Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, 4.0(x)

October 2008

This document contains release information for the following FWSM Releases:

4.0(3)

4.0(2)

4.0(1)

This document includes the following sections:

Important Notes

Upgrading or Downgrading the Software

Chassis System Requirements

Management Support

New Features

Software License Information

Limitations and Restrictions

Open Caveats in Software Release 4.0

Resolved Caveats in Software Release 4.0(3)

Resolved Caveats in Software Release 4.0(2)

Resolved Caveats in Software Release 4.0(1)

Related Documentation

Obtaining Documentation and Submitting a Service Request

Important Notes

For traffic that passes through the control-plane path, such as packets that require Layer 7 inspection or management traffic, the FWSM sets the maximum number of out-of-order packets that can be queued for a TCP connection to 2 packets, which is not user-configurable. Other TCP normalization features that are supported on the PIX and ASA platforms are not enabled for FWSM.

You can disable the limited TCP normalization support for FWSM using the no control-point tcp-normalizer command.

When you log in to the system execution space from the switch in multiple context mode, a feature introduced in FWSM Release 3.2 lets you use authentication using a AAA server or local database. Previously, the only method of authentication available was to use the login password defined in the system configuration. The new authentication method is enabled by the aaa authentication telnet console command in the admin context. If you upgrade to Release 3.2 or above, and have this command already in the admin context configuration, then authentication for the system execution space is enabled using the specified server or local database, even if you did not intend to enable it. To use the login password instead, you must remove the aaa authentication telnet console command in the admin context.

Do not configure both the timeout uauth 0 command and the aaa authentication clear-conn command; if you do so, you cannot open any connections through the FWSM because the connection immediately closes when AAA succeeds. This happens every time you try to open a connection (because the FWSM is not caching uauth entries).

In 3.x, when you used the set connection command for an access list (match access-list), then connection settings were applied to each individual ACE; in 4.0, connection settings are applied to the access list as a whole.
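The conditions in these notes can be checked against saved context configurations before an upgrade. The following Python audit is an added example, not Cisco code; the finding names, the constructed sample configurations, and the assumption that a zero uauth timer may be written as either 0 or 0:00:00 are this example's own.

```python
import re

# Finding codes are names chosen for this example, not Cisco identifiers.
SYSTEM_AAA = "system-space-aaa-enabled"       # aaa authentication telnet console in admin context
UAUTH_CLEAR_CONN = "uauth-0-with-clear-conn"  # timeout uauth 0 plus aaa authentication clear-conn
SET_CONN_ACL = "set-connection-whole-acl"     # set connection on a match access-list class

# Constructed sample configurations (not taken from a real device).
SAMPLE_ADMIN = """\
hostname admin
aaa authentication telnet console LOCAL
timeout xlate 3:00:00
timeout uauth 0:00:00 absolute
"""

SAMPLE_CONTEXT = """\
hostname ctx-a
access-list web_acl extended permit tcp any host 192.0.2.10 eq www
aaa authentication clear-conn
timeout uauth 0
!
class-map web_conns
 match access-list web_acl
class-map all_traffic
 match any
policy-map outside_policy
 class web_conns
  set connection conn-max 500
 class all_traffic
  set connection conn-max 2000
"""


def _is_zero_duration(value):
    """True for '0', '0:00:00' and similar all-zero timer values."""
    return all(p.isdigit() and int(p) == 0 for p in value.split(":"))


def audit_context(config_text, is_admin=False):
    """Return a sorted list of (code, detail) findings for one context."""
    findings = set()
    uauth_zero = clear_conn = False
    acl_class_maps = {}   # class-map name -> access list it matches
    current_cmap = None   # class-map block currently being read
    current_class = None  # class inside the policy-map currently being read

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        top_level = not raw[0].isspace()
        if top_level:
            current_cmap = current_class = None

        if line.startswith("aaa authentication telnet console") and is_admin:
            # After an upgrade to 3.2 or later this also governs logins to
            # the system execution space.
            findings.add((SYSTEM_AAA, line))
        elif line.startswith("aaa authentication clear-conn"):
            clear_conn = True  # arguments, if any, are ignored
        elif line.startswith("timeout "):
            m = re.search(r"\buauth\s+(\S+)", line)
            if m and _is_zero_duration(m.group(1)):
                uauth_zero = True
        elif top_level and line.startswith("class-map "):
            current_cmap = line.split()[-1]
        elif current_cmap and line.startswith("match access-list "):
            acl_class_maps[current_cmap] = line.split()[-1]
        elif not top_level and line.startswith("class "):
            current_class = line.split()[-1]
        elif line.startswith("set connection") and current_class in acl_class_maps:
            # In 4.0 the limit applies to the access list as a whole, not per ACE.
            findings.add((SET_CONN_ACL,
                          f"{current_class} -> {acl_class_maps[current_class]}"))

    if uauth_zero and clear_conn:
        findings.add((UAUTH_CLEAR_CONN,
                      "connections close as soon as AAA succeeds"))
    return sorted(findings)


if __name__ == "__main__":
    for name, text, admin in (("admin", SAMPLE_ADMIN, True),
                              ("ctx-a", SAMPLE_CONTEXT, False)):
        for code, detail in audit_context(text, is_admin=admin):
            print(f"{name}: {code}: {detail}")
```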

Upgrading or Downgrading the Software

To upgrade from 2.x or 3.x to 4.0, see the "Managing Software, Licenses, and Configurations" chapter in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI. Be sure to save a copy of your 2.x or 3.x configuration if you later want to downgrade.

After you reload the FWSM with the 4.0 image, the configuration is converted (for example, the http-map commands are converted to policy-map type inspect http commands). This converted configuration is not saved to memory until you enter the write memory command (or the write memory all command from the system execution space in multiple context mode).

If you try to downgrade using a converted configuration, many commands will be rejected. Moreover, if you add access lists to the 4.0 configuration to take advantage of larger access list memory space, then downgrading could result in an inability to load all the new access lists.

If you want to downgrade, be sure to copy a saved 2.x or 3.x configuration to the starting configuration before you reload with the 2.x or 3.x image.

Chassis System Requirements

You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the "switch." The switch includes a switch (the supervisor engine) as well as a router (the MSFC 2).

The switch supports Cisco IOS software on both the switch supervisor engine and the integrated MSFC router.


Note: The Catalyst operating system software is not supported.

The FWSM does not support a direct connection to a switch WAN port because WAN ports do not use static VLANs. However, the WAN port can connect to the MSFC, which can connect to the FWSM.


The FWSM runs its own operating system.

Table 1 shows the supervisor engine version and software.

Table 1 Support for FWSM 4.0

                                               FWSM Features:
Release                          Supervisor    Trusted Flow   PISA          Route Health   Virtual Switching
                                 Engines (1)   Acceleration   Integration   Injection      System

Cisco IOS Software Release
12.2(18)SXF and higher           720, 32       No             No            No             No
12.2(18)SXF2 and higher          2, 720, 32    No             No            No             No
12.2(33)SXI (Not yet released)   720-10GE      No             No            No             Yes
12.2(33)SXI (Not yet released)   720           Yes            No            Yes            No
12.2(33)SXI (Not yet released)   32            Yes            No            Yes            No
12.2(18)ZYA (Not yet released)   32-PISA       No             Yes           No             No

Cisco IOS Software Modularity Release
12.2(18)SXF4                     720, 32       No             No            No             No

(1) The FWSM does not support the supervisor 1 or 1A.


Management Support

The FWSM supports the following management methods:

Cisco ASDM—Software Release 6.1F supports FWSM software Release 4.0 features. ASDM is a browser-based configuration tool that resides on the FWSM. The system administrator can configure multiple security contexts. If desired, individual context administrators can configure only their contexts.

Command-line interface (CLI)—Access the CLI by sessioning from the switch or by connecting to the FWSM over the network using Telnet or SSH. The FWSM does not have its own external console port.

New Features

This section lists new features for each maintenance release, and includes the following topics:

New Features in Release 4.0(3)

New Features in Release 4.0(2)

New Features in Release 4.0(1)

New Features in Release 4.0(3)

The SCCP (Skinny) inspection has been enhanced to do the following:

Support registrations of SCCP version 17 phones.

Support SCCP version 17 media related messages for opening up pinholes for video/audio streams.

The following is not supported:

Registrations of endpoints that have IPv6 addresses. The Register messages are dropped and a debug message is generated.

If IPv6 messages are embedded in the SCCP messages, they are not NATed or PATed; they are left untranslated.

New Features in Release 4.0(2)

There were no new features in Release 4.0(2).

New Features in Release 4.0(1)

Table 2 lists the new features for Release 4.0(1).

Table 2 New Features for FWSM Release 4.0(1)

Category: Routing

Feature: EIGRP
Description: The following EIGRP features are supported in this release:
Summarization
Stub-routing
Route filtering
Manual Route summarization
Redistribution

Feature: Route Health Injection
Description: Route Health Injection is used for injecting the connected and static routes and NAT pools configured on the FWSM into the MSFC routing table on a per context basis. MSFC can then redistribute the route or NAT pools to other router routing tables.
Note: This feature depends on Cisco IOS Release 12.2(33)SXI, and will not be supported until the Cisco IOS software is released.

Feature: Static route monitoring
Description: If you configure multiple static routes to reach a network, the route monitoring feature can detect if a network goes down so that the next best route can be used.

Category: DHCP

Feature: DHCP Option 82 support
Description: When the switch is acting as relay agent, to interoperate with HSRP, the FWSM will preserve the Option 82 field set up by the switch.

Category: Modular Policy Framework

Feature: Inspection policy maps and class maps
Description: The following protocols support inspection policy and/or class maps:
DCERPC
ESMTP
HTTP
SIP

Feature: Regular expressions and regular expression class maps
Description: You can create regular expressions and regular expression class maps for use in an inspection policy map or class map.

Category: Filtering

Feature: HTTPS support with Secure Computing SmartFilter
Description: The FWSM now supports HTTPS filtering using Secure Computing SmartFilter.

Feature: Adding the context name to Websense version 4 requests
Description: Because Websense requests initiated from the FWSM use the pre-NATted IP address of clients, which can be overlapping, this can lead to problems in defining policies in the Websense server. Adding the context name to Websense queries lets the Websense server use the context name for policy lookups.

Category: Application Inspection

Feature: DNS Guard configurability
Description: You can now disable DNS Guard at the CLI.

Feature: SIP inspection enhancements
Description: Numerous enhancements were added. You can now use an inspection policy map to configure special actions for inspection traffic; this method replaces the application map.

Feature: HTTP inspection enhancements
Description: Numerous enhancements were added. You can now use an inspection policy map to configure special actions for inspection traffic; this method replaces the application map.

Feature: ESMTP inspection enhancements
Description: Numerous enhancements were added. You can now use an inspection policy map to configure special actions for inspection traffic; this method replaces the application map.

Feature: DCERPC inspection enhancements
Description: Numerous enhancements were added. You can now use an inspection policy map to configure special actions for inspection traffic; this method replaces the application map.

Category: Access Lists

Feature: Customizable memory partition sizes
Description: In multiple context mode, you can change the size of memory partitions for rule use, so you can reallocate memory from one partition to another.

Feature: Rule reallocation per feature per partition
Description: You can reallocate rules between features on a per-partition basis instead of just globally.

Feature: Access list optimization
Description: The access list group optimization feature reduces the number of ACEs per group by merging and/or deleting redundant and conflicting ACEs without affecting the semantics of the access list.

Category: Connections and Switch Integration

Feature: Trusted Flow Acceleration
Description: Trusted Flow Acceleration lets the FWSM take advantage of the processing power of the switch supervisor to greatly increase packet throughput.
Note: This feature depends on Cisco IOS Release 12.2(33)SXI, and will not be supported until the Cisco IOS software is released.

Feature: PISA integration
Description: The FWSM can leverage the high-performance deep packet inspection of the PISA card so that it can permit or deny traffic based on the application type.
Note: This feature depends on Cisco IOS Release 12.2(18)ZYA, and will not be supported until the Cisco IOS software is released.

Feature: Connection rate limiting
Description: You can limit the connection rate for TCP and UDP traffic.

Feature: Virtual Switching System (VSS) support
Description: VSS is a system virtualization technology that allows the pooling of multiple Catalyst 6500 switches into a single virtual switch. If you have the FWSM installed, FWSM traffic benefits from this feature. There is no configuration on the FWSM required.
Note: This feature depends on Cisco IOS Release 12.2(33)SXI, and will not be supported until the Cisco IOS software is released.

Category: Monitoring

Feature: New SNMP MIBs
Description: For ACL entries and ACL hit counters (CISCO-IP-PROTOCOL-FILTER-MIB), and ARP table entries (IP-MIB).


Software License Information

The FWSM supports the following licensed features:

Multiple security contexts. The FWSM supports two virtual contexts plus one admin context for a total of three security contexts without a license. For more than three contexts, obtain one of the following licenses:

20

50

100

250

Trusted Flow Acceleration support.

BGP stub support.

GTP/GPRS support.

Limitations and Restrictions


Note: These limitations and restrictions also exist in FWSM 3.x.


See the following limitations and restrictions on the FWSM:

The following features are not supported when you use TCP state bypass:

Application inspection—Application inspection requires both inbound and outbound traffic to go through the same FWSM, so application inspection is not supported with TCP state bypass.

AAA authenticated sessions—When a user authenticates with one FWSM, traffic returning via the other FWSM will be denied because the user did not authenticate with that FWSM.

Multiple context mode does not support most dynamic routing protocols. BGP stub mode is supported. Security contexts support only static routes or BGP stub mode. You cannot enable OSPF or RIP in multiple context mode.

Transparent firewall mode supports a maximum of eight interface pairs per context.

For transparent firewall mode, you must configure a management IP address per interface pair.

The outbound connections (from a higher security interface to a lower security interface) from an interface that is shared between the contexts can only be classified and directed through the correct context if you configure a static translation for the destination IP address. This limitation makes cascading contexts unsupported, because configuring the static translations for all the outside hosts is not feasible.

CPU-intensive commands, such as copy running-config startup-config (the same as the write memory command), might affect system performance, including reducing the success rate of inspection and AAA connections. When a CPU-intensive action completes, the FWSM might produce a burst of traffic to catch up. If you limit the resource rates for a context, the burst might unexpectedly reach the maximum rate. We recommend using these commands during low traffic periods. Other CPU-intensive actions include the show arp command, polling the FWSM with SNMP, loading a large configuration, and compiling a large access list.

Do not configure both the timeout uauth 0 command and the aaa authentication clear-conn command; if you do so, you cannot open any connections through the FWSM because the connection immediately closes when AAA succeeds. This happens every time you try to open a connection (because the FWSM is not caching uauth entries).

During URL filtering at high rates, the HTTP connection to the server through the FWSM might not complete correctly in some scenarios with the TCP normalizer enabled and URL filtering enabled. To solve this issue, enter the url-block block 16 command in multiple mode or the url-block block 128 command in single mode. (CSCsj00658)

SIP application inspection does not match regular expressions specified in the message-path against a second or later instance of the VIA SIP Header. Check whether your purpose is accomplished by matching the regular expression specified in the message-path against the first VIA: SIP Header. (CSCso69892)

SIP calls with a SIP URI length greater than 256 characters are dropped by the FWSM. Configure the SIP User Agent to make SIP calls with a SIP URI length less than 256 characters. (CSCsm37291)

If the FWSM uses EIGRP, and receives multiple equal-cost routes to the same destination, it installs all of them in the EIGRP topology table. But the FWSM fails to install all the equal-cost routes into the routing table. (CSCso98423)

Open Caveats in Software Release 4.0

This section contains open caveats in the latest maintenance release.

If you are running an older release, and you need to determine the open caveats for your release, then add the caveats in this section to the resolved caveats from later releases. For example, if you are running Release 4.0(1), then you need to add the caveats in this section to the resolved caveats from 4.0(2) and later to determine the complete list of open caveats.

CSCsm66165

When an FWSM is participating in a PIM multicast network, and the FWSM has been configured to only register certain groups with the PIM RP via an access list, registration for groups might fail even though registration should be allowed. For example, the pim rp-address command is used in conjunction with an access list like the following:

access-list pim1 standard permit 209.165.200.224 255.255.255.224
access-list pim1 standard permit 209.165.201.0 255.255.255.224 
access-list pim1 standard deny 209.165.202.128 255.255.255.224 

pim rp-address 192.168.33.43 pim1

This configuration should only allow the groups associated with the 209.165.200.224/27 and 209.165.201.0/27 networks to register with the RP. However, the FWSM might fail to register these groups with the RP.

Workaround: Remove the acl argument from the pim rp-address command. This will allow the FWSM to register all groups with the RP.

CSCso32645

The FWSM does not send EIGRP summarized routes under some conditions immediately after a reload even though auto-summary is enabled. This occurs when EIGRP network statements exist for 40 or more interfaces.

Workaround: After the reload, wait for some amount of time (depending on the number of network statements configured) and issue the clear eigrp neighbors command.

CSCsr57543

When an access list has more than one access list remark command, and other ACEs form an optimization scenario, one or more remark statements are removed from the optimized output.

Workaround: None.

CSCsu01658

If you configure an access list allowing TFTP and attach it to a capture command configured on an interface, then for a TFTP file transfer, the capture output shows that the transfer is happening to an incorrect port on the client. Also, the size of the transferred file is not shown properly.

Workaround: None.

CSCsu69518

Even though SCCP inspection drops the registration message for phones containing IPv6 addresses (dual mode), the FWSM creates an entry for the SCCP phone as seen in the show skinny command output. This entry is not cleared until the FWSM is reloaded. After the registration message is dropped, if the phones keep retrying for registration, then a large number of entries are created for these phones that do not get cleared. Eventually when a large number of false entries are created, the FWSM will be unable to add further entries for phones that try to register later.

Workaround: None.

CSCsv00658

Access list optimization might create an access list that is inaccurate compared to the original access list. This may cause packets to be denied when they should be permitted by the access list.

Workaround: Disable access list optimization with the no access-list optimization enable command.
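One way to confirm that an optimized access list still has the semantics of the original, as an added example (not Cisco code). It assumes both lists have been saved as text, handles only extended ACEs of the form permit|deny ip with any, host, or address/mask operands, and uses constructed sample lists; for that ACE form the comparison is exact, which goes beyond the single case in the caveat.

```python
import ipaddress
from itertools import product

ANY = (0, 2**32 - 1)

# Constructed sample lists (not device output).
ORIGINAL = """\
access-list web extended permit ip 10.1.0.0 255.255.255.0 any
access-list web extended permit ip 10.1.1.0 255.255.255.0 any
access-list web remark legacy block
access-list web extended deny ip 10.1.0.0 255.255.254.0 host 192.0.2.10
access-list web extended permit ip 10.1.0.128 255.255.255.128 any
"""
# Merged and pruned, same semantics.
OPTIMIZED_OK = "access-list web extended permit ip 10.1.0.0 255.255.254.0 any\n"
# Shadowed deny wrongly moved ahead of the merged permit.
OPTIMIZED_BAD = """\
access-list web extended deny ip 10.1.0.0 255.255.254.0 host 192.0.2.10
access-list web extended permit ip 10.1.0.0 255.255.254.0 any
"""


def _take_net(tokens):
    """Consume 'any', 'host A' or 'A MASK'; return ((first, last), rest)."""
    if tokens[:1] == ["any"]:
        return ANY, tokens[1:]
    if len(tokens) < 2:
        raise ValueError("truncated address in ACE")
    if tokens[0] == "host":
        addr = int(ipaddress.IPv4Address(tokens[1]))
        return (addr, addr), tokens[2:]
    net = ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}")
    return (int(net.network_address), int(net.broadcast_address)), tokens[2:]


def parse_acl(text):
    """Return [(action, src_range, dst_range)]; remarks are skipped.

    Any other ACE form raises ValueError so that an unsupported line is
    never silently ignored.
    """
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or (len(tok) > 2 and tok[2] == "remark"):
            continue
        if (len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended"
                or tok[3] not in ("permit", "deny") or tok[4] != "ip"):
            raise ValueError(f"unsupported ACE: {line!r}")
        src, rest = _take_net(tok[5:])
        dst, rest = _take_net(rest)
        if rest:
            raise ValueError(f"unsupported ACE: {line!r}")
        aces.append((tok[3], src, dst))
    return aces


def decide(aces, src, dst):
    """First matching ACE wins; an access list ends with an implicit deny."""
    for action, (s0, s1), (d0, d1) in aces:
        if s0 <= src <= s1 and d0 <= dst <= d1:
            return action
    return "deny"


def _cell_starts(aces, field):
    """Addresses at which some ACE's range begins or has just ended.

    Between two consecutive values no ACE boundary is crossed, so one
    probe per value covers every address in that interval.
    """
    points = {0}
    for ace in aces:
        first, last = ace[field]
        points.add(first)
        if last < ANY[1]:
            points.add(last + 1)
    return sorted(points)


def first_difference(original_text, optimized_text):
    """Return (src, dst, original_action, optimized_action) or None."""
    a, b = parse_acl(original_text), parse_acl(optimized_text)
    both = a + b
    for src, dst in product(_cell_starts(both, 1), _cell_starts(both, 2)):
        da, db = decide(a, src, dst), decide(b, src, dst)
        if da != db:
            return (str(ipaddress.IPv4Address(src)),
                    str(ipaddress.IPv4Address(dst)), da, db)
    return None


if __name__ == "__main__":
    print("ok list :", first_difference(ORIGINAL, OPTIMIZED_OK))
    print("bad list:", first_difference(ORIGINAL, OPTIMIZED_BAD))
```

A non-None result names one source and destination pair that the two lists treat differently, which is the evidence needed before deciding to disable optimization.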

Resolved Caveats in Software Release 4.0(3)

CSCso25009

Performing a capture on the FWSM egress interface might show corrupted packets. This effect does not impact real traffic going through the FWSM.

Workaround: None.

CSCsq17924

After the supervisor has an SSO switchover (where the secondary supervisor now becomes primary), if you reload the FWSM, then the FWSM will hang.

Workaround: To reset the FWSM, enter the hw-module module module_number reset command at the switch CLI, or power cycle the FWSM in configuration mode by entering the no power enable module module_number command, then the power enable module module_number command.

CSCsr56179

If you use a time range in an access list and use manual commit of access lists, access list optimization may not take place correctly even when the access list is active.

Workaround: Use auto-commit mode for access lists.

CSCsr57503

When the access list is configured with the interface keyword, and the access list commit mode is manual, then if you change the interface IP address, the access list optimization will not happen correctly.

Workaround: Use auto-commit mode for access lists.

The caveats listed in Table 3 were resolved in software Release 4.0(2), and were not previously documented. If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://www.cisco.com/support/bugtools

Table 3 Resolved Caveats in Release 4.0(3)

Caveat ID    Description

CSCsf03695   Crash while creating captures for FWSM
CSCsi54863   FWSM: new MPC command to clear TCP Sack-Permitted option in 3WHS - SACK
CSCsk55964   FWSM reports WARNING: Restoring security context mode failed.
CSCso02252   Overlapping networks dont translate DNS address in 3.1.x
CSCso14430   "clear xlate state" not working
CSCso38805   Add SCCP v17 support to FWSM
CSCsq16078   Various Stateful Failover failures in FWSM 3.1.10
CSCsq66164   106101: Number of cached deny-flows for ACL log generated incorrectly
CSCsq71071   FWSM crash in Thread Name: doorbell_poll 0x5d05 NP2 thread
CSCsq79074   TCP MSS Not Adjusted in TCP SYN/ACK Segment
CSCsq87373   In Multicontext Mode Secondary FWSM crashes when committing configuration
CSCsq90172   NP-CP Bridge Block Deficiency with ICMP Activity To or From the Blade
CSCsr01682   OSPF losing neighbors during failover
CSCsr05764   FWSM blocks traffic due to route mismatch in CP and NP, NIC underruns
CSCsr06384   'aaa authen clear-conn' cannot be confgd after 'aaa authen include ip'
CSCsr11309   FWSM/TFW: rewrites MAC address for return traffic to HSRP address
CSCsr11384   url-filtering is not working for same-security traffic
CSCsr11888   Capture Output for Inspected Traffic Shows Corrupted
CSCsr11941   Display of access-list hash different between logs and access-list
CSCsr12059   FWSM NP Hard Debug: NP1 thread 19 hit PC 0x3cf5
CSCsr13642   New capture does not capture ingress packets after deleting old capture
CSCsr14332   FWSM may calculate ACL line numbers incorrectly in manual commit mode
CSCsr19679   Clear url-server stats is not clearing the Requests dropped counter
CSCsr21268   FWSM crashed at time_range.c after enabling failover
CSCsr24448   SIP Connection Dropped Abnormally on FWSM
CSCsr24521   Remark ACE get reordered when obj-grp ACE deleted in manual-mode
CSCsr24913   Outside nat does not use ACE added to policy ACL with line 1
CSCsr27446   Reordering of Remark ACE when grp-obj of obj-grp used by ACL is deleted
CSCsr29780   3.1.10.10: New ACE not getting added to correct line no. in manual mode
CSCsr36640   Failover inconsistency while shutting down and removing vlan's
CSCsr36669   Prevent overlapping names in config-url disk:
CSCsr36738   FWSM crashes in ci/console on deleting 'aaa authenticating include ip'
CSCsr40940   FWSM snmp responses indicate flapping links
CSCsr40970   Strict HTTP inspection - problems with out-of-order packets from server
CSCsr42914   Overlapping address for nat and pat should show proper errors
CSCsr45802   FWSM fails over when compiling ACLs if CPU also busy inspecting traffic
CSCsr46459   Crash in Thread name dhcp_daemon related to DHCP relay
CSCsr47554   AAA Authentication request packet for 'show running-config' corrupted
CSCsr48265   3.2.7.3: http login does not reprompt on empty passwd if virtual telnet
CSCsr50360   Capture not working properly when same capture used for 2 interfaces
CSCsr55698   Capture not removed with 'no capture' when multiple cap. on same intf.
CSCsr60110   3.2.7.4: 'clear-conn' cannot be removed by 'no' statement
CSCsr60593   FWSM: May crash in Thread Name: accept/http
CSCsr62662   FWSM may crash during 'fsck disk:' operations
CSCsr67375   FWSM crashes in accept/http when deploying 'nat (0) 0 20.2.1.1' from CSM
CSCsr69909   snmp-map attached to inspect getting deleted with clear conf
CSCsr71168   Traceback: Crash in Thread Name: Route cache
CSCsr75501   FOVER:Standby MAC addr is improperly registered as Active MAC on Primary
CSCsr83441   Crash in manual mode (ACL optimization enabled) when deleting a rule
CSCsr83767   Clear route permanently removes static routes from the NP 3
CSCsr84424   Inter-context traffic on shared vlan fails starting in version 4.0
CSCsr93090   High CPU on FWSM due to AAA accounting/authentication
CSCsr93323   FWSM 4.0: Crash at ssh_receive
CSCsr93953   FWSM doesn't inspect the 3way hand shake for FTP data channel
CSCsr94374   DNS Responses Destined to Port UDP/53 are Blocked


Resolved Caveats in Software Release 4.0(2)

CSCsm69869

When an outside NAT rule is configured on the FWSM and NAT control is enabled, inbound traffic not matching that rule is being silently dropped.

Workaround: There are two options for getting around this. If possible, disable NAT control by entering the no nat-control command. If there are a limited number of networks on the outside coming in, a static outside NAT rule can be configured for those specific networks. For example:

static (outside,inside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

CSCso22765

FWSM gives an error and discards the configuration when overlapping static commands are configured. For example:

static (inside,outside) tcp 192.168.1.100 www 192.168.2.100 www netmask 255.255.255.255
static (dmz,outside) 192.168.1.100 192.168.3.100 netmask 255.255.255.255

Workaround: None.

CSCso38838

In rare circumstances, traffic matching a static policy NAT statement may fail with a "no translation group found" syslog message even though it matches the policy access list.

Workaround: Try redefining the policy access list with a different access list name and applying that to the static command.

CSCso46878

An extra xlate (between the wrong interfaces) gets created when using static policy NAT and the no nat-control command. This seems to occur when the policy NAT access list overlaps with a network on another interface.

Workaround: If applicable, use static NAT without an access list, and filter with an access-group command.

CSCso92458

In multiple context mode, if you change the system configuration and a context configuration, and reload without first saving, then you are prompted to save the configurations; the configurations get saved even after typing N at the confirm prompt.

Workaround: None.

CSCsq12999

When you configure TCP state bypass and match an access list in the class map that uses the time-range option, then a Telnet connection does not have TCP state bypass applied when the access list becomes active from an inactive state.

Workaround: In the class map, remove the match access-list command and add match any.

CSCsq19931

A crash could occur if the following conditions are met:

Access list group optimization is enabled

An ACE is removed from the beginning of an access list and, at the same time, a remark is added at the beginning of an access list.

Workaround: Delete the ACE first, wait for optimization to complete, and then add the remark.

CSCsq24440

In an Active/Active failover configuration, you cannot disable access list optimization in a context that is active on the secondary FWSM; the CLI prompt to disable optimization appears on the primary FWSM, and not the secondary.

Workaround: On the primary unit, do the following:

a. Set group 2 to be active on the primary FWSM by entering the failover active group 2 command.

b. Disable optimization by entering the no access-list optimization enable command.

c. Set group 2 to be active on the secondary FWSM again by entering the no failover active group 2 command.

The caveats listed in Table 4 were resolved in software Release 4.0(2), and were not previously documented. If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://www.cisco.com/support/bugtools

Table 4 Resolved Caveats in Release 4.0(2)

Caveat ID    Description

CSCsq71071   FWSM crash in Thread Name: doorbell_poll 0x5d05 NP2 thread


Resolved Caveats in Software Release 4.0(1)

CSCsm42519

Under rare circumstances when you configure AAA for network access using a RADIUS server, the FWSM might crash due to processing of authentication requests through the FWSM.

Workaround: None.

The caveats listed in Table 5 were resolved in software Release 4.0(1), and were not previously documented. If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://www.cisco.com/support/bugtools

Table 5 Resolved Caveats in Release 4.0(1)

Caveat ID    Description

CSCsi27512   FTP with multiline 221 lines closes the connection too early
CSCsi73738   High CPU due to ACK storm with a TCP-based inspection enabled
CSCsk41644   FWSM - Issue with sending multiple GETs to the WebSense Server
CSCsk73347   NAT Bitmap Corruption Under High Xlate Use on FWSM
CSCsl04546   FWSM: Crash in Thread Name: websns_rcv_udp
CSCsl05878   FWSM reload with panic: route_process
CSCsl12104   Modifying fixup protocol icmp at a context affects other contexts (3.1)
CSCsm11988   Unable to clear uauth entry by username if username includes backslash
CSCsm35626   FWSM 3.2.2 - conns per sec usage under asdm not accurate
CSCsm41796   After failover, inspect ftp does not work - data channel not opened
CSCsm50370   ip address command breaks routing with duplicate statics
CSCsm58073   When saving a config to disk:/, the time is one day ahead
CSCsm60610   ACL:Cannot configure Access-list with udp port eq 0 on FWSM
CSCsm66984   FWSM resets intermittently
CSCsm68082   Error: Bad Octal (digit > 7) may appear with MGCP inspect
CSCsm69810   Outside NAT fails with outside NAT exemption
CSCsm84230   Policy Nat stops working when ACE duplicated through obj-grp and deleted
CSCsm86434   FWSM user auth dialogue box not re-presented for longer period in 3.1.8
CSCsm87914   FWSM 3.2 crash in Thread Name: Logger
CSCso00289   Unable to Disable TCP Sequence Number Randomization
CSCso03094   Traceback in 'perfmon' thread
CSCso06060   Failover packet from FWSM has incorrect DSCP value
CSCso11666   No pim command will not replicate on standby unit
CSCso14069   FWSM is not processing stop on error correctly
CSCso17150   FWSM 'failover interface-policy' impact on transparent A/A configuration
CSCso33286   long AAA ACLs requires >1h compilation time.
CSCso40091   FWSM may delay URL Server checks causing a server to be marked DOWN
CSCso42729   Sunrpc sessions are not deleted from np 3 established list
CSCso59847   FWSM: Crash in thread skinny.
CSCso69586   FWSM failover pair with vlan mismatch may go active/active
CSCso92618   Inbound inspected tcp connections incorrectly timing out due to gc


Related Documentation

See the following sections for related documentation:

Hardware Documents

Software Documents

Hardware Documents

See the following related hardware documentation:

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Installation and Verification Note

Catalyst 6500 Series Switch Installation Guide

Catalyst 6500 Series Switch Module Installation Guide

Software Documents

See the following related software documentation:

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM

Release Notes for Cisco ASDM

Open Source Software Licenses for FWSM

Catalyst 6500 Series Cisco IOS Software Configuration Guide

Catalyst 6500 Series Cisco IOS Command Reference

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.