Table Of Contents
Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Software Release 3.1(x)
Important Notes
Upgrading the Software
Chassis System Requirements
Management Support
New Features
Software License Information
Limitations and Restrictions
Open Caveats in Software Release 3.1
Resolved Caveats in Software Release 3.1(13)
Resolved Caveats in Software Release 3.1(12)
Resolved Caveats in Software Release 3.1(11)
Resolved Caveats in Software Release 3.1(10)
Resolved Caveats in Software Release 3.1(9)
Resolved Caveats in Software Release 3.1(8)
Resolved Caveats in Software Release 3.1(7)
Resolved Caveats in Software Release 3.1(6)
Resolved Caveats in Software Release 3.1(5)
Resolved Caveats in Software Release 3.1(4)
Resolved Caveats in Software Release 3.1(3)
Resolved Caveats in Software Release 3.1(2)
Related Documentation
Hardware Documents
Software Documents
Obtaining Documentation and Submitting a Service Request
Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Software Release 3.1(x)
November 2008
This document contains release information for the following FWSM releases:
•
3.1(13)
•3.1(12)
•3.1(11)
•3.1(10)
•3.1(9)
•3.1(8)
•3.1(7)
•3.1(6)
•3.1(5)
•3.1(4)
•3.1(3)
•3.1(2)
•3.1(1)
This document includes the following sections:
•Important Notes
•Upgrading the Software
•Chassis System Requirements
•Management Support
•New Features
•Software License Information
•Limitations and Restrictions
•Open Caveats in Software Release 3.1
•Resolved Caveats in Software Release 3.1(13)
•Resolved Caveats in Software Release 3.1(12)
•Resolved Caveats in Software Release 3.1(11)
•Resolved Caveats in Software Release 3.1(10)
•Resolved Caveats in Software Release 3.1(9)
•Resolved Caveats in Software Release 3.1(8)
•Resolved Caveats in Software Release 3.1(7)
•Resolved Caveats in Software Release 3.1(6)
•Resolved Caveats in Software Release 3.1(5)
•Resolved Caveats in Software Release 3.1(4)
•Resolved Caveats in Software Release 3.1(3)
•Resolved Caveats in Software Release 3.1(2)
•Related Documentation
•Obtaining Documentation and Submitting a Service Request
Important Notes
•You must install maintenance software Release 2.1(2) before you upgrade to FWSM Release 3.1. See Upgrading the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module from Release 2.x to Release 3.1 for detailed information about upgrading to 2.1(2).
•For traffic that passes through the control-plane path, such as packets that require Layer 7 inspection or management traffic, the FWSM sets the maximum number of out-of-order packets that can be queued for a TCP connection to 2 packets, which is not user-configurable. Other TCP normalization features that are supported on the PIX and ASA platforms are not enabled for FWSM. You can disable the limited TCP normalization support for the FWSM using the no control-point tcp-normalizer command.
Upgrading the Software
See Upgrading the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module from Release 2.x to Release 3.1 for detailed information about upgrading to Release 3.1.
To upgrade between 3.1(x) maintenance releases, see the "Managing Software, Licenses, and Configurations" chapter in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide.
Note Due to CSCse74946, hitless upgrades using failover between 3.1(1) and other 3.1(x) maintenance releases are not supported. Only 3.1(1) is affected.
Chassis System Requirements
The switch models that support the FWSM include the following platforms:
•Catalyst 6500 series switches, with the following required components:
–Supervisor engine with Cisco IOS software (known as supervisor IOS) or Catalyst operating system (OS). See Table 1 for supported supervisor engine and software releases.
–MSFC 2 with Cisco IOS software. See Table 1 for supported Cisco IOS releases.
•Cisco 7600 series routers, with the following required components:
–Supervisor engine with Cisco IOS software. See Table 1 for supported supervisor engine and software releases.
–MSFC 2 with Cisco IOS software. See Table 1 for supported Cisco IOS releases.
Note The FWSM does not support a direct connection to a switch WAN port because WAN ports do not use static VLANs. However, the WAN port can connect to the MSFC, which can connect to the FWSM.
Table 1 shows the supervisor engine version and software. Please also consult and check the switch software requirements.
Table 1 Support for FWSM 3.1
| |
|
Cisco IOS
|
12.2(18)SXF and higher
|
720, 32
|
12.2(18)SXF2 and higher
|
2, 720, 32
|
Cisco IOS Software Modularity
|
12.2(18)SXF4
|
720, 32
|
|
|
8.5(3) and higher
|
2. 720, 32
|
Management Support
The FWSM supports the following management methods:
•Cisco ASDM—Software Release 5.0F supports FWSM software Release 3.1 features. ASDM is a browser-based configuration tool that resides on the FWSM. The system administrator can configure multiple security contexts. If desired, individual context administrators can configure only their contexts.
•Command-line interface (CLI)—Access the CLI by sessioning from the switch or by connecting to the FWSM over the network using Telnet or SSH. The FWSM does not have its own external console port.
New Features
Table 2 lists the new features for FWSM software Release 3.1(1).
Table 2 FWSM 3.1 Enhancements
Type of Feature
|
Feature
|
Description/Benefits
|
Authentication, Authorization, and Accounting (AAA)
|
Support for simultaneous RADIUS accounting servers
|
Ability to send START/STOP accounting records to multiple RADIUS servers simultaneously.
Provides higher scalability for RADIUS accounting.
|
Accounting for management traffic
|
AAA accounting records are generated for management connections to the box. Only TACACS+ is supported.
Allows backtracking of administrative commands that may have caused problems.
|
Configure FTP authentication challenge
|
Specifies if the user should be challenged for FTP traffic based on prior authentication of other interactive traffic (Telnet, HTTP, HTTPS) and whether to challenge and block unauthorized FTP traffic. This allows traffic from internal authenticated hosts to go through, while blocking traffic from unauthenticated users.
|
MAC-based AAA exemption
|
Allows specifying AAA exemption based on a MAC and an IP address that was dynamically allocated or relayed by the DHCP server or DHCP Relay. This supports dynamic addressing of devices like printers and IP phones behind a firewall.
|
Cut-through proxy authentication using local database
|
Authentication of cut-through traffic using a local username database, as a backup for AAA services. This allows disconnected use of policies when a AAA server is not available.
|
AAA server checks all TFTP commands for authorization
|
If command authorization is turned on, then all TFTP server commands are checked by the AAA server for authorization. If users are not authorized to use the command, then the request is denied. In previous releases, only the configure net command was checked for authorization.
Note Note: If you have many access lists configured for your network, then this could result in a delay while the server is checking them.
|
Access Lists
|
Time-based ACE
|
Defines a time range (time of the day and week) when certain ACEs become active. Provides more granular policy, identical to the Cisco IOS software implementation.
|
Modular Policy Framework
|
Provides a modular and consistent framework that identifies traffic flows, classifies traffic, and defines policies. Policies include inspection policies, connection policies, and TCP connection timeouts. The Modular Policy Framework lets you apply these policies to specific classes of traffic.
|
Access list editing
|
ACEs can be added in the middle of an access list between two consecutive ACEs based on the ACE line number. This allows more flexible policy definitions.
|
Interface keyword as address in access lists
|
Allows the use of the interface keyword with the access-list command.
|
Network Address Translation
|
NAT control
|
NAT configuration is no longer required to pass traffic through the FWSM.
|
Overlapping static NAT configuration
|
Overlapping static statements are allowed and only a warning message is issued. FWSM performs the Longest Prefix lookup for the static statements.
|
Inspection Engines (Fixups)
|
TCP stream assembly for application inspection
|
Assembly of VoIP/TCP streams which are processed by the inspection engines (such as SIP, Skinny, and MGCP) instead of individual packets. This allows interoperability with the latest version of Cisco CallManager.
|
Persistent TCP connections and TCP pools for URL filtering
|
The FWSM uses established connections for requests instead of creating a new TCP connection to the URL server for each HTTP request. It creates a pool of five connections and reuses them in round robin fashion. This improves the performance of Websense and N2H2 URL filtering.
|
Configurable application inspection engines
|
Inspection engines can be enabled for specific interfaces or globally (the fixup command has been renamed inspect). This provides more granular control of application inspection.
|
ESMTP application inspection
|
Extended SMTP (ESMTP) allows e-mail that includes graphics, audio, video, and text in various national languages. SMTP is still supported in accelerated mode. This enhances client-to-server communication.
|
FTP command filtering
|
Strict FTP inspection includes FTP command request filtering for over ten FTP commands. This provides additional security, including hiding the reply to the system command and protecting against username discovery. This feature also provide more granular control of FTP.
|
Active X/Java filtering
|
Filters objects, such as ActiveX objects or Java applets, that may pose security risks.
|
PPTP PAT and application inspection enhancement
|
PAT support and stateful inspection is added for PPTP so that only TCP port 1723 needs to be opened. This simplifies FWSM configuration for remote client connections.
|
VoIP Inspection Engines (Fixups)
|
H.323 enhancement - T.38
|
Allows inspection and modification of T.38 (FAX over IP) within H.323 sessions. This protects FAX messages transmitted between endpoints over an IP network.
|
H.323 enhancement -GKRCS
|
GKRCS application inspection opens pin-holes between endpoints, which allows firewalls to be placed between an H.323 gatekeeper and the end points.
|
MGCP NAT
|
Supports NAT of the IP address and opening pin-holes according to the NATed/PATed IP address and port information. This allows firewalls to be placed between media gateways and end points.
|
GTP application inspection
|
GTP application inspection provides advanced stateful inspection capabilities for GSM/GPRS wireless service provider (3GPP—Third Generation Partnership Project) environments.
|
SIP instant messaging application inspection
|
Provides Instant Messaging (IM) support for RTC client for Windows Messenger version 4.7.0105. Support for new SIP methods MESSAGE/INFO and new response 202 as described by RFC #3428 and RFC 3265. Allows stateful inspection of IM over SIP.
|
TAPI/CTIQBE application inspection
|
TAPI/CTIQBE application inspection translates the embedded IP addresses or port numbers and opens pinholes for subsequent media transmission between call endpoints. CTIQBE is a VoIP protocol developed by Cisco for Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications for call setup with Cisco CallManager.
|
Skinny video support
|
Supports Skinny (SCCP) video application inspection by handling Skinny video messages that carry embedded IP addresses and ports for the video channels and by opening pinholes for video RTP/RTCP streams. Interoperates with video over IP in Cisco CallManager 4.0.
|
Application Firewall
|
HTTP inspection engine enhancements
|
Provides deep payload inspection of HTTP traffic to detect and block Port 80 misuse and deter web-based attacks.
|
Detect and block applications and attacks tunneled over HTTP
|
Detects a list of pre-defined port 80 tunneling applications, such as instant messaging (AIM, MSN Messenger, Yahoo), and peer-to-peer (Kazaa). Permits or blocks traffic based on user policy configured using the Modular Policy Framework. Also generates a message for any port 80 misuse event. Prevents malicious applications from being tunneled over HTTP.
|
RFC compliance checking
|
Specifies whether all traffic that is not compliant with the HTTP standard should be permitted or logged. This provides HTTP protocol anomaly detection.
|
HTTP command filtering
|
Determines if the Request Message is an RFC-defined method (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or an extension method (INDEX, MOVE, and so forth.). If the check fails, the user may be alerted, a message may be generated, and the TCP connection may be reset. This lets you select the HTTP methods to allow or deny.
|
MIME type filtering
|
Permits passing a predefined list of mime-types (such as image/Jpeg, text/html, application/msword, audio/mpeg) or all mime-types through the firewall. This helps control the types of content that can traverse the firewall.
|
Checks for minimum and maximum size of HTTP message, header length and URI
|
Permits or denies traffic based on whether a requestor response HTTP message meets the configured size constraints. Checks the maximum header length for the HTTP request and response messages and checks the maximum size of URI permitted through the firewall. Allows control of HTTP messages that violate the criteria defined for URI length and request/response message header size.
|
Content validation
|
Verifies that the content-type specified in the header matches the content-type defined in the body of the HTTP message. Validates that the content-type in the response message matches the request message accept-type field. If the check fails, the user may be alerted, a message may be generated, and the TCP connection may be reset.
|
HTTP message filtering based on keywords
|
Filters HTTP messages based on keywords and takes appropriate action. Improves control and deters port 80 misuse.
|
High Availability
|
Active/active
|
Contexts can be active on one blade, standby on the second blade, while other contexts are in standby in the first blade and active in the second blade. This provides high resilience in multi-group HSRP style.
|
Pre-empt option for active/active
|
Allows redundant FWSMs to preempt one another depending on the configured priority. Allows the design of deterministic traffic paths with redundant firewalls.
|
Asymmetric routing support
|
Traffic that arrives on a different unit or interface than the traffic originated can be forwarded to the unit or interface where the traffic originally was passed. This provides resilient WAN connectivity.
|
Scalability
|
Support for 250 virtual contexts
|
Maximum number of supported virtual contexts is increased from 100 to 250. This provides high scalability for virtual contexts.
|
Apply the write mem command to all contexts
|
The write mem command saves configuration for all contexts without having to enter the command for each individual context. This makes configuring a large number of virtual contexts easier.
|
Increase number of global statements to 4 K
|
The total number of global statements within the system is increased from 1 K to 4 K. This improves scalability when defining a pool of global addresses.
|
Access list memory enhancements
|
Increase of 20% in total available access list memory. This improves scalability for access lists.
|
Sessions for non-TCP/UDP packets
|
Non-TCP/UDP packets are forwarded through the fast path instead of the slow path. This improves performance for GRE, ESP, and multicast traffic.
|
Support up to ten DHCP relay statements
|
Increases the number of DHCP relay statements from four to ten, which allows better scalability.
|
80 HTTPS sessions for ASDM
|
Increases the current number of possible HTTPS sessions from 32 to 80 for ASDM.
|
Network Integration
|
Mixed L2 & L3 mode support
|
A mixture of L2 and L3 modes on the same FWSM is allowed, which enables flexible network deployments.
|
Multiple pairs of L2 interfaces per context
|
The number of supported interfaces in transparent mode is increased from a single pair up to eight pairs pairs. This improves scalability and reusability of L2 contexts.
|
Private VLAN support
|
FWSM is now aware of PVLANs configured on the Cisco Catalyst 6000 Supervisor and properly processes traffic coming from a secondary VLAN that is configured as a secure VLAN with 802.1Q tagging of the primary. This leverages the logical separation and traffic isolation provided by PVLANs.
|
Per interface DHCP relay
|
Allows DHCP relay (helper addresses) to be configured for each interface rather than for the entire context. This allows better granularity and control of DHCP services.
|
Core IP Enhancements
|
IPv6 Phase 1
|
Support for inspection, security checks on headers, access lists, routing, and management to the device for IPv6 traffic. This supports the expanded addressing capabilities and native security offered by IPv6.
|
Multicast support
|
Support for PIM-SM version 2 (RFC2362) dynamic routing as well as IGMP v2. This provides secure integration in distributed video conferencing and collaborative computing environments and reliable delivery of sensitive real-time streaming updates.
|
dNAT for multicast
|
Destination NAT on the group addresses after packets are replicated protects internal resources from an external multicast source.
|
OSPF neighbor
|
Allows FWSM to push OSPF routes over a VPN tunnel by statically defining neighbors and exchanging databases using unicasts. OSPF hello updates and OSPF adjacencies can be established over VPN tunnels.
|
Monitoring and Management
|
SSHv2
|
SSHv2 provides a more secure way of accessing FWSM and improves security for management connections.
|
Ping, logging and memory management enhancements
|
Extended ping, logging of subsystem identification when packets are dropped or discarded, enhanced messages for memory depletion conditions, user-configurable system message buffer size, and sanity checks for detecting memory corruptions.
|
Syslog server failure policy for TCP transport
|
The FWSM can be configured to stop or continue processing if the syslog server fails when using TCP as the syslog transport.
|
4 K+ certificate support
|
The FWSM can work with certain certificate authorities for administrator authentication by supporting 4 K key sizes. For example, Microsoft CA defaults to 4 K key sizes.
|
SNMPv2c
|
SNMPv2C agent supports new features, such as 64-bit counters, enhanced MIBS (SNMPv2 MIB [RFC 1907], and the IF-MIB [RFC 1573,2233]). Provides uniform SNMP agent/MIB support with Cisco PIX security appliance and VPN 3000.
|
Additional MIBs
|
Includes other MIBs currently available on the Cisco PIX security appliance and VPN 3000 platforms. New additions are: CISCO-CRYPTO-ACCELERATOR-MIB.my, IF-MIB.my, CISCO-FIREWALL-MIB.my, CISCO-PROCESS-MIB.my, CISCO-SYSLOG-MIB.my, CISCO-REMOTE-ACCESS-MONITOR-MIB.my,CISCO-IPSEC-FLOW-MONITOR-MIB.my, ENTITY-MIB.my. This provides uniform SNMP agent/MIB support with Cisco PIX security appliance and VPN 3000.
|
Enhanced parser and CLI
|
FWSM CLI is enhanced by porting the Cisco IOS software parser and by providing functions such as command alias, comments in configuration file, command completion, command syntax check, and context sensitive help.
|
Out of band management
|
Restricts management traffic to a specific interface. Enhances security for management connections.
|
Prompt slot/status reporting
|
CLI enables/disables reporting the slot number and failover status as part of the FWSM session prompt. Identifies the slot in which the FWSM is installed and the failover status of the module.
|
Debug message timestamp
|
Adds a timestamp for debugging messages. This improves ease of use for logged debug messages.
|
System context logging to external syslog server
|
The system context can send logs to an external syslog server. This provides logging messages from the system context.
|
Include ACE info as part of message 106023
|
The specific ACE entry is identified in the message, rather than just the access list name. This helps isolate traffic issues.
|
Software License Information
The FWSM supports the following licensed features:
•Multiple security contexts. The FWSM supports two virtual contexts plus one admin context for a total of three security contexts without a license. For more than three contexts, obtain one of the following licenses:
–20
–50
–100
–250
•GTP/GPRS support.
Limitations and Restrictions
See the following limitations and restrictions on the FWSM:
•Multiple context mode does not support dynamic routing protocols such as RIP and OSPF. Use static routing instead.
•Transparent firewall mode supports a maximum of eight interface pairs per context.
•For transparent firewall mode, you must configure a management IP address per interface pair.
•The outbound connections (from a higher security interface to a lower security interface) from an interface that is shared between the contexts can only be classified and directed through the correct context if you configure a static translation for the destination IP address. This limitation makes cascading contexts unsupported, because configuring the static translations for all the outside hosts is not feasible.
•The CPU-intensive commands, such as copy running-config startup-config (the same as the write memory command), might affect system performance, including reducing the successful rate of inspection and AAA connections. When a CPU-intensive action completes, the FWSM might produce a burst of traffic to catch up. If you limit the resource rates for a context, the burst might unexpectedly reach the maximum rate. We recommend using these commands during low traffic periods. Other CPU-intensive actions include the show arp command, polling the FWSM with SNMP, loading a large configuration, and compiling a large access list.
•If you try to save a new configuration file with the write memory all command in the system execution space, and there is not enough space on the disk, then the error "writing disk: message" displays; the new configuration is not saved, and the FWSM removes the existing old configuration file from the disk.
Be sure to either:
–Free some space from the disk.
–Go to each context and issue the write memory command instead of saving them all from the system.
Open Caveats in Software Release 3.1
This section contains open caveats in the latest maintenance release.
If you are running an older release, and you need to determine the open caveats for your release, then add the caveats in this section to the resolved caveats from later releases. For example, if you are running Release 3.1(4), then you need to add the caveats in this section to the resolved caveats from 3.1(5) and later to determine the complete list of open caveats.
•CSCei85820
When multicast routing is enabled and multicast packets are forwarded by the FWSM, forwarding statistics shown with the show mfib command are incorrect.
Workaround: None.
•CSCse07315
After removing a secondary VLAN from a firewall VLAN group on the switch, and then adding the VLAN to another group, the first VLAN group cannot be added to the FWSM, and a warning message such as the following appears:
Secondary vlan 339 can't be configured as secure for module 9. Command rejected.
Workaround: None.
•CSCse13916
Windows Messenger Version 5.0 or 5.1 does not sign on with Live Communication Server 2003, Live Communication Server 2005, or any other SIP application that multiple SIP messages within the same packet; the packets are dropped. Cisco IP Phones that run SIP are not affected by this caveat.
Workaround: Configure your SIP applications to send smaller SIP messages, or increase the MTU on the FWSM interface using the mtu command if it was previously configured with a smaller than default MTU. The default MTU is 1500 bytes.
•CSCse56960
With bidirectional PIM, if the router that is configured as the RP is directly connected to the FWSM, no joins are sent to the RP by the FWSM. The debug logs show the following error message: "NO RPF NEIGHBOR o send J/P." The show mroute and show mfib commands display correct flags and RPF neighbors.
Workaround: Do not make the directly-connected router the RP.
•CSCsg75173
URL filtering with Websense causes high CPU in high traffic loads.
Workaround: None.
•CSCsi73738
High CPU is seen when a client accesses an ISEE server (sPOP) and HTTP inspection is enabled.
Workaround: Disable the tcp normalizer using the no control-point tcp-normalizer command or disable HTTP inspection.
•CSCsk01370
The FWSM is not forwarding all DNS requests from the outside interface to the inside interface when the inspect dns max-length command is used.
Workaround: Disable the inspect dns max-length command.
•CSCsk35549
Connections that have their TCP state bypassed (using the set connection advanced-options tcp-state-bypass command) generate SYN Timeout syslog messages when they idle out. The TCP SYN packets do indeed pass through the FWSM, but the syslog message indicates the tear down reason as a SYN timeout.
For example:
Teardown TCP connection 13223832 for outside:10.10.10.100/1304 to
inside:192.168.1.100/1234 duration 2:02:53 bytes 7798136 SYN Timeout
Also the connection flags for a connection with its TCP state bypassed indicate one of the following groups of flags:
bBs - (b)State bypass, (B)initial SYN from outside, (s)awaiting outside SYN
bBS - (b)State bypass, (B)initial SYN from outside, (s)awaiting inside SYN
bs - (b)State bypass, (s)awaiting outside SYN
bS - (b)State bypass, (s)awaiting inside SYN
Since the FWSM is not tracking the state of the connection, flags indicating the direction of traffic and whether or not correct SYN packets were received, may be inconsistent and misleading.
Workaround: None.
•CSCsk61834
Directed BOOTP messages are redirected to a DHCP server if DHCP Relay is enabled on the FWSM and DHCP Relay servers are configured.
Workaround: None.
•CSCsl10122
The primary and secondary FWSMs might crash in Thread name: snmp. This is caused when there is no proper response from the NP due to high traffic. Also there is no snmp-server host command configured in the system but in the configuration, there is the snmp-server enable traps snmp authentication linkup linkdown coldstart command.
Workaround: Remove the snmp-server traps command.
•CSCsl63063
The FWSM might unexpectedly stop passing traffic and reload. The output of the show crash command shows a traceback in thread "doorbell_poll". The NP Hard Debu in the NP Hard Assert Info (included in the show crash output shows a crash in processor NP1 or NP2 at PC 0x3a1a.
Workaround: None.
•CSCsm46399
In single mode, using FTP with inspect ftp enabled results in a 10% drop in connections per second handled by the FWSM. Once a connection is established, data traffic does not experience any drop.
Workaround: None.
•CSCsm73157
Failover is not working on the FWSM in transparent mode. When connectivity is broken on one or two interfaces, The FWSM is not updating the MAC address with the updated path. Therefore, users are losing their connections.
Workaround: None.
•CSCso38838
In rare circumstances, traffic matching a static policy NAT statement may fail with a "no translation group found" syslog message even though it matches the policy access list.
Workaround: Try redefining the policy access list with a different access list name and applying that to the static.
•CSCsv50778
Outside policy PAT in multiple context mode uses an inactive access list to create xlates after the memory partition of the context is changed using the allocate acl-partition command.
Workaround: Reconfigure the access list and policy PAT after changing the memory partition.
•CSCsv71697
When outside policy PAT is configured and traffic is sent from outside to inside host, then xlates on a standby unit have incorrect flags of Identity (I) instead of portmap (r) and shows the xlate as NAT instead of PAT.
Workaround: None.
Resolved Caveats in Software Release 3.1(13)
•CSCsu43711
The FWSM reloads when a Cisco ASA 5500 series adaptive security appliance is configured as its failover peer and placed on the respective failover control VLAN.
Workaround: Disallow the FWSM failover control VLAN on all trunks and access ports of the switch, or configure a failover key.
The caveats in Table 3 were resolved in Release 3.1(13), and were not previously documented. If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/bugtools
Table 3 Caveats Resolved in Release 3.1(13)
Caveat ID
|
Title
|
CSCsf03695
|
Crash while creating captures for FWSM
|
CSCsi54863
|
FWSM: new MPC command to clear TCP Sack-Permitted option in 3WHS - SACK
|
CSCsm90200
|
Show memory displays incorrect data in multi context mode
|
CSCsq61452
|
Multicontext FWSM pair has continual reload with no crashinfo written
|
CSCsr47554
|
AAA Authentication request packet for 'show running-config' corrupted
|
CSCsr83767
|
Clear route permanently removes static routes from the NP 3
|
CSCsu01813
|
FWSM 3.2: redirected sqlnet data connections should not be inspected
|
CSCsu02947
|
FWSM: Traceback in Thread Name fast_fixup
|
CSCsu83857
|
console hung after "access-list commit" in 3.2.8 and 4.0
|
CSCsu85193
|
FWSM - policy nat rules are not replicated to standby
|
CSCsv19445
|
FWSM may not program routes into NP3 upon bootup.
|
CSCsv21077
|
FWSM traceback in fast_fixup
|
Resolved Caveats in Software Release 3.1(12)
•CSCsj48421
If you have two dynamic policy NAT commands, and traffic matches the access list in one of the NAT commands; then you change the access list in the other NAT command so there is an overlapping ACE that also matches the same traffic; then no NAT entries are created for that traffic.
Workaround: Remove and reapply the unchanged NAT statement (the NAT statement that was formerly used to match the traffic). This change forces the other NAT pool (with the updated access list) to take effect.
•CSCsm99224
If you have overlapping static commands that both match the same traffic, and you add an ACE using the line keyword to an access list being used by the higher priority static command, then any traffic that should use the higher priority static command now uses the lower priority static command.
Workaround: Remove and readd the static command after you alter the access list.
•CSCsq90172
The FWSM may experience a failover event or stop responding completely after an extensive series of ICMP Echo Request packets is generated either to the FWSM or from the FWSM command line interface.
Workaround: None.
•CSCsq87373
In multiple context mode with Failover, the secondary FWSM might crash after you commit configuration changes on the primary unit. After the crash, reloading the secondary FWSM causes it to enter Failover Off (pseudo-Standby) state. Both units have to be reloaded to re-establish the failover pair.
Workaround: None.
•CSCsq79074
The Maximum Segment Size (MSS) option in the TCP header in the SYN ACK segment is passed unchanged when traversing the FWSM, regardless of what is configured with the sysopt connection tcpmss command. The MSS option on the initial TCP SYN segment is adjusted correctly. This occurs when the TCP options length is small (8 bytes or so).
Workaround: None.
The caveats in Table 4 were resolved in Release 3.1(12), and were not previously documented. If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/bugtools
Table 4 Caveats Resolved in Release 3.1(12)
Caveat ID
|
Title
|
CSCso02252
|
Overlapping networks dont translate DNS address in 3.1.x
|
CSCso25009
|
FWSM 3.2 : Capture on the egress interface may show corrupt packets
|
CSCsq16078
|
Various Stateful Failover failures in FWSM 3.1.10
|
CSCsq61452
|
Multicontext FWSM pair has continual reload with no crashinfo written
|
CSCsq66164
|
106101: Number of cached deny-flows for ACL log generated incorrectly
|
CSCsq75892
|
assert at ibm_4gs3_ingress:ibm_4gs3_dispatch_pkt+1204
|
CSCsq84306
|
SQLnet inspection overwrites HOST field in the redirect packet
|
CSCsq87373
|
In Multicontext Mode Secondary FWSM crashes when commiting configuration
|
CSCsr05764
|
FWSM blocks traffic due to route mismatch in CP and NP, NIC underruns
|
CSCsr21268
|
FWSM crashed at time_range.c after enabling failover
|
CSCsr29124
|
PAT src port allocation policy negates effect of host port alloc. policy
|
CSCsr40970
|
Strict HTTP inspection - problems with out-of-order packets from server
|
CSCsr45802
|
FWSM fails over when compiling ACLs if CPU also busy inspecting traffic
|
CSCsr51684
|
ERROR: np_logger_query request .Traffic failing on FWSM
|
CSCsr60593
|
FWSM: May crash in Thread Name: accept/http
|
CSCsr62662
|
FWSM may crash during 'fsck disk:' operations
|
CSCsr75501
|
FOVER:Standby MAC addr is improperly registered as Active MAC on Primary
|
CSCsr93090
|
High CPU on FWSM due to AAA accounting/authentication
|
Resolved Caveats in Software Release 3.1(11)
•CSCsm69869
The syslog message 305005 (No translation group found for...) should be generated for packets dropped due to a missing outside NAT exemption rule, but it is not. When outside NAT is configured along with nat-control enabled, all traffic not included in the outside NAT configuration must be included in an outside NAT exemption rule. If not, it is the expected behavior that these packets are dropped.
Workaround: None.
•CSCsk98142
The FWSM might unexpectedly stop passing traffic and reload. The output of the show crash command shows a traceback in thread "doorbell_poll". The NP Hard Debu in the NP Hard Assert Info (included in the show crash output shows a crash in processor NP1 or NP2 at PC 0x59c2.
Workaround: None.
The caveats in Table 5 were resolved in Release 3.1(11), and were not previously documented. If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/bugtools
Table 5 Caveats Resolved in Release 3.1(11)
Caveat ID
|
Title
|
CSCso22765
|
Configuring overlap nat causes FWSM throws an error and discards config
|
CSCso35706
|
sysopt np completion-unit status not correct in Multicontext mode
|
CSCso63107
|
"Unable to add, fixup config limit reached" when class-map has match ACL
|
CSCso65731
|
"write mem" from HTTPS adds no monitor-interface CLIs to startup config
|
CSCso65918
|
DNS guard does not close DNS connections in cascaded context
|
CSCso69586
|
FWSM failover pair with vlan mismatch may go active/active
|
CSCso75761
|
portmap_index: unable to locate fixup appears when ACL is modified
|
CSCso95053
|
FWSM may report syslogs with very high port numbers
|
CSCsq09303
|
FWSM 3.1: allocate-acl-partition command makes inactive ACE active
|
CSCsq09883
|
AAA shell command set fails for some commands
|
CSCsq19327
|
FWSM drops ftp "Response: 125" after transfering 900+ files
|
CSCsq27152
|
ASDM location commands do not appear in show run all output
|
CSCsq34834
|
traceback in thread snmp during configuration replication
|
CSCsq43713
|
WIth FWSM code 3.2(5) one of the FWSM goes in failed state (DDTS is still in A state)
|
CSCsq55738
|
Addresses used in Static NAT are no longer advertised in OSPF
|
CSCsr14332
|
FWSM may calculate ACL line numbers incorrectly in manual commit mode
|
Resolved Caveats in Software Release 3.1(10)
•CSCsi27512
The FTP client/server does not close a connection in some cases when the server uses a multiline 221 closure sequence:
221-You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 2551 bytes in 1 transfers.
221-Thank you for using the FTP service on orbi.
instead of the classic sequence:
Workaround: Disable FTP inspection or disable the 221 multiline closure sequence.
•CSCsk73347
The FWSM logs syslog message #305006 ("<...> translation creation failed") even when sufficient NAT and/or PAT resources are available. This message occurs when the FWSM has a high NAT or PAT xlate reuse rate.
Workaround: Increase the NAT and/or PAT pool or reload the FWSM to temporary clear the condition.
•CSCsk80400
If you use an access list for static policy NAT and then insert an ACE in the access list; and the access list includes another ACE lower down (at a higher number) that can match the same traffic as the new ACE; then traffic that should match the new ACE because it is hit first instead matches the older ACE at the higher line number.
Workaround: Finalize the access list configuration before attaching it to the static policy NAT command.
•CSCsl04546
The FWSM might crash in Thread Name: websns_rcv_udp when Websense filtering is configured.
Workaround: None.
•CSCsl05878
The FWSM might crash when RIP is running. The crash shows: Thread Name: route_process (Old pc 0x00bbf8b6 ebp 0x0a5fe764)
Workaround: None.
•CSCsm41796
After failover, the inspect ftp feature does not work; the data channel is not opened on the first FTP connection attempt. However, the connection does go through on the second try.
Workaround: Retry your FTP attempt, and the connection succeeds.
•CSCsm69810
When configuring outside policy NAT in conjunction with outside NAT exemption, the policy NAT is never applied as configured. Even though the flow is excluded from the NAT exemption by configuring a deny ACE, a dynamic identity xlate is built for the outside source. All traffic is NAT exempted.
For example:
global (inside) 5 10.10.10.50-10.10.10.60
nat (outside) 0 access-list nonat outside
nat (outside) 5 access-list nat outside
access-list nonat extended deny ip host 192.168.49.57 host 172.16.10.1
access-list nonat extended permit ip any any
access-list nat extended permit ip host 192.168.49.57 host 172.16.10.1
192.168.49.57 should be translated to the global pool, but it is not.
Workaround: The outside NAT exemption is only required when the nat-control command is enabled. If you disable NAT control (no nat-control) then you can remove the outside NAT exemption command.
The caveats in Table 6 were resolved in Release 3.1(10), and were not previously documented. If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/bugtools
Table 6 Caveats Resolved in Release 3.1(10)
Caveat ID
|
Title
|
CSCsm68082
|
Error: Bad Octal (digit > 7) may appear with MGCP inspect
|
CSCsm84230
|
Policy Nat stops working when ACE duplicated through obj-grp and deleted
|
CSCsm35626
|
FWSM 3.2.2 - conns per sec usage under asdm not accurate
|
CSCsm50370
|
ip address command breaks routing with duplicate statics
|
CSCsm58073
|
When saving a config to disk:/, the time is one day ahead
|
CSCsm87914
|
FWSM 3.2 crash in Thread Name: Logger
|
CSCsm42519
|
FWSM crashes in Thread Name: radius_snd
|
CSCso03094
|
Traceback in 'perfmon' thread
|
CSCso06060
|
Failover packet from FWSM has incorrect DSCP value
|
CSCso00289
|
Unable to Disable TCP Sequence Number Randomization
|
CSCso11666
|
No pim command will not replicate on standby unit
|
CSCso14069
|
FWSM is not processing "stop on error" correctly
|
CSCso17150
|
FWSM 'failover interface-policy' impact on transparent A/A configuration
|
CSCso33286
|
long AAA ACLs requires >1h compilation time.
|
CSCsm86434
|
FWSM user auth dialogue box not re-presented for longer period in 3.1.8
|
CSCso42729
|
Sunrpc sessions are not deleted from np 3 established list
|
CSCsl05878
|
FWSM reload with panic: route_process
|
CSCso71324
|
URL Filtering Traceback with Thread Name HTTP
|
CSCsm53140
|
Inconsistancy in sysopt tcp window-scale configuration
|
Resolved Caveats in Software Release 3.1(9)
•CSCse18085
If an existing BVI interface is remove and then re-added, the interface status shown by the show interface bvi command is seen as "administratively down" with a protocol status of "up" instead of the actual "up" and "up" status. The show interface ip brief command shows the status as "administratively down" with a protocol status of "down" instead of the actual "up" and "up" status.
The functionality of the interface is not affected.
Workaround: Use a bridge group number other than one which was removed. The interface status shows correctly after you reload the FWSM.
•CSCsh62757
The wrong TLV parameters are received by the FP when a TLV update has a wrong field (the function ID is out of the range). This situation causes the FP to assert and generate a crash (door_bell pool).
Workaround: None.
•CSCsj04022
When the last batch of commands committed includes inspection rules, and the new rules caused memory exhaustion, then the new rules are not automatically removed from the configuration even though they exceed the rule limit causing other rules not to load correctly.
Workaround: Remove the last batch of inspection rules from the current configuration.
•CSCsl00215
When both the client and the server agreed with the use of the TCP window scale option, then the FWSM:
a. Does override the MSS of the client (in the first SYN).
b. But does not override the MSS of the server (in the SYN,ACK).
Workaround: Disable TCP Window Scaling on either the server or on the client.
•CSCsl16482
HTTP authentication with the ssl trust-point command is not working after you reload the FWSM. The CA certificate imported is not used after the reload. The following syslog message displays:
%FWSM-3-717023: SSL failed to set device certificate for trustpoint <trustpoint>.
Reason: No device certificate found.
Workaround: Perform the following steps:
a. Enter the no crypto ca trustpoint trustpoint command.
b. Reimport the CA certificate.
c. Enter the ssl trust-point trustpoint command.
•CSCsl29965
The failover interfaces are not reported through SNMP. Snmpwalk shows all interfaces, except the failover ones.
Workaround: None.
•CSCsl33529
Packets might be passed by the standby FWSM in a failover pair during the short period of time that the FWSM is syncing just after booting.
Workaround: None.
•CSCsl47376
NAT exemption is not used for communication between same-security-level interfaces when you have other NAT types configured that match the traffic; NAT exemption is supposed to take priority over other NAT types.
Workaround: Define a policy NAT statement to exclude hosts you wish to exempt.
•CSCsl67421
If you enable SNMP traps when upgrading from 2.3(4) to 3.1(8), then the FWSM might experience a software-forced reload.
Workaround: None.
•CSCsl68230
URL-filtering-denied traffic is unsuccessfully closed; you can see the dropped traffic using the show asp drop command.
Workaround: Disable the TCP normalizer by entering the no control-point tcp-normalizer command.
The caveats in Table 7 were resolved in Release 3.1(9), and were not previously documented. If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/bugtools
Table 7 Caveats Resolved in Release 3.1(9)
Caveat ID
|
Title
|
CSCsd09483
|
SRFW: Disabling PIM on one interface cause the whole IGMP not working
|
CSCsj81538
|
FWSM running 3.2(1) has ASR feature broken with transparent mode
|
CSCsk81211
|
DHCPrelay binding limit of 100 to be configurable for scalability
|
CSCsl11774
|
'sysopt connection timewait' has no effect on FWSM and should be removed
|
CSCsl24414
|
FWSM:BPDU keep passing through when intf shutdown in transparent context
|
CSCsl34625
|
FWSM crash in assert with c_bridge_group:bridge_group_action
|
CSCsl50309
|
FWSM crashes due to sunrpc inspection.
|
CSCsl52399
|
FTP inspection inserting incorrect PAT address
|
CSCsl57262
|
DHCP discover is dropped by FWSM
|
CSCsl57838
|
Config replication under heavy fast-path load causes NP hang
|
CSCsl60126
|
Converting rpc and rpc_udp fixups to MPF triggers redundant sunrpc
|
CSCsl65187
|
FWSM: crash in telnet/ci capture:destroy_capture
|
CSCsl70414
|
'write standby' on FWSM reintroduces default policy map on standby
|
CSCsl76792
|
Parser Cleanup - passwords should be adjacent to each other
|
CSCsl89773
|
Cos/DSCP of Failover packet is 0, not 5
|
CSCsl97424
|
FWSM displays inconsistent value for 'Configuration last modified'
|
CSCsm01604
|
Ping command with no destination ip specified causes crash
|
CSCsm11988
|
Unable to clear uauth entry by username if username includes backslash
|
CSCsm27076
|
SMTP Fixup dropping 64-byte DATA packet that has 4 zeroes of padding
|
Resolved Caveats in Software Release 3.1(8)
•CSCsc88494
When the configured connection limit (set connection conn-max) is exceeded, the port number shown in system message 201011 is shown in network-byte-order, not host-byte-order. For example, the following system message has the port number as shown:
%FWSM-3-201011: Connection limit exceeded 50/50 for inbound packet from x.x.x.x/260 to
y.y.y.y/17664 on interface outside
The real port numbers in this example are 1025 and 69.
Workaround: Convert the port numbers using the following calculation:
a. Convert the system message port number to hexadecimal. For example:
260 is 0x0104 in hexadecimal.
17664 is 0x4500 in hexadecimal.
b. Exchange the hexadecimal byte pairs. For example:
0x0104 exchanged is 0x0401.
0x4500 exchanged is 0x0045.
c. Convert the exchanged hexadecimal number to decimal to get the true port number. For example:
0x0401 is 1025 in decimal.
0x0045 is 69 in decimal.
•CSCsg49036
The show memory detail command indicates 399% or 400% for the used memory in the admin context:
hostname# changeto context admin
hostname/admin# show mem detail
Used memory: 4294561916 bytes (400%)
------------- ----------------
Total memory: 1073741824 bytes (100%)
Most used memory: - 36676 bytes (400%)
Workaround: None.
•CSCsh99789
If you configure URL filtering for HTTPS, then HTTPS sessions are subject to URL filtering in both the outbound direction (high security to low security interface), which is expected, and the inbound direction (low security to high security interface), which is not expected. For HTTP and FTP, only outbound connections are filtered.
Workaround: None.
•CSCsi05221
When traffic hits an ACE while swapping the ACE order, the access list logging stops. For example, after swapping the ACEs of the below access list:
access-list vbug extended permit ip host 10.1.1.2 host 10.0.0.100 log interval 10
access-list vbug extended deny ip host 10.1.1.5 host 10.0.0.100 log interval 10
To:
access-list vbug extended deny ip host 10.1.1.5 host 10.0.0.100 log interval 10
access-list vbug extended permit ip host 10.1.1.2 host 10.0.0.100 log interval 10
Logs for the permit ACE stop showing up on the console.
Workaround: Stop the traffic, remove the access list, reconfigure it, and reapply.
•CSCsi07224
When traffic matches an ACE, a system log message is generated in the syslog even though logging has been disabled for this ACE. For example:
hostname(config)# access-list outside_in line 16 extended deny tcp host
192.168.120.103 host 172.16.1.28 eq https log disable
Mar 09 2007 18:35:07 VFW1 : %FWSM-1-106100: access-list outside_in denied tcp
outside/192.168.120.103(32365) -> DMZ2/172.16.1.28(443) hit-cnt 1 (first hit)
[0x1a9ac098, 0x24cf570]
Workaround: None.
•CSCsi18503
Free memory on an FWSM slowly decreases over time until no free memory is available, leading to an outage. H323 RAS inspection must be enabled and non-H323 traffic on UDP/1718 and UDP/1719 must be present. This traffic will be dropped by the inspection since it is not H323 RAS traffic.
Workaround: Disable H323 RAS inspection. If this breaks H323 functionality, continuously monitor memory consumption on the FWSM and reload the FWSM when a critical level is reached.
You can verify the drops by looking at the output of the show service-policy command.
•CSCsi60064
When the ICMP inspection is not enabled, if the FWSM could not route the packet from a low security source host to a high security destination host, it sends an ICMP network unreachable error back to the source host with the real IP address of the destination tried, instead of the mapped address. Also, a traceroute from a low security interface to a high security interface returns the real IP address of the destination to the source host.
Workaround: Configure ICMP inspection by entering the following commands:
•CSCsk15655
You cannot delete counters of all access lists by using the clear access-list counters command.
Workaround: You can only delete counters of access lists individually using the clear access-list id counters command.
•CSCsk19447
When using the config net command on the FWSM to copy a configuration from a TFTP server to the running configuration, requests with long file names (more than 56 characters) fail or produce unexpected results.
For example:
config net 192.168.1.100:configurations/filename
where filename is longer than 56 characters.
Workaround: Use shorter configuration filenames.
•CSCsk21233
If you reload the FWSM and you are prompted to save the configuration, then choosing the Save All option only saves the system configuration and not the security context configurations.
Workaround: Enter the write memory all command in the system execution space before you reload.
•CSCsk23179
If you have the maximum of 5 hsi-group commands in an h225-map, and you remove one or more groups, then you cannot add a new hsi-group command or edit an existing one.
Workaround: You must remove the whole h225-map and create a new one.
•CSCsk25334
Changing an interface name causes a memory leak on active and standby FWSMs.
Workaround: None.
•CSCsk31912
In manual commit mode, inactive access lists remain active after they are committed.
Workaround: Use auto-commit mode.
•CSCsk40614
A lot of packets are exchanged between the FWSM and a host in a matter of milliseconds if out-of-order packets arrive on the FWSM in some situations. This situation occurs when the TCP sequence number of a flow changes on either side of the FWSM due to a change in the data payload when NAT is configured.
Workaround: Do not configure NAT.
