Table Of Contents
Limitations and Restrictions on the FWSM
Limitations and Restrictions in Cisco IOS Software
Limitations and Restrictions in the Catalyst Operating System
Open Caveats in Software Release 2.3(5)
Resolved Caveats in Software Release 2.3(5)
Resolved Caveats in Software Release 2.3(4)
Resolved Caveats in Software Release 2.3(3.2)
Resolved Caveats in Software Release 2.3(3)
System Message and SNMP Caveats
Resolved Caveats in Software Release 2.3(2)
Resolved Caveats in Software Release 2.3(1)
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 2.3(5)
July 2006
These release notes describe the features, modification, and caveats for the Firewall Services Module (FWSM) software release 2.3(5).
Note
The FWSM 2.3(3.2) and later releases passed Cisco Safe Harbor testing in single routed firewall mode and in single transparent firewall mode.
This document includes the following sections:
•
Open Caveats in Software Release 2.3(5)
•
Resolved Caveats in Software Release 2.3(5)
•
Resolved Caveats in Software Release 2.3(4)
•
Resolved Caveats in Software Release 2.3(3.2)
•
Resolved Caveats in Software Release 2.3(3)
•
Resolved Caveats in Software Release 2.3(2)
•
Resolved Caveats in Software Release 2.3(1)
•
Obtaining Documentation, Obtaining Support, and Security Guidelines
Important Notes
See the following important notes for configuring the FWSM:
•
In some circumstances, when you configure a limit on TCP connections as well as a limit on embryonic connections in a nat or static statement, a denial of service (DoS) condition might occur. We recommend that you configure only one of these limits at a time for a given nat or static statement, and leave the other at the default of 0 (unlimited, up to the maximum for the system). The UDP connection limits are not affected. See caveat CSCee47998 for more information.
•
When you configure the embryonic limit for an inside static statement, and you also configure dynamic PAT for an outside interface, then a SYN attack from the outside to the inside static address causes a large number of PAT translations with associated connections, even though the connections are not established. These PAT translations do not time out within the default 30-second interval for translations without the associated connections because the FWSM thinks that there are valid connections associated. The pool of addresses and ports for the outside addresses gets used up, and no additional clients can connect. We recommend that you do not configure outside PAT in this situation. See caveat CSCee48769 for more information.
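The two limit interactions described in the notes above can be checked mechanically before a configuration is pushed. The following script is an added example, not Cisco's code; it assumes the 2.x statement forms static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask] [tcp max_conns emb_limit] [udp max_conns], nat (real_ifc) id real_ip mask [tcp max_conns emb_limit], and global (mapped_ifc) id {ip | ip-ip | interface}, and treats a single-address or interface global as dynamic PAT; the configuration it parses is constructed.

```python
"""Flag FWSM nat/static statements that hit the two connection-limit pitfalls
in the Important Notes (caveats CSCee47998 and CSCee48769).

Added example, not Cisco's code.  Assumed (not from the release notes) forms:
  static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask m] [tcp max emb] [udp max]
  nat (real_ifc) id real_ip mask [tcp max emb] [udp max]
  global (mapped_ifc) id {ip | ip-ip | interface}
A global with a single address or 'interface' is treated as a dynamic PAT pool.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

IFC_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Statement:
    line: str
    kind: str                  # "static" or "nat"
    mapped_ifc: Optional[str]  # interface the mapped address lives on (static only)
    tcp_max: int               # TCP connection limit, 0 = unlimited
    emb_limit: int             # embryonic (half-open) limit, 0 = unlimited


def _tcp_limits(tokens: List[str]) -> Tuple[int, int]:
    """Read the optional 'tcp max_conns emb_limit' clause; missing values mean 0."""
    if "tcp" not in tokens:
        return 0, 0
    i = tokens.index("tcp")
    nums: List[int] = []
    for tok in tokens[i + 1:i + 3]:
        if not tok.isdigit():
            break  # reached 'udp' or the end of the line
        nums.append(int(tok))
    nums += [0] * (2 - len(nums))
    return nums[0], nums[1]


def parse_config(text: str) -> Tuple[List[Statement], Set[str]]:
    """Return the nat/static statements and the set of interfaces with a PAT global."""
    statements: List[Statement] = []
    pat_ifcs: Set[str] = set()
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("static", "nat", "global"):
            continue
        m = IFC_RE.search(raw)
        if not m:
            continue
        ifcs = [s.strip() for s in m.group(1).split(",")]
        if tokens[0] == "global":
            pool = tokens[3] if len(tokens) > 3 else ""
            if pool == "interface" or (pool and "-" not in pool):
                pat_ifcs.add(ifcs[0])
            continue
        tcp_max, emb = _tcp_limits(tokens)
        mapped = ifcs[1] if tokens[0] == "static" and len(ifcs) > 1 else None
        statements.append(Statement(raw.strip(), tokens[0], mapped, tcp_max, emb))
    return statements, pat_ifcs


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (caveat, statement) pairs for every risky nat/static line."""
    statements, pat_ifcs = parse_config(text)
    findings = []
    for s in statements:
        # CSCee47998: both a TCP limit and an embryonic limit on one statement
        if s.tcp_max and s.emb_limit:
            findings.append(("CSCee47998", s.line))
        # CSCee48769: embryonic limit on a static whose mapped interface also does PAT
        if s.kind == "static" and s.emb_limit and s.mapped_ifc in pat_ifcs:
            findings.append(("CSCee48769", s.line))
    return findings


# Constructed sample configuration (not from the release notes).
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 tcp 0 100
static (inside,outside) 209.165.201.5 10.1.1.5 netmask 255.255.255.255 tcp 1000 500
static (inside,outside) 209.165.201.6 10.1.1.6 netmask 255.255.255.255 tcp 1000 0 udp 200
static (dmz,outside) 209.165.201.7 10.2.2.7 netmask 255.255.255.255 tcp 0 50
"""

if __name__ == "__main__":
    for caveat, line in lint(SAMPLE_CONFIG):
        print(f"{caveat}: {line}")
```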
Chassis System Requirements
The switch models that support the FWSM include the following platforms:
•
Catalyst 6500 series switches, with the following required components:
–
Supervisor engine with Cisco IOS software or Catalyst operating system (OS). See Table 1 for supported supervisor engine and software releases.
–
Multilayer Switch Feature Card (MSFC 2) with Cisco IOS software. See Table 1 for supported Cisco IOS releases.
•
Cisco 7600 series routers, with the following required components:
–
Supervisor engine with Cisco IOS software. See Table 1 for supported supervisor engine and software releases.
–
MSFC 2 with Cisco IOS software. See Table 1 for supported Cisco IOS releases.
Table 1 shows the supervisor engine version, software, and supported FWSM features.
Table 1 Support for FWSM 2.3 Features
Supervisor Software Release      Supervisor Engines (1)   Multiple SVIs (2)   Transparent Firewall with Failover (3)
Cisco IOS
  12.1(13)E                      2                        No                  No
  12.1(19)E                      2                        Yes                 No
  12.1(22)E and higher           2                        Yes                 Yes
  12.2(14)SY and higher          2                        Yes                 No
  12.2(14)SX                     2, 720                   No                  No
  12.2(17a)SX3                   2, 720                   Yes                 Yes
  12.2(17b)SXA                   2, 720                   Yes                 Yes
  12.2(17d)SXB and higher        2, 720                   Yes                 Yes
  12.2(18)SXF                    32, 2, 720               Yes                 Yes
Catalyst OS (4)
  7.5(x)                         2                        No                  No
  7.6(1) through 7.6(4)          2                        Yes                 No
  7.6(5) and higher              2                        Yes                 Yes
  8.2(x)                         2, 720                   Yes                 Yes
  8.3(x)                         2, 720                   Yes                 Yes
(1) The FWSM does not support Supervisor Engine 1 or 1A.
(2) Supports multiple switched VLAN interfaces (SVIs) between the MSFC and FWSM. An SVI is a VLAN interface that is routed on the MSFC.
(3) Supports transparent firewall mode when you use failover. Failover requires BPDU forwarding to the FWSM, or else you can have a loop. Other releases that do not support BPDU forwarding only support transparent mode without failover.
(4) When you use Catalyst OS on the supervisor engine, you can use any of the supported Cisco IOS releases above on the MSFC. (When you use Cisco IOS software on the supervisor engine, you use the same release on the MSFC.) The supervisor engine software determines the FWSM feature support. For example, if you use Catalyst software release 7.6(1) on the supervisor engine and Cisco IOS Release 12.1(13)E on the MSFC, then the switch does support multiple SVIs, because Catalyst software release 7.6(1) supports multiple SVIs.
Management Support
The FWSM supports the following management methods:
•
Cisco ASDM—Software Release 4.1 supports FWSM software release 2.3 features. PDM is a browser-based configuration tool that resides on the FWSM. The system administrator can configure multiple security contexts. If desired, individual context administrators can configure only their contexts.
•
Cisco Firewall MC—Software release 1.3.1 supports FWSM software release 2.3 features. For multiple context mode, software release 1.3.1 supports management of each context separately but does not support system-level operations, such as adding or deleting contexts, or the provisioning of failover in multiple mode.
•
Command-line interface (CLI)—Access the CLI by sessioning from the switch or by connecting to the FWSM over the network using Telnet or SSH. The FWSM does not have its own external console port.
New Features
Table 2 lists the new features for FWSM software release 2.3(1).
Upgrading the Software
The following command allows you to upgrade from FWSM software release 1.1 (or pre-release versions of 2.x) to FWSM software release 2.3. For other options for upgrading from Release 2.x, such as upgrading to a different application partition or from a different type of server, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide.
To upgrade the application software to the current application partition, enter the following command. For multiple context mode, you must be in the system execution space.
hostname# copy tftp://server[/path]/filename flash:
For example, enter the following command:
hostname# copy tftp://209.165.200.226/cisco/c6svc-fwm-k9.2-1-1.bin flash:
Software License Information
FWSM software release 2.2 introduced a software license for multiple security context support. With the basic license, the FWSM supports two contexts plus the special admin context. You can buy a license for additional security context support, up to 100 contexts. See the Cisco.com website for more information about licensing options. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for more information about entering a license activation key.
Limitations and Restrictions
This section lists the limitations and restrictions for the following operating systems:
•
Limitations and Restrictions on the FWSM
•
Limitations and Restrictions in Cisco IOS Software
•
Limitations and Restrictions in the Catalyst Operating System
Limitations and Restrictions on the FWSM
See the following limitations and restrictions on the FWSM:
•
Multiple context mode does not support dynamic routing protocols such as RIP and OSPF. Use static routing instead.
•
Transparent firewall mode supports a maximum of two interfaces per context.
•
For transparent firewall mode, you must configure a management IP address.
•
The outbound connections (from a higher security interface to a lower security interface) from an interface that is shared between the contexts can only be classified and directed through the correct context if you configure a static translation for the destination IP address. This limitation makes cascading contexts unsupported, because configuring the static translations for all the outside hosts is not feasible.
•
The CPU-intensive commands, such as copy running-config startup-config (and the write memory command, which performs the same task), might affect system performance, including reducing the successful rate of inspection and AAA connections. When a CPU-intensive action completes, the FWSM might produce a burst of traffic to catch up. If you limit the resource rates for a context, the burst might unexpectedly reach the maximum rate. We recommend using these commands during low traffic periods. Other CPU-intensive actions include the show arp command, polling the FWSM with SNMP, loading a large configuration, and compiling a large access list.
Limitations and Restrictions in Cisco IOS Software
See the following limitations and restrictions in Cisco IOS software for interoperating with the FWSM. See also the "Chassis System Requirements" section for the FWSM feature support in Cisco IOS software.
•
Although the FWSM can handle jumbo Ethernet frames, the switch does not handle jumbo frames through the FWSM. See caveat CSCee03625 for more information.
•
For some releases of Cisco IOS software, you cannot install the FWSM in slot 13. This problem occurs with all service modules. See caveat CSCed82263 for more information.
•
For some releases of Cisco IOS software, if the supervisor engine fails over, the FWSM switching mode might change from crossbar mode to bus mode. This change causes FWSM traffic to be disrupted until the switching mode returns to crossbar mode (see the show fabric switching-mode command to view the FWSM switching mode). You can restore the crossbar mode by bringing the failed supervisor engine online again by inserting a new crossbar module or by reloading the FWSM. See caveat CSCee62630 for more information.
Limitations and Restrictions in the Catalyst Operating System
See the following limitations and restrictions in the Catalyst operating system for interoperating with the FWSM. See also the "Chassis System Requirements" section for FWSM feature support.
•
Although the FWSM can handle jumbo Ethernet frames, the switch does not handle jumbo frames through the FWSM. See caveat CSCee03625 for more information.
•
If you reload the switch or the FWSM, the switch might lose the configuration that assigns the VLANs to the FWSM. You need to reenter the set vlan firewall-vlan command after the reload. See caveat CSCed69941 for more information. This problem is resolved in release 8.3(1) and might be resolved in earlier versions.
•
If you reload the switch, the switch might lose the configuration for the SVIs on the MSFC. You need to reenter the interface vlan command on the MSFC after the reload. See caveat CSCed69931 for more information. This problem was found in software release 7.6(5) and might exist in later releases.
Open Caveats in Software Release 2.3(5)
This section contains open caveats in software release 2.3(4). If you are a registered cisco.com user, view Bug Toolkit on Cisco.com at the following website:
http://www.cisco.com/support/bugtools
To become a registered Cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
•
CSCdz11283
Because the FWSM does not allow Telnet to the lowest security interface, if you configure a context with only one interface, you cannot Telnet to it because it is inherently the lowest security interface.
Workaround: Configure a second interface at a lower security level, and then delete the interface; the FWSM now allows Telnet to the one remaining interface.
•
CSCea93521
If you change any crypto map commands, the changes are made in the configuration, but the FWSM still uses the old settings.
Workaround: Reapply the crypto map to the interface by entering the no crypto map interface command to remove it, and then reapply the crypto map.
•
CSCeb00636
When you set the fragment command to 1, the show fragment command displays the value as 0. The FWSM uses the correct value of 1 even though the display is incorrect.
Workaround: None.
•
CSCec02764
When you use Reflection X as an XDMCP client, the connection gets reset after 2 hours.
Workaround: Enter the timeout conn command to set the TCP connection timeout to 4 hours on the FWSM instead of the default of 1 hour.
•
CSCed75337
When a duplicate route with a lower metric cost through a different interface is configured, the show route command displays the incorrect interface.
Workaround: Remove the initial route that is going to be replaced and then configure the new route.
•
CSCed92496
When a Smurf attack occurs against the FWSM, the FWSM correctly drops the traffic, but does not generate a system message or SNMP trap about the Smurf attack.
Workaround: None.
•
CSCee25850
In manual commit mode for access lists, the show access-list command shows the standard (OSPF) access lists as not being committed. The display is incorrect, and the standard access lists behave as expected.
Workaround: None.
•
CSCee29967
In multiple context mode, the system execution space cannot send system messages to an external syslog server through the admin context; you can only view these system messages from the buffer or on your session monitor.
Workaround: None.
•
CSCee41620
When you use Cisco VPN client Release 3.6.3 for management access in routed firewall mode, you cannot use the local database for user authentication.
Workaround: Use RADIUS or TACACS+ for authentication.
•
CSCee55112
The CPU goes to 99 percent of capacity when there is a large number of SCCP sessions suddenly being handled. This situation negatively impacts IP routing updates.
Workaround: None.
•
CSCee78616
Performance monitoring values do not match the statistics that the resource manager collects.
Workaround: Use the show resource usage command to obtain accurate statistics.
•
CSCef47137
The duration value in the translation teardown syslog messages does not correspond to the real duration of the connection.
Workaround: None.
•
CSCef60476
The problem occurs when an FWSM has several interfaces with the same security level and the IP phones are in a different VLAN than the Cisco CallManager. The phones register, but when they go off hook, they do not get a dial tone and they reset.
Workaround: Move the IP phones to the same VLAN that Cisco CallManager is on.
•
CSCef77370
When you enter the show processes command, the run-time values in the output are not accurate. During high CPU usage on the FWSM, the run-time values are used to determine which processes are using the CPU. Currently, the values are incremented only if the time that the process spends on the CPU is 1 millisecond (ms) or longer. Therefore, an active process that runs frequently on the CPU, but spends less than 1 ms each time, would show a run-time of 0.
Workaround: None.
•
CSCeg27568
During heavy traffic load, the number of hit counts that are shown from the show ethertype acl output is incorrect.
Workaround: None.
•
CSCeh08578
The problem occurs with the following topology: an FWSM configured in routed mode with two networks, one inside and one outside, one Skinny phone and a Cisco CallManager on the inside network, and an H323 gateway on the outside network.
When a call is placed between two skinny phones through the H323 gateway and one Skinny phone places the call on hold, the Cisco CallManager sends a music-on-hold (MOH) signal. This MOH signal is denied by the FWSM.
Workaround: Explicitly allow all UDP traffic from the Cisco Call Manager to the H.323 gateway.
•
CSCeh46215
An OSPF route and a static route are configured with a higher administrative distance for the same prefix. Upon deletion of the OSPF route, the statically configured route for the same subnet does not operate.
Workaround: If possible, configure the supernet of the OSPF route as a static route so that the normal routing rules can operate correctly.
•
CSCeh52794
The transparent firewall cannot learn the MAC addresses for forwarding packets when failover is enabled but misconfigured, with the failover VLAN not mapped to the FWSM.
Workaround: Verify that the failover VLAN is mapped to FWSM when configuring failover settings.
•
CSCeh94780
If two telnet sessions are directed to the same FWSM and both sessions cause the display to present the "more" prompt, one session will remain frozen until the other session enters a character.
Workaround: Use the no pager command so the display does not stop at the "More" prompt.
•
CSCeh96321
When you enable URL caching, all HTTP traffic stops. The server is up, and as soon as caching is disabled normal traffic flow resumes.
Workaround: Disable URL caching.
•
CSCsb88556
FWSM crashed at doorbell_poll due to an assert in the slow path (NP3).
Workaround: None.
•
CSCsb98776
OSPF convergence is not happening properly when OSPF authentication is configured between neighbors. When you first configure OSPF authentication on the FWSM and its neighbors, the convergence happens properly. If you then make the authentication fail by making the key mismatched, then changing the key to match again, then the convergence does not happen properly.
Workaround: None.
•
CSCsd09987
System log message 313004 shows the following; the interface name is not shown for the source IP address.
Jan 6 07:16:08 172.16.197.100 %FWSM-4-313004: Denied ICMP type=11, from laddr192.168.248.57 on interface to 10.109.230.127: no matching session
Workaround: None.
•
CSCsd10442
A PDM Configuration Refresh hangs when another session is stopped at the <--- More ---> prompt. The PDM displays a window "Please wait while the PDM is loading the current configuration from your firewall." It has a progress bar and the bar hangs at 27%. Only if the first session finishes their display and gets past the <--- More ---> prompt will the progress bar finish out to 100%.
Workaround: Clear the <--- More ---> prompt from the user session.
•
CSCsd13603
Conditional OSPF Default Route Advertisement does not work (the default-information originate route-map command); the FWSM does not conditionally advertise a default route based on the presence of another route on an FWSM.
Workaround: Configure a static recursive default route for a route learned via OSPF.
•
CSCsd19916
In multiple context mode, when contexts include large access lists and established statements, then the compilation of access lists might fail, even if the maximum number of access lists is not reached for the memory partition the context is assigned to.
Workaround: Decrease the number of memory partitions to increase their size. See the following document for how to perform this change: /en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00802c6418.html#wp1105979
•
CSCsd66880
The FWSM crashed with Thread Name: fast_fixup. The crash occurred when the FWSM was inspecting FTP traffic.
Workaround: Disable the FTP inspection by entering the no fixup ftp command.
•
CSCsd67726
The write net command fails in a context, even though the context can ping the TFTP server.
Workaround: None.
•
CSCsd71029
When using manual commit to access list changes, changes made to access lists related to authentication match statements are not effective after the commitment.
Workaround: Use auto commit (the default). The workaround once the access list has become ineffective is to remove and re-insert the authentication match statement.
•
CSCsd73727
When the FWSM CPU usage is high (due to a large access list compilation or other reasons), the SSL connection between the FWSM and CSM fails. The corresponding defect in CSM is CSCsd35974.
Workaround: None.
•
CSCsd79002
In the show np 3 acl count output, the NP 3 ACL Uncommitted Add display increments when you add and remove the same access list in manual commit mode.
Workaround: None.
•
CSCsd81986
AAA is configured for HTTP inbound traffic. FTP or ICMP traffic goes through fine without asking for authentication. But if the host is already authenticated through HTTP, FTP or ICMP traffic is denied. Per-user-override is not configured and dynamic access list permits HTTP. The interface access list permits all traffic.
Workaround: None.
•
CSCsd85181
Under rare circumstances in multiple context routed mode with shared interfaces, some traffic flows might fail through the FWSM while others flow fine.
Workaround: Fail over to the standby FWSM if possible, and reload the failed FWSM.
•
CSCsd85407
After removing a name command that is applied to router ospf, the area ID still shows the name. After entering write standby on the active FWSM, the standby FWSM keeps rebooting.
Workaround: None.
•
CSCse77534
The DNS fixup translates a DNS response without the dns keyword configured in the static command.
For example, a reflector is configured with the following A Record:
www.cisco.com =192.168.2.104
The FWSM with the DNS fixup enabled has the following static command:
static (DMZ2,outside) 192.168.1.104 192.168.2.104 netmask 255.255.255.254
A client makes a DNS request to 192.168.1.104 for www.cisco.com and receives an answer of 192.168.1.104 when the answer should be 192.168.2.104.
Workaround: If fixup protocol dns is disabled, the correct response is received by the client.
•
CSCsh11010
Zero downtime upgrades fail to work on the FWSM, resulting in both units in an Active state. For example, if one unit is upgraded to another 2.x release, during the version check process the existing Active unit will go into a Disabled state, but continue to pass traffic. The Standby unit will detect that the peer is not Active, and will become Active. At this point, both units are now attempting to pass traffic with the Active IPs.
Workaround: Install the new software on both units, and reboot them both at the same time, resulting in minimal down time.
•
CSCsi44694
The FWSM unexpectedly stops passing traffic and reloads. This typically occurs at the moment a change is made to an object group.
Workaround: None.
•
CSCsj52383
When a previous configuration on the FWSM is erased and the FWSM is rebooted, after the FWSM starts up, access-list deny flows are not created.
The following system log message is displayed on the console:
%FWSM-1-106101: Number of cached deny-flows for ACL log has reached limit (0)
Workaround: Reenter the access-list deny-flow-max command or save the current configuration and reboot the FWSM.
•
CSCsj10277
If you connect to the switch console, session to the FWSM, enter the show running-config command, and hold the space bar pressed, then the FWSM stops responding to keepalives from the switch; the switch then power cycles the FWSM.
Workaround: Do not hold the spacebar pressed down.
Resolved Caveats in Software Release 2.3(5)
This section describes caveats closed in FWSM Release 2.3(5).
•
CSCee54611
The FWSM does not reboot after you force a watchdog crash. After the forced crash, a message displays stating that the module will restart but it will not restart.
Workaround: None.
•
CSCeh84289
FWSM may crash in response to a doorbell_poll, which causes the supervisor to reset each FWSM when there is traffic passing through the switch.
Workaround: None.
•
CSCsd18537
In single routed mode with fixup dns configured, an FWSM might silently drop a DNS self-query when the client and DNS server are on separate VLANs. No system log message is produced by the FWSM.
Workaround: Remove DNS inspection by entering the no fixup dns command.
•
CSCsd50667
In some instances, an access list blocks traffic that is supposed to be explicitly allowed.
Workaround: Reload the FWSM.
•
CSCsd57518
An inbound TCP connection was established through the FWSM. At some point something happens to the network path, and packets are unable to get through. The endpoints know that the connection is down, but the FWSM does not. When the network is restored, the endpoints try to create a new connection but the FWSM thinks this connection is part of the previous one and tries to reset its connection timers. It should RST the previous flow and allow a new one.
Workaround: None.
•
CSCsd67334
When an external authentication server is configured, and that server connectivity is somehow interrupted on the FWSM during SSH authentication attempts, then the SSH management connections to the FWSM are being refused or denied.
The show resource usage command indicates all SSH resources are being occupied:
Resource   Current   Peak   Limit   Denied   Context
Telnet     1         2      5       0        System
SSH        5         5      5       501      System
A system log message is generated for the denied SSH session:
%FWSM-4-315005: SSH session limit exceeded. Connection request from X on interface outside
Workaround: There is no workaround to clear out these SSH sessions without doing a reload of the FWSM. If you have a failover unit, you can fail over to the standby unit and reload the active unit having the issues. If this problem continually reoccurs, use local authentication until a fix is available.
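Several caveats on this page are visible only through a specific system message: 315005 for the stuck SSH slots in CSCsd67334 above, 106101 with a limit of (0) for CSCsj52383, and 313004 with a blank source interface for CSCsd09987. The following triage script is an added example, not Cisco's code; the message IDs and wording are the ones quoted in those caveats, the log lines are constructed, and the threshold of three denials per source is an assumption.

```python
"""Triage FWSM system messages that the release notes tie to specific caveats.

Added example, not Cisco's code.  The message IDs and wording are those quoted
in caveats CSCsd09987 (313004), CSCsd67334 (315005) and CSCsj52383 (106101);
the log lines below are constructed.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple

# Syslog tag: %FWSM-<severity>-<6-digit message id>: <text>
MSG_RE = re.compile(r"%FWSM-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")
SSH_SRC_RE = re.compile(r"Connection request from (\S+) on interface (\S+)")


def parse(line: str) -> Optional[Tuple[int, str, str]]:
    """Return (severity, message_id, text), or None for non-FWSM lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("id"), m.group("text").strip()


def triage(lines: List[str], ssh_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return (message_id, caveat, note) findings for the given log lines."""
    findings = []
    ssh_denials: Counter = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        _sev, msg_id, text = parsed
        if msg_id == "315005":
            # Repeated SSH session-limit denials while no admins are logged in
            # match CSCsd67334: the five SSH slots stay occupied after an AAA outage.
            m = SSH_SRC_RE.search(text)
            src = f"{m.group(1)} via {m.group(2)}" if m else "unknown source"
            ssh_denials[src] += 1
            if ssh_denials[src] == ssh_threshold:
                findings.append((msg_id, "CSCsd67334",
                                 f"{src}: {ssh_threshold} SSH denials; check 'show resource usage' for SSH at its limit"))
        elif msg_id == "106101" and text.endswith("(0)"):
            # A deny-flow cache limit of 0 right after a reload matches CSCsj52383.
            findings.append((msg_id, "CSCsj52383",
                             "deny-flow limit is 0 after reload; reenter access-list deny-flow-max"))
        elif msg_id == "313004" and "on interface to " in text:
            # CSCsd09987 leaves the source interface name blank; correlate by laddr.
            findings.append((msg_id, "CSCsd09987",
                             "source interface name missing; correlate the laddr with the routing table"))
    return findings


# Constructed sample log (the 313004 line mirrors the one quoted in CSCsd09987).
SAMPLE_LOG = [
    "Jan 6 07:16:08 172.16.197.100 %FWSM-4-313004: Denied ICMP type=11, from laddr192.168.248.57 on interface to 10.109.230.127: no matching session",
    "Jan 6 07:16:09 172.16.197.100 %FWSM-4-315005: SSH session limit exceeded. Connection request from 10.0.0.5 on interface outside",
    "Jan 6 07:16:10 172.16.197.100 %FWSM-4-315005: SSH session limit exceeded. Connection request from 10.0.0.5 on interface outside",
    "Jan 6 07:16:11 172.16.197.100 %FWSM-4-315005: SSH session limit exceeded. Connection request from 10.0.0.5 on interface outside",
    "Jan 6 07:20:00 172.16.197.100 %FWSM-1-106101: Number of cached deny-flows for ACL log has reached limit (0)",
    "Jan 6 07:20:01 switch01 last message repeated 2 times",
]

if __name__ == "__main__":
    for msg_id, caveat, note in triage(SAMPLE_LOG):
        print(f"{msg_id} -> {caveat}: {note}")
```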
The following caveats were fixed between Release 2.3(4) and 2.3(5), and were not previously documented.
For your convenience in locating caveats in the Cisco Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description.
If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/support/bugtools
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Resolved Caveats in Software Release 2.3(4)
This section describes caveats closed in FWSM Release 2.3(4).
•
CSCei49995
When using the same-security-traffic-feature and an access list applied for outbound traffic, the source IP address in the access list displayed by system log message 106023 may not be correct.
Workaround: None.
•
CSCeg68776
With the sqlnet fixup enabled, the SQL connection is closed after 3 hours from the last SQL query even if the TCP keepalive of the Oracle server is sent.
Workaround: Disable the sqlnet fixup.
•
CSCeh54901
With an FWSM failover pair, if one FWSM is configured with a named area ID, the other FWSM unit keeps rebooting when trying to replicate the OSPF network configuration.
Workaround: Before syncing the two failover units, remove the line "name ip_address name-A" and change the line "network name-A mask area name-A" to "network name-A mask area ip_address."
•
CSCsb94408
The dhcp_daemon may crash randomly and the following error message appears on the console: An internal error occurred. Specifically, a programming assertion was violated. If this occurs, save the output of the show version command and the contents of the configuration file and contact Cisco TAC.
Workaround: None.
•
CSCsd21296
When memory usage exceeds 90%, the clear xlate command may cause an unexpected FWSM reload.
Workaround: None.
The following caveats were found and fixed between Release 2.3(3.2) and 2.3(4), and were not previously documented:
Resolved Caveats in Software Release 2.3(3.2)
This section describes caveats closed in FWSM Release 2.3(3.2).
•
CSCeh66699
The FWSM in transparent firewall mode drops the first 200 OK message in response to an MGCP MDCX message. The message is retransmitted successfully.
Workaround: Disable the MGCP fixup using the no fixup protocol mgcp 2427 command.
•
CSCsc15401
The RPC fixup does not always correctly open holes for certain RPC connections using TCP.
Workaround: Configure the server to use static ports for the affected service(s). Modify the access list of the FWSM to allow traffic to these static ports.
•
CSCsc16047
An FWSM with long-lived FTP sessions may not see connections replicated back to the primary FWSM after a failover event. The primary (active) FWSM will have the connection in its connection table, and the secondary (standby) FWSM will also have the connection. Upon failover, the primary unit will clear the connection table and replicate the connections from the secondary (active) unit. Some of these connections may not be replicated.
To check for this condition, enter the show conn command on both units before and after the failover event. The primary (standby) unit should replicate the connections within a couple of minutes.
Workaround: None. However, the problem will be cleared as connections terminate, and new connections will be properly replicated.
•
CSCsc19922
When the standby FWSM syncs its config with the active FWSM, the first command it issues is the clear configure all command. This command results in the following two commands being inserted into the standby FWSM configuration:
sysopt nodnsalias inbound
sysopt nodnsalias outbound
Thus, the configurations will not be completely in sync. If a failover occurs from active to standby, then these commands will now be in effect on the newly active FWSM.
Workaround: Manually remove the commands on the standby FWSM.
•
CSCsc22862
If you configure a dynamic access list using the Cisco ACS RADIUS server for AAA authentication or authorization, authentication or authorization fails. The FWSM sends two RADIUS access requests with the same ID number (packet ID). The time gap between these two requests is very small, and the RADIUS server ignores the second request that requests the dynamic access list causing authentication or authorization to fail. The FWSM then marks the RADIUS server as being down.
Workaround: None.
Resolved Caveats in Software Release 2.3(3)
This section describes caveats closed in FWSM Release 2.3(3) and includes the following topics:
•
System Message and SNMP Caveats
AAA Caveats
•
CSCin88094
The per-user-acl override feature is configured for FTP and multiple FTP users log in from the same IP address. Sometimes when using this configuration, the per-user-acl override functionality does not work as expected when multiple FTP users connect from the same host. For example, if user_1 is allowed FTP network access through the module and user_2 is not, it is possible that user_2 may have unhindered access even when the per-user-acl applied to the user_2 profile has strict network access restrictions.
Workaround: None, unless a restriction is in place to limit FTP users to one per host.
•
CSCeh18575
On an FWSM in single transparent mode with the TACACS+ authentication configured, when a client passes the AAA authentication, it is denied by the int acl command. The log shows that the AAA authentication is denied by the wrong interface access list.
Workaround: None.
•
CSCei90705
Adding more than 5,017 access control entries to an access-list tied to AAA using the AAA match access-list command causes the original AAA configuration statement to be removed and disables the related AAA operation. Also, upload over the network may keep the CPU utilization close to 100% for a long time.
Workaround: None.
•
CSCei14517
FWSM does not support the aaa accounting commands, but the parser still accepts these commands.
Workaround: Do not use the deprecated aaa accounting commands.
•
CSCeh71564
This applies when per-user override is enabled, TACACS+ is used for AAA authentication and authorization, and the source and destination are permitted by the AAA access list, but are denied by the inbound access list. In this configuration, during AAA authentication and authorization, the inbound access list is bypassed. After the user is authenticated and authorized, the inbound access list blocks the new session.
Workaround: None.
•
CSCeh77632
Configuring an AAA policy that uses an access list with more than 20K access control entries may crash the FWSM.
Workaround: None. Only a few thousand access control entries are supported in an AAA configuration, so do not use an access list with more than a few thousand entries for AAA.
•
CSCeh57549
User authentication fails when SSH to the FWSM device is enabled and users are authenticated through TACACS+.
Workaround: None.
Access List Caveats
•
CSCsb82279
After 16K access lists with the log keyword are configured on the FWSM, the message "ERROR: Unable to add access-list (rc=0xc014)" is seen on the FWSM when trying to add another access list rule containing the log keyword.
Workaround: None.
•
CSCin92161
Override functionality does not work if a named access list is configured on a RADIUS server. When a user is authenticated, the dynamic access list name is displayed in the Uauth information, but the access list is not applied to traffic. Instead, the interface access list takes effect and traffic is passed or denied accordingly.
Workaround: None.
•
CSCei72714
When using an access list with access groups and using Internet Explorer to send HTTP SYN packets from a lower security interface to a higher security interface, the hit count against a deny access control entry is not accurate.
Workaround: None.
•
CSCei56411
In access list manual commit mode, adding new members to object groups used in access lists that expand to a lot of new access control entries can result in dangling object group access control entries with an "uncommitted deletion" qualifier.
Workaround: Remove the object group access control entries and add them again.
•
CSCei57951
Compilations in auto mode can be slow after changes have been made to large object groups tied to access lists. This may happen when back-to-back compilation is triggered.
Workaround: None.
•
CSCei22165
When one or more ACEs in a file on tftp: or disk: are copied to the running configuration, the last line in the file is skipped and does not get copied.
Workaround: Add a dummy access control entry to the file.
•
CSCei24404
After committing a large set of access lists, the FWSM may hang.
Workaround: None.
•
CSCei20132
When using AAA authentication, authentication intermittently stops working completely, without producing any traces or logs.
Workaround: Reload FWSM.
•
CSCei10850
UDP packets with the source port set to 0 bypass an access rule that also specifies a destination port. The exposure exists given an access list with deny udp any any eq port dest followed by permit any any, or deny udp any any eq port dest followed by permit host attacker any. If the attacker uses source port 0, the access list is bypassed and the attacker can reach any host on any port, including the port explicitly denied in the first access control entry. For this to happen, there must be a permit statement for UDP that does not specify any source or destination port (wildcarded).
Workaround: Use the lt 1 port range in the access list.
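A configuration fragment added here (not from the release notes or from Cisco) showing the ordering that CSCei10850 affects beside the workaround; the access list names, the destination port 514, and the reading of "lt 1" as a source-port deny placed ahead of the wildcard permit are assumptions.

```text
: Added example, not Cisco's own configuration; names and ports are constructed.
:
: Ordering affected by CSCei10850: the deny carries a destination port, so a UDP
: packet with source port 0 does not match it and falls through to the
: wildcard permit that follows.
access-list outside_in_weak deny udp any any eq 514
access-list outside_in_weak permit udp any any
:
: Workaround (assumed reading of "use the lt 1 port range"): deny UDP whose
: source port is below 1, i.e. port 0, ahead of the wildcard permit so that
: such packets never reach the wildcard entry.
access-list outside_in deny udp any lt 1 any
access-list outside_in deny udp any any eq 514
access-list outside_in permit udp any any
: Only the corrected list is bound to the interface.
access-group outside_in in interface outside
```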
•
CSCeh81093
On FWSM Release 2.3(x), under high load conditions (more than 4000 users with downloadable access lists), the FWSM displays the following errors:
•
May 02 2005 12:08:44: %FWSM-3-109018: Downloaded ACL "username@companyname" is empty
•
May 02 2005 12:08:44: %FWSM-4-109005: Authentication succeeded for user 'username@companyname' from 10.10.10.10/4298 to 192.168.2.2/443 on interface production
At this point, all downloadable access lists appear empty. This issue is observed until the user traffic is decreased. This is the result of a hard-coded limit of approximately 4000 downloadable access lists (the exact number depends on the structure of the access list).
Workaround: Use the show np 3 acl count command to determine whether the system is approaching the access list limit. Avoid the use of repetitive downloadable access lists; instead, use named downloadable access lists. Change the infrastructure so that there are fewer downloadable access lists per FWSM.
•
CSCea56634
When FWSM Release 2.3.3 is running in single or multimode using translation or authentication rules that require access lists to define interesting traffic, the hit count in the corresponding access lists for certain functions does not increase from 0. The affected functions include NAT 0 access-list, policy NAT, policy static, crypto map match address, and AAA.
Workaround: None.
•
CSCed62181
The set of access list configurations on the FWSM does not fit in the FWSM access list memory. The device tries to compile the access lists but runs out of memory while doing so. FWSM deletes all the rules added in that step automatically but the PDM/MC does not report the error and it appears as if the access list has been successfully committed.
Workaround: None. To monitor the access list memory usage, use the show np 3 acl stats command.
•
CSCeg38229
The problem occurs when you perform the following steps:
1. The access list is in manual mode.
2. You configure suspend-config-sync between the active and the standby FWSM.
3. You change the access list.
4. Suspend-config-sync is then disabled.
Following these steps causes the access list configuration not to be synchronized between the active and standby FWSM, although it should be.
If you continue sending the access-list commit command, this action causes the access list to be totally out of synchronization between the active and standby modules.
Workaround: None.
Connection Caveats
•
CSCeh40924
When an RSH (remote shell) connection has been made to two FWSMs, the RST (reset) packet is dropped between the FWSMs. This problem can be seen when traffic must pass through multiple FWSMs.
Workaround: None.
•
CSCei13648
When PDM sessions hang or are disconnected abnormally, or when multiple simultaneous access attempts are made to PDM, the following error may be seen: FWSM, 1550 blocks getting depleted, the low counter is reaching 0.
Workaround: None, except reloading the FWSM.
•
CSCeh59278
After a DHCPINFORM broadcast, when a server sends a unicast reply to a client, the DHCPACK response to DHCPINFORM might get dropped by FWSM acting as a DHCP relay.
Workaround: Explicitly permit the communication from server (udp/67) to client (udp/68).
Routing Protocol Caveats
•
CSCei28005
When the Cisco Anomaly Guard is used with an FWSM so that the Guard sits in front of the FWSM and scrubs all incoming traffic before forwarding it to the FWSM, TCP sessions that are intercepted by the FWSM may not work. This is because the FWSM, after intercepting the SYN, sends the SYN-ACK to the Guard instead of to the next hop router.
Workaround: Do not enable TCP Intercept on the FWSM when using it with a Cisco Anomaly Guard.
•
CSCei12384
On an FWSM with multiple contexts that share a common VLAN interface, TCP RST packets do not pass through both FWSM contexts. The first context receives the RST and correctly tears down the connection in its connection table, but the RST is not forwarded to the second context, where the connection stays idle until it times out.
Workaround: Change the configuration so that VLAN interfaces are not shared. In other words, route all traffic between contexts using the MSFC or an external router.
•
CSCei10784
The FWSM may ignore the ARP reply from a certain IP address if it has a static route to that host address.
Workaround: None.
•
CSCeh53497
If the FWSM has a route pointing to its own interface, it does not route the packet.
Workaround: None.
•
CSCeh51137
When there are multiple routes learned off a single interface, the network processor may fail to be updated with those routes. This prevents packets from being routed properly. Route addition (for a new next hop) may be followed by deletion of the old route.
Workaround: Instead of add then delete, first delete then add.
•
CSCeh19997
With proper DSCP trust configured on the incoming physical ports and on the interface VLANs attached to the FWSM, DSCP is not being preserved when packets traverse the FWSM on a Sup720 system. This problem does not occur on a Sup2 system. This is a duplicate of CSCef71768.
Workaround: Configure no mls qos rewrite ip dscp in global configuration mode to retain the DSCP value through the FWSM.