Table Of Contents
Specifications and System Limitations
Firewall Module and PIX Differences
Open Caveats in Release 1.1(4)
Resolved Caveats in Release 1.1(4)
Open Caveats in Release 1.1(3)
Resolved Caveats in Release 1.1(3)
Open Caveats in Release 1.1(2)
Resolved Caveats in Release 1.1(2)
Open Caveats in Release 1.1(1)
Resolved Caveats in Release 1.1(1)
Cisco IOS Software Documentation Set
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Catalyst 6500 Series and
Cisco 7600 Series Firewall Services Module Software Release 1.1(x)
August 2004
This document contains release information for the following FWSM Releases:
•
1.1(4)
•
1.1(3)
•
1.1(2)
•
1.1(1)
The FWSM requires Cisco IOS Software Release 12.1(13)E or higher and Catalyst operating system software release 7.5 or later.
Note
For detailed installation and configuration procedures for the FWSM, refer to the Catalyst 6500 and Cisco 7600 Series Firewall Services Module Installation and Configuration Note at http://www.cisco.com/en/US/docs/security/fwsm/fwsm11/configuration/guide/fwsm112.html
Note
Except where specifically differentiated, the term "Catalyst 6500 series switches" includes the Catalyst 6000 series switches, the Catalyst 6500 series switches, and the Cisco 7600 series router.
Note
For information on the latest caveats and updates for the Cisco 7600 series router, refer to the Cisco IOS Release 12.1(7a)E1 release notes or later MSFC release notes at http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/release/notes/OL_2310.html
Note
Release notes for prior Catalyst 6500 series and Cisco 7600 series router software releases were accurate at the time of release. However, for information on the latest caveats and updates to previous software releases, refer to the release notes for the latest maintenance release in your software release train. You can access all Catalyst 6500 series and Cisco 7600 series release notes at the World Wide Web locations listed in the "Obtaining Documentation" section.
Contents
•
Obtaining Technical Assistance
•
Obtaining Additional Publications and Information
System Requirements
This section describes the system requirements for the Catalyst 6500 series and Cisco 7600 series Firewall Services Module software release 1.1(4).
Memory Requirements
The Catalyst 6500 series and Cisco 7600 series Firewall Services Module memory is not configurable.
Hardware Supported
Before you can use the Catalyst 6500 series and Cisco 7600 series Firewall Services Module, you must have a Supervisor Engine 1a (Catalyst operating system only) and an MSFC 2, or a Supervisor Engine 2 (Catalyst operating system and Cisco IOS) and an MSFC 2, and any module with ports to connect server and client networks.
Software Compatibility
Table 1 lists the FWSM software versions supported by Catalyst operating system software and Cisco IOS software.
Feature Set
The Firewall Services Module (FWSM) is a high performance firewall used on the Catalyst 6500 series switch and Cisco 7600 series router. The FWSM can occupy a single slot in the Catalyst 6500 series and Cisco 7600 series chassis or two slots in a redundant configuration. Two modules can also reside in separate chassis in a failover configuration.
The Firewall Services Module provides the following features:
•
Switch fabric compatibility.
•
Interface configuration through either the native Cisco IOS command-line interface or the module command-line interface.
•
PIX 6.0-based feature set and some 6.2 features.
•
LAN failover active or standby (both intra- or inter-chassis).
•
Dynamic routing, Open Shortest Path First protocol (OSPF) (the module maintains its own OSPF tables), and Routing Information Protocol (RIP).
•
IPSec for management only.
•
Command authorization.
•
Object grouping.
•
URL filtering enhancement—The module checks the outgoing URL requests with the policy defined on a Websense, Windows NT, or UNIX-based server. The module either permits or denies the connection depending on the response from the server, which matches a request against a list of website characteristics that are considered inappropriate for business use.
•
Support for PIX 6.0 application inspection which ensures the secure use of applications and services. Application inspection rules are configured using the fixup command, which is why application inspection is called "fixup."
Note
Throughout this document, the term "fixup" applies to application inspection and configuring the application inspection process or application inspection rules.
•
Support for Lightweight Directory Access Protocol (LDAP) or Internet Locator Service (ILS) fixup for NetMeeting.
•
Security—Cisco firewalls provide stateful inspection and content-filtering capabilities that help protect your network environment. Another security feature is the Adaptive Security Algorithm (ASA), which enforces the security boundaries between the networks the firewall connects.
The stateful, connection-oriented ASA creates session flows based on source and destination addresses, TCP sequence numbers (which are non-predictable), port numbers, and additional TCP flags. You can control all inbound and outbound traffic by applying security policies to each connection table entry.
•
Reliability—Cisco firewalls provide adaptable security services for operation-critical network environments by using the integrated stateful failover capabilities within the module. Network traffic can be sent automatically to a hot standby module in the event of a failure, while maintaining concurrent connections with automated state synchronization between the primary module and the standby module.
•
Network Address Translation (NAT) and Port Address Translation (PAT)—Cisco firewalls provide NAT and PAT services that conceal IP addresses of internal networks and expand network address space for internal networks.
•
Denial-of-service (DoS) attack prevention—Cisco firewalls protect the firewall itself and the networks behind it from denial-of-service attempts that can bring a network to a halt.
•
Cisco PIX Device Manager (PDM) 2.1 support—PDM is a browser-based Java applet you can use to configure the Firewall Services Module.
–
PDM must be downloaded and installed for the Firewall Services Module release 1.1. Refer to the "Upgrading the PDM" section on page 3-10 of the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note for download and installation information.
–
The Firewall Services Module 1.1(2) software release is shipped with a preinstalled PDM 2.1 image. You can download the image from CCO to upgrade PDM if necessary.
When the managed platform is the Firewall Services Module, PDM displays modified screens for features that the module does not support. To use PDM to configure the module, refer to the Cisco PIX Device Manager Installation Guide, Version 2.1.
The following PIX firewall features are not supported by the module:
•
Virtual private networks (VPN) (The module supports IPSec VPN only for management purposes.)
•
Intrusion detection system (IDS) syslog messages.
•
Cisco Secure Policy Manager (CSPM)
•
Conduits
•
DHCP (Dynamic Host Configuration Protocol) client
Specifications and System Limitations
Table 2 lists the specifications and system limitations of the FWSM.
Table 2 FWSM Specifications and System Limitations
Physical Attributes
•
Modules per switch: maximum of four modules per switch. If you are using failover, you can still have only four modules per switch, even if two of them are in standby mode.
•
Memory: 1 GB RAM; 128 MB Flash memory.
•
Bandwidth: CEF256 module with a 6-Gbps path to the Switch Fabric Module (if present) or the 32-Gbps shared bus.
Feature Limits
•
Filtering servers: 16 Websense Enterprise filtering servers.
Managed System Resources
•
IPSec management connections, concurrent: 5 connections.
•
TCP[1] or UDP[2] connections between any two hosts (including connections between one host and multiple other hosts), concurrent and rate: 999,900 connections; 100,000 connections per second.
•
Fixup connections, rate: 10,000 per second.
•
PC-based fixup connections, rate: 10,000 per second.
•
Host connections, concurrent: 256,000.
•
SSH[3] management connections, concurrent: 5 connections.
•
System messages, rate: 20,000 per second.
•
Telnet management connections, concurrent: 5 connections.
•
NAT translations, concurrent: 256,000.
Fixed System Resources
•
NAT statements: 1,000 statements.
•
High-performance firewall: 5 Gbps (aggregated).
•
Concurrent connections: 1 million.
•
Packets per second: 3 million pps.
•
New connections per second for HTTP[6], DNS, and enhanced Simple Mail Transfer Protocol (SMTP): 7,000.
•
VLAN interfaces (no physical interfaces on the module): 100.
•
Static NAT statements: 1,000 statements.
•
Global statements: 1,000 statements.
•
Shun statements: 2,000 statements. The FWSM supports at most 2,000 shuns; that number is contingent upon finite hardware resources and cannot be increased.
•
Alias statements: 1,000 statements.
•
User authentication sessions, concurrent: 5,000 sessions.
•
User authorization sessions, concurrent: 150,000 sessions; maximum 15 sessions per user.
•
ARP[4] table entries, concurrent: 64,000 entries.
•
Route table entries, concurrent: 32,000 entries.
•
Packet reassembly, concurrent: 30,000 fragments.
Rules
•
Filter rules (fixup and filter statements combined): 3,000 rules and statements.
•
Established CLI rules: 1,000 rules.
•
Established data: 1,000 implicit rules used by TCP and UDP fixups to allow back channels.
3,000 statements.
•
AAA rules: 3,000 rules (1,000 rules for authentication, 1,000 rules for authorization, and 1,000 rules for accounting).
1,000 rules.
•
ACEs: 72,000 ACEs (best case).
[1] Transmission Control Protocol
[2] User Datagram Protocol
[3] Secure Shell
[4] Address Resolution Protocol
[5] Internet Control Message Protocol
[6] HyperText Transfer Protocol
Firewall Module and PIX Differences
The FWSM is a separate implementation from the PIX and has these differences:
•
The system option (sysopt) service for inbound and outbound connections is not supported in the FWSM.
•
Fragmentation is disabled by default on the FWSM.
•
By default, the FWSM denies all traffic (deny any any): an interface with no access list applied passes no traffic, including traffic from a higher-security to a lower-security interface, which PIX permits by default.
•
PIX and the PIX Device Manager (PDM) support a Telnet timeout up to 60 minutes. The FWSM supports timeout up to 1440 minutes.
•
CSCea25486
FWSM behavior has changed: overlapping or redundant static address translation entries are no longer accepted. An error is generated and the overlapping or redundant static entry is not added to the configuration.
Workaround: None.
•
CSCdx93864
The FWSM tears down all connections from or to the shunned IP address, even if specific connection parameters were given in the shun command. This differs from PIX: on the FWSM, when a shun is applied with full connection parameters (source IP, destination IP, source port, destination port, and protocol), all connections from or to the source IP address are torn down.
Workaround: None.
•
CSCdx91902
Assigning an access list that contains protocol or port numbers to the nat (interface) 0 access-list command fails and generates an error message. This differs from PIX: on the FWSM, the access list configured with the nat 0 access-list command cannot contain protocol or port numbers. Only access lists whose rules carry no protocol or port numbers are accepted by the nat (interface) 0 access-list command.
Workaround: Use only access lists whose rules specify no protocols or port numbers.
•
CSCdx81768
The FWSM does not report the most used connection count. This value is also not reported by the SNMP agent Firewall MIB. The show connection count command displays only the current number of connections and not the most used connections.
Workaround: None.
•
CSCdx14768
The clear nameif command is not supported and displays an error message.
Workaround: Use the no nameif command. (See caveat CSCdx14699).
•
CSCdx14699
You cannot change the interface name once it is assigned using a nameif command. Trying to change the name of the interface using the nameif command results in an error message.
Workaround: Delete the old interface using the no nameif command, and assign it with a new name. All configuration parameters tied to that interface are lost when you run the no nameif command. (See caveat CSCdx14768).
New and Changed Information
•
The FWSM runs on Cisco IOS Software Release 12.1(13)E or higher and Catalyst operating system software release 7.5, and is supported by the Supervisor Engine 1a (Catalyst operating system only) or Supervisor Engine 2 (Catalyst operating system and Cisco IOS) with an MSFC 2.
•
New Command Line Interface (CLI) additions support the FWSM in the Catalyst operating system. Refer to the Catalyst 6500 Series Command Reference (7.5) for descriptions of these commands.
•
Multiple VLAN interfaces are supported in Cisco IOS Release 12.2(14)SY and the Catalyst operating system software version 7.6(1).
Note
To prevent traffic from bypassing the firewall, policy-routing may be required when enabling support for multiple VLAN interfaces on the switch.
To create multiple VLAN interfaces on the switch, use these commands:
For Cisco IOS software:
firewall multiple-vlan-interfaces
no firewall multiple-vlan-interfaces
For the Catalyst operating system software:
set firewall multiple-vlan-interfaces {enable | disable}
•
The Firewall Services Module 1.1(2) software release is shipped with a preinstalled PDM 2.1 image.
•
CSCdz51094
The FWSM command-line interface adds commands that let you trigger ACL compilation manually (manual-commit mode; see the access-list commit and access-list mode commands).
Workaround: None.
•
As part of the fix for CSCeb78838, the following syslog message is added in the FWSM 1.1(3) release.
Error Message: Syslog 440520 - ILS <msg_id> from <interface>:<ip/port> to <interface>:<ip/port> has wrong embedded address
Explanation: The source IP address of the ILS message does not match the IP address embedded in the payload. This most likely means that the client is behind another NAT device that does not recognize ILS. The message is allowed through the firewall.
Recommended Action: This is an informational warning message. No action is required.
Limitations and Restrictions
The following apply:
•
The following features are currently not supported in this release but are planned for support in the next FWSM releases:
–
Support for Jumbo Frames
–
Auto-update Feature
–
Support for OSPF flood reduction feature
•
In FWSM release 1.1(2), static commands with overlapping addresses result in CLI errors. In FWSM 1.1(1), such configurations result in a warning message only. You may encounter this issue if the PIX MC (Management Center) is used to manage the FWSM. When PIX MC deploys a static command for a network, it generates additional static commands for the end points of that network. For example, when deploying the command
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0 0 0
PIX MC generates two additional rules:
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.255 1.1.1.255 netmask 255.255.255.255 0 0
These host entries overlap the /24 entry and result in CLI errors when deployed to FWSM 1.1(2).
A patch will be released for PIX MC to address this issue. The patch version will be PIX MC 1.1(1). With the patch, the PIX MC will not generate the two additional static commands if the device operating system is FWSM Release 1.1(1) or FWSM Release 1.1(2).
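Because FWSM 1.1(2) and later reject overlapping or redundant static entries (CSCea25486 in the PIX differences above) instead of warning, it is worth checking a configuration for such entries before pushing it from PIX MC or a deployment script. The following Python script is an added example written for these release notes; it is not Cisco code. It parses static commands of the form shown above and treats two entries as redundant when they are identical, and as overlapping when their mapped networks intersect on the same mapped interface or their real networks intersect for the same interface pair. That overlap rule is an assumption, since the release notes do not define the exact test the FWSM applies, and the sample configuration is constructed for the example.

```python
"""Flag static NAT entries that FWSM 1.1(2)+ would reject as overlapping or redundant.

Added example for these release notes; not Cisco code. The overlap rule below is
an assumption: the notes say overlapping/redundant statics are rejected but do
not define the exact test the FWSM applies.
"""
import ipaddress
import re

# static (real_if,mapped_if) mapped_addr real_addr [netmask mask] [max_conns [emb_limit]]
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
)

# Constructed sample, not a real FWSM configuration. Lines 2-4 are the three
# statics PIX MC emits for a /24 (see the text above); lines 5-6 are duplicates.
SAMPLE_CONFIG = """\
! constructed sample configuration
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.255 1.1.1.255 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.20 192.168.5.20 netmask 255.255.255.255 0 0
"""


def parse_statics(config_text):
    """Return one dict per static command, with the mapped and real sides as networks."""
    entries = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = STATIC_RE.match(line)
        if not m:
            continue
        mask = m["mask"] or "255.255.255.255"  # no netmask keyword means a host static
        entries.append({
            "line": lineno,
            "real_if": m["real_if"],
            "mapped_if": m["mapped_if"],
            "mapped": ipaddress.ip_network(f"{m['mapped']}/{mask}", strict=False),
            "real": ipaddress.ip_network(f"{m['real']}/{mask}", strict=False),
        })
    return entries


def find_conflicts(entries):
    """Return (kind, line_a, line_b) for each pair the FWSM would reject.

    'redundant': same interface pair and identical mapped and real networks.
    'overlapping': mapped networks intersect on the same mapped interface, or
    real networks intersect for the same interface pair (assumed rule).
    """
    conflicts = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            same_pair = (a["real_if"], a["mapped_if"]) == (b["real_if"], b["mapped_if"])
            if same_pair and a["mapped"] == b["mapped"] and a["real"] == b["real"]:
                conflicts.append(("redundant", a["line"], b["line"]))
            elif (a["mapped_if"] == b["mapped_if"] and a["mapped"].overlaps(b["mapped"])) or (
                same_pair and a["real"].overlaps(b["real"])
            ):
                conflicts.append(("overlapping", a["line"], b["line"]))
    return conflicts


if __name__ == "__main__":
    for kind, line_a, line_b in find_conflicts(parse_statics(SAMPLE_CONFIG)):
        print(f"{kind}: line {line_a} conflicts with line {line_b}")
```

Run against the sample, the script reports the /24 entry on line 2 as overlapping both host entries PIX MC would add (lines 3 and 4) and lines 5 and 6 as redundant; the dmz entry on line 7 is clean because its mapped address does not intersect any other mapped address on the outside interface.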
Caveats
These sections describe the following release caveats:
•
Open Caveats in Release 1.1(4)
•
Resolved Caveats in Release 1.1(4)
•
Open Caveats in Release 1.1(3)
•
Resolved Caveats in Release 1.1(3)
•
Open Caveats in Release 1.1(2)
•
Resolved Caveats in Release 1.1(2)
•
Open Caveats in Release 1.1(1)
•
Resolved Caveats in Release 1.1(1)
Open Caveats in Release 1.1(4)
Note
For a description of caveats resolved in FWSM software release 1.1(4), see the "Resolved Caveats in Release 1.1(4)" section.
This section describes known limitations that exist in the FWSM software release 1.1(4).
•
CSCef16829
302001 and 302002 TCP connection system messages are not being generated consistently.
Workaround: None.
•
CSCef16466
System message 304001 is not being generated consistently.
Workaround: None.
•
CSCef05615
The maximum number of translation slots (xlates) has been reached on the FWSM, and all xlate resources are in use.
Workaround: Enter the show xlate count command to determine whether the maximum number of translation slots (xlates) has been reached.
•
CSCef00261
DNS connections that are initiated by an outbound DNS resolve request are not closing as soon as the reply from the server is received. Instead, the connections are subjected to general UDP timeouts.
Workaround: None.
•
CSCee89629
Sustained stress traffic over long periods with SNMP traps and logging enabled may cause the FWSM to leak memory that is never recovered.
Workaround: None.
•
CSCee69451
Fixup RPC does not work with the NFS version 2 UDP port mapper.
Workaround: None.
•
CSCed83253
If you have a Global Pool defined for NAT and one global statement for PAT, the FWSM intermittently begins assigning the same NAT address to multiple inside hosts.
Workaround: Enter the clear xlate command to resolve the issue.
•
CSCec58341
When using FWSM software release 1.1(2), the error "The flash device is in use by another task" may occur when you enter the show conf or write mem command. When this message is logged, the module has only one active session (the console), which cannot be halted.
Workaround: Reload the FWSM.
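The two open caveats above about connection messages (CSCef16829 and CSCef16466) mean you cannot assume every build message in an FWSM syslog feed has a matching teardown. The following Python script is an added example for these release notes, not Cisco code, showing how to audit an exported syslog for unmatched 302001/302002 pairs. The message layouts are an assumption modeled on the PIX 6.x format that FWSM 1.1 inherits: the TCP messages carry a connection ID, while the UDP build and teardown messages (assumed here to be 302005 and 302006) carry only the address triple, which is the gap reported as CSCed87620 in the resolved caveats below. The log lines are constructed for the example.

```python
"""Audit FWSM connection build/teardown syslog messages for unmatched pairs.

Added example for these release notes, not Cisco code. Message layouts are
assumed to follow the PIX 6.x format that FWSM 1.1 inherits; check them against
the syslog reference for your release before using this on real logs.
"""
import re
from collections import defaultdict

ADDR = r"\d+\.\d+\.\d+\.\d+/\d+"
TCP_BUILD = re.compile(
    rf"%FWSM-6-302001: Built (inbound|outbound) TCP connection (?P<id>\d+) "
    rf"for faddr (?P<faddr>{ADDR}) gaddr (?P<gaddr>{ADDR}) laddr (?P<laddr>{ADDR})")
TCP_TEARDOWN = re.compile(
    rf"%FWSM-6-302002: Teardown TCP connection (?P<id>\d+) faddr (?P<faddr>{ADDR}) "
    rf"gaddr (?P<gaddr>{ADDR}) laddr (?P<laddr>{ADDR}) duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)")
# UDP messages carry no connection ID (CSCed87620), so only the address triple is available.
UDP_BUILD = re.compile(
    rf"%FWSM-6-302005: Built UDP connection for faddr (?P<faddr>{ADDR}) "
    rf"gaddr (?P<gaddr>{ADDR}) laddr (?P<laddr>{ADDR})")
UDP_TEARDOWN = re.compile(
    rf"%FWSM-6-302006: Teardown UDP connection for faddr (?P<faddr>{ADDR}) "
    rf"gaddr (?P<gaddr>{ADDR}) laddr (?P<laddr>{ADDR})")

# Constructed sample log: 1002 is built but never torn down, 1003 is torn down
# without a build (the CSCef16829 pattern), and the DNS triple is built twice
# before its single teardown, so one UDP teardown was never logged.
SAMPLE_LOG = [
    "%FWSM-6-302001: Built outbound TCP connection 1001 for faddr 198.51.100.10/80 gaddr 203.0.113.5/1025 laddr 10.1.1.5/1025",
    "%FWSM-6-302001: Built outbound TCP connection 1002 for faddr 198.51.100.10/80 gaddr 203.0.113.5/1026 laddr 10.1.1.5/1026",
    "%FWSM-6-302005: Built UDP connection for faddr 198.51.100.53/53 gaddr 203.0.113.5/1030 laddr 10.1.1.5/1030",
    "%FWSM-6-302005: Built UDP connection for faddr 198.51.100.53/53 gaddr 203.0.113.5/1030 laddr 10.1.1.5/1030",
    "%FWSM-6-302002: Teardown TCP connection 1001 faddr 198.51.100.10/80 gaddr 203.0.113.5/1025 laddr 10.1.1.5/1025 duration 0:00:05 bytes 2310 (TCP FINs)",
    "%FWSM-6-302006: Teardown UDP connection for faddr 198.51.100.53/53 gaddr 203.0.113.5/1030 laddr 10.1.1.5/1030",
    "%FWSM-6-302002: Teardown TCP connection 1003 faddr 198.51.100.20/443 gaddr 203.0.113.5/1027 laddr 10.1.1.5/1027 duration 0:01:10 bytes 9921 (TCP FINs)",
]


def audit(lines):
    """Pair builds with teardowns; TCP by connection ID, UDP only by address triple."""
    tcp_open = {}                 # conn id -> faddr of a TCP connection still open
    udp_open = defaultdict(int)   # (faddr, gaddr, laddr) -> outstanding UDP builds
    result = {"tcp_closed": [], "tcp_orphan_teardowns": [],
              "udp_orphan_teardowns": 0, "udp_ambiguous": set()}
    for line in lines:
        if m := TCP_BUILD.search(line):
            tcp_open[m["id"]] = m["faddr"]
        elif m := TCP_TEARDOWN.search(line):
            if tcp_open.pop(m["id"], None) is not None:
                result["tcp_closed"].append(m["id"])
            else:
                result["tcp_orphan_teardowns"].append(m["id"])
        elif m := UDP_BUILD.search(line):
            key = (m["faddr"], m["gaddr"], m["laddr"])
            udp_open[key] += 1
            if udp_open[key] > 1:   # a teardown for this triple was never logged
                result["udp_ambiguous"].add(key)
        elif m := UDP_TEARDOWN.search(line):
            key = (m["faddr"], m["gaddr"], m["laddr"])
            if udp_open[key] > 0:
                udp_open[key] -= 1
            else:
                result["udp_orphan_teardowns"] += 1
    result["tcp_unmatched_builds"] = sorted(tcp_open)
    result["udp_outstanding"] = {k: v for k, v in udp_open.items() if v}
    return result


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

For TCP the connection ID makes the audit exact: 1001 pairs cleanly, 1002 is left open, and 1003 has no build. For UDP the best the audit can do without an ID is count builds against teardowns per address triple; when the same triple is built twice, it cannot say which of the two the single teardown closed, only that one teardown is missing.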
Resolved Caveats in Release 1.1(4)
Note
For a description of caveats open in FWSM software release 1.1(4), see the "Open Caveats in Release 1.1(4)" section.
This section describes the resolved caveats in FWSM software release 1.1(4).
•
CSCef17283
The NP 3 loses its ingress buffers and gets stuck.
•
CSCef08101
Use of manual commit mode with large ACLs may cause the FWSM to crash.
•
CSCee95021
After several days of normal operation of FWSM 1.1(3.17) all NPs (including NP 3) may get stuck and no further packet processing is possible.
The show tech command displays the following errors:
------------------ show interface stats -------------
Interface stats query failed. Try again.
------------------ Fast Path (1) Stats --------------
ERROR: np_logger_query request for FP Stats failed
------------------ Fast Path (2) Stats --------------
ERROR: np_logger_query request for FP Stats failed
------------------ Slow path info ------------------
ERROR: np_logger_query request for retreiving Slow Path Stats failed
If the FWSM that crashes is used in a failover pair, both modules become active, causing interruption of network services. The traffic causing this situation is currently unknown.
Workaround: None.
•
CSCee77634
ACL memory in NP 3 is depleted with a 400-line ACL and 200 AAA entries. The AAA statements, which are the last set of entries added to ACL memory, are deleted when the module runs out of ACL memory.
Whenever ACL memory is exhausted, a message is printed on the console and syslog message 106024 is generated. In this case the message was not printed. Improved memory utilization with some minor optimizations fixes this problem.
Workaround: None.
•
CSCee70314
If you configure the FWSM to permit TFTP or Oraserv (ports 69 and 1525), the module opens a UDP hole in the firewall (1.1.x releases): arbitrary UDP packets can cross the firewall even if ACLs are configured to deny them.
Workaround: Deny ports 69 and 1525 using access lists.
•
CSCee66825
The FWSM stops logging to syslog server(s), and crashes in the logger thread.
•
CSCee62839
The standby FWSM crashed and remained in the failed state after reloading.
•
CSCee54891
With logical update (LU) enabled, in some very rare situations a standby blade experiences a watchdog timeout while processing a specific message and crashes.
Workaround: None.
•
CSCee34971
Large ACL compilation causes a failover problem. The problem does not occur when you reload the standby FWSM; it occurs only when you reload the active FWSM, regardless of whether it is the primary or the secondary unit.
Workaround: Use the no fail active command on the active FWSM.
•
CSCee34015
The fixup h323 h225 1720 does not work properly when it is disabled at bootup. If you enter the no fixup h323 h225 1720 command, save the configuration, reload the FWSM, and then enter the fixup h323 h225 1720 command, the fixup appears not to work and debug h323 events displays nothing.
Workaround: Reboot the FWSM to resolve this issue.
•
CSCee29865
The FWSM crashes one or two times per day in the SIP fixup, with the following traceback:
------------
Thread Name: udp_sip (Old pc 0x00235cf2 ebp 0x0c51934c)
Traceback:
0: 005142e5
1: 00229dae
2: 0022a628
3: 0022cafa
4: 00138c1e
5: 00139067
6: 0013e9d3
7: 00140d07
------------
Workaround: None.
•
CSCee28584
When running the show console command (included in the show tech command) from a remote SSH management session, the SSH session may hang and cause high CPU use on the module until the SSH session is terminated through another management session.
Running the show console command through another management method (for example Telnet, or the console through the switch) shows that a very long line is present in the output.
Workaround: Use Telnet or the console to manage the module instead of SSH.
•
CSCee24308
A FWSM running 1.1(3) crashed during simultaneous multi-user access.
•
CSCee23146
When pushing big configurations with custom scripts, the inside interface stops responding to ICMP. Oracle cluster fails over because the Oracle database servers use ICMP as the keep-alive mechanism. Also when both FWSMs are on-line, as master and slave modules, the push takes much longer than when only one module is online.
Workaround: Break the configuration into smaller parts and push the smaller parts. Or, use a pause between pushes of ACLs to the different interfaces.
•
CSCee22117
Standby FWSMs running software release 1.1(3.14) crash at bootup with logical update (LU) enabled.
Workaround: Disable the logical update (LU) or failover module. We recommend that you upgrade to a later software version.
•
CSCee21959
The FWSM crashed in the h323_ras thread.
Workaround: Disable the H323 RAS fixup with the no fixup protocol h323 ras 1718-1719 command.
•
CSCee12218
The sysopt connection tcpmss bytes command has no effect on the FWSM.
Workaround: None.
•
CSCee09684
Some UPS devices with network management through a Telnet session have an unusual TCP/IP stack. The SYN-ACK segment from such devices may also have the PUSH flag set. The FWSM drops these packets causing the Telnet session through the FWSM to the UPS to fail.
Workaround: None.
•
CSCee05560
When a FWSM is connected as the standby module, the active module detects it and sends it the configuration, but the ACL compilation on the standby fails with a memory error. The compilation completes properly if the configuration is loaded with the config net command.
Workaround: None.
•
CSCee05440
The standby FWSM crashes in send_xlate_query_to_np.
•
CSCee02795
Compilation of ACL fail with no error. Uploading several ACLs or ACEs to the FWSM fails the compilation with no errors sent. Using big files with ACLs or ACEs with groups, may exhaust No errors are displayed until the module is reloaded.
Workaround: Use fewer ACLs or ACEs.
•
CSCed87620
The FWSM syslog does not display the UDP connection ID. Because no connection ID is shown in UDP messages, it is not possible to determine which teardown message belongs to which built message.
Workaround: None.
•
CSCed87613
The FWSM syslog does not show the UDP syslog information. Duration of UDP connections and transferred bytes are not displayed.
Workaround: None.
•
CSCed87609
The FWSM syslog prints incorrect information. The syslog shows connection duration is 0 although a finite time has elapsed for that connection.
Workaround: None.
•
CSCed81366
When the FWSM is used with a WS-X6816-DFC3A module, failover may take up to 5 minutes and stateful failover does not work.
Workaround: None.
•
CSCed76775
The output of the show pdm history feature xlate command does not always display the correct number of xlates in use and the most used xlates. The numbers differ from the actual number of xlates represented in the output of the show xlate count command. Because of this situation, when you graph the number of xlates in use, and those xlates most used in the PDM, the output is incorrect.
Workaround: Use the output from the show xlate count command. There is no current workaround when graphing PDM xlates.
•
CSCed76739
The show xlate command does not always display all xlates. You can count the number of xlates in the output of the show xlate command and it does not add up to the number represented in the output of the show xlate count command.
Workaround: Use the show local-host command, or use show xlate interface interface command.
•
CSCed71423
The aaa accounting include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+ command, when used on the FWSM, causes all TCP traffic to stop passing through the module; UDP traffic still operates correctly. This occurs only when AAA accounting is used without AAA authentication or authorization. When all three AAA methods are used together, TCP traffic does not appear to be affected. This defect occurs on FWSM software releases 1.1(2)5 and 1.1(3).
Workaround: None.
•
CSCed70659
When the active FWSM is powered down, the traffic does not resume through the new active module.
Workaround: None.
•
CSCed57167
In a corner case, the FWSM crashes in the i82543_timer thread when receiving a message on the EOBC port.
Workaround: None.
•
CSCed56932
The FWSM does not currently support OSPF Type 10 (Opaque) LSAs. If the FWSM has OSPF neighbors that send Type 10 LSAs, the FWSM advertises that it accepts them but drops them when they are received. As a result, the FWSM stays in the Loading state with the neighbor that is sending the Type 10 LSAs.
Workaround: Remove traffic engineering configurations from the FWSM's OSPF neighbors, or place the FWSM and its neighbors in their own OSPF area so that Type 10 LSAs are not flooded into that area. With the fix, the FWSM advertises that it does not support Type 10 LSAs.
•
CSCed56580
During initial TCP session establishment through the FWSM, if the inside server behind a NAT responds with two simultaneous SYN-ACK packets, the final ACK for session establishment is not permitted back through the FWSM.
Workaround: None.
•
CSCed50344
With cut-through authentication and a finite inactivity timer configured, you must re-authenticate each time the configured inactivity interval elapses, even though the session has not actually been idle (for example, your existing connections have been carrying traffic, or you have set up new connections). This problem was observed in FWSM software release 1.1(3).
Workaround: None.
•
CSCed47425
Applying configuration changes to ACLs in manual-commit mode causes traffic on the interface to which that ACL is bound to be dropped for some time. This problem exists only in manual-commit mode.
It applies to users and management tools that use manual-commit mode to apply ACL configuration changes to the module.
Workaround: Until the fix is available in a later release, use the following command sequence so that traffic loss is not observed while making changes in manual-commit mode. The access list in this sequence is named blah.
1.
Enter manual-commit mode.
2.
Run the no access-list blah command.
3.
Add new ACEs with the same name to reflect the modified access list.
4.
Run the access-list commit command, or the access-list mode auto-commit command to go back into auto-commit mode.
5.
Update or reapply the access-group binding to bind blah to the original interface.
In this sequence, traffic on the interface to which blah was attached is dropped from step 2 until the access-group binding is reapplied in step 5.
•
CSCed43840
Fixup lookup fails with port ranges.
Workaround: None.
•
CSCed31238
The FWSM drops WINS traffic if the packets are sourced from a client on a higher security level interface, destined to a server on a lower security level interface.
Workaround: If you are not using NAT, disable the NetBIOS fixup using the no fixup protocol netbios command.
•
CSCed22209
When using policy NAT (nat (ifc) 0 access-list) on FWSMs, not all connections are copied to the standby. In particular, fixup-created connections (for example, FTP data connections opened by fixup protocol ftp) do not appear in the xlate table of the secondary module and fail after a failover event.
Workaround: Use straight nat (ifc) n network mask constructs.
•
CSCed19419
Some traffic that relies on statics stops passing through the FWSM in a failover environment. If the no failover active command is run, the statics disappear from the FWSM on which the command was run. If this command is run on the primary (active) module and then on the secondary (now active) module, the primary module resumes the active role and the statics no longer exist.
If the statics are reconfigured on the active FWSM, the Unable to download Static Entry message is displayed. This problem exists only in FWSM software release 1.1(3.4).
Workaround: Reload both FWSMs at the same time, then verify that the statics remain by running the show config command.
•
CSCed15690
If you are using a stateful failover pair of FWSMs running software releases 1.1(3) and 1.1(3)3 and you initiate an FTP session through the active blade, when the primary blade fails the FTP session stays up but the data transfer is terminated. Observing the host's connections through the secondary module, only the control channel is seen as open. Connecting through the now-active secondary module and initiating a GET for the file, the transfer begins. Comparing connection state between the two FWSMs, the secondary module lacks the data connection that is present on the primary module.
Workaround: None.
•
CSCec89158
When a FWSM running software release 1.1.x is configured with the service resetinbound or service resetoutside command, the module does not send a reset back when a denied SYN packet is received. The module does, however, perform the standard reset for non-SYN packets for which no connection exists.
Workaround: None.
•
CSCec81482
Normal priority threads are being starved. When this situation occurs, a counter is incremented so that you can determine what conditions result in starvation and take corrective action. The normal priority queue must be allowed to run once for every 8 processing runs of the high priority queue in which high priority threads are still waiting. If no high priority threads are hogging the CPU, the behavior is the same as the current scheduler.
Workaround: Change the process scheduler to allow the normal priority threads to run.
•
CSCec76399
Under rare circumstances, the FWSM may crash with a thread name: h323_ras. In some cases a packet was intended for the FWSM for a connection which should have been outdated.
Workaround: If you are not passing H323 RAS messages through the FWSM, then disable the H323 RAS fixup using the no fixup protocol h323 ras 1718-1719 command.
•
CSCec72379
Sessions drop for TN3270 users running through the FWSM. Even after the TCP timeout was changed from 1 hour to 8 hours, connection lifetimes ranged from dropping within 5 minutes to staying up just over 1 hour.
Workaround: None.
•
CSCec67902
Some access-lists fail to be downloaded to the network processor, causing the FWSM to fail at the next reboot.
Workaround: None.
•
CSCec66799
Only the first established command entered into the FWSM will actually take effect. All other established commands are ignored. For example, if these commands are entered into the FWSM:
FWSM(config)# established tcp 514 0 permitto tcp 6000-6010 permitfrom tcp 1024-65535
FWSM(config)# established tcp 513 0 permitto tcp 6000-6010 permitfrom tcp 1024-65535
FWSM(config)# established tcp 512 0 permitto tcp 6000-6010 permitfrom tcp 1024-65535
FWSM(config)# established tcp 23 0 permitto tcp 6000-6010 permitfrom tcp 1024-65535
FWSM(config)# established tcp 22 0 permitto tcp 6000-6010 permitfrom tcp 1024-65535
FWSM(config)# established tcp 21 0 permitto tcp 6000-6010 permitfrom tcp 1024-65535
Only the first command, for the outbound TCP connection on port 514, works.
Workaround: None.
•
CSCec62023
The FWSM stops forwarding traffic at the slow path when AAA authentication and authorization are configured, and there is a high number of users generating traffic.
Workaround: Reload the FWSM.
•
CSCec58457
FWSM software release 1.x currently syslogs all denied packets using syslog ID 106023. This includes packets that are dropped because of the implicit deny ip any any statement at the end of every access-list. This syslog is also logged if no access-list is applied to an interface, because the FWSM defaults to denying all traffic when no ACL is applied. This behavior is inconsistent with PIX and Cisco IOS.
Workaround: The behavior of the FWSM will be modified in a future release so that it no longer logs implicitly denied packets. If you want to syslog all denied packets, add an explicit deny all ACE as the last entry in your ACLs. For example:
FWSM(config)# access-list <acl> deny ip any any
•
CSCec49782
TFTP connections may begin to fail through the FWSM because there is a limit of 1,000 TFTP connections through the FWSM at any one time. The FWSM has a system limitation of 1,000 established nodes and each TFTP connection uses an established node. When the TFTP connection is torn down, the established node should also be removed.
Because of this caveat, TFTP connections can be torn down without removing their associated established node. If this happens several times, no new TFTP connections can be created because no established nodes are available. In this situation, no syslog is generated to alert you that this has occurred. The TFTP connection fails, with no indication as to why. To verify that this problem has occurred, run the show np 3 stats command, and look for the following line:
--> Est<->HO Errors : 850 <---
If this number is non-zero, there is a good chance you are running into this problem.
Workaround: Clear the local-host table using the clear local-host command.
Note
This command may not clear all of the established nodes in all of the scenarios.
•
CSCec45573
New vulnerabilities in the OpenSSL implementation of SSL have been announced. An affected network device running an SSL server based on the OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client. The network device is vulnerable even if it is configured not to authenticate certificates from the client.
This advisory is posted at this URL:
http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml.
Workaround: Refer to the advisory URL for work arounds that are available to mitigate the effects of these vulnerabilities.
•
CSCec36996
In rare circumstances, two instances of the same network object might be observed in an object group. The object group is involved in complex access-lists, which require a lot of CPU resources while new members are being added to the object group.
The root cause of this problem is that processing continued for too long during the access-list compilation.
Workaround: To dramatically decrease the ACL compile time, delete the object that is listed multiple times, from the CLI, then replace that object. Wait until the operation completes.
•
CSCec34413
The FWSM performs through-traffic authentication by matching traffic against an access-list. Caveat CSCeb83847 indicated that the only valid ACEs in an aaa authentication match ACL statement are for FTP, Telnet, HTTP, or TCP/0, which is not correct. Any ACE that is created should be valid when applied to an aaa authentication match ACL command statement. The FWSM should behave as follows:
–
If the FWSM receives a packet that matches an ACE applied to an aaa authentication match ACL statement and the ACE is a deny, the packet is passed to the next process.
–
If the ACE is a permit, a check is made to verify that the source IP is already authenticated. If the source IP is authenticated, the packet is passed to the next process.
–
If the source IP is not authenticated and the packet is FTP, Telnet, or HTTP, you receive a prompt for authentication.
–
If the packet is not one of the above, the packet is dropped.
Workaround: None.
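The decision sequence described above, modeled as an added Python example. This is not FWSM code; the ACE and packet structures, first-match ordering of the ACL, and the pass/prompt/drop labels are assumptions of this model, and the sample ACL and packets are constructed for illustration.

```python
# Model of the "aaa authentication match" decision sequence described in
# caveat CSCec34413. Added illustration, not FWSM code. The ACE/packet
# structures and first-match ordering are assumptions of this model.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Ace:
    """One access-list entry (assumed representation)."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (ip = any protocol)
    src: str                    # source network in CIDR, e.g. "10.0.0.0/8"
    dst: str                    # destination network in CIDR
    dport: Optional[int] = None # destination port; None = any port


@dataclass(frozen=True)
class Packet:
    """Minimal 4-tuple view of a through-traffic packet (assumed)."""
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


# Services for which the FWSM can present an authentication prompt.
PROMPTABLE_TCP_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """True when the packet falls inside the ACE's protocol, networks and port."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src_ip) not in ip_network(ace.src, strict=False):
        return False
    if ip_address(pkt.dst_ip) not in ip_network(ace.dst, strict=False):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def aaa_match_decision(acl: Iterable[Ace], pkt: Packet,
                       authenticated: Set[str]) -> str:
    """Return "pass", "prompt" or "drop" for one packet.

    "pass"   - the packet continues to the next process (deny ACE, already
               authenticated source, or no matching ACE at all)
    "prompt" - unauthenticated FTP/Telnet/HTTP: user is prompted to log in
    "drop"   - unauthenticated traffic that cannot be prompted
    """
    for ace in acl:                       # first matching ACE decides (assumed)
        if not ace_matches(ace, pkt):
            continue
        if ace.action == "deny":          # deny ACE: exempt from authentication
            return "pass"
        if pkt.src_ip in authenticated:   # permit ACE, source already known
            return "pass"
        if pkt.proto == "tcp" and pkt.dport in PROMPTABLE_TCP_PORTS:
            return "prompt"               # can challenge the user interactively
        return "drop"                     # cannot prompt on this protocol
    return "pass"                         # no AAA rule applies to this packet


# Constructed sample ACL: hosts in 10.1.0.0/16 are exempt, the rest of 10/8
# must authenticate before reaching anything over TCP.
SAMPLE_ACL: List[Ace] = [
    Ace("deny", "tcp", "10.1.0.0/16", "0.0.0.0/0"),
    Ace("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0"),
]

if __name__ == "__main__":
    auth = {"10.2.2.3"}
    for pkt in (Packet("10.1.2.3", "192.0.2.10", "tcp", 23),
                Packet("10.2.2.4", "192.0.2.10", "tcp", 23),
                Packet("10.2.2.3", "192.0.2.10", "tcp", 443),
                Packet("10.2.2.4", "192.0.2.10", "tcp", 443)):
        print(pkt.src_ip, pkt.proto, pkt.dport, "->", aaa_match_decision(SAMPLE_ACL, pkt, auth))
```

The model makes the fourth rule visible: an unauthenticated source matching a permit ACE on a port other than FTP, Telnet or HTTP is dropped rather than prompted, which is why the caveat matters when the ACL is broader than those three services.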
•
CSCec18770
The FWSM write standby command on the primary FWSM causes failover to occur on the secondary module.
Workaround: None.
•
CSCec13506
If the FWSM is started up with the configuration having an interface in the shut down state, error messages appear on the console during startup.
Workaround: None.
•
CSCec07318
The NFS mount takes a long time to succeed or fails because the NFS client is on a lower security interface relative to the NFS server.
Workaround: Configure the NFS client on a higher security interface relative to the NFS server.
•
CSCec03643
When making calls using gateways to the SIP (SMDS Interface Protocol) proxy, UDP and TCP proxy calls fail to set up, or there is no voice path.
Workaround: Do not use gateways with the SIP proxy.
•
CSCeb35030
When you enter the config net command with the tftp-server outside 172.17.241.99 /we command in the configuration, the FWSM crashes when the configuration file contains a write mem command.
Workaround: None.
•
CSCeb16395
Configuring different ICMP types in an access-list is not accepted.
Workaround: None.
•
CSCea62152
When running in a failover configuration, the FWSM does not replicate connections at the second failover because the state of the connection is lost. This condition applies only to those connections that remain alive through both failovers. Both the FTP and RSH connections consist of a control and data channel that are linked. All other connections are considered as control channel only. Connections are being replicated for one of the following reasons:
a.
A new connection is established (control or data).
b.
Packets are exchanged over an existing connection.
c.
Data channels without a parent control channel are not replicated.
Workaround: None.
Open Caveats in Release 1.1(3)
Note
For a description of caveats resolved in FWSM software release 1.1(3), see the "Resolved Caveats in Release 1.1(3)" section.
This section describes known limitations that exist in the FWSM software release 1.1(3).
•
CSCec24882
During failover interface testing when the shutdown command is sent manually, testing continues, and the interface state is reported as "unknown." The interface status should be reported as "Link Down," and the test should not be performed on the interfaces.
Workaround: None.
•
CSCec22386
The no routerid ip add routing command does not remove the router identification under OSPF because the routerid syntax is incorrect.
Workaround: Use the no router-id syntax.
•
CSCec21934
When the message digest key is configured it cannot be removed using the no ospf message-digest-key key md5 cisco command because the syntax is incorrect.
Workaround: Use the no ip ospf message-digest-key keyid command syntax.
•
CSCec09288
No video can be seen using IP TV. The UDP packets seem to be dropped when access-lists are applied to allow only the needed traffic to flow through the FWSM.
Workaround: None.
•
CSCec07318
The NFS mount takes a long time to succeed or fails because the NFS client is on a lower security interface relative to the NFS server.
Workaround: Configure the NFS client on a higher security interface relative to the NFS server.
•
CSCec03643
When making calls using gateways to the SIP (SMDS Interface Protocol) proxy, UDP and TCP proxy calls fail to set up, or there is no voice path.
Workaround: Do not use gateways with the SIP proxy.
•
CSCeb17912
The FWSM does not reply to the Address Resolution Protocol (ARP) if ARP is sourced from a non-connected network.
Workaround: Add a specific route or static ARPs on the MSFC.
•
CSCeb13501
The PIX Device Manager (PDM) performance monitor graphs display only zero values except for the performance monitor intervals. This condition occurs because the performance monitor interval and the PDM poll interval are set to different values.
Workaround: Configure the PDM poll and performance monitor interval to the same value.
•
CSCea75037
When the interface IP address is modified, the interface static entry continues working with the old IP address but not with the new IP address.
Workaround: Remove and reconfigure the interface static line after the interface IP address has been changed.
•
CSCea62152
When running in a failover configuration, the FWSM does not replicate connections at the second failover because the state of the connection is lost. This condition applies only to those connections that remain alive through both failovers. Both the FTP and RSH connections consist of a control and data channel that are linked. All other connections are considered as control channel only. Connections are being replicated for one of the following reasons:
a.
A new connection is established (control or data).
b.
Packets are exchanged over an existing connection.
c.
Data channels without a parent control channel are not replicated.
Workaround: None.
•
CSCeb82034
When overlapping static statements are specified, the static entries cannot be removed from the configuration.
Workaround: Avoid using overlapping network addresses in different static statements, or change the order of the static statements in the configuration.
•
CSCeb82030
The maximum idle time that can be configured for a connection is 18 hours and 12 minutes. If a timeout is configured for a time that is greater than 18 hours and 12 minutes, the timeout wraps around and has a value of 18 hours and 12 minutes.
Workaround: Configure a maximum idle time value lower than 18 hours and 12 minutes.
•
CSCeb81845
The show conn command displays connections with the idle timeout larger than the timeout configured.
Workaround: None.
•
CSCeb61644
When configuring the OSPF processes and the SVI interfaces on both the MSFC and the FWSM to perform MD5 authentication, the OSPF process in the FWSM becomes stuck in the loading state and cannot reach the full state. The output of the show ip ospf neighbor command displays this information:
Neighbor ID Pri State Dead Time Address Interface
x.x.x.x 1 LOADING/DR 0:00:33 y.y.y.y outside
This syslog message displays:
409005: Invalid length 1504 in OSPF packet from y.y.y.y (ID x.x.x.x), outside
This situation occurs when the LS update packets from the MSFC are fragmented and both of the OSPF neighbors are configured to perform MD5 authentication.
Workaround: Do not use MD5 authentication. Use clear text authentication, or do not configure authentication. Cisco IOS releases that do not fragment LS updates do not cause this problem on the FWSM.
•
CSCec02829
If a protocol is not associated to the AAA server group when using the aaa-server tag protocol tacacs/radius command, any new server group is always considered as the TACACS server.
If a radius server is specified with the aaa-server tag [(if_name)] host ip_address [key] [timeout seconds] command and the tag used is not associated with the radius protocol, AAA authentication, authorization, or accounting fail because the firewall assumes that the AAA server is a TACACS server and attempts to make requests to port 49 on the specified server.
Workaround: Always create a server group by associating it with the required protocol before assigning servers to that group, as in this example:
FWSM(config)# sh aaa
FWSM(config)# sh aaa-
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
FWSM(config)# aaa- TEST_RADIUS (dmz) host 10.6.0.3 ciscoradius time 2
FWSM(config)# sh aaa-
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server TEST_RADIUS protocol tacacs+
aaa-server TEST_RADIUS (dmz) host 10.6.0.3 ciscoradius timeout 2 [ACTIVE]
FWSM(config)#
•
CSCec01062
If SIP messages are split across multiple TCP segments, the FWSM does not take any action (such as NAT or connection pre-allocation) on them.
Workaround: Do not use Network Address Translation (NAT) or Port Address Translation (PAT) and disable the fixup SIP using the no fixup protocol sip 5060 command.
•
CSCec19761
Outbound TFTP requests fail if PAT is using an interface IP address that is configured on the FWSM. The TFTP file download works correctly with other PAT IP addresses.
Workaround: None.
•
CSCec13506
If the FWSM is started up with the configuration having an interface in the shut down state, error messages appear on the console during startup.
Workaround: None.
Resolved Caveats in Release 1.1(3)
Note
For a description of caveats open in FWSM software release 1.1(3), see the "Open Caveats in Release 1.1(3)" section.
This section describes the resolved caveats in FWSM software release 1.1(3).
•
CSCec05977
When failover is configured, using a write standby command resets the configurations on the secondary FWSM.
Workaround: None.
•
CSCeb86257
With some configuration and with fragmented ICMP, HTTP, FTP traffic, and RTSP, the network processors lose their ingress buffers, causing both FWSMs to become active or causing the secondary FWSM to report as failed.
Workaround: None.
•
CSCeb78583
When using show run and write mem commands from two simultaneous sessions into the FWSM, and when the show run command completes first, the write mem command fails in cfglck.c line 76 upon completion.
Workaround: Perform CLI commands from only one session at a time.
•
CSCeb76295
The FWSM in a stateful failover configuration may not replicate TCP connections correctly. This behavior shows up in configurations where the NAT 0 ACL is used.
Workaround: Use NAT 0 or statics.
•
CSCeb70377
When two FWSMs are used with stateful failover, unnecessary failovers can occur, caused by the garbage collection thread on the standby module. When a translate (xlate) process ages to one hour, the standby FWSM constantly queries the process to verify if the process is still in use or if the process can be torn down. During this time, the failover hello messages are dropped, resulting in a failover.
Workaround: Disable stateful failover.
•
CSCeb60286
Stateful synchronization does not operate correctly after switchover. When there is a switchover due to a short communication failure between the active and the standby FWSM, the logical unit (LU) flag is not set correctly on the network processors (NPs) after the switchover, which stops the stateful synchronization from the active FWSM to the standby FWSM.
Workaround: Remove the stateful link configuration, and add it back on the active FWSM with the no failover link stateful and failover link stateful commands.
•
CSCeb54271
If there is an ACL with an access-list entry using object-groups, and it expands to a large number of ACL lines (up to 10,000-12,000), then when this configuration is synchronized through failover, some commands that follow after the ACE might be missing on the standby FWSM after the synchronization.
Workaround: Do not use ACE with object groups that expand to a large number (up to 10,000-12,000).
•
CSCeb45715
The FWSM fails when performing two write terminal or show running commands in concurrently running sessions that are on the same FWSM with pager enabled.
Workaround: Change the number of pager lines in the configuration to a different value, or disable the pager completely.
•
CSCeb32385
An overflow in TCP sequence number randomization causes large file transfers to fail intermittently. This situation indicates that the randomized sequence number has not been calculated correctly.
Workaround: Disable randomization on related address translation.
•
CSCeb31327
Changing the object group entry does not allow the access list to properly compile.
Workaround: Remove and reapply the ACL.
•
CSCeb14311
If the timeout reauthentication (uauth) absolute session is disabled (value 00:00:00), and inactivity is enabled (any value greater than 00:00:00), the FWSM still times out every uauth session immediately after the authentication.
Workaround: Increase the absolute timeout to the maximum value to minimize the effect of reauthenticating frequently.
•
CSCea84521
The first interface shuts down without an IP address and packets from the processor complex (PC) are dropped when fixup-enabled traffic fails.
Workaround: Configure the IP address on the first interface.
•
CSCea77343
If AAA authentication and HTTP fixups are both enabled, the original URL requested by the client is modified by the FWSM, making the URL unreachable after the user has successfully been authenticated.
Workaround: Disable HTTP fixup.
•
CSCea74979
A no nameif command on the FWSM for any nameif statement resets the fragment size from the configured value to the default of 1.
Workaround: Reconfigure the fragment size on the interfaces.
•
CSCea58768
When performing the show running command from multiple sessions into the same FWSM module, upon completion of the second command, the FWSM reboots.
Workaround: Avoid performing commands from multiple simultaneous sessions into the same FWSM module.
•
CSCdz11349
Connections to a server are interrupted during a standby reboot, causing the following conditions:
–
If the secondary (standby) FWSM is reloaded when booting up, as it is receiving its configuration from the active FWSM, it sends out ARP requests (using the active IP addresses) for any servers configured in the configuration, for example, syslog server, TACACS+ server, and so on.
Hosts that see the ARP request go out from the standby FWSM (with the active IP addresses) update their ARP table and associate the standby module MAC addresses with the active IP addresses. This condition results in packet loss because the clients that update their ARP table will now forward packets to the standby FWSM, which drops the packets.
–
If the secondary FWSM is active, and the primary FWSM is reloaded upon startup, the primary FWSM sends out packets (using its burned-in MAC address [BIA]). This condition occurs because the packets are sourced from the primary FWSM before it realizes it is in standby mode and should be using the secondary FWSM MAC addresses.
The MAC-to-Port mapping in the CAM table on the Catalyst 6500 switch (or the Catalyst 7600 router) is incorrectly populated. The switch forwards packets destined to the active FWSMs MAC address to the primary FWSM (in standby mode), and the packets are dropped.
Workaround: None.
•
CSCdx14755
Static or connected routes from non-OSPF interfaces cannot be redistributed. The FWSM supports the OSPF routing protocol and allows at most two OSPF processes to run at one time. The FWSM allows redistribution only between OSPF domains. In FWSM release 1.1(1), there is no support for redistributing RIP or static routes into the OSPF domain (or the reverse).
Workaround: There is no workaround for re-distribution between the RIP and OSPF domains. To redistribute static routes into the OSPF domain, one OSPF process must be started on the OSPF interfaces, which then allow the associated routes to redistribute into the existing OSPF domain.
Open Caveats in Release 1.1(2)
Note
For a description of caveats resolved in FWSM software release 1.1(2), see the "Resolved Caveats in Release 1.1(2)" section.
This section describes known limitations that exist in the FWSM software release 1.1(2).
•
CSCea53736
Configuring a NAT rule on interface number 32 may fail.
Workaround: Configure a dummy interface as the interface number 32.
•
CSCea51993
After upgrading the image from 1.1(2) to 1.1(2), the FWSM may fail to boot up.
Workaround: Upgrade the FWSM application partition (AP) image from the maintenance partition (MP).
•
CSCea49340
If you run commands like show ip ospf simultaneously from multiple sessions, this action could cause the FWSM to malfunction.
Workaround: Do not run the same commands from multiple sessions.
•
CSCea47186
If an SSH session is disconnected because of a session timeout, the FWSM may still show the session with IP address 0.0.0.0 as connected.
Workaround: None.
•
CSCea27881
Syslog ID 109003 does not specify the IP addresses correctly for command authorization.
Workaround: None.
•
CSCea25990
During authentication of traffic, the following message may be printed on the console:
uauth_procline:null uap->proxy
Workaround: None.
•
CSCea17890
The following auth-prompt command help message is incorrect:
Usage:[no | clear] auth-prompt [prompt | accept | reject] "<prompt text>"
The help message should not contain quotation marks and should appear as:
Usage:[no | clear] auth-prompt [prompt | accept | reject] <prompt text>
Workaround: Do not use quotation marks (" ") when specifying the prompt text.
•
CSCea08088
If an access-list specified in a route-map is removed, then the next configured access-list is added into the route-map.
Workaround: Remove the errant ACL and reapply the correct ACL.
•
CSCea07741
Matching by route-source or next hop in route-maps does not work on the FWSM.
Workaround: Do not configure route-sources or next hops in route-maps.
•
CSCdz75298
If an area range is specified with the range being a subnet of a connected route, then that connected route fails. Hosts located on the failed interface are not reachable unless there is another more specific route available.
Workaround: Specify an area range that is not a subnet of a connected interface.
•
CSCdz71636
For AAA authenticated HTTP connections on the FWSM, the module changes the CRLF to LF, even if the client sends a CRLF. However, the FWSM behavior is still compliant with RFC1945.
Workaround: None.
•
CSCdz54939
When an ACL is configured with a source port specified for a match rule in AAA, the source port is ignored.
Workaround: Do not use a source port in the AAA configuration.
•
CSCdz43131
After an FTP connection is closed, the FIN+ACK packet is dropped.
Workaround: None.
•
CSCdz11349
If a logging host command is configured on the standby module and is saved on the compact flash memory, any existing connections on the active module to the configured logging server get interrupted during a standby reboot.
Workaround: Do not have a logging host command saved on the standby module's compact flash memory.
•
CSCdz10577
Although adjacency is in the full state, the FWSM OSPF database goes out of synchronization for an LSA, which may result in a missing route.
Workaround: Issuing a clear ip ospf process_id process command rectifies the problem.
•
CSCdz06297
Sometimes a nameif, no nameif, nameif, ip address command sequence causes the connected route entry for the interface to be lost. The IP address of the interface is set correctly.
Workaround: Reissue the ip address command with the same parameters.
•
CSCdz05858
The ip address command is case sensitive. You must use case-insensitive names for interfaces.
Workaround: None.
•
CSCdz04484
The Windows 2000 FTP server connection is dropped after a switchover. This problem occurs because the Windows 2000 FTP server closes the connection after a few unsuccessful retries. As a result, the FTP data connection is dropped.
Workaround: None.
•
CSCdy88467
OSPF may not transition from the EXCHANGE to the FULL state.
Workaround: Reset the OSPF process by issuing the clear ip ospf pid process command.
•
CSCdy84020
Packets belonging to authentication traffic that requires fragmentation may not be fragmented.
Workaround: None.
•
CSCdy73409
When using the clear xlate command, connections are cleared but those required to be accounted for (as specified in the aaa account ... command) do not generate the corresponding STOP record.
Workaround: None.
Resolved Caveats in Release 1.1(2)
Note
For a description of caveats open in FWSM software release 1.1(2), see the "Open Caveats in Release 1.1(2)" section.
This section describes caveats that have been resolved in FWSM software release 1.1(2).
•
CSCea1832
The return TFTP connection from the client on the inside of the firewall to the server on the outside of the firewall fails when an FWSM is in the path.
Workaround: None.
•
CSCdz75675
The FWSM does not release the console after you send a show access-list command.
Workaround: None.
•
CSCdz75304
The interface configuration synchronization times out too soon.
Workaround: None.
•
CSCdz74169
When configuring ACLs for UDP with a port number specified, the display is incorrect. When a port number is not specified, the display is correct. The configuration is synchronized to the standby module the first time. After a switchover, the configuration does not synchronize to the new active module. This problem is not seen while configuring an ACL for permitting TCP.
Workaround: None.
•
CSCdz71414, CSCdy72108, CSCdy69069
The wr mem command requires several minutes to complete.
Workaround: None.
•
CSCdz71154
If an OSPF redistribution access list has been configured, after clearing all access lists you may not be able to configure any new access lists.
Workaround: Reboot the module.
•
CSCdz69224
An internal stack error may occur, and the secondary module may continue to reboot when the traffic through the module includes HTTP, FTP, UDP with fragmentation, and UDP with protocol 85 and protocol 170.
Workaround: None.
•
CSCdz65676
A memory allocation error occurs with HTTP, FTP, UDP, fragmentation UDP, protocol 85, and protocol 170 traffic flowing through the module.
Workaround: None.
•
CSCdz62114
When removing named interfaces (nameifs) from the active console, the parse_thread_helper reports "NO valid ifc found for vlan <vlan id>", which causes a "Disabling failover" message because the number of interfaces is no longer consistent between the active and standby modules.
Workaround: None.
•
CSCdz55901
During an AAA authorization configuration attempt, after removing the aaa authentication enable console NT_tacacs command and attempting to continue configuration after a Telnet login, the FWSM enters debugging mode.
Workaround: None.
•
CSCdz55648
Failover occurs when reconfiguring the failover LAN primary module.
Workaround: To recover the modules from the failure, use the no failover command on both modules. Configure one module as the primary (active) module, enable failover on the secondary module, and then reload the secondary module. To avoid the failure, start with the no failover command running on both modules, reconfigure the modules as primary and secondary, and enable failover first on the primary module and then on the secondary module, which then receives the configuration synchronization from the primary module.
•
CSCdz51968
Buffers that are 1550 bytes long are lost, and errors are displayed on the console.
Workaround: None.
•
CSCdz49400
When configuring AAA on connections through the FWSM on VLANs higher than 255, AAA does not work. Any time the source interface of the traffic that is to be authenticated is higher than 255, the username and password prompts do not appear, and the connection is closed.
Workaround: None.
•
CSCdz48886
With HTTP and UDP traffic, the FWSM fails in scp_check_resp_packet while downloading VLANs from the switch.
Workaround: None.
•
CSCdz48877
During the configuration with an existing DHCPD address pool, an internal error occurred when a new DHCPD address pool was assigned.
Workaround: None.
•
CSCdz48506
A user can access the FWSM through a Telnet connection without authentication.
Workaround: None.
•
CSCdz47194
When using the LOCAL username database as an authentication function for SSH sessions to the FWSM console, the authentication fails.
Workaround: None.
•
CSCdz45925
The FWSM debug process begins when you access the console, leave the username field blank, and type in any password using the SSH client application.
Workaround: None.
•
CSCdz44289
When an SSH session is made to FWSM, the 109005 or 109006 syslog messages that are displayed are incorrect.
Workaround: None.
•
CSCdz43874
The FWSM is unable to reach hosts defined with the static command because of overlapping addresses.
Workaround: None.
•
CSCdz41758
When one IP address is used when both NAT and PAT are defined with the static command, the FWSM generates the "LU allocate xlate failed" syslog message on the standby module after the failover switchover completes.
Workaround: None.
•
CSCdz40491
The FWSM fails with HTTP, FTP fragmentation, UDP, TCP, protocol 85, and protocol 170 traffic flowing through the module.
Workaround: None.
•
CSCdz39752
The maximum transmission unit (MTU) value is taken as a signed number. Traffic is dropped when the MTU is set to a value greater than 32767 bytes.
Workaround: None.
•
CSCdz39525
Due to an internal error, the FWSM fails in the Block.c location during test.
Workaround: None.
•
CSCdz38847
The crypto command-line interface is not intuitive and does not give all options, as other commands do.
Workaround: None.
•
CSCdz38213
If a total of 1024 ICMP, SSH, or Telnet commands have been configured since the last time the module booted (even though the current number of commands is much less), you will not be able to add any more rules without rebooting the module.
Workaround: None.
•
CSCdz38115
An error occurs when the shut and no shut commands are used on the logical unit interface in the network processor during FTP traffic.
Workaround: None.
•
CSCdz36292
The service command is not supported.
Workaround: None.
•
CSCdz36154
Established connections do not relearn the MAC address if the MAC address changes.
Workaround: None.
•
CSCdz30792
When receiving a link state advertisement (LSA) with a large number of links into the router LSA, OSPF on the FWSM stops loading.
Workaround: None.
•
CSCdz30349
The FWSM accepts a 32-bit integer for an area when using the router ospf command, but it displays the integer as a 31-bit integer when using the show router ospf command.
Workaround: None.
•
CSCdz28610
Both the primary and secondary module fail during the failover process due to an internal error.
Workaround: None.
•
CSCdz25395
The show local command applied to an active FWSM displays connections as 0/0 when there are 220 connections configured.
Workaround: None.
•
CSCdz25210
With PIX Device Manager (PDM) running, a secondary module can enter the debug process at the "print_metric_history" location after issuing the no failover active and no failover commands on the active primary module.
Workaround: None.
•
CSCdz21440
A new product object ID was added for the FWSM.
Workaround: None.
•
CSCdz19612
Command-line interface lines longer than 200 characters cause the module to fail.
Workaround: None.
•
CSCdz18901
When running a clear config all command on the standby module, the active module reboots.
Workaround: None.
•
CSCdz17388
OSPF can be configured from the enable mode. OSPF should only be configured from the configuration submode like other FWSM commands, for example, the nameif command.
Workaround: None.
•
CSCdz14980
If you use the static command with an embryonic limit, and the client (lower security) interface used in the command has a VLAN that is numerically greater than 255, connections that are intercepted will not mature.
Workaround: When configuring an embryonic limit with the static command, make sure that the client (lower security) interface VLAN is numerically less than or equal to 255.
•
CSCdz14182
The syslog 201002 shows the wrong value for the number of embryonic connection counts and total connection counts.
Workaround: None.
•
CSCdz13830
Specifying set or match statements for route maps with multiple sequence numbers does not work.
Workaround: Do not configure route maps with multiple sequence numbers. Use only one sequence number, and specify multiple set or match statements for that sequence.
•
CSCdz13724
Configuring AAA "exclude" rules does not exempt the intended hosts or networks as it should.
Workaround: Configure the "exclude" rules before the "include" rules as follows:
a.
Configure the rules in any order.
b.
Enter the show aaa command.
c.
Copy the rules into a clipboard.
d.
Enter the clear aaa command.
e.
Paste the rules back into the command-line interface prompt, and they are now ordered.
•
CSCdz13712
Configuration in the FWSM for AAA user policy protocols can be done in two different ways:
–
Directly specifying the hosts required to pass the user policy server (AAA server) using the following command:
aaa authentication include telnet inside 10.6.25.0 255.255.255.0 10.8.89.40 255.255.255.255 TACACS+
–
Or, using an ACL previously configured on the module so that, when it is matched by new connections, it triggers the AAA server query, as shown by the following commands:
access-list aaa permit tcp any any
aaa authentication match aaa inside TACACS+
Only one of these two methods can be used without mixing the two types of rules. When switching from one format to the other, the command-line interface parser complains in some cases that the system does not support hybrid mode, although no AAA rule is configured at that time.
Workaround: Use the clear aaa command, and configure the AAA rules again.
•
CSCdz12953
When the security level associated to two already defined interfaces is modified from the original values, any configuration that uses those security levels is not automatically updated. For example, the static command assumes inbound or outbound traffic based on the security levels for that port. If the security levels are reversed using the nameif command, these security levels are not automatically fixed. Such configuration causes problems in the FWSM.
Workaround: If the security level for a nameif command has to be modified, use a no nameif command for that interface first, followed by the nameif command with the new security level.
•
CSCdz11127
After clearing the ARP table on the FWSM, any HTTP connection that arrives at the FWSM and needs authentication will not receive the username and password prompt for 30 seconds. The same situation occurs if there is no ARP entry in the FWSM for the host that requires authentication. The behavior is corrected after approximately 30 seconds, and the HTTP connections are then authenticated.
Workaround: None.
•
CSCdz09913
When an address translation is created for AAA traffic, under certain conditions the translations do not get timed out when all connections are torn down, even after the timeout period has expired. Eventually these translations are removed, but the collection process may take a number of hours.
Workaround: Use the clear xlate command to clear that translation.
•
CSCdz06670
A Telnet session from either the route processor or an external host to the FWSM fails when AAA traffic is present.
Workaround: Use the secure shell (SSH) to connect to the firewall, or reduce the amount of AAA traffic until you complete the Telnet session.
•
CSCdz06535
When nameif or no nameif commands are issued continuously during configuration synchronization between two FWSM modules, a reboot may occur when one of the FWSM modules is on standby.
Workaround: Wait for the configuration synchronization to complete and then issue the nameif or no nameif commands.
•
CSCdz06478
For UDP connections on port 111, the module is applying the TCP timeout instead of the UDP connection timeout.
Workaround: None.
•
CSCdz06350
When sending traffic (AAA or HTTP authentication) and then disabling the HTTP fixup, the module experiences an internal error.
Workaround: None.
•
CSCdz05311
Certain sequences of events (like switchovers under heavy stress, disabling and enabling logical update link continuously) can result in stateful (connection) information not getting replicated from the active to the standby module.
Workaround: Disable failover on the standby module, and then reenable it.
•
CSCdz05019
Some syslog messages are not rate-limited, even after you have configured rate limiting for the syslog level to which the syslog belongs.
Workaround: Configure the rate limit for the specific syslog ID using the message option.
•
CSCdy89217
When there are ambiguous NAT commands issued, the error message "LU allocate xlate failed" is seen on the standby module. This error message is displayed only when the wr standby command is specified.
The following example shows a NAT configuration that could trigger this action:
nat (inside) 11 40.10.1.1 255.255.255.255 0 0
nat (inside) 11 40.10.1.0 255.255.255.0 0 0
where 40.10.1.1 is overlapped in both of the NAT configurations.
Workaround: None.
•
CSCdy87943
Outgoing OSPF router link state advertisements (LSA) are restricted to a length of 1300 bytes. For most deployments this is not a problem, but in some cases the router LSA being generated for an area exceeds this limit.
Workaround: To reduce the size of the LSA, do the following:
–
Use tighter network commands to select only the required interfaces
–
Partition interfaces into areas.
–
Align NAT pools on subnet boundaries as far as possible.
•
CSCdy82175
When configuring console authentication (a subset of AAA), and the authentication command is issued with the wrong syntax after the mandated location for the console keyword, the authentication is internally translated to a wrong command. Later attempts to remove that command fail.
For example, the following syntax is correct:
FWSM(config)# aaa authentication http console TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+
The following syntax is incorrect:
FWSM(config)# aaa authentication http inbound 0.0.0.0 0.0.0.0 TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+
FWSM(config)# no aaa authentication http console TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+
FWSM(config)#
Workaround: Enter the command that was first issued, preceded by the no keyword, or use the clear aaa authentication or clear aaa command to clear the related AAA configuration.
•
CSCdy78024
Whenever application inspection "fixup" for FTP is enabled and an FTP session is terminated from the client, the FWSM always generates the syslog message number 106015.
Workaround: None.
•
CSCdy77731
When OSPF is configured in the FWSM to have a virtual link and a not-so-stubby area (NSSA) in the same routing process, upon removal of the virtual link the type 4 LSAs may be applied to the NSSA. The application of type 4 LSAs to the NSSA results in warnings being displayed in other routers connected to the FWSM in the NSSA. This caveat is not known to have any other adverse effect on functionality.
Workaround: None.
•
CSCdy75936
When configuring together AAA authentication and "fixup" for the HTTP protocol, the fixup is not applied to the first user connection (the connection that is prompted for a username password).
Workaround: Use the virtual HTTP feature.
To use the virtual HTTP feature on the FWSM, you must do the following:
–
Define the virtual HTTP address in the outside interface (an internet real address that any internet user should be able to contact, similar to a global IP address).
–
Provide a static port entry from this outside virtual address to any address located in any interface other than the outside (even a fake address, as long as there is a route for this fake address through an interface different than the outside one).
–
Have a AAA rule for this virtual HTTP address.
•
CSCdy75129
Incorrect behavior occurs for the high availability (HA) switchover.
Workaround: None.
•
CSCdy72131
The timeout command does not get replicated to the standby module if a partial command is issued, for example: time conn 5.
Workaround: Use the full form of the command instead. For example: timeout conn 5.
•
CSCdy70462
The no mtu interface_name mtu_value command does not reset the interface MTU to the default value, which is 1500 bytes.
Workaround: Use the mtu interface_name 1500 command to set the interface MTU to the default value of 1500 bytes.
•
CSCdy67187
Configuring the command authorization database with the aaa authentication match acl_name rules configured generates an error. Using PDM to configure the command authorization and AAA authentication results in the same error.
Workaround: If the configuration is being done through the FWSM command-line interface, configure the AAA authentication rules instead of the match access-list syntax as follows:
aaa authentication include tcp inside 123.45.67.0 255.255.255.0 group_tag
If you are using the PDM application for configuration, use the previous rule type and configure the AAA rule through the PDM command-line interface window.
•
CSCdy63569
A failure on an active module does not show failover with 50 percent failed interrupts in the show fail command display.
Workaround: None.
•
CSCdy63509
If the username is configured on the system, the following message gets printed on the standby module during wr standby command action:
Username exists. Only privilege level can be updated for existing usernames. Username addition failed.
Workaround: Issue a clear username command on the standby module before issuing a wr standby command on the active module.
•
CSCdy63099
Connections get synchronized in standby mode, even if the logical unit (LU) interface is in shutdown.
Workaround: None.
•
CSCdy61929
In the FWSM, the moduleIpAddress command returns the incorrect value.
Workaround: None.
•
CSCdy60658
When OSPF and failover are configured on the module, the following message is displayed on the standby firewall when the network...area command for OSPF is abbreviated:
FO unreplicable:cmd=ne
Workaround: Enter the network ... area command again without abbreviation.
•
CSCdy59930
Configuring the NAT 0 ACL and regular NAT in the same interface is not supported in this release. Such a configuration causes packets on the interface to use the wrong translation.
Workaround: None.
•
CSCdy58481
During a TFTP download of the image, when a configuration synchronization takes place, the download does not complete successfully.
Workaround: None.
•
CSCdy58194
Single-session performance problems should not affect behavior on the modules.
Workaround: None.
•
CSCdy43943
Extra spaces for connected routes display in the console output.
Workaround: None.
•
CSCdy19755
Issuing the ca generate rsa key size command on the active module sometimes causes a switchover to the standby module. The RSA key generation started by this command may take up to three minutes to converge, particularly when the key size is set to 1024 or 2048 bits. If the failover poll time is set to a small value (for example, 3 seconds), a switchover may occur because the active module is busy generating the key and does not respond during a poll, so the standby module takes over.
Workaround: Disable failover on the active module and the standby module before generating the key to avoid switchover. Failover can be reenabled once the key generation operation is complete.
•
CSCdx80521
New connections through the FWSM are not allowed, but existing connections continue to go through. When a TCP syslog server is unreachable, the module prevents new connections. However, once the connectivity with the TCP syslog server is re-established, new connections still do not pass.
Workaround: Run the no logging on command to allow the new connections through the FWSM to resume. Remove the configuration for the failed syslog server, and re-enable the logging.
•
CSCdx20282
The FWSM does not support the inside interface as the default interface for the URL server. The inside interface is an optional firewall interface in the FWSM.
Workaround: Define the interface when entering the url-server statement.
Open Caveats in Release 1.1(1)
Note
For a description of caveats resolved in FWSM software release 1.1(1), see the "Resolved Caveats in Release 1.1(1)" section.
This section describes known limitations that exist in the FWSM software release 1.1(1).
•
CSCea08088
If an access list specified in a route map is removed, the next configured access list is added into the route map.
Workaround: Remove the errant ACL and reapply correct ACL.
•
CSCea07741
Matching by route-source or next hop in route-maps does not work on FWSM.
Workaround: None.
•
CSCdz75298
If an area range is specified, with the range being a subnet of a connected route, then the route for the connected route is missed. If there is no other more specific route for hosts on that interface, the hosts are not reachable.
Workaround: Specify an area range which is not a subnet of the connected interface.
•
CSCdz54939
When an ACL is configured with a source port specified for the match rule in AAA, AAA does not check the source port field.
Workaround: None.
•
CSCdz43131
After an FTP Connection is closed, the FIN+ACK packet is dropped.
Workaround: None.
•
CSCdz14980
When a static port is configured with an embryonic limit and the client (lower security) interface used in the static command has a VLAN that is numerically greater than 255, connections that are intercepted on this static port will not mature.
Workaround: When configuring a static port with an embryonic limit, make sure that the client (lower security) interface VLAN is numerically less than or equal to 255.
•
CSCdz14182
The syslog 201002 shows the wrong value for the number of embryonic connection counts and total connection counts.
Workaround: None.
•
CSCdz13830
Specification of set or match statements for route maps with multiple sequence numbers does not work.
Workaround: Do not configure route maps with multiple sequence numbers. Use only one sequence number, and specify multiple set or match clauses for it.
•
CSCdz13724
Configuring AAA "exclude" rules does not exempt the intended hosts or networks as it should under some conditions.
Workaround: Configure the "exclude" rules before the "include" rules as follows:
a.
Configure the rules in any order.
b.
Enter the show aaa command.
c.
Copy the rules into a clipboard.
d.
Enter the clear aaa command.
e.
Paste the rules back into the command-line interface prompt, and they are now ordered.
•
CSCdz13712
Configuration in the FWSM for AAA user policy protocols can be done in two different ways:
–
Directly specifying the hosts required to pass the user policy server (AAA server):
aaa authentication include telnet inside 10.6.25.0 255.255.255.0 10.8.89.40 255.255.255.255 TACACS+
–
Or, using an ACL previously configured on the module that, when matched by new connections, triggers the AAA server query:
access-list aaa permit tcp any any
aaa authentication match aaa inside TACACS+
Only one of these two methods can be used without mixing the two types of rules. When switching from one format to the other, the command-line interface parser complains in some cases that the system does not support hybrid mode ("do not support hybrid configuration") even though no AAA rule is configured at that time.
Workaround: Enter the clear aaa command, and configure the intended AAA rules again.
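The show aaa / clear aaa / paste procedure for CSCdz13724, and the "do not mix the two rule formats" restriction of CSCdz13712 (both listed above for 1.1(1) and again for 1.1(2)), can be done offline before anything is pasted into a live module. The following script is an added illustration written for these notes; it is not Cisco code and not FWSM output. It takes captured show aaa text (the sample below is constructed, and its addresses are illustrative), moves every exclude rule ahead of the include rules while keeping each group's relative order, refuses to emit a paste block that mixes aaa ... match rules with include/exclude rules, and refuses any line longer than 200 characters, since CSCdz19612 states that longer command lines crash the module.

```python
"""Rebuild an FWSM AAA rule set so that it pastes back in a safe order.

Added example, not Cisco code: implements the show aaa / clear aaa / paste
workaround as an offline check. Exclude rules are emitted before include
rules, the include/exclude form is never mixed with the 'aaa ... match'
form in one paste, and no line exceeds the 200-character CLI limit.
"""
from typing import List, Tuple

MAX_CLI_LINE = 200  # lines longer than this crash the module (CSCdz19612)

# Constructed sample of 'show aaa' output; addresses are illustrative only.
SAMPLE_SHOW_AAA = """\
aaa authentication http console TACACS+
aaa authentication include telnet inside 10.6.25.0 255.255.255.0 0.0.0.0 0.0.0.0 TACACS+
aaa authentication exclude telnet inside 10.6.25.7 255.255.255.255 0.0.0.0 0.0.0.0 TACACS+
aaa authorization include tcp/0 inside 10.6.25.0 255.255.255.0 0.0.0.0 0.0.0.0 TACACS+
aaa authorization exclude tcp/22 inside 10.6.25.0 255.255.255.0 0.0.0.0 0.0.0.0 TACACS+
"""


def rule_kind(rule: str) -> str:
    """Classify one 'aaa ...' line as 'exclude', 'include', 'match' or 'other'."""
    words = rule.split()
    if len(words) > 2 and words[2] in ("include", "exclude", "match"):
        return words[2]
    return "other"  # console authentication and similar lines


def order_aaa_rules(show_aaa_output: str) -> List[str]:
    """Return the rules with every exclude rule ahead of every include rule.

    Relative order inside each group is preserved (stable partition). Rules
    that are neither include nor exclude go first; their position does not
    interact with the caveat.
    """
    rules = [ln.strip() for ln in show_aaa_output.splitlines() if ln.strip()]
    tagged: List[Tuple[str, str]] = [(rule_kind(r), r) for r in rules]
    kinds = {k for k, _ in tagged}
    if "match" in kinds and kinds & {"include", "exclude"}:
        # The parser rejects a hybrid of the two rule formats (CSCdz13712).
        raise ValueError("do not mix 'aaa ... match' with include/exclude rules")
    others = [r for k, r in tagged if k == "other"]
    excludes = [r for k, r in tagged if k == "exclude"]
    includes = [r for k, r in tagged if k in ("include", "match")]
    return others + excludes + includes


def build_paste_block(show_aaa_output: str) -> str:
    """Produce the text to paste at the config prompt, starting with clear aaa."""
    ordered = order_aaa_rules(show_aaa_output)
    too_long = [r for r in ordered if len(r) > MAX_CLI_LINE]
    if too_long:
        raise ValueError(f"{len(too_long)} rule(s) exceed {MAX_CLI_LINE} characters")
    return "\n".join(["clear aaa"] + ordered) + "\n"


if __name__ == "__main__":
    print(build_paste_block(SAMPLE_SHOW_AAA))
```

Because clear aaa also removes console authentication until the rules are pasted back, run the paste from a session that does not depend on the AAA rules being cleared.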
•
CSCdz12953
When the security levels associated with two already defined interfaces are modified from their original values, any configuration that uses those security levels is not automatically updated. For example, the static command assumes inbound or outbound based on the security levels for that port. If the security levels are reversed using the nameif command, these commands are not automatically fixed. Such a configuration could lead to problems in the FWSM.
Workaround: If the security level for a nameif command has to be modified, use a no nameif command for that interface first, followed by the nameif command with the new security level.
•
CSCdz11349
If a logging host command is present in the standby module's configuration saved on flash, any existing connections from the active module to the configured logging server get interrupted during a standby reboot.
Workaround: Do not have a logging host command saved on the standby module's flash.
•
CSCdz11127
After clearing the ARP table on the FWSM, any HTTP connection that arrives at the FWSM needing authentication will not receive the username and password prompt for 30 seconds. The same situation occurs if there is no ARP entry in the FWSM for the host that requires authentication. After approximately 30 seconds the behavior is corrected and the HTTP connections starts being authenticated.
Workaround: None.
•
CSCdz10577
Under some rare conditions the FWSM OSPF database goes out of synchronization for an LSA, although adjacency is in full state which may result in a missing route.
Workaround: Issuing a clear ip ospf process_id process command rectifies the problem.
•
CSCdz09913
When an xlate is created for AAA traffic, under certain conditions, the xlates do not get timed out once all connections are torn down, even after the timeout period. Eventually these xlates are garbage collected but it may take some hours.
Workaround: Use the clear xlate command to clear that xlate.
•
CSCdz06670
Under heavy load a Telnet to the firewall fails intermittently. This occurs when the firewall is subject to heavy AAA load.
Workaround: Use SSH to connect to the firewall, or temporarily reduce the amount of AAA traffic.
•
CSCdz06535
When many nameif or no nameif commands are issued continuously during configuration synchronization, a reboot on standby may occur.
Workaround: Wait for the configuration synchronization to complete and then issue the nameif or no nameif commands.
•
CSCdz06297
The connected route entry for a firewall interface is missing. Sometimes a nameif, no nameif, nameif, ip address command sequence results in the connected route entry for the interface being lost, although the IP address of the interface is set correctly.
Workaround: Reissue the ip address command with the same parameters.
•
CSCdz05858
The ip address command cannot differentiate between two interfaces whose names differ only in the case of the letters used, for example INSIDE and inside.
Workaround: Do not use interface names that differ only in case.
•
CSCdz05311
Certain sequences of events (such as switchovers under heavy stress, or disabling and enabling the logical update link continuously) can prevent stateful (connection) information from being replicated from the active to the standby module.
Workaround: Disable failover on the standby module, and then reenable it.
•
CSCdz05019
Some syslog messages do not get rate limited, even after configuring rate limiting for the syslog level to which the syslog belongs.
Workaround: Configure the rate limit for the specific syslog ID using the message option if the level option for that syslog ID does not work.
•
CSCdz04484
After a switchover, the data connection for an FTP connection is dropped by the Windows 2000 FTP server. This problem occurs because the Windows 2000 FTP server closes the connection after a few unsuccessful retries. As a result, the FTP data connection is dropped.
Workaround: None.
•
CSCdy89217
When there are ambiguous NAT commands issued, the following error message will appear on the standby module:
LU allocate xlate failed
This error message is seen only when the wr standby command is specified.
The following is a sample NAT configuration that could trigger this action:
nat (inside) 11 40.10.1.1 255.255.255.255 0 0
nat (inside) 11 40.10.1.0 255.255.255.0 0 0
where 40.10.1.1 is overlapped in both NAT configurations.
Workaround: None.
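Since there is no workaround for CSCdy89217 (listed above for both 1.1(1) and 1.1(2)) other than not having overlapping nat statements, the overlap can be caught before wr standby replicates the configuration. The following lint is an added illustration written for these notes, not Cisco code. It assumes the classic nat (if_name) nat_id local_ip mask form shown in the caveat, treats a bare 0 as 0.0.0.0, skips the nat 0 access-list form (which carries no network on the line), and reports every pair of nat statements on the same interface whose networks overlap; the sample configuration is constructed and its first two lines reproduce the pair from the caveat.

```python
"""Flag overlapping nat statements before 'wr standby' replicates them.

Added example, not FWSM or Cisco code. Parses the classic
'nat (if_name) nat_id local_ip mask [max_conns [em_limit]]' form and
reports pairs on the same interface whose networks overlap.
"""
import ipaddress
import re
from typing import List, Tuple

NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)")

# Constructed configuration excerpt; the first two lines are the
# overlapping pair from the caveat text.
SAMPLE_CONFIG = """\
nat (inside) 11 40.10.1.1 255.255.255.255 0 0
nat (inside) 11 40.10.1.0 255.255.255.0 0 0
nat (inside) 12 40.10.2.0 255.255.255.0 0 0
nat (dmz) 11 40.10.1.0 255.255.255.0 0 0
"""

NatEntry = Tuple[str, int, ipaddress.IPv4Network, str]


def parse_nat(config: str) -> List[NatEntry]:
    """Extract (interface, nat_id, network, original line) per nat line."""
    entries: List[NatEntry] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if not m:
            continue
        if_name, nat_id, ip, mask = m.groups()
        if ip == "access-list":
            continue  # nat 0 access-list form: no network on this line
        ip = "0.0.0.0" if ip == "0" else ip      # FWSM shorthand for any
        mask = "0.0.0.0" if mask == "0" else mask
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        entries.append((if_name, int(nat_id), net, line))
    return entries


def find_overlaps(config: str) -> List[Tuple[str, str]]:
    """Return pairs of nat lines on one interface whose networks overlap."""
    entries = parse_nat(config)
    hits: List[Tuple[str, str]] = []
    for i, (if_a, _, net_a, line_a) in enumerate(entries):
        for if_b, _, net_b, line_b in entries[i + 1:]:
            if if_a == if_b and net_a.overlaps(net_b):
                hits.append((line_a, line_b))
    return hits


if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_CONFIG):
        print("overlap:", a, "<->", b)
```

The check is deliberately interface-scoped: the same network under two different interfaces (the inside and dmz lines in the sample) is a normal configuration and is not reported.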
•
CSCdy88467
The OSPF process gets stuck in exchange and adjacency does not go to the FULL state.
Workaround: Reset the OSPF process by issuing the clear ip ospf pid process command.
•
CSCdy87943
The following message is printed when LSAs generated for an area exceed the limit:
OSPF:Too many secondary addresses or globals
Outgoing OSPF router LSAs are restricted to a length of 1300 bytes. For most deployments this will not be a problem, but in some cases the router LSA being generated for an area exceeds this limit.
Workaround: To reduce the size of the LSA:
–
Use tighter network commands to select only the required interfaces
–
Partition interfaces into areas
–
Align NAT pools on subnet boundaries as far as possible
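The 1300-byte limit of CSCdy87943 (listed above for both 1.1(1) and 1.1(2)) can be checked against a planned configuration before the OSPF:Too many secondary addresses or globals message appears. The following estimator is an added illustration written for these notes, not Cisco code. The byte counts are the OSPFv2 formats from RFC 2328 (20-byte LSA header, 4 bytes of router-LSA flags and link count, 12 bytes per link), so 106 links is the most that fit in 1300 bytes. How the module turns interfaces and NAT globals into links is not stated on this page; the example assumes one link per interface in the area plus one stub link per CIDR block needed to cover each NAT global pool, which is the model the "align NAT pools on subnet boundaries" workaround implies. The pool ranges below are constructed.

```python
"""Estimate whether an FWSM router LSA for an area stays under 1300 bytes.

Added example, not Cisco code. Byte counts are from RFC 2328; the link
model (one link per interface, one stub link per CIDR block covering a
NAT global pool) is an assumption made for this illustration.
"""
import ipaddress
from typing import List, Sequence, Tuple

LSA_HEADER_BYTES = 20        # RFC 2328 A.4.1, LSA header
ROUTER_LSA_FIXED_BYTES = 4   # RFC 2328 A.4.2, flags + number of links
LINK_BYTES = 12              # Link ID, Link Data, Type, #TOS, TOS 0 metric
ROUTER_LSA_LIMIT = 1300      # limit stated in the caveat

Pool = Tuple[str, str]       # (first global address, last global address)


def pool_blocks(pool: Pool) -> List[ipaddress.IPv4Network]:
    """Smallest set of CIDR blocks covering the pool; assumed one stub link each."""
    first, last = (ipaddress.IPv4Address(a) for a in pool)
    return list(ipaddress.summarize_address_range(first, last))


def router_lsa_bytes(n_links: int) -> int:
    """Size of a router LSA carrying n_links links, TOS 0 metrics only."""
    return LSA_HEADER_BYTES + ROUTER_LSA_FIXED_BYTES + LINK_BYTES * n_links


def max_links() -> int:
    """Largest link count that still fits in a 1300-byte router LSA."""
    return (ROUTER_LSA_LIMIT - LSA_HEADER_BYTES - ROUTER_LSA_FIXED_BYTES) // LINK_BYTES


def estimate(interfaces_in_area: int, pools: Sequence[Pool]) -> Tuple[int, int, bool]:
    """Return (links, bytes, fits) for an area with these interfaces and pools."""
    links = interfaces_in_area + sum(len(pool_blocks(p)) for p in pools)
    size = router_lsa_bytes(links)
    return links, size, size <= ROUTER_LSA_LIMIT


if __name__ == "__main__":
    misaligned: Pool = ("40.10.1.1", "40.10.1.254")   # needs 14 CIDR blocks
    aligned: Pool = ("40.10.1.0", "40.10.1.255")      # one /24
    print("misaligned:", estimate(4, [misaligned]))
    print("aligned:   ", estimate(4, [aligned]))
```

The two sample pools cover almost the same addresses, yet the misaligned one costs 14 links and the aligned one costs 1, which is why the workaround asks for subnet-aligned pools and for partitioning interfaces into areas when the count approaches 106.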
•
CSCdy85431
Configuring a large number of fixup and filter rules causes the active FWSM to switch over to standby mode. This problem is seen when a large number of fixup and filter rules are added to an active FWSM and the failover poll frequency is configured as a low value.
Workaround: Disable failover while configuring filter and fixup rules.
•
CSCdy84020
Packets belonging to authentication traffic that requires fragmentation may not be fragmented.
Workaround: None.
•
CSCdy83957
When a data channel is opened with a sequence number close to the maximum 32-bit value, the subtraction of the random delta sequence number might lead to a carry problem. The TCP state machine then does not recognize the final acknowledgment, and the connection stays in the 2-FIN state until that state times out and the connection is aged out.
Workaround: None.
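The carry problem described in CSCdy83957, as an added example that is not part of the release notes or of the FWSM code. It models the arithmetic any firewall that randomizes initial sequence numbers must do: add a per-connection delta to the sequence numbers leaving the inside host, and subtract it from the acknowledgment numbers coming back. The naive form subtracts as plain integers and goes negative once the wire-side number has wrapped past zero, so the ACK that covers the FIN is never matched; the modular form and the wrap-tolerant comparison are the general fix. The sequence values are constructed to sit just below 2**32.

```python
"""Sequence-number randomization across the 32-bit wrap.

Added example, not FWSM code. Shows why derandomizing an ACK with plain
subtraction fails near 2**32 and how modulo-2**32 arithmetic handles it.
"""
SEQ_MOD = 1 << 32


def to_wire(inside_seq: int, delta: int) -> int:
    """Sequence number as seen on the outside after randomization."""
    return (inside_seq + delta) % SEQ_MOD


def from_wire_naive(wire_ack: int, delta: int) -> int:
    """Buggy derandomization: plain subtraction goes negative once the
    wire-side number has wrapped past zero, so it can never match."""
    return wire_ack - delta


def from_wire(wire_ack: int, delta: int) -> int:
    """Correct derandomization: subtract modulo 2**32."""
    return (wire_ack - delta) % SEQ_MOD


def seq_lt(a: int, b: int) -> bool:
    """Wrap-tolerant 'a is before b': the modular distance from a to b is
    non-zero and lies in the lower half of the 32-bit space."""
    dist = (b - a) % SEQ_MOD
    return dist != 0 and dist < (1 << 31)


def fin_acknowledged(inside_fin_seq: int, wire_ack: int, delta: int,
                     naive: bool = False) -> bool:
    """True if the peer's ACK covers the FIN (a FIN consumes one number)."""
    expected = (inside_fin_seq + 1) % SEQ_MOD
    got = from_wire_naive(wire_ack, delta) if naive else from_wire(wire_ack, delta)
    return got == expected


def demo() -> dict:
    """Data channel whose FIN sits just below 2**32; the randomized number wraps."""
    inside_fin = 0xFFFFFFF0            # constructed: FIN 16 numbers below the wrap
    delta = 0x10000000                 # constructed per-connection random delta
    wire_fin = to_wire(inside_fin, delta)        # 0x0FFFFFF0 after the wrap
    wire_ack = (wire_fin + 1) % SEQ_MOD          # what the outside peer sends back
    return {
        "wire_fin": wire_fin,
        "naive_ack": from_wire_naive(wire_ack, delta),   # negative, never matches
        "modular_ack": from_wire(wire_ack, delta),       # 0xFFFFFFF1 == FIN + 1
        "naive_matches": fin_acknowledged(inside_fin, wire_ack, delta, naive=True),
        "modular_matches": fin_acknowledged(inside_fin, wire_ack, delta),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

A connection whose final ACK is never matched is exactly what the caveat describes: the state machine waits in the 2-FIN state until the idle timeout ages the entry out, which is also why the caveat has no workaround short of a fix in the arithmetic.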
•
CSCdy82175
When configuring console authentication (a subset of AAA), and the command is entered with incorrect syntax where the console keyword should be, the authentication is internally translated to a wrong command, and later attempts to remove that command fail.
This example shows the correct syntax:
FWSM(config)# aaa authentication http console TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+
This example shows the incorrect syntax:
FWSM(config)# aaa authentication http inbound 0.0.0.0 0.0.0.0 TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+
FWSM(config)# no aaa authentication http console TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+
FWSM(config)#
Workaround: Enter the same command that was first issued with the no keyword in front, or use the clear aaa authentication or clear aaa command to clear the related AAA configuration.
•
CSCdy77731
When OSPF in the FWSM is configured to have a virtual link and an NSSA in the same routing process, upon removal of the virtual link, type 4 LSAs may be injected into the NSSA. This results in warnings being displayed in other routers connected to the FWSM in the NSSA. This caveat is not known to have any other adverse effect on functionality.
Workaround: None.
•
CSCdy75936
When configuring together AAA authentication and fixup for the HTTP protocol, the fixup is not applied to the first user connection (the connection that is prompted for a username password).
Workaround: Use the virtual HTTP feature.
To use the virtual HTTP feature on the FWSM you must do the following:
–
Define the virtual HTTP address in the outside interface (an internet real address, and hence, any internet user should be able to contact it - similar to a global IP address).
–
Provide a static port entry from this outside virtual address to any address located in any other interface than the outside (even a fake address, as long as there is a route for this fake address through an interface different than the outside one).
–
Have a AAA rule for this virtual HTTP address.
•
CSCdy72131
The timeout command does not get replicated to standby if a partial command is issued, for example: time conn 5.
Workaround: Use the full form of the command. For example: timeout conn 5.
•
CSCdy72108
The wr mem command entered on the active module will occasionally take a long time (3 minutes) to complete. This situation causes the active module to switch to the standby or failed state and the standby module to switch to the active state. After some time (3 minutes) the new standby comes out of the failed state and continues to act as a normal standby.
Workaround: None.
•
CSCdy70695
If authentication (AAA) traffic is directed to a particular local host, the displayed connection count for some of those local hosts (output of the show local-host command) may be more than the maximum connection limit configured for those local hosts.
Workaround: None.
•
CSCdy70462
The no mtu interface_name mtu_value command does not reset the interface MTU to the default (1500) value.
Workaround: Use the mtu interface_name 1500 command to set the interface MTU to the default value of 1500 bytes.
•
CSCdy69069
Sometimes when the wr mem command is issued from a PDM session, the command may take several minutes, but eventually it completes.
Workaround: None.
•
CSCdy67187
Configuring the command authorization database with the aaa authentication match acl_name rules configured generates an error. Using PDM to configure the command authorization and AAA authentication results in the same error.
Workaround: If the configuration is being done through the FWSM command-line interface, configure the AAA authentication rules instead of the match access-list syntax as follows:
aaa authentication include tcp inside 123.45.67.0 255.255.255.0 group_tag
If you are using the PDM application for configuration, use the previous rule type and configure the AAA rule through the PDM command-line interface window.
•
CSCdy66521
When the system is under heavy stress, some show commands may result in partial or no results.
Workaround: Repeat the command.
•
CSCdy66211
Under heavy HTTP traffic that requires URL-filtering, the URL filtering server status on the FWSM toggles between the active and failed states. The FWSM generates the following syslog messages when toggling the status.
304007: URL Server not responding, ENTERING ALLOW mode
304008: LEAVING ALLOW mode, URL Server is up
Because of a large number of pending URL status request messages, the URL filtering server sometimes fails to reply to the keepalive messages sent by the FWSM. This situation causes the FWSM to report the URL server status as failed. The URL server status returns to the active state after a keepalive response is received from the URL filtering server.
Workaround: None.
•
CSCdy64149
Sometimes the PDM application fails to load the configuration from the FWSM if the PDM host is located multiple Layer-3 hops away from the module.
Workaround: Launch PDM from a host that is on the same subnet as the FWSM interface.
•
CSCdy63509
If the username is configured on the system, the following message gets printed on the standby module during wr standby command action:
Username exists. Only privilege level can be updated for existing usernames. Username addition failed.
Workaround: Issue a clear username command on the standby module before issuing a wr standby command on the active module.
•
CSCdy63334
When the FWSM is configured as a designated router (DR), it may fail to refresh the Network LSA (link state advertisement) for an area. On occasion, the Network LSA for interfaces, where the module is configured as designated router (DR), is missing from all routers in the same area.
Workaround: Do not configure the module as a designated router (DR). By default, the module does not boot as the designated router (DR). The default OSPF priority of an interface is set to 0 for the module.
•
CSCdy61294
Heavy stress caused by HTTP, SMTP, FTP, UDP, and ICMP traffic passing through the module can introduce intermittent communication loss between the active and standby modules. Any switchover caused by the failover active or the no failover active commands can result in configuration synchronization failure and a reboot on the new standby module.
Workaround: None.
•
CSCdy60921
The show route command displays both an OSPF route and a static route. The command should show only the static route. The routing occurs correctly through the static route.
Workaround: None.
•
CSCdy60658
The FO unreplicable:cmd=net message is displayed on the standby firewall when the network...area command for OSPF is abbreviated. This message occurs when OSPF and failover are configured.
Workaround: Enter the network ... area command again without abbreviation.
•
CSCdy59930
Configuring the NAT 0 ACL and regular NAT in the same interface is not supported in this release. Such a configuration will cause packets on the interface to use the wrong translation.
Workaround: None.
•
CSCdy49865
Under stress, the connection count shown by the show local-host command may not be accurate. The number of connections shown on the local host may be more than the actual connections that exist at that given time. This situation occurs under stress, as some control messages may be lost within the system, causing the connection count in the local host to be out of sync with the actual number of connections. This condition is eventually resolved by the garbage collection process.
Workaround: None.
•
CSCdy38008
The SSH management connection to the FWSM appears to hang while downloading an image to the Flash. The SSH connection recovers once the copying is complete. You will not see the copy progressing while doing the same through a Telnet management connection. There are no other side effects.
Workaround: None.
•
CSCdy35628
When reloading the module, the switch may not boot the module and may deny it power.
Workaround: Use these commands on the Route Processor console:
Router# configure terminal
Router(config)# no power enable module module_num
Router(config)# power enable module module_num
•
CSCdy21695
Under heavy stress with traffic flowing to the NP slowpath, valid fragmented traffic may be seen as overlapping fragments and may be dropped.
Workaround: None.
•
CSCdy19755
Issuing the ca generate rsa key size command on the active module sometimes causes a switchover. The RSA key generation algorithm (started by the ca generate rsa key size command) may take up to three minutes to converge, because it is based on a random seed. This happens if the size is set to 1024 or 2048 bits. In this case, if the failover poll time is set to a small value (for example, three seconds), a switchover may occur because the active module is busy generating the key and cannot respond to polls, which causes the standby to take over.
Workaround: Disable failover on the active and standby modules before generating the key to avoid switchover. Failover can be reenabled once the key generation is done.
•
CSCdy16778
When the interface static command is configured, the fragmented echo replies that are sent in that interface with the same IP address as the interface are dropped. This condition occurs only when the interface keyword is used along with the static command and when the destination IP address is the same as the interface IP address.
Workaround: None.
•
CSCdx93864
The FWSM disables all connections from or to the shunned IP address, even if specific connection parameters have been specified in the applied shun command. This behavior is different from that of PIX, where if full connection parameters are passed, only that connection is torn down and all the other connections from or to the source (shunned) IP address do not pass traffic (are starved).
Once the shun is removed from the starved connection, all shunned connections that are not timed out will resume passing traffic. In the FWSM implementation, even if the shun is applied with full connection parameters (source IP, destination IP, source port, destination port and protocol), all connections from or to the source IP address are disabled.
Workaround: None.
•
CSCdx91902
An attempt to assign an access list to the nat (interface) 0 access-list command that contains protocol or port numbers will fail and will generate an error message. The behavior for the nat (interface) 0 access-list command differs from that of PIX. For the FWSM, the access list being configured with the nat 0 access-list command cannot contain protocol or port numbers. In PIX, such an access list is accepted. However, the protocol and port numbers are ignored when used for NAT. In the FWSM, only access lists that have no rules with protocols or port numbers will be accepted as part of the nat (interface) 0 access-list command.
Workaround: Configure only those access lists that have rules with no protocols or port numbers.
•
CSCdx81768
The FWSM does not report the most-used connection count. This value is also not reported by the SNMP agent Firewall MIB. The show connection count command displays only the current number of connections, not the most-used connection count.
Workaround: None.
•
CSCdx80521
New connections through the FWSM are not allowed, but existing connections continue to pass. When a TCP syslog server is unreachable, the module blocks new connections by design. However, once connectivity with the TCP syslog server is re-established, new connections still do not pass.
Workaround: If you run the no logging on command, the new connections through the FWSM will resume. Remove the configuration for the failed syslog server, and re-enable the logging.
•
CSCdx30448
UDP connections are not counted when calculating the maximum connections configured for the static command. The connection count and connection count limit in the static command are for TCP connections only.
Workaround: None.
•
CSCdx30230
New and maximum connection limits specified with the NAT command-line interface are not used for outbound connections. These limits are only valid for inbound connections, even when they are specified along with the NAT command-line interface command.
Workaround: None. This is the correct behavior.
•
CSCdx20282
There is no support for the inside interface as the default interface for the URL server. The inside interface is an optional firewall interface in the FWSM.
Workaround: Define the interface when entering the url-server statement.
•
CSCdx19165
Debug output shows at the Telnet prompt before a user logs in.
Workaround: None.
•
CSCdx14768
The clear nameif command is not supported and displays an error message.
Workaround: Use the no nameif command. Refer to caveat CSCdx14699.
•
CSCdx14699
You cannot change the interface name once it is assigned using a nameif command. Trying to change the name of the interface using the nameif command results in an error message.
Workaround: Delete the old interface using the no nameif command, and assign it with a new name. All configuration parameters tied to that interface are lost when you run the no nameif command. (Refer to caveat CSCdx14768.)
Resolved Caveats in Release 1.1(1)
Note
For a description of caveats open in FWSM software release 1.1(1), see the "Open Caveats in Release 1.1(1)" section.
There are no resolved caveats in FWSM software release 1.1(1).
Documentation Updates
This section contains update information for the Firewall Services Module (FWSM) software releases 1.1(1), 1.1(2), 1.1(3), and 1.1(4).
•
CSCef03274
System messages 109009 and 109014 documented in the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Guide are not applicable to the FWSM. These system messages are as follows:
Error Message %FWSM-6-109009: Authorization denied from laddr/lport to faddr/fport (not authenticated) on interface int_name.
Explanation This message indicates that the module is configured for AAA, and you attempted to make a TCP connection across the module without prior authentication.
Recommended Action None.
Error Message %FWSM-7-109014: uauth_lookup_net fail for uauth_in()
Explanation A request to authenticate did not have a corresponding request for authorization.
Recommended Action Ensure that both the AAA authentication and AAA authorization command statements are provided in the configuration.
•
CSCef02523
System messages 610001 and 610002 are invalid and should be removed from the documentation.
Error Message %FWSM-3-610001: NTP daemon interface int_name: Packet denied from IP_addr
Explanation An NTP packet was received from a host that does not match one of the configured NTP servers. The module is an NTP client only; it is not a time server and does not respond to NTP requests.
Recommended Action None.
Error Message %FWSM-3-610002: NTP daemon interface int_name: Authentication failed for packet from IP_addr
Explanation The received NTP packet failed the authentication check.
Recommended Action Ensure that both the module and the NTP server are set to use authentication and have the same key number and value.
Workaround: None.
•
CSCee92564
The following system log message is not applicable to the FWSM 1.1(3) image.
Error Message %FWSM-1-106022: Deny protocol connection spoof from src_addr to dest_addr on interface int_name
Explanation This message indicates that a connection exists, and a packet matching the connection arrives on a different interface from the interface on which the connection began. For example, if you start a connection on the internal interface, but the module detects the same connection arriving on a perimeter interface, then either the module has more than one path to a destination, which is known as asymmetric routing and is not supported on the module, or an attacker is attempting to append packets from one connection to another as a way to break into the module. In either case, the module displays this message and drops the connection.
Recommended Action This message indicates that the ip verify reverse-path command is not configured. Check to ensure that routing is not asymmetric.
•
CSCee34893
The FWSM 1.1(x) documentation incorrectly states the following:
You cannot establish IPSec tunnels across the firewall; any tunnel initiated by a VPN client on another switch should terminate at the Firewall Services Module.
It is possible to establish IPSec tunnels through FWSM. The FWSM does not allow VPN tunnels to terminate on the FWSM for traffic destined to addresses other than the FWSM; only management traffic to the FWSM is allowed. VPN tunnels established from a VPN client to a VPN server on the other side of the FWSM are allowed if you configure the FWSM to allow VPN traffic.
Related Documentation
For more detailed installation and configuration information, refer to the following publications:
•
For additional information about the Catalyst 6500 and Cisco 7600 Series Firewall Services Module, refer to the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Guide.
•
For additional information about Catalyst 6500 series switches and command-line interface (CLI) commands, refer to the following:
–
Site Preparation and Safety Guide
–
Regulatory Compliance and Safety Information for the Catalyst 6500 Series and Cisco 7600 series Switches
–
Catalyst 6500 Series Switch Installation Guide
–
Catalyst 6500 Series Switch Quick Software Configuration Guide
–
Catalyst 6500 Series Switch Module Installation Guide
–
Catalyst 6500 Series Switch Software Configuration Guide
–
Catalyst 6500 Series Switch Command Reference
–
Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide
–
Catalyst 6500 Series Switch Cisco IOS Command Reference
–
ATM Software Configuration and Command Reference—Catalyst 5000 Family and Catalyst 6500 Series Switches
–
System Message Guide—Catalyst 6500 Series, 5000 Family, 4000 Family, 2926G Series, 2948G, and 2980G Switches
–
For information about MIBs, refer to this URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
–
Release Notes for Catalyst 6500 Series Switches and Cisco 7600 router for Cisco IOS Release 12.1(13)E
–
Cisco IOS Configuration Guides and Command References—Use these publications to help you configure the Cisco IOS software that runs on the MSFC and on the MSM and ATM modules.
–
For detailed hardware configuration and maintenance procedures, refer to the Catalyst 6500 Series Switch Module Installation Guide.
•
The following documents are available for the Catalyst 6500 family switches running Catalyst operating system software:
–
Release Notes for Catalyst 6000 Family Software Release 7.x
–
Catalyst 6500 Series Switch Documentation Map
–
Catalyst 6500 Series Switch Configuration Guide (7.5)
–
Catalyst 6500 Series Switch Command Reference (7.5)
–
System Message Guide—Catalyst 6500 Series Switches (7.5)
•
For additional information about the PIX software, refer to the following:
–
Cisco PIX Firewall Release Notes Version 6.1(1)
–
Cisco PIX Device Manager Installation Guide, Version 2.1
–
Cisco PIX 501 Firewall Quick Start Guide
–
Cisco PIX Firewall Hardware Installation Guide
–
Cisco PIX Device Manager Installation Guide
–
Cisco PIX Firewall and VPN Configuration Guide
–
Cisco PIX Firewall Command Reference
–
Cisco PIX Firewall System Log Messages
Cisco IOS Software Documentation Set
Cisco IOS Configuration Guides and Command References—Use these publications to help you configure the Cisco IOS software that runs on the MSFC and on the MSM and ATM modules.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•
Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/index.shtml
•
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool automatically provides recommended solutions. If your issue is not resolved using the recommended resources, your service request will be assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553 2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•
Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
•
The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://cisco.com/univercd/cc/td/doc/pcat/
•
Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
•
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
•
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
•
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
•
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
This document is to be used in conjunction with the documents listed in the "Resolved Caveats in Release 1.1(1)" section.
Copyright © 2004, Cisco Systems, Inc.
All rights reserved.