Table Of Contents
Upgrading or Downgrading the Software
New Features in Release 4.0(3)
New Features in Release 4.0(2)
New Features in Release 4.0(1)
Open Caveats in Software Release 4.0
Resolved Caveats in Software Release 4.0(3)
Resolved Caveats in Software Release 4.0(2)
Resolved Caveats in Software Release 4.0(1)
Obtaining Documentation and Submitting a Service Request
Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 4.0(x)
October 2008
This document contains release information for the following FWSM Releases:
•
4.0(3)
•
4.0(2)
•
4.0(1)
This document includes the following sections:
•
Upgrading or Downgrading the Software
•
Open Caveats in Software Release 4.0
•
Resolved Caveats in Software Release 4.0(3)
•
Resolved Caveats in Software Release 4.0(2)
•
Resolved Caveats in Software Release 4.0(1)
•
Obtaining Documentation and Submitting a Service Request
Important Notes
•
For traffic that passes through the control-plane path, such as packets that require Layer 7 inspection or management traffic, the FWSM sets the maximum number of out-of-order packets that can be queued for a TCP connection to 2 packets, which is not user-configurable. Other TCP normalization features that are supported on the PIX and ASA platforms are not enabled for FWSM.
•
You can disable the limited TCP normalization support for FWSM using the no control-point tcp-normalizer command.
•
When you log in to the system execution space from the switch in multiple context mode, a feature introduced in FWSM Release 3.2 lets you use authentication using a AAA server or local database. Previously, the only method of authentication available was to use the login password defined in the system configuration. The new authentication method is enabled by the aaa authentication telnet console command in the admin context. If you upgrade to Release 3.2 or above, and have this command already in the admin context configuration, then authentication for the system execution space is enabled using the specified server or local database, even if you did not intend to enable it. To use the login password instead, you must remove the aaa authentication telnet console command in the admin context.
•
Do not configure both the timeout uauth 0 command and the aaa authentication clear-conn command; if you do so, you cannot open any connections through the FWSM because the connection immediately closes when AAA succeeds. This happens every time you try to open a connection (because the FWSM is not caching uauth entries).
•
In 3.x, when you used the set connection command for an access list (match access-list), then connection settings were applied to each individual ACE; in 4.0, connection settings are applied to the access list as a whole.
Upgrading or Downgrading the Software
To upgrade from 2.x or 3.x to 4.0, see the "Managing Software, Licenses, and Configurations" chapter in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI. Be sure to save a copy of your 2.x or 3.x configuration if you later want to downgrade.
After you reload the FWSM with the 4.0 image, the configuration is converted (for example, the http-map commands are converted to policy-map type inspect http commands). This converted configuration is not saved to memory until you enter the write memory command (or the write memory all command from the system execution space in multiple context mode).
If you try to downgrade using a converted configuration, many commands will be rejected. Moreover, if you add access lists to the 4.0 configuration to take advantage of larger access list memory space, then downgrading could result in an inability to load all the new access lists.
If you want to downgrade, be sure to copy a saved 2.x or 3.x configuration to the starting configuration before you reload with the 2.x or 3.x image.
Chassis System Requirements
You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the "switch." The switch includes a switch (the supervisor engine) as well as a router (the MSFC 2).
The switch supports Cisco IOS software on both the switch supervisor engine and the integrated MSFC router.
Note
The Catalyst operating system software is not supported.
The FWSM does not support a direct connection to a switch WAN port because WAN ports do not use static VLANs. However, the WAN port can connect to the MSFC, which can connect to the FWSM.The FWSM runs its own operating system.
Table 1 shows the supervisor engine version and software.
Table 1 Support for FWSM 4.0
FWSM Features: Supervisor Engines1 Trusted Flow Acceleration PISA Integration Route Health Injection Virtual Switching System Cisco IOS Software Release12.2(18)SXF and higher
720, 32
No
No
No
No
12.2(18)SXF2 and higher
2, 720, 32
No
No
No
No
12.2(33)SXI (Not yet released)
720-10GE
No
No
No
Yes
12.2(33)SXI (Not yet released)
720
Yes
No
Yes
No
12.2(33)SXI (Not yet released)
32
Yes
No
Yes
No
12.2(18)ZYA (Not yet released)
32-PISA
No
Yes
No
No
Cisco IOS Software Modularity Release12.2(18)SXF4
720, 32
No
No
No
No
1 The FWSM does not support the supervisor 1 or 1A.
Management Support
The FWSM supports the following management methods:
•
Cisco ASDM—Software Release 6.1F supports FWSM software Release 4.0 features. ASDM is a browser-based configuration tool that resides on the FWSM. The system administrator can configure multiple security contexts. If desired, individual context administrators can configure only their contexts.
•
Command-line interface (CLI)—Access the CLI by sessioning from the switch or by connecting to the FWSM over the network using Telnet or SSH. The FWSM does not have its own external console port.
New Features
This section lists new features for each maintenance release, and includes the following topics:
•
New Features in Release 4.0(3)
•
New Features in Release 4.0(2)
•
New Features in Release 4.0(1)
New Features in Release 4.0(3)
The SCCP (Skinny) inspection has been enhanced to do the following:
•
Support registrations of SCCP version 17 phones.
•
Support SCCP version 17 media related messages for opening up pinholes for video/audio streams.
The following is not supported:
•
Registrations of endpoints that have IPv6 addresses. The Register messages are dropped and a debug message is generated.
•
If IPv6 messages are embedded in the SCCP messages, they are not NATed or PATed; they are left untranslated.
New Features in Release 4.0(2)
There were no new features in Release 4.0(2).
New Features in Release 4.0(1)
Table 2 lists the new features for Release 4.0(1).
Software License Information
The FWSM supports the following licensed features:
•
Multiple security contexts. The FWSM supports two virtual contexts plus one admin context for a total of three security contexts without a license. For more than three contexts, obtain one of the following licenses:
–
20
–
50
–
100
–
250
•
Trusted Flow Acceleration support.
•
BGP stub support.
•
GTP/GPRS support.
Limitations and Restrictions
Note
These limitations and restrictions also exist in FWSM 3.x.
See the following limitations and restrictions on the FWSM:
•
The following features are not supported when you use TCP state bypass:
–
Application inspection—Application inspection requires both inbound and outbound traffic to go through the same FWSM, so application inspection is not supported with TCP state bypass.
–
AAA authenticated sessions—When a user authenticates with one FWSM, traffic returning via the other FWSM will be denied because the user did not authenticate with that FWSM.
•
Multiple context mode does not support most dynamic routing protocols. BGP stub mode is supported. Security contexts support only static routes or BGP stub mode. You cannot enable OSPF or RIP in multiple context mode.
•
Transparent firewall mode supports a maximum of eight interface pairs per context.
•
For transparent firewall mode, you must configure a management IP address per interface pair.
•
The outbound connections (from a higher security interface to a lower security interface) from an interface that is shared between the contexts can only be classified and directed through the correct context if you configure a static translation for the destination IP address. This limitation makes cascading contexts unsupported, because configuring the static translations for all the outside hosts is not feasible.
•
The CPU-intensive commands, such as copy running-config startup-config (the same as the write memory command), might affect system performance, including reducing the successful rate of inspection and AAA connections. When a CPU-intensive action completes, the FWSM might produce a burst of traffic to catch up. If you limit the resource rates for a context, the burst might unexpectedly reach the maximum rate. We recommend using these commands during low traffic periods. Other CPU-intensive actions include the show arp command, polling the FWSM with SNMP, loading a large configuration, and compiling a large access list.
•
Do not configure both the timeout uauth 0 command and the aaa authentication clear-conn command; if you do so, you cannot open any connections through the FWSM because the connection immediately closes when AAA succeeds. This happens every time you try to open a connection (because the FWSM is not caching uauth entries).
•
During URL filtering at high rates, the HTTP connection to the server through the FWSM might not complete correctly in some scenarios with the TCP normalizer enabled and URL filtering enabled. To solve this issue, enter the url-block block 16 command in multiple mode or the url-block block 128 command in single mode. (CSCsj00658)
•
SIP application inspection does not match regular expressions specified in the message-path against a second or larger instance of the VIA SIP Header. Check whether your purpose is accomplished by matching the regular expression specified in the message-path against the first VIA: SIP Header. (CSCso69892)
•
SIP calls with a SIP URI length greater than 256 characters are dropped by the FWSM. Make the SIP User Agent make SIP calls with a SIP URI length less than 256 characters. (CSCsm37291)
•
If the FWSM uses EIGRP, and receives multiple equal-cost routes to the same destination, it installs all of them in the EIGRP topology table. But the FWSM fails to install all the equal-cost routes into the routing table. (CSCso98423)
Open Caveats in Software Release 4.0
This section contains open caveats in the latest maintenance release.
If you are running an older release, and you need to determine the open caveats for your release, then add the caveats in this section to the resolved caveats from later releases. For example, if you are running Release 4.0(1), then you need to add the caveats in this section to the resolved caveats from 4.0(2) and later to determine the complete list of open caveats.
•
CSCsm66165
When an FWSM is participating in a PIM multicast network, and the FWSM has been configured to only register certain groups with the PIM RP via an access list, registration for groups might fail even through registration should be allowed. For example, the pim rp-address command is used in conjunction with an access list like below:
access-list pim1 standard permit 209.165.200.224 255.255.255.224access-list pim1 standard permit 209.165.201.0 255.255.255.224access-list pim1 standard deny 209.165.202.128 255.255.255.224pim rp-address 192.168.33.43 pim1This configuration should only allow the groups associated with the 209.165.200.224/27 and 209.165.201.0/27 networks to register with the RP. However, the FWSM might fail to register these groups with the RP.
Workaround: Remove the acl argument from the pim rp-address command. This will allow the FWSM to register all groups with the RP.
•
CSCso32645
The FWSM does not send EIGRP summarized routes under some conditions immediately after a reload even though auto-summary is enabled. This occurs when EIGRP network statements exist for 40 or more interfaces.
Workaround: After the reload, wait for some amount of time (depending on the number of network statements configured) and issue the clear eigrp neighbors command.
•
CSCsr57543
When an access list has more than one access list remark command, and other ACEs form an optimization scenario, one or more remark statements are removed from the optimized output.
Workaround: None.
•
CSCsu01658
If you configure an access list allowing TFTP and attach it to a capture command configured on an interface, then tor a TFTP file transfer, the capture output shows that the transfer is happening to an incorrect port on the client. Also, the size of the transferred file is not shown properly.
Workaround: None.
•
CSCsu69518
Even though SCCP inspection drops the registration message for phones containing IPv6 addresses (dual mode), the FWSM creates an entry for the SCCP phone as seen in the show skinny command output. This entry is not cleared until the FWSM is reloaded. After the registration message is dropped, if the phones keep retrying for registration, then a large number of entries are created for these phones that do not get cleared. Eventually when a large number of false entries are created, the FWSM will be unable to add further entries for phones that try to register later.
Workaround: None.
•
CSCsv00658
Access list optimization might create an access list that is inaccurate compared to the original access list. This may cause packets to be denied when they should be permitted by the access list.
Workaround: Disable access list optimization with the no access-list optimization enable command.
Resolved Caveats in Software Release 4.0(3)
•
CSCso25009
Performing a capture on the FWSM egress interface might show corrupted packets. This effect does not impact real traffic going through the FWSM.
Workaround: None.
•
CSCsq17924
After the supervisor has an SSO switchover (where the secondary supervisor now becomes primary), if you reload the FWSM, then the FWSM will hang.
Workaround: To reset the FWSM, enter the hw-module module module_number reset command at the switch CLI, or power cycle the FWSM in configuration mode by entering the no power enable module module_number command, then the power enable module module_number command.
•
CSCsr56179
If you use a time range in an access list and use manual commit of access lists, access list optimization may not take place correctly even when the access list is active.
Workaround: Use auto-commit mode for access lists.
•
CSCsr57503
When the access list is configured with the interface keyword, and the access list commit mode is manual, then if you change the interface IP address, the access list optimization will not happen correctly.
Workaround: Use auto-commit mode for access lists.
The caveats listed in Table 3 were resolved in software Release 4.0(2), and were not previously documented. If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/bugtools
Resolved Caveats in Software Release 4.0(2)
•
CSCsm69869
When an outside NAT rule is configured on the FWSM and NAT control is enabled, inbound traffic not matching that rule is being silently dropped.
Workaround: There are two options for getting around this. If possible, disable NAT control by entering the no nat-control command. If there are a limited number of networks on the outside coming in, a static outside NAT rule can be configured for those specific networks. For example:
static (outside,inside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0•
CSCso22765
FWSM gives an error and discards the configuration when overlapping static commands are configured. For example:
static (inside,outside) tcp 192.168.1.100 www 192.168.2.100 www netmask 255.255.255.255static (dmz,outside) 192.168.1.100 192.168.3.100 netmask 255.255.255.255Workaround: None.
•
CSCso38838
In rare circumstances, traffic matching a static policy NAT statement may fail with a "no translation group found" syslog message even though it matches the policy access list.
Workaround: Try redefining the policy access list with a different access list name and applying that to the static command.
•
CSCso46878
An extra xlate (between the wrong interfaces) gets created when using static policy NAT and the no nat-control command. This seems to occur when the policy NAT access list overlaps with a network on another interface.
Workaround: If applicable, use static NAT without an access list, and filter with an access-group command.
•
CSCso92458
In multiple context mode, if you change the system configuration and a context configuration, and reload without first saving, then you are prompted to save the configurations; the configurations get saved even after typing N at the confirm prompt.
Workaround: None
•
CSCsq12999
When you configure TCP state bypass and match an access list in the class map that uses the time-range option, then a Telnet connection does not have TCP state bypass applied when the access list becomes active from an inactive state.
Workaround: In the class map, remove the match access-list command and add match any.
•
CSCsq19931
A crash could occur if the following conditions are met:
–
Access list group optimization is enabled
–
An ACE is removed from the beginning of an access list, and a remark is added at the beginning of an access list both at the same time.
Workaround: Delete the ACE first and wait for optimization to complete then add the remark.
•
CSCsq24440
In an Active/Active failover configuration, you cannot disable access list optimization in a context that is active on the secondary FWSM; the CLI prompt to disable optimization appears on the primary FWSM, and not the secondary.
Workaround: On the primary unit, do the following:
a.
Set group 2 to be active on the primary FWSM by entering the failover active group 2 command.
b.
Disable optimization by entering the no access-list optimization enable command.
c.
Set group 2 to be active on the secondary FWSM again by entering the no failover active group 2 command.
The caveats listed in Table 4 were resolved in software Release 4.0(2), and were not previously documented. If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/bugtools
Table 4 Resolved Caveats in Release 4.0(2)
Caveat ID DescriptionCSCsq71071
FWSM crash in Thread Name: doorbell_poll 0x5d05 NP2 thread
Resolved Caveats in Software Release 4.0(1)
•
CSCsm42519
Under rare circumstances when you configure AAA for network access using a RADIUS server, the FWSM might crash due to processing of authentication requests through the FWSM.
Workaround: None.
The caveats listed in Table 5 were resolved in software Release 4.0(1), and were not previously documented. If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/bugtools
Related Documentation
See the following sections for related documentation:
Hardware Documents
See the following related hardware documentation:
•
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Installation and Verification Note
•
Catalyst 6500 Series Switch Installation Guide
•
Catalyst 6500 Series Switch Module Installation Guide
Software Documents
See the following related software documentation:
•
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
•
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference
•
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages
•
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
•
Release Notes for Cisco ASDM
•
Open Source Software Licenses for FWSM
•
Catalyst 6500 Series Cisco IOS Software Configuration Guide
•
Catalyst 6500 Series Cisco IOS Command Reference
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0809R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
©2008 Cisco Systems, Inc. All rights reserved.

