1.1.5/mp.1-1-0-3.bin.gz to flash!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!To override the information in the tftp-server command and specify alternate information about the filename and location, use this command:
Router(config)# upgrade-mp tftp://10.0.0.1/mp.1-1-0-3.bin.gzTo specify all information, if you have not set the tftp-server command, use this command:
Router(config)# upgrade-mp tftp://10.0.0.1/mp.1-1-0-3.bin.gzSystem Messages
This section provides the list of system log messages supported in the Firewall Services Module. The module functions similarly to the PIX firewall application software. Refer to the System Log Messages for the Cisco Secure PIX Firewall Version 6.0 documentation for information about the system message logs. The messages are listed by type and by message code within each type.
This appendix includes the following sections:
•
•
•
•
•
•
•
•
•
Note
You can configure the module system software to send these messages to the output location of your choice. For example, you can specify that log messages be sent to the console, to any Telnet session actively connected to the module console, or to a logging server elsewhere on the network.
The module provides three output locations for sending syslog messages: the console, a host running a syslog server, and an SNMP management station. If you send messages to a host, they are sent using either UDP or TCP. The host must have a program (known as a server) called syslogd.
The syslog server runs a Windows NT-based system that accepts TCP and UDP system log messages. The syslog server provides time-stamped syslog messages, accepts messages on alternate ports, and stops the firewall traffic if the server log disk is full or the server goes down.
System Log Messages
System log messages received at a syslog server begin with a percent sign (%) and are structured as follows:
%FWSM-Level-Message_number: Message_text
•
•
•
•
Note
System Message Log Differences
The module provides the following differences to the system message logging of the PIX firewall software:
•
–
–
–
–
•
–
–
–
–
–
–
•
–
–
–
–
•
Failover Messages
This section contains the messages generated by a failover configuration.
Error Message %FWSM-1-103001: (Primary) No response from other firewall (reason code = code).Explanation This message indicates that the primary module is unable to communicate with the secondary module over the failover cable. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Verify that the secondary module has the exact same hardware, software version level, and configuration as the primary module.
Error Message %FWSM-1-103002: (Primary) Other firewall network interface interface_name OK.Explanation This message indicates that the primary module detected that the network interface on the secondary module is okay. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-103003: (Primary) Other firewall network interface interface_name failed.Explanation This message indicates that the primary module detects a bad network interface on the secondary module. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Check the network connections on the secondary module, and check the network hub connection. If necessary, replace the failed network interface.
Error Message %FWSM-1-103004: (Primary) Other firewall reports this firewall failed.Explanation This message indicates that the primary module receives a message from the secondary module indicating that the primary has failed. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Verify the status of the primary module.
Error Message %FWSM-1-103005: (Primary) Other firewall reporting failure.Explanation This message indicates that the secondary module reports a failure to the primary module. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Verify the status of the secondary module.
Error Message %FWSM-1-104001: (Primary) Switching to ACTIVE (cause: reason).
%FWSM-1-104002: (Primary) Switching to STNDBY (cause: reason).Explanation Both instances are failover messages. These messages are logged when you force the failover module pair to switch roles. You can force the failover module pair to switch roles by either entering the failover active command on the secondary module or the no failover active command on the primary module. (Primary) can also be listed as (Secondary) for the secondary module. Possible values for the reason variable are as follows:
–
–
–
–
–
–
Recommended Action If the message occurs because of manual intervention, no action is required. Otherwise, use the cause reported by the secondary module to verify the status of both modules of the pair.
Error Message %FWSM-1-104003: (Primary) Switching to FAILED.Explanation This message indicates that the primary module fails.
Recommended Action Check the system log messages for the primary module for an indication of the nature of the problem (see message %FWSM-1-104001:). (Primary) can also be listed as (Secondary) for the secondary module.
Error Message %FWSM-1-104004: (Primary) Switching to OK.Explanation This message indicates that a previously failed module now reports that it is operating again. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-105001: (Primary) Disabling failover.Explanation This message indicates that you entered the no failover command on the console. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-105002: (Primary) Enabling failover.Explanation This message indicates that you entered the failover command with no arguments on the console, after having previously disabled failover. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-105003: (Primary) Monitoring on interface int_name waitingExplanation The firewall is testing the specified network interface with the other module of the failover pair.
Recommended Action None required. The firewall monitors its network interfaces frequently during normal operations.
Error Message %FWSM-1-105004: (Primary) Monitoring on interface int_name normalExplanation The test of the specified network interface was successful. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface int_name.Explanation This message indicates that this module of the failover pair can no longer communicate with the other module of the pair. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Verify that the network connected to the specified interface is functioning correctly.
Error Message %FWSM-1-105006: (Primary) Link status 'Up' on interface int_name.
%FWSM-1-105007: (Primary) Link status 'Down' on interface int_name.Explanation Both instances are failover messages. These messages report the results of monitoring the link status of the specified interface. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action If the link status is down, verify that the network connected to the specified interface is operating correctly.
Error Message %FWSM-1-105008: (Primary) Testing interface int_name.Explanation This message indicates that the firewall tested a specified network interface. This testing is performed only if the firewall fails to receive a message from the standby module on that interface after the expected interval. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-105009: (Primary) Testing on interface int_name result.Recommended Action This message reports the result (either Passed or Failed) None required if the result is Passed If the result is Failed, you should check to be sure the network cable is properly connected to both failover modules and that the network itself is functioning correctly, and verify the status of the standby module.
Error Message %FWSM-3-105010: (Primary) Failover message block alloc failedExplanation Block memory has been depleted. This is a transient message and the firewall should recover. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Use the show blocks command to monitor the current block memory.
Error Message %FWSM-1-105011: (Primary) Failover cable communication failureExplanation The failover cable is not permitting communication between the primary and secondary modules. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Ensure that the cable is properly connected.
Error Message %FWSM-1-105020: (Primary) Incomplete/slow config replicationExplanation When a failover occurs, the active firewall detects a partial configuration in memory. This situation is caused by an interruption in the replication service. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Once the failover is detected by the firewall, the firewall automatically reloads itself and loads the configuration from Flash and resynchronizes with another firewall. If failovers happen continuously, check the failover configuration and make sure both firewalls can communicate with each other.
Error Message %FWSM-1-105038: (Primary) Interface count mismatchExplanation Failover initially verifies that the number of interfaces configured on the primary and secondary modules are the same. This message indicates that after the verification that the numbers are not the same. Failover cannot be enabled until both primary and secondary modules have the same number of interfaces. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Check the VLAN configuration on primary and secondary. Look for any nameif command failure on primary. (Primary) can also be listed as (Secondary) for the secondary module. Once these configurations are verified and corrected, type failover on the primary to enable failover again.
Error Message %FWSM-1-105039: (Primary) Unable to verify the Interface count with mate. Failover may be disabled in mate.Explanation Failover initially verifies that the number of interfaces configured on the primary and secondary modules are the same. This message indicates that the primary module is not able to verify the number interfaces configured on the secondary module. This indicates that the primary module is not able communicate with the secondary module over the failover interface. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Verify the failover VLAN, interface configuration and status on the primary and secondary modules. Make sure the secondary module is running the firewall application and failover is enabled. (Primary) can also be listed as (Secondary) for the secondary module.
Error Message %FWSM-1-105040: (Primary) Mate failover version is not compatible.Explanation The primary and secondary module should run the same failover software version to act as a failover pair. This message indicates that the secondary module's failover software version is not compatible with the primary module. Failover would be disabled on the primary module. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Maintain consistent software versions between primary and secondary to enable Failover.
Error Message %FWSM-1-105041: (Primary) nameif command failed. Number of interfaces is not consistent with mate.Explanation This message indicates that during a configuration sync from the secondary to the primary module the nameif command has failed in the primary module. The nameif command, defines the firewall interfaces in the Firewall Services Module. If this command fails during synchronization the result is that the interfaces are inconsistent across the failover modules. To avoid this situation, failover is disabled. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Correct the reason why nameif failed, and then enable failover
Error Message %FWSM-1-105042: (Primary) Failover interface OKExplanation Interface used to send failover messages to the secondary module is functioning. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required
Error Message %FWSM-1-105043: (Primary) Failover interface failedExplanation Interface used to send failover messages to the secondary module failed. The active module remains as active and standby module remains as standby. There will not be any failure detection or switchover activity until the failover interface becomes normal. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Verify the VLAN and interface configuration of the failover interface is primary and secondary.
Connection Messages
This section contains connection messages and the messages specific to the following message types:
•
•
•
•
•
•
•
Error Message %FWSM-2-106002: protocol Connection denied by outbound list list_ID src laddr dest faddrExplanation This message indicates that the specified connection failed because of an outbound deny command statement. The protocol variable can be ICMP, TCP, or UDP.
Recommended Action Use the show outbound command to check outbound lists.
Error Message %FWSM-7-106011: Deny inbound (No xlate) charsExplanation This message indicates that a packet was sent to the same interface that it arrived on. This usually indicates that a security breach is occurring. When the module receives a packet, it tries to establish a translation slot based on the security policy you set with the global and conduit commands, and your routing policy set with the route command.
When the module polls both policies the module allows the packet to flow from the higher priority network to a lower priority network, if it is consistent with the security policy. If a packet comes from a lower priority network and the security policy does not allow it, the module routes the packet back to the same interface.
To provide access from an interface with a higher security to a lower security, use the nat and global commands. For example, use the nat command to allow internal users access to external servers, to allow the internal users to access perimeter servers, and to allow perimeter users access to external servers.
To provide access from an interface with a lower security level to a higher security level, use the static and conduit commands. For example, use the static and conduit commands to let external users to access internal servers, external users to access perimeter servers, or perimeter servers to access internal servers.
Recommended Action Fix your configuration to reflect your security policy for handling these attack events.
Error Message %FWSM-2-106012: Deny IP from IP_addr to IP_addr, IP options hex.Explanation An IP packet was detected with IP options. Because IP options are considered a security risk, the packet was discarded.
Recommended Action A security breach was probably attempted. Check the local site for loose source or strict source-routing.
Error Message %FWSM-2-106016: Deny IP spoof from (IP_addr) to IP_addr on interface int_name.Explanation This message indicates that the module discards a packet with an invalid source address. Invalid sources addresses are those addresses belong to the following:
–
–
–
If a sysopt connection enforce subnet is enabled, the module discards packets with a source address belonging to the destination subnet from traversing the firewall and logs this message.
To further enhance spoof-packet detection, use the conduit command to configure the firewall to discard packets with source addresses belonging to the internal network.
Recommended Action Determine if an external user is trying to compromise the protected network. Check for incorrectly configured clients.
Error Message %FWSM-2-106017: Deny IP due to Land Attack from IP_addr to IP_addrExplanation This message indicates that the module received a packet with the IP source address equal to the IP destination and the destination port equal to the source port. This indicates a spoofed packet that is designed to attack systems. This attack is referred to as a land attack. If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.
Recommended Action None.
Error Message %FWSM-2-106020: Deny IP teardrop fragment (size = num, offset = num) from IP_addr to IP_addrExplanation The firewall discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event to circumvent the module or an intrusion detection system.
Recommended Action Contact the remote peer administrator or escalate this issue according to your security policy.
Error Message %FWSM-1-106021: Deny protocol reverse path check from src_addr to dest_addr on interface int_nameExplanation Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes it to be part of an attack on your module.
This message indicates that you have enabled Unicast Reverse Path Forwarding with the ip verify reverse-path command. This feature works on packets sent to an interface; if it is configured on the outside, then the module checks packets arriving from the outside. The following conditions apply:
–
–
–
Recommended Action An attack is in progress. With this feature enabled, no user action is required. The module repels the attack.
Error Message %FWSM-3-201002: Too many connections on static|xlate gaddr! econns nconnsExplanation This message indicates that the maximum number of connections to the specified static address has been exceeded. The econns variable is the maximum number of embryonic connections and nconns is the maximum number of connections permitted for the static or translate (xlate).
Recommended Action Use the show static command to check the limit imposed on connections to a static address. The limit is configurable.
Error Message %FWSM-2-201003: Embryonic limit exceeded neconns/elimit for faddr/fport (gaddr) laddr/lport on interface int_nameExplanation This message indicates that the maximum number of embryonic connections from the specified foreign address through the specified static global address to the specified local address has been exceeded. When the limit on embryonic connections is reached, the module attempts to accept them anyway, but puts a time limit on the connections. This allows some connections to succeed even if the module is very busy. The neconns variable lists the number of embryonic connections received and the limit variable lists the maximum number of embryonic connections specified in the static or nat command. This message indicates a more serious overload than indicated in message 201002. The overload could be caused by SYN attacks, or by a very heavy load of legitimate traffic.
Recommended Action Use the show static command to check the limit imposed on embryonic connections to a static address.
Error Message %FWSM-3-407002: Embryonic limit neconns/elimit for through connectionsExplanation This message provides information about connections through the firewall. This message indicates that the number of connections from a specified foreign address over a specified global address to the specified local address exceeds the maximum embryonic limit for that static. The module attempts to accept the connection if it can allocate memory for that connection. It proxies on behalf of local host and sends a SYN_ACK packet to the foreign host. the module retains pertinent state information, drops the packet, and waits for the client's acknowledgment.
Recommended Action The traffic may be legitimate, or this message might indicate that a denial of service (DoS) attack is in progress. Check the source address to determine where the packets are coming from and whether it is a valid host.
Error Message %FWSM-3-202001: Out of address translation slots!Explanation This message indicates that the module has no more address translation slots available.
Recommended Action Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This message may also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory.
Error Message %FWSM-3-202005: Non-embryonic in embryonic list faddr/fport laddr/lportExplanation This message indicates that a connection object (xlate) is in the wrong list.
Recommended Action Contact your customer support representative.
Error Message %FWSM-3-208005: (function:line_num) FWSM clear command return return_codeExplanation The module received a non-zero value (an internal error) when attempting to clear the configuration in Flash memory. The message includes the reporting subroutine's filename and line number.
Recommended Action For performance reasons, the end host should be configured to not inject IP fragments. This message probably occurred because of NFS. Set the read and write size to be the interface MTU for NFS.
Error Message %FWSM-6-305001:Portmapped translation built for gaddr IP_addr/port laddr IP_addr/portExplanation This message indicates that a translate (xlate) is created for outbound traffic using a PAT global address. This message applies to UDP, TCP, and ICMP packets.
Recommended Action None required.
Error Message %FWSM-6-305002:Translation built for gaddr IP_addr to laddr IP_addrExplanation This message indicates that a translate (xlate) is created for outbound traffic using a global address, or for either outbound or inbound traffic using a static address.
Recommended Action None required.
Error Message %FWSM-6-305003:Teardown translation for global IP_addr local IP_addrExplanation This message indicates that the firewall clears a dynamically allocated translation after the xlate timeout expires.
Recommended Action None required.
Error Message %FWSM-6-305004:Teardown portmap translation for global IP_addr/port local IP_addr/portExplanation This message indicates that a portmapped translation (PAT xlate) no longer in use has been reclaimed.
Recommended Action None required.
Error Message %FWSM-3-305005: No translation group found for protocol.Explanation This message indicates that a nat and global command cannot be found for a protocol. The protocol can be TCP, UDP, or ICMP.
Recommended Action This message can be either an internal error or an error in the configuration.
Error Message %FWSM-3-305006: Regular translation creation failed for protocol src int_name:IP_addr/port dst int_name:IP_addr/portExplanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the module. This message appears as a fix to caveat CSCdr0063 that requested that the module not allow packets destined to network or broadcast addresses. The module provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, the module denies translations for a destined IP address identified as a network or broadcast address.
The module uses the global IP and mask from configured static command statements to differ regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the module will not create a translate (xlate) for network or broadcast IP addresses with inbound packets.
Recommended Action This message can be either an internal error or an error in the configuration.
Error Message %FWSM-6-305007: Orphan IP IP_addr on interface interface_nameExplanation This message indicates that after the module attempts to translate an address that it cannot find in any of its global pools. The module assumes that the address has been deleted and drops the request.
Recommended Action None required.
Error Message %FWSM-6-609001: Built local-host int_name:ip_addrExplanation A network state container is reserved for the host IP address connected to the interface name. This is an informational message.
Recommended Action None required.
Error Message %FWSM-6-609002: Teardown local-host int_name:ip_addr duration hh:mm:ssExplanation A network state container for the host IP address connected to interface name is removed. This is an informational message.
Recommended Action None required.
Error Message %FWSM-3-305008: Free unallocated global IP address.Explanation This message indicates an inconsistency condition when trying to free an unallocated global IP address back to the address pool. This abnormal condition may occur if the module is running a stateful failover setup and some of the internal states are momentarily out of sync between the active and standby module. This condition is not catastrophic and the module will recover automatically.
Recommended Action Report this condition to Cisco technical support if you continue to see this message.
Error Message %FWSM-4-307004: Telnet session limit exceeded. Connection request from IP_addr on interface int_name.Explanation This message indicates that the maximum number of Telnet connections to the module is exceeded. The module denies an attempt to connect to its Telnet port from the specified IP address on the specified network.
Recommended Action None required.
Error Message %FWSM-4-308002: static gaddr1 laddr1 netmask mask1 overlapped with gaddr2 laddr2Explanation This message indicates that the IP addresses in one or more static command statements overlap. gaddr is the global address, which is the address on the lower security interface and laddr is the local address, which is the address on the higher security level interface.
Recommended Action Use the show static command to view the static command statements in your configuration and fix the commands that overlap. The most common overlap occurs if you specify a network address such as 10.1.1.0 and in another static command statement, specify a host within that range such as 10.1.1.5.
Error Message %FWSM-4-500004: Invalid transport field for protocol=protocol, from src_addr/src_port to dest_addr/dest_portExplanation This message indicates there is an invalid transport number, in which the source or destination port number for a protocol is zero. The protocol field is 6 for TCP and 17 for UDP.
Recommended Action If these messages persist, contact the peer's administrator.
FTP and URL
Error Message %FWSM-3-201005: FTP data connection failed for IP_addrExplanation This message indicates that the module is unable to allocate a structure to track the data connection for FTP because of insufficient memory.
Recommended Action Reduce the amount of memory usage, or purchase additional memory.
Error Message %FWSM-6-303002: src_addr Stored|Retrieved dest_addr: nat_addrsExplanation This message indicates that the specified host successfully stores or retrieves data from the specified FTP site. This message is used by the module manager to generate reports.
Recommended Action None required.
Error Message %FWSM-5-304001: user src_addr Accessed JAVA URL|URL dest_addr: url.Explanation This message indicates that the specified host successfully accesses the specified URL. This message is used by the module manager to generate reports.
Recommended Action None required.
Error Message %FWSM-5-304002: Access denied URL chars SRC IP_addr DEST IP_addr: charsExplanation This message indicates that access from the source address failed.
Recommended Action None required.
Error Message %FWSM-3-304003: URL Server IP_addr timed out URL stringExplanation This message indicates that access from the URL server failed.
Recommended Action None required.
Error Message %FWSM-6-304004: URL Server IP_addr request failed URL charsExplanation This message indicates that a Websense server request fails.
Recommended Action None required.
Error Message %FWSM-7-304005: URL Server IP_addr request pending URL charsExplanation This message indicates that a Websense server request is pending.
Recommended Action None required.
Error Message %FWSM-3-304006: URL Server IP_addr not respondingExplanation The Websense server is unavailable for access, and the module attempts to either try to access the same server if it is the only server installed or another server if there is more than one.
Recommended Action None required.
Error Message %FWSM-2-304007: URL Server IP_addr not responding, ENTERING ALLOW mode.Explanation This message indicates that when you use the allow option of the filter command the Websense servers are not responding. The module allows all Web requests to continue without filtering while the servers are not available.
Recommended Action None required.
Error Message %FWSM-2-304008: LEAVING ALLOW mode, URL Server is up.Explanation This message indicates that when you use the allow option of the filter command that the module received a response message from a Websense server that previously was not responding. With this response message, the module exits the allow mode and enables the URL filtering feature again.
Recommended Action None required.
Error Message %FWSM-4-406001: FTP port command low port: laddr, port to gaddr on interface int_numberExplanation This message indicates the port is not responding.
Recommended Action None required.
Error Message %FWSM-4-406002: FTP port command different address: laddr to gaddr on interface int_numberExplanation This message indicates the interface address is incorrect.
Recommended Action None required.
HTTP
Error Message %FWSM-6-605001: HTTP daemon interface int_name: Connection denied from IP_addrExplanation This message indicates that an HTTP connection to the module was denied.
Recommended Action None required.
Error Message %FWSM-6-605002: HTTP daemon connection limit exceededExplanation This message indicates that the number of HTTP connections to the module for Cisco Secure PDM was exceeded.
Recommended Action None required.
Error Message %FWSM-6-605003: HTTP daemon: Login failed from IP_addr for user "user_id"Explanation This message indicates that Cisco Secure PDM login to the module failed.
Recommended Action None required.
ICMP
Error Message %FWSM-6-106010: Deny inbound icmp src outside: IP_addr dst inside: IP_addr (type dec, code dec)Explanation This message indicates that an inbound connection is denied by your security policy.
Recommended Action None required.
Explanation This message indicates that the module discards an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. It is discarded because the inbound packet cannot specify which PAT host should receive the packet.
Recommended Action None required.
Error Message %FWSM-3-106014: Deny inbound icmp src interface name: IP_addr dst interface name: IP_addr (type dec, code dec)Explanation This message indicates that the module denies any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted using the conduit permit icmp command.
Recommended Action None required.
Error Message %FWSM-2-106018: ICMP packet type ICMP_type denied by outbound list list_ID src laddr dest faddrExplanation This message indicates that the outgoing ICMP packets with a specified ICMP type from a local host to a foreign host is denied by the outbound list.
Recommended Action None required.
Error Message %FWSM-3-313001: Denied ICMP type=icmp_type, code=type_code from IP_addr on interface int_nameExplanation When using the icmp command with an access list, if the first matched entry is a permit entry, ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry is not matched, the module discards the ICMP packet and generates this syslog message. The icmp command enables or disables pinging to an interface. With pinging disabled, the module cannot be detected on the network. This feature is also referred to as configurable proxy pinging.
Recommended Action Contact the peer's administrator.
Error Message %FWSM-3-313003: Invalid destination, ICMP-packet-description, on interface-name interface. Original IP payload, packet-descriptionExplanation The destination for the ICMP error message is different from the source of the IP packet that generated the ICMP error message.
Recommended Action If the message occurs frequently, this could be an active network probe, an attempt to use the ICMP error message as a covert channel, or an IP host that is not operating properly. Contact the administrator of the host that originated the ICMP error message.
Error Message %FWSM-6-602101: PMTU-D packet packet_length bytes greater than effective mtu mtu_value dest_addr=dest_ip, src_addr=source_ip, prot=protocolExplanation This message occurs when the module sends an ICMP destination unreachable message and when fragmentation is needed, but the don't-fragment bit is set.
Recommended Action Ensure that the data is sent correctly.
Routing Messages
This section contains the messages generated by the router configuration.
Error Message %FWSM-1-107001: RIP auth failed from IP_addr: version=vers, type=type, mode=mode, sequence=seq on interface int_nameExplanation This is an alert log message. The module received a RIP reply message with bad authentication. This could be due to an incorrectly configured router or the module or it could be a unsuccessful attempt to attack the module's routing table.
Recommended Action This may be an attack and should be monitored. If you are not familiar with the source IP address listed in this message, change your RIP authentication keys between trusted entities. An attacker may be trying to deduce the existing keys.
Error Message %FWSM-1-107002: RIP pkt failed from IP_addr: version=vers on interface int_nameExplanation This is an alert message. This message indicates a router bug, a packet with non-RFC values inside, or malformed entries. This situation should not happen and may be an attempt to exploit the firewall module's routing table.
Recommended Action This may be an attack and should be monitored. The packet has passed authentication, if enabled, and bad data is in the packet. The situation should be monitored and the keys should be changed if there are any doubts as to the originator of the packets.
Error Message %FWSM-6-110001: No route to dest_addr from src_addrExplanation This message indicates a route lookup failure. A packet is looking for a destination IP address, which is not in the routing table.
Recommended Action Check the routing table and make sure there is a route to the destination.
Error Message %FWSM-3-110002: No ARP for host IP_addrExplanation This is a routing message. This message indicates that the module cannot resolve the address of a host on one of its immediately connected networks. This usually occurs if the specified host does not exist or is not reachable on the network. The module expects it to be on, for example, if the host's address is incorrectly subnetted.
Recommended Action Check the ARP table and ensure the host is available. If necessary, add a static ARP statement with the arp command or set the arp timeout value lower so that the ARP table will refresh sooner.
Check that the host's IP address is appropriate to the network topology and your subnet scheme. Verify that the host is reachable by pinging it from another host. Use the show arp command to display the module's ARP table.The module minimally must be able to resolve the addresses of its SNMP server, routers, and syslog host.
Error Message %FWSM-6-312001: RIP hdr failed from IP_addr: cmd=cmd, version=vers domain=name on interface int_nameExplanation The module received a RIP message with an operation code other than reply, the message has a version number different than what is expected on this interface, and the routing domain entry was non-zero.
Recommended Action This message is informational, but may also indicate that another RIP device is not configured correctly to communicate with the module.
H.225
Error Message %FWSM-4-405101: Unable to Pre-allocate H225 Call Signalling Connection for faddr faddr[/fport] to laddr laddr[/lport]Explanation The module failed to allocate RAM system memory while starting a connection or has no memory available.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact customer support. Also, check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This message might be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory.
Error Message %FWSM-4-405104: H225 message received from faddr/fport to laddr/lport before SETUPExplanation This message indicates that an H.225 message is received out of order. The H.225 message was received before the initial SETUP message, which is not allowed. The module has to receive an initial SETUP message for that H.225 call-signaling channel before accepting any other H.225 messages.
Recommended Action None required.
Error Message %FWSM-4-405103: H225 message from faddr/fport to laddr/lport contains bad protocol discriminatorExplanation This message indicates that the message with incorrect protocol information.
Recommended Action None required.
H.245
Error Message %FWSM-7-302003: Built H245 connection for faddr faddr/fport laddr laddr/lportRecommended Action This message indicates that an H.245 connection is started from a foreign address to a local address. This message only occurs if the module detects the use of an Intel Internet phone. The foreign port (fport) only displays on connections from outside the module. The local port value (lport) only appears on connections started on an internal port.
Recommended Action None required.
Error Message %FWSM-4-405102: Unable to Pre-allocate H245 Connection for faddr faddr[/fport] to laddr laddr[/lport]Explanation The module failed to allocate RAM system memory while starting a connection or has no memory available.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact customer technical support. Also, check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and connections. This message may also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory.
H.323
Error Message %FWSM-7-302004: Pre-allocate H323 UDP backconnection for faddr faddr/fport to laddr laddr/lportExplanation This message indicates that an H.323 UDP back-connection is preallocated to a foreign address from a local address. This message is only generated if the module detects the use of an Intel Internet phone. The foreign port (fport) only displays on connections from outside the module. The local port value (lport) only appears on connections started on an internal interface.
Recommended Action None required.
Error Message %FWSM-4-405103: H323 RAS message AdmissionConfirm received from %I/%d to %I/%d without an AdmissionRequestRecommended Action None required.
IP Fragmentation
Error Message %FWSM-4-209003: Fragment database limit of bytes exceeded: src = IP_addr, dest = IP_addr, proto = protocol, id = IDExplanation Too many IP fragments are currently awaiting reassembly. The module limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the module under abnormal network conditions. In general, fragmented traffic should be a small percentage of the total traffic mix. A noticeable exception is in the network environment with NFS over UDP. Consider NFS over TCP in this environment, if such traffic is to be relayed through the module.
Refer to the sysopt connection tcpmss bytes command page in Chapter 5 of the Configuration Guide for the Cisco Secure Firewall Version 5.3 for more information.
Recommended Action If this message persists, a DoS (denial of service) attack might be in progress. Contact the remote peer's administrator or upstream provider.
Error Message %FWSM-4-209004: Invalid IP fragment, size = bytes exceeds maximum size = bytes: An IP fragment is malformed.Explanation The total size of the reassembled IP packet exceeds the maximum possible size of 65,535 bytes.
Recommended Action A possible intrusion event may be in progress. If this message persists, contact the remote peer's administrator or upstream provider.
Error Message %FWSM-4-209005: Discard IP fragment set with more than number elements: src = Too many elements are in a fragment set.Explanation The module disallows any IP packet that is fragmented into more than 24 fragments.
Recommended Action A possible intrusion event may be in progress. If the message persists, contact the remote peer's administrator or upstream provider. You can change the number of fragments per packet by using the fragment chain xxx int_name command.
SIP
Error Message %FWSM-7-607001: Pre-allocate SIP conn_type secondary channel for outside-interface:address/port to inside-interface:address from sip_message messageExplanation This message indicates that the fixup SIP preallocated a SIP connection after inspecting a SIP message.
Recommended Action None required.
Skinny
Error Message %FWSM-7-608001: Pre-allocate Skinny conn_type secondary channel for outside-interface:address to inside-interface:address/port from skinny_message messageExplanation This message indicates that the fixup skinny preallocated a Skinny connection after inspecting a Skinny message.
Recommended Action None required.
RSH
Error Message %FWSM-3-201005: FTP data connection failed for IP_addrExplanation This message indicates that the module cannot allocate a structure to track the data connection for FTP because of insufficient memory.
Recommended Action Reduce the amount of memory usage, or purchase additional memory.
RTSP
Error Message %FWSM-7-314001: Pre-allocate RTSP UDP back connection for faddr faddr/fport to laddr laddr/lportExplanation This message indicates that the module is unable to allocate and RTSP connection.
Recommended Action None required.
SMTP
Error Message %FWSM-2-108002: SMTP replaced chars: out src_addr in laddr data: charsExplanation This is generated by the fixup protocol smtp command. This message indicates that the module replaces an invalid character in an e-mail address with a space.
Recommended Action None required.
TCP
Error Message %FWSM-2-106001: Inbound TCP connection denied from IP_addr/port to IP_addr/port flags TCP_flags on interface int_nameExplanation This message indicates that an attempt to connect to an inside address is denied by your security policy. Possible TCP_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the module, and it was dropped. The TCP_flags in this packet are FIN,ACK.
The TCP_flags are as follows:
•
•
•
•
•
•
Recommended Action None required.
Error Message %FWSM-6-106015: Deny TCP (no connection) from IP_addr/port to IP_addr/port flags flags on interface int_name.Explanation This message indicates that the module discards a TCP packet that has no associated connection in the module module's connection table. The module looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the module discards the packet.
Recommended Action The action is required unless the module receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.
Error Message %FWSM-6-302002: Teardown TCP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [reason] [(user)]Explanation A TCP connection between two hosts was deleted.
connection id is an unique identifier.
interface, real-address, real-port identify the actual sockets.
duration is the lifetime of the connection.
bytes bytes is the data transfer of the connection.
user is the AAA name of the user.
The reason variable presents the action that causes the connection to terminate. Set the reason variable to one of the TCP termination reasons listed in Table 0-18.
Recommended Action None required.
Error Message %FWSM-3201009: TCP connection limit of limit-count for host host-address on interface exceededExplanation This message indicates that the maximum number of connections to the specified static address was exceeded. The limit-count variable is the maximum of connections permitted for the host specified by the host-address variable.
Recommended Action Use the show static and show nat commands to check the limit imposed on connections to an address. The limit is configurable.
Error Message %FWSM-6-302013: Built {inbound|outbound} TCP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port) [(user)]Explanation A TCP connection slot between two hosts was created. If inbound is specified, then the original control connection was initiated from the outside.
Recommended Action None required.
Error Message %FWSM-6-302009: Rebuilt TCP connection id for faddr faddr/fport gaddr gaddr/gport laddr laddr/lportExplanation This message appears after a TCP connection is rebuilt after a failover. A sync packet is not sent to the other module. The faddr IP address is the foreign host, the gaddr IP address is a global address on the lower security level interface, and the laddr IP address is the local IP address behind the module on the higher security level interface.
Recommended Action None required.
Error Message %FWSM-6-302010: conns in use, conns most usedExplanation This message appears after a TCP connection restarts. conns is the number of connections.
Recommended Action None required.
Error Message %FWSM-5-500003: Bad TCP hdr length (hdrlen=bytes, pktlen=bytes) from src_addr/sport to dest_addr/dport, flags: tcp_flags, on interface int_nameExplanation This message indicates that a header length in TCP is incorrect. Some operating systems do not handle TCP RSTs (resets) correctly when responding to a connection request to a disabled socket. If a client tries to connect to an FTP server outside the module and FTP is not listening, then the server sends an RST. Some operating systems send incorrect TCP header lengths, which causes this problem. UDP uses ICMP port unreachable messages.
The TCP header length may indicate that it is larger than the packet length resulting in a negative number of bytes being transferred. A negative number is displayed by syslog as an unsigned number making it appear far larger than would be normal; for example, showing 4 GB transferred in 1 second.
Recommended Action None required. This message should occur infrequently.
UDP
Error Message %FWSM-2-106006: Deny inbound UDP from faddr/fport to laddr/lport on interface int_name.Explanation This message indicates that an inbound UDP packet is denied by your security policy.
Recommended Action None required.
Error Message %FWSM-2-106007: Deny inbound UDP from faddr/fport to laddr/lport due to DNS flag.Explanation This message indicates that a UDP packet containing a DNS query or response is denied. The flag variable is either Response or Query.
Recommended Action If the inside port number is 53, the inside host probably is set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.
Error Message %FWSM-6-302015: Built {inbound|outbound} UDP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port) [(user)]Explanation A UDP connection slot between two hosts was deleted. If inbound is specified, then the original control connection is initiated from the outside.
Recommended Action None required.
Error Message %FWSM-6-302016: Teardown UDP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [(user)]Explanation A UDP connection slot between two hosts was deleted.
Recommended Action None required.
SSH
Error Message %FWSM-3-315001: Denied SSH session from IP_addr on interface int_nameExplanation This message indicates that the module denies an attempt to connect to the SSH port from the specified IP address on the specified network interface.
Recommended Action From the console, enter the show ssh command to verify that the module is configured to permit SSH access from the host or network.
Error Message %FWSM-6-315002: Permitted SSH session from IP_addr on interface int_name for user "user_id"Explanation This message indicates that an SSH session starts. The ip_addr is the address of the host with the SSH client. The int_name is the interface through which the SSH session is started. The user_ID is the username to which the client is accessing. Use the ssh show sessions command to view the status of SSH sessions.
Explanation None required.
Error Message %FWSM-6-315003: SSH login session failed from IP_addr on (num attempts) on interface int_name by user "user_id"Explanation This message appears after an incorrect user ID or password were entered a certain number of times for the same connection. Up to three attempts are allowed to log into a SSH console session. The ip_addr is the address of the host with the SSH client. The int_name, is the interface through which the SSH session is started. The user_ID is the username that the client is attempting to access.
Recommended Action If this message appears infrequently, no action is required. If this message appears frequently, it can indicate an attack. Inform the user to verify their username and password.
Error Message %FWSM-3-315004: Fail to establish SSH session because FWSM RSA host key retrieval failed.Explanation This message indicates that the module cannot find the module's RSA host key, which is required for establishing an SSH session. The firewall host key may be absent because no module host key has been generated or because the license for this module does not allow DES or 3DES.
Recommended Action From the console, enter the show ca mypubkey rsa command to verify that module's RSA host key is present. If not, also enter the show version command to check whether the module's license allows DES or 3DES.
Error Message %FWSM-4-315005: SSH session limit exceeded. Connection request from IP_addr on interface int_nameExplanation This message indicates that the maximum number of SSH connections to the module is exceeded. The module denies any attempt to connect to its SSH port from the specified IP address on the specified network.
Recommended Action None required.
Error Message %FWSM-6-315011: SSH session from IP_addr on interface int_name for user "user_id" terminated normally
%FWSM-6-315011: SSH session from IP_addr on interface int_name for user "user_id" disconnected by SSH server, reason: "text"Explanation This message appears after an SSH session completes. If you enter quit or exit, this message displays terminated normally. If the session disconnected for another reason, the text describes the reason.
Recommended Action None required.
Telnet
Error Message %FWSM-6-307001: Denied Telnet login session from IP_addr on interface int_name.Explanation This message indicates that the module denies an attempt to connect to the Telnet port from the specified IP address on the inside network.
Recommended Action From the console, enter the show telnet command to verify that the module is configured to permit Telnet access from that host or network. From the Firewall Manager, select Administration>Telnet Hosts for host information.
Error Message %FWSM-6-307002: Permitted Telnet login session from IP_addrExplanation This message logs a successful Telnet connection to the module.
Recommended Action None required.
Error Message %FWSM-6-307003: telnet login session failed from IP_addr (num attempts) on interface int_name.Explanation This message indicates that an incorrect Telnet password was entered a number of times for the same connection. Up to three attempts are allowed to log into a console Telnet session.
Recommended Action Verify the password and try again.
AAA and ACL
Error Message %FWSM-4-106019: IP packet from src_addr to dest_addr, protocol protocol received from interface int_name deny by access-group acl_IDExplanation This message indicates that an IP packet is denied by the parameters you specified.
Recommended Action None required.
Error Message %FWSM-6-109001: Auth start for user `username' from laddr/lport to faddr/fportExplanation This message indicates that the module is configured for AAA and detects an authentication request by the specified user.
Recommended Action None required.
Error Message %FWSM-6-109002: Auth from laddr/lport to faddr/fport failed (server IP_addr failed) on interface int_name.Explanation This message indicates that an authentication request fails because the specified authentication server cannot be contacted by the module.
Recommended Action Check to be sure the authentication daemon is running on the specified authentication server.
Error Message %FWSM-6-109003: Auth from laddr to faddr/fport failed (all servers failed) on interface int_name.Explanation This message indicates that no authentication server can be found.
Recommended Action Ping the authentication servers from the module. Make sure the daemons are running.
Error Message %FWSM-6-109005: Authentication succeeded for user `user' from laddr/lport to faddr/fport on interface int_name.Explanation This message indicates that the specified authentication request succeeds.
Recommended Action None required.
Error Message %FWSM-6-109006: Authentication failed for user `user' from laddr/lport to faddr/fport on interface int_name.Explanation This message indicates that the specified authentication request fails, possibly because of a wrong password.
Recommended Action None required.
Error Message %FWSM-6-109007: Authorization permitted for user `user' from laddr/lport to faddr/fport on interface int_name.Explanation This message indicates that the specified authorization request succeeds.
Recommended Action None required.
Error Message %FWSM-6-109008: Authorization denied for user `user' from faddr/fport to laddr/lport on interface int_name.Explanation This message indicates that you are not authorized to access the specified address, possibly because of a wrong password.
Recommended Action None required.
Error Message %FWSM-3-109010: Auth from laddr/lport to faddr/fport failed (too many pending auths) on interface int_name.Explanation This message indicates that an authentication request cannot be processed because the server has too many requests pending.
Recommended Action Check to see if the authentication server is too slow to respond to authentication requests. Enable floodguard with the floodguard enable command.
Error Message %FWSM-2-109011: Authen Session Start: user 'user', sid session_numExplanation An authentication session started between the host and the module and has not yet completed.
Recommended Action None required.
Error Message %FWSM-5-109012: Authen Session End: user 'user', sid session_num, elapsed num secondsExplanation The authentication cache has timed out. Users will need to reauthenticate on their next connection. You can change the duration of this timer with the timeout uauth command.
Recommended Action None required.
Error Message %FWSM-3-109013: User must authenticate before using this serviceExplanation The user must be authenticated before using the service.
Recommended Action Authenticate using FTP, Telnet, or HTTP before using the service.
Error Message %FWSM-6-109015: Authorization denied (acl=acl_ID) for user 'username' from src_addr/src_port to dest_addr/dest_port on interface int_nameExplanation The access list check failed; either it matched a deny, or it matched nothing, such as an implicit deny. The connection was denied by the user access list, which was defined per the AAA authorization policy on Cisco Secure ACS.
Recommended Action None required.
Error Message %FWSM-3-109016: Downloaded authorization access-list acl_ID not found for user 'username'Explanation The AAA authorization access-list command statement ID defined on the remote AAA server has not been configured on the module. This error can occur if you configure the AAA server before configuring the module.
Recommended Action Use the same access-list command statement ID on the module as you specified on the AAA server.
Error MessageExplanation The AAA authorization access-list command statement ID defined on the remote AAA server has not been configured on the module. This error can occur if you configure the AAA server before configuring the module.
Recommended Action None required. If errors persist, this may indicate a possible (DoS) denial of service attempt.
Error Message %FWSM-5-111008: User 'user' executed the 'cmd' command.Explanation This message indicates that a command change to the configuration has been made.
Recommended Action None required.
Error Message %FWSM-3-302302: ACL = deny; no sa createdExplanation Proxy mismatches. Proxy hosts for the negotiated SA correspond to a deny access-list command policy.
Recommended Action Check the access-list command statement in the configuration. Contact the administrator for the peer.
Error Message %FWSM-7-701001: alloc_user() out of Tcp_user objectsExplanation This message indicates that the user authentication rate is too high for the module to handle new AAA requests.
Recommended Action Enable floodguard with the floodguard enable command.
Error Message %FWSM-4-106023: Deny protocol src [inbound-interface]:[src_address / src_port] dst outbound-interface:dst_address / dst_port [type {type}, code {code}] by access_group access-list-nameExplanation An IP packet was denied by the access list.
Recommended Action Change permission of access list if a permit policy is desired. If messages persist from the same source address, messages could indicate a foot-printing or port-scanning attempt. Contact the remote host administrator.
Error Message %FWSM-5-501101: User transitioning priv levelExplanation The privilege level of a command was changed.
Recommended Action None required.
Error Message %FWSM-5-502101: New user added to local dbase: Uname: username Priv: priv_lvl Encpass: encrypted_paswdExplanation A new user was added to the local database.
Recommended Action None required.
Error Message %FWSM-5-502102: User deleted from local dbase: Uname: username Priv: priv_lvl Encpass: encrypted_paswdExplanation A user was deleted from the local database.
Recommended Action None required.
Error Message %FWSM-5-502103: User priv level changed: Uname: username From: old_priv_lvl To: new_priv_lvlExplanation The privilege level you changed.
Recommended Action None required.
Error Message %FWSM-6-610101: Authorization failed: Cmd: cmd_string Cmdtype: command_modifierExplanation Command authorization failed for the specified command.
Recommended Action None required.
Error Message %FWSM-6-611101: User authentication succeeded: Uname: usernameExplanation User authentication when accessing the module succeeded.
Recommended Action None required.
Error Message %FWSM-6-611102: User authentication failed: Uname: usernameExplanation User authentication failed when attempting to access the module.
Recommended Action None required.
Error Message %FWSM-5-611103: User logged out: Uname: usernameExplanation The specified user logged out.
Recommended Action None required.
Configuration
Error Message %FWSM-5-111001: Begin configuration: IP_addr writing to deviceExplanation This message indicates that you entered the write command to store your configuration on a device (either floppy, Flash memory, TFTP, the failover standby module, or the console terminal). The IP address indicates whether the login was made at the console port through Telnet connection.
Recommended Action None required.
Error Message %FWSM-6-199005: FWSM Startup beginExplanation This message indicates that the module starts up.
Recommended Action None required.
Error Message %FWSM-7-709001: FO replication failed: cmd=command returned=code
%FWSM-7-709002: FO unreplicable: cmd=commandExplanation These failover messages only appear during the development debug testing phase.
Recommended Action None required.
Error Message %FWSM-1-709003: (Primary) Beginning configuration replication: Receiving from mate.Explanation This message indicates that the active module starts replicating its configuration to the standby module. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-709004: (Primary) End Configuration Replication (ACT)Explanation This message indicates that the active module completes replicating its configuration on the standby module. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-709005: (Primary) Beginning configuration replication: Receiving from mate.Explanation This message indicates that the standby module received the first part of the configuration replication from the active module. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-1-709006: (Primary) End Configuration Replication (STB)Explanation This message indicates that the standby module completes replicating a configuration sent by the active module. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action None required.
Error Message %FWSM-2-709007: Configuration replication failed for command command_nameExplanation This message indicates that the standby module cannot complete replicating a configuration sent by the active module. The command that caused the failure displays at the end of the message.
Recommended Action Write down the command name and contact customer technical support.
FWSM Management
Error Message %FWSM-5-111003: IP_addr Erase configurationExplanation This message indicates that you erased the contents of Flash memory, either by entering the write erase command at the console, or by clicking OK to clear Flash memory in the Firewall Manager. The IP address indicates whether the login was made at the console port through Telnet connection.
Recommended Action After erasing the configuration, you must reconfigure the module and save the new configuration. Alternatively, you can restore information from a configuration that was previously saved, either on floppy or on a TFTP server elsewhere on the network.
Error Message %FWSM-5-111004: IP_addr end configuration: [FAILED]|[OK]Explanation This message indicates that you entered the config floppy/memory/ network command or the write floppy/memory/network/standby command. The IP_addr indicates whether the login was made at the console port through Telnet connection.
Recommended Action No action is required if the message ends with OK. If the message indicates a failure, try to fix the problem. For example, if writing to a floppy, ensure that the floppy is not write protected; if writing to a TFTP server, ensure that the server is up.
Error Message %FWSM-5-111005: IP_addr end configuration: OKExplanation This message indicates that you exited configuration mode. The IP address indicates whether the login was made at the console port through Telnet connection.
Recommended Action None required.
Error Message %FWSM-5-111006: Console Login from user at IP_addrExplanation This message indicates that you connected to the module. If authentication is enabled, the username is reported; otherwise, the string nobody appears. The IP address indicates whether the login was made at the console port through Telnet connection.
Recommended Action None required.
Error Message %FWSM-5-111007: Begin configuration: IP_addr reading from device.Explanation This message indicates that you enter the reload or configure command to read in a configuration. The device text can be floppy, memory, net, standby, or terminal. The IP address indicates whether the login was made at the console port through Telnet connection.
Recommended Action None required.
Error Message %FWSM-7-111009:User user_name executed cmd:commandExplanation This syslog message is for accounting purposes. You entered a command that does not modify the configuration.
Recommended Action None required.
Error Message %FWSM-2-112001:FWSM clear finished.Explanation This message indicates that a request to clear the module configuration has finished. The source file and line number are identified.
Recommended Action None required.
Error Message %FWSM-5-199001: FWSM reload command executed from IP_addr.Explanation This message indicates the address of the host initiating a module reboot with the reload command.
Recommended Action None required.
Error Message %FWSM-6-199002: FWSM startup completed. Beginning operation.Explanation This message indicates that after the module finishes its initial boot and Flash memory reading sequence, and is ready to begin operating normally.
Recommended Action None required.
Error Message %FWSM-6-307002: Permitted Telnet login session from IP_addrExplanation This message indicates a successful Telnet connection to the module.
Recommended Action None required.
Error Message %FWSM-6-307003: telnet login session failed from IP_addr (num attempts) on interface int_name.Explanation This message indicates that an incorrect Telnet password was entered a number of times for the same connection. Up to three attempts are allowed to log into a console Telnet session.
Recommended Action Verify the password and try again.
Error Message %FWSM-6-308001: FWSM console enable password incorrect for num tries (from IP_addr).Explanation This message indicates the number of times you incorrectly typed the password to enter privileged mode. The maximum is three attempts.
Recommended Action The privileged mode password is not necessarily the same as the password for Telnet access to the module. Verify the password and try again.
Error Message %FWSM-3-309001: Denied manager connection from IP_addr.Explanation This message indicates that the Firewall Manager denies an attempt to connect to its Telnet port from the specified IP address on the inside network.
Recommended Action None required.
Error Message %FWSM-6-309002: Permitted manager connection from IP_addr.Explanation This message indicates a successful Firewall Manager connection.
Recommended Action None required.
Error Message %FWSM-4-309004: Manager session limit exceeded. Connection request from IP_addr on interface int_nameExplanation This message indicates that the maximum number of module management connections has been exceeded. The module denies an attempt to connect to its management port from the specified IP address on the specified network.
Recommended Action None required.
PDM
Error Message %FWSM-6-606001: PDM session number num from IP_addr startedExplanation This message indicates that a PDM session has been started.
Recommended Action None required.
Error Message %FWSM-6-606002: PDM session number num from IP_addr endedExplanation This message indicates that a PDM session has ended.
Recommended Action None required.
Stateful Failover
Error Message %FWSM-3-210001: LU SW_Module_Name error = error_codeExplanation This message indicates that a Stateful Failover error occurred.
Recommended Action If this error persists after traffic lessens through the module, report this error to customer support.
Error Message %FWSM-3-210002: LU allocate block (size) failed.Explanation Stateful Failover could not allocate a block of memory to transmit stateful information to the standby module.
Recommended Action Check the failover interface to make sure its transmit is normal using the show interface command. Also, check the current block of memory using the show block command. If current available count is 0 within any of the blocks of memory, then reload the module software to recover the lost blocks of memory.
Error Message %FWSM-3-210003: Unknown LU Object IDExplanation Stateful failover received an unsupported Logical Update object and was unable to process it. This situation could be caused by corrupted memory, LAN transmissions, and other events.
Recommended Action If you see this error infrequently, then no action is required. If this error occurs frequently, check the Stateful Failover link LAN connection. If the error was not caused by a faulty failover link LAN connection, determine if an external user is trying to compromise the protected network. Check for incorrectly configured clients.
Note
Error Message %FWSM-3-210005: LU allocate connection failedExplanation Stateful failover cannot allocate a new connection on the standby module. This may be caused by little or no RAM memory available within the module.
Recommended Action Check the available memory using the show mem command to make sure the module has free memory in the system. If there is no available memory, add more physical memory to the module.
Error Message %FWSM-3-210006: LU look NAT for IP_addr failedExplanation Stateful failover was unable to locate an NAT group for the IP address on the standby module. The active and standby modules probably are out of synchronization.
Recommended Action Enter the write standby command on the active module to synchronize system memory with the standby module.
Error Message %FWSM-3-210007: LU allocate xlate failedExplanation Stateful failover failed to allocate an translation slot (xlate) record.
Recommended Action Check the available memory using the show mem command to make sure that the module has free memory in the system. If the memory has been used up, you may need to add more physical memory.
Error Message %FWSM-3-210008: LU no xlate for laddr/l_port faddr/f_portExplanation Unable to find an translation slot (xlate) record for a stateful failover connection; unable to process the connection information.
Recommended Action Enter the write standby command on the active module to synchronize system memory between the active and standby modules.
Error Message %FWSM-3-210010: LU make UDP connection for faddr:f_port laddr:l_port failedExplanation Stateful failover was unable to allocate a new record for a UDP connection.
Recommended Action Check the available memory with the show memory command to make sure that the module has free memory in the system. If the memory has been used up, you may need to add more physical memory.
Error Message %FWSM-3-210020: LU PAT port port_number reserve failedExplanation Stateful failover is unable to allocate a specific PAT address which is in use.
Recommended Action If this error reappears frequently, enter the write standby command on the active module to synchronize system memory between the active and standby modules.
Error Message %FWSM-3-210021: LU create static xlate global_IP ifc int_name failedExplanation Stateful failover is unable to create a translation slot (xlate).
Recommended Action If this error reappears frequently, use the write standby command on the active module to synchronize system memory between the active and standby modules.
Error Message %FWSM-6-210022: LU missed number updatesExplanation Stateful failover assigns a sequence number for each record sent to the standby module. When a received record sequence number is out of sequence with the last updated record, the information in between is assumed lost and this error message is sent.
Recommended Action Unless there are LAN interruptions, check the available memory on both modules to ensure there is enough memory to process the stateful information. Use the show failover command to monitor the quality of stateful information updates.
Error Message %FWSM-6-311001: LU loading standby startExplanation This message indicates that stateful failover update information was sent to the standby module.
Recommended Action None required.
Error Message %FWSM-6-311002: LU loading standby endExplanation This message indicates that stateful failover update information is done being sent to the standby module.
Recommended Action None required.
Error Message %FWSM-6-311003: LU recv thread upExplanation This message indicates that an update acknowledgment has been received from the standby module.
Recommended Action None required.
Error Message %FWSM-6-311004: LU xmit thread upExplanation This message indicates that a stateful failover update is transmitted to the standby module.
Recommended Action None required.
Memory and Resource Allocation
This section contains the messages generated by memory and resources.
Error Message %FWSM-3-211001: Memory allocation ErrorExplanation Failed to allocate RAM system memory.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently, contact customer technical support.
Error Message %FWSM-2-211003: CPU Utilization for number_seconds seconds = cpu_utilizationExplanation CPU utilization exceeds 100 percent. The utilization time in seconds (number_seconds) and the percentage of CPU usage (cpu_utilization). This is a value greater than 100 percent.
Recommended Action Report this error to customer technical support.
SNMP
This section contains the messages generated by SNMP.
Error Message %FWSM-3-212001: Unable to open SNMP channel (UDP port udp_port) on interface interface_name, error code = codeExplanation This message indicates that the module cannot receive SNMP requests destined for the module from SNMP management stations located on this interface. This does not affect the SNMP traffic passing through the module through any interface.
Recommended Action An error code of -1 indicates that the module could not open the SNMP transport for the interface, and once the module reclaims some of its resources when traffic is lighter, use the snmp-server host command for that interface again.
Error Message %FWSM-3-212002: Unable to open SNMP trap channel (UDP port udp_port) on interface interface_name, error code = codeExplanation This message indicates that the module will not be able to send its SNMP traps from the module to SNMP management stations located on this interface. This does not affect the SNMP traffic passing through the module through any interface.
An error code of -1 indicates that module could not open the SNMP trap transport for the interface An error code of -2 indicates that module could not bind the SNMP trap transport for the interface.
Recommended Action After the module reclaims some of its resources when traffic is lighter, enter the snmp-server host command for that interface again.
Error Message %FWSM-3-212003: Unable to receive an SNMP request on interface interface_name, error code = code, will try again.Explanation This message indicates that of an internal error for an interface was received.
Recommended Action None required. The module SNMP agent will wait for the next SNMP request.
Error Message %FWSM-3-212004: Unable to send an SNMP response to IP Address IP_addr Port port interface interface_name, error code = codeExplanation This message indicates that of an internal error occurred in sending an SNMP response from the module to the specified host on the specified interface.
Recommended Action None required.
Error Message %FWSM-3-212005: incoming SNMP request (number bytes) on interface int_name exceeds data buffer size, discarding this SNMP request.Explanation This message indicates that the length of the incoming SNMP request, which is destined for the module, exceeds the size of the internal data buffer (512 bytes) used for storing the request during internal processing; therefore, the module cannot process this request. This does not affect the SNMP traffic passing through the module through any interface.
Recommended Action Configure the SNMP management station to resend the request with a shorter length, for example, instead of querying multiple MIB variables in one request, try querying only one MIB variable in a request. You may need to modify the configuration of the SNMP manager software.
DHCP
Error Message %FWSM-6-604103: DHCP daemon interface int_name: address granted MAC_addr (IP_addr)Explanation The module DHCP server granted an IP address to an external client.
Recommended Action None required.
Error Message %FWSM-6-604104: DHCP daemon interface int_name: address releasedExplanation An external client released an IP address back to the module DHCP server.
Recommended Action None required.
VPN
Error Message %FWSM-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=IP_addr, prot=protocol, spi=spiExplanation Received an IPSec packet that specifies that the SPI does not exist in the server address database. This situation may be a temporary condition due to slight differences in aging of server addresses between the IPSec peers, or it may be because the local server addresses have been cleared. It may also be because of incorrect packets sent by the IPSec peer. This message might also indicate an attack.
Recommended Action The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers may then reestablish successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer's administrator.
Error Message %FWSM-4-402102: decapsulate: packet missing packet_type, destadr=dest_addr, actual prot=protocolExplanation Received IPSec packet is missing an expected AH or ESP header. The peer is sending packets that do not match the negotiated security policy. This may be an attack. The packet type is either AH or ESP.
Recommended Action Contact the peer's administrator.
Error Message %FWSM-4-402103: identity doesn't match negotiated identity (ip) dest_addr= IP_addr, src_addr= IP_addr, prot= protocol, (ident) local=IP_addr, remote=IP_addr, local_proxy=IP_addr/IP_addr/port/port, remote_proxy=IP_addr/IP_addr/port/portExplanation An unencapsulated IPSec packet does not match the negotiated identity. The peer is sending other traffic through this security association. This situation may be due to a security association selection error by the peer. This situation may be a hostile event.
Recommended Action Contact the peer's administrator to compare policy settings.
Error Message %FWSM-4-402106: Rec'd packet not an IPSEC packet (ip) dest_addr= IP_addr, src_addr= IP_addr, prot= protocolExplanation Received packet matched the crypto map ACL, but it is not IPSec-encapsulated. IPSec Peer is sending unencapsulated packets. This situation may occur because of a policy setup error on the peer. This may also be a hostile event.
Recommended Action Contact the peer's administrator to compare policy settings.
Error Message %FWSM-4-404101: ISAKMP: Failed to allocate address for client from pool pool_idExplanation The Internet Security Association and Key Management Protocol (ISAKMP), failed to allocate an IP address for the VPN client from the pool you specified with the ip local pool command.
Recommended Action Enter the ip local pool command to specify additional IP addresses for the pool.
Error Message %FWSM-6-602102: Adjusting IPSec tunnel mtuExplanation The MTU for an IPSec tunnel is adjusted from path MTU discovery.
Recommended Action Check the MTU of the IPSec tunnels. If an affected MTU is smaller than normal, check intermediate links.
Error Message %FWSM-6-602301: sa createdExplanation A new security association was created.
Recommended Action Informational message only.
Error Message %FWSM-6-602302: deleting saExplanation A security association was deleted.
Recommended Action Informational message only.
Error Message %FWSM-7-702301: lifetime expiringExplanation A security association lifetime has expired.
Recommended Action Debugging message only.
Error Message %FWSM-7-702303: sa_requestExplanation IPSec has requested internet key exchange (IKE) for new security associations.
Recommended Action Debugging message only.
Internet Protocol Routing
Error Message %FWSM-3-317001: No memory available for limit_slowExplanation The requested operation failed because of a low memory condition.
Recommended Action Reduce other system activity to ease memory demands. If conditions warrant, upgrade to a larger memory configuration.
Error Message %FWSM-3-317003: IP routing table creation failure - reasonExplanation An internal software error occurred, which prevented the creation of new IP routing table.
Recommended Action Copy the message exactly as it appears, and report it to your technical support representative.
Error Message %FWSM-3-317004: IP routing table limit warningExplanation The number of routes in the named IP routing table has reached the configured warning limit.
Recommended Action Reduce the number of routes in the table, or reconfigure the limit.
Error Message %FWSM-3-317005: IP routing table limit exceeded - reason, ip_address ip_maskExplanation Further routes will be added to the table.
Recommended Action Reduce the number of routes in the table, or reconfigure the limit.
Error Message %FWSM-4-408001: IP route counter negative - reason, ip_address Attempt: numberExplanation Attempt to decrement IP route counter into negative value failed.
Recommended Action Enter the clear ip route * command to reset the route counter. If the message continues to appear consistently, copy the messages exactly as they appear, and report it to your technical support representative.
OSPF
Error Message %FWSM-3-318002: Flagged as being an ABR without a backbone areaExplanation The router was flagged as an area border router without a backbone area configured in the router.
Recommended Action Restart the OSPF process.
Error Message %FWSM-6-613001: Checksum Failure in database in area ospf_complain Link State Id ip_address Old Checksum old_checksum New Checksum new_checksumExplanation OSPF has detected a checksum error in the database due to memory corruption.
Recommended Action Restart the OSPF process.
Error Message %FWSM-4-409001: Database scanner: external LSA ip_address ip_mask is lost, reinstallsExplanation The software detected an unexpected condition. The router will take corrective action and continue.
Recommended Action None required.
Error Message %FWSM-4-409002: db_free: external LSA ip_address ip_maskExplanation An internal software error occurred.
Recommended Action None required.
Error Message %FWSM-4-409003: Received invalid packet: reason from ip_address, int_nameExplanation An invalid OSPF packet was received. Details are included in the error message. The cause might be a incorrect OSPF configuration or an internal error in the sender.
Recommended Action Check the OSPF configuration of the receiver and the sender configuration for inconsistency.
Error Message %FWSM-3-318003: Reached unknown state in neighbor state machineExplanation An internal software error occurred.
Recommended Action None required.
Error Message %FWSM-4-409004: Received reason from unknown neighbor ip_addressExplanation The OSPF hello, database description, or database request packet was received, but the router could not identify the sender.
Recommended Action This situation should correct itself.
Error Message %FWSM-4-409005: Invalid length number in OSPF packet from ip_address (ID ip_address), int_nameExplanation The system received an OSPF packet with a filed length of less than normal header size or inconsistent with the size of the IP packet in which it arrived. This indicates a configuration error in the sender of the packet.
Recommended Action From a neighboring address, locate the problem router and reboot it.
Error Message %FWSM-4-409006: Invalid lsa: reason Type number, LSID ip_address from ip_address, ip_address, int_nameExplanation The router received an LSA with an invalid LSA type. The cause is either memory corruption or unexpected behavior on a router.
Recommended Action From a neighboring address, locate the problem router and reboot it. To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-4-409007: Found LSA with the same host bit set but using different mask LSA ID ip_address ip_mask New: Destination ip_address ip_maskExplanation An internal software error occurred
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-4-409008: Found generating default LSA with non-zero mask LSA type : number Mask : ip_address metric : number area : nameExplanation The router tried to generate a default LSA with the wrong mask and possibly wrong metric due to an internal software error
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-4-409009: OSPF process number cannot start. There must be at least one \up\ IP interface, for OSPF to use as router IDExplanation OSPF failed while attempting to allocate a router ID from the IP address of one of its interfaces.
Recommended Action Make sure that there is at least one interface that is up and has a valid IP address. If there are multiple OSPF processes running on the router, each requires a unique router ID. You must have enough interfaces up so that each of them can obtain a router ID.
Error Message %FWSM-4-409010: Virtual link information found in non-backbone area: area_nameExplanation An internal error occurred.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-3-318004: area area_name lsid ip_address mask ip_address adv ip_address type numberExplanation OSPF has a problem locating the LSA, which could lead to a memory leak.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-3-318005: lsid ip_address adv ip_address type number gateway ip_address metric number network ip_address mask ip_address protocol number attr number net-metric numberExplanation OSPF has a problem locating the LSA.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message OSPF found inconsistency between its database and IP routing tableExplanation An internal error occurred.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-6-613002: interface interface_name has zero bandwidthExplanation The interface reports its bandwidth as zero.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-3-318006: if string if_state numberExplanation An internal error occurred.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-5-503001: Process number, Nbr ip_address on int_name from name to name, reasonExplanation An OSPF neighbor has changed its state. The message describes the change and the reason for it. This message appears only if the log-adjacency-changes command is configured for the OSPF process.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-6-613003: ip_address ip_mask changed from area areaname to area areanameExplanation An OSPF configuration change has caused a network range to change areas
Recommended Action Reconfigure OSPF with the correct network range.
Error Message %FWSM-3-318007: OSPF is enabled on string during idb initializationExplanation An internal error occurred.
Recommended Action To determine what is causing this problem, contact your Cisco technical support representative for assistance.
Error Message %FWSM-4-409011: OSPF detected duplicate router-id ip_address from ip_address on interface interface_nameExplanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.
Recommended Action OSPF router- ID should be unique. Change the neighbors router ID.
Error Message %FWSM-4-409012: Detected router with duplicate router ID ip_address in area area_nameExplanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.
Recommended Action OSPF router- ID should be unique. Change the neighbors router ID.
Error Message %FWSM-4-409013: Detected router with duplicate router ID ip_address in Type-4 LSA advertised by ip_addressExplanation OSPF received a hello packet from a neighbor that has the same router ID as this routing process. A full adjacency cannot be established.
Recommended Action OSPF router- ID should be unique. Change the neighbors router ID.
Error Message %FWSM-3-318008: OSPF process number is changing router-id. Reconfigure virtual link neighbors with our new router-idExplanation OSPF process is being reset, and it is going to select a new router ID, which will bring down all virtual links. To make the links work again, the virtual link configuration needs to be changed on all virtual link neighbors.
Recommended Action Change virtual link configuration on all the virtual link neighbors, to reflect our new router ID.
Error Message %FWSM-3-319001: Acknowledge for arp update for IP address dest_addr not received (number).Explanation The ARP process in the Firewall Services Module lost internal synchronization because the system was overloaded.
Recommended Action No immediate action is required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.
Error Message %FWSM-3-319002: Acknowledge for route update for IP address dest_addr not received (number).Explanation The routing module in The FWSM lost internal synchronization because the system was overloaded.
Recommended Action No immediate action required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.
Error Message %FWSM-3-319003: Arp update for IP address dest_addr failed (number).Explanation The ARP module in the FWSM lost internal synchronization because the system was overloaded.
Recommended Action No immediate action required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.
Error Message %FWSM-3-319004: Route update for IP address dest_addr failed (number).Explanation The routing module in The FWSM lost internal synchronization because the system was overloaded.
Recommended Action No immediate action required. The failure is only temporary. Check the average load of the system and make sure it is not used beyond its capabilities.
Shun
Error Message %FWSM-4-401001: Shuns clearedExplanation The clear shun command was entered to remove existing shuns from memory.
Recommended Action None required. This message provides a record of shunning activity.
Error Message %FWSM-4-401002: Shun added: IP_addr IP_addr port portExplanation A shun command was entered, where the first IP address is the shunned host. The other addresses and ports are optional and are used to terminate the connection if available.
Recommended Action None required. This message provides a record of shunning activity.
Error Message %FWSM-4-401003: Shun deleted: IP_addrExplanation A single shunned host was removed from the shun database.
Recommended Action None required. This message provides a record of shunning activity.
Error Message %FWSM-4-401004: Shunned packet: IP_addr ==> IP_addr on interface int_nameExplanation A packet was dropped because the host defined by IP source is a host in the shun database. A shunned host cannot pass traffic on the interface on which it is shunned. For example, an external host on the Internet can be shunned on the outside interface.
Recommended Action None required. This message provides a record of the shunned hosts activity. This message and the next message (%FWSM-4-401005) can be used to evaluate further risk assessment concerning this host.
Error Message %FWSM-4-401005: Shun add failed: unable to allocate resources for IP_addr IP_addr port portExplanation The module is out of memory; a shun could not be applied.
Recommended Action The Cisco Secure Intrusion Detection System should continue to attempt to apply this rule. Attempt to reclaim memory and reapply shun manually, or wait for the Cisco Secure Intrusion Detection System to do this process.
Standards Compliance Specifications
Refer to Appendix A, "Specifications," in the Catalyst 6000 Family Installation Guide for the standards compliance specifications.
FCC Class B Compliance
This equipment has complies with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. There is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco's written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
Note
Refer to the Catalyst 6000 Family Installation Guide for additional FCC class compliance information.
Related Documentation
For more detailed installation and configuration information, refer to the following publications:
•
•
–
–
–
–
–
–
–
–
–
–
–
–
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
–
–
–
•
–
–
–
–
–
•
–
–
–
–
–
–
–
–
Cisco IOS Software Documentation Set
Cisco IOS Configuration Guides and Command References—Use these publications to help you configure the Cisco IOS software that runs on the MSFC and on the MSM and ATM modules.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Copyright © 2002, 2003 Cisco Systems, Inc.
All rights reserved.
