Table Of Contents
Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 4.1(x)
Important Notes
New Features
New Features in Release 4.1(6)
New Features in Release 4.1(1)
Upgrading or Downgrading the Software
Viewing Your Current Version
Upgrading from 2.x or 3.x
Upgrading the Operating System and ASDM Images
Downgrading From 4.1
Important Notes
Downgrading
Chassis System Requirements
Catalyst 6500 Series Minimum Requirements
Cisco 7600 Series Minimum Requirements
Management Support
Software License Information
Limitations and Restrictions
Open Caveats
Resolved Caveats
Resolved Caveats in Release 4.1(13)
Resolved Caveats in Release 4.1(12)
Resolved Caveats in Release 4.1(11)
Resolved Caveats in Release 4.1(10)
Resolved Caveats in Release 4.1(9)
Resolved Caveats in Release 4.1(8)
Resolved Caveats in Release 4.1(7)
Resolved Caveats in Release 4.1(6)
Resolved Caveats in Release 4.1(5)
Resolved Caveats in Release 4.1(4)
Resolved Caveats in Release 4.1(3)
Resolved Caveats in Release 4.1(2)
Resolved Caveats in Release 4.1(1)
Related Documentation
Hardware Documents
Software Documents
Obtaining Documentation and Submitting a Service Request
Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 4.1(x)
March 2013
This document contains release information for FWSM Release 4.1(1) through 4.1(12).
This document includes the following sections:
•
Important Notes
•New Features
•Upgrading or Downgrading the Software
•Chassis System Requirements
•Management Support
•Software License Information
•Limitations and Restrictions
•Open Caveats
•Resolved Caveats
•Related Documentation
•Obtaining Documentation and Submitting a Service Request
Important Notes
•For traffic that passes through the control-plane path, such as packets that require Layer 7 inspection or management traffic, the FWSM sets the maximum number of out-of-order packets that can be queued for a TCP connection to 2 packets, which is not user-configurable. Other TCP normalization features that are supported on the PIX and ASA platforms are not enabled for FWSM.
•You can disable the limited TCP normalization support for FWSM using the no control-point tcp-normalizer command.
•When you log in to the system execution space from the switch in multiple context mode, a feature introduced in FWSM Release 3.2 lets you use authentication using a AAA server or local database. Previously, the only method of authentication available was to use the login password defined in the system configuration. The new authentication method is enabled by the aaa authentication telnet console command in the admin context. If you upgrade to Release 3.2 and later, and have this command already in the admin context configuration, then authentication for the system execution space is enabled using the specified server or local database, even if you did not intend to enable it. To use the login password instead, you must remove the aaa authentication telnet console command in the admin context.
•Do not configure both the timeout uauth 0 command and the aaa authentication clear-conn command; if you do so, you cannot open any connections through the FWSM because the connection immediately closes when AAA succeeds. This happens every time you try to open a connection (because the FWSM is not caching uauth entries).
•In 3.x, when you used the set connection command for an access list (match access-list), then connection settings were applied to each individual ACE; in 4.0 and later, connection settings are applied to the access list as a whole.
New Features
This section includes the new features for FWSM releases.
Note There are no new features in FWSM Releases 4.1(2) through 4.1(5) nor in Releases 4.1(7) through 4.1(10).
•New Features in Release 4.1(6)
•New Features in Release 4.1(1)
New Features in Release 4.1(6)
Table 1 lists the new feature for FWSM Release 4.1(6).
Table 1 New Feature for FWSM Release 4.1(6)
Feature
|
Description
|
Increased SNMP packet size
|
Increased maximum SNMP response size to 1400, which makes it easier to poll multiple OIDs in a single query. Past FWSM design restricted the packet size of SNMP responses to 484 bytes.
|
New Features in Release 4.1(1)
Table 2 lists the new features for ASDM Versions 6.2(1)F through 6.2(3)F. These features were introduced in Version 6.2(1)F. There are no new features for Version 6.2(2)F and 6.2(3)F. All features apply to FWSM Version 4.1(1), as well.
Table 2 New Features for FWSM Version 4.1(1)
Feature
|
Description
|
Platform Features
|
Separate hostnames for primary and secondary blades
|
This feature lets you configure a separate hostname on the primary and secondary FWSMs. If the secondary hostname is not configured, the primary and secondary hostnames are the same.
We modified the following screen: Configuration > Device Setup > Device Name/Password.
|
Firewall Features
|
Creation of UDP sessions with unresolved ARP in the accelerated path
|
If you configure the FWSM to create the session in the accelerated path even though the ARP lookup fails, then it will drop all further packets to the destination IP address until the ARP lookup succeeds. Without this feature, each subsequent UDP packet goes through the session management path before being dropped by the accelerated path, causing potential overload of the session management path.
We modified the following screen: Configuration > Firewall > Advanced > TCP Options.
|
DCERPC Enhancement: Remote Create Instance message support
|
In this release, DCERPC Inspection was enhanced to support inspection of RemoteCreateInstance RPC messages.
No screens were modified.
|
Reset Connection marked for Deletion
|
You can now disable the sending of a reset (RST) packet for a connection marked for deletion. Starting in this release, reset packets are not sent by default. You can restore the previous behavior, so that when the FWSM receives a SYN packet on the same 5-tuple (source IP and port, destination IP and port, protocol) which was marked for deletion, it will send a reset packet.
We modified the following screen: Configuration > Firewall > Advanced > TCP Options.
|
PPTP-GRE Timeout
|
You can now set the timeout for GRE connections that are built as a result of PPTP inspection.
We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts.
|
IPv6 support in ASDM
|
ASDM now supports configuration of IPv6.
|
Management Features
|
Turning on/off names in Syslog messages
|
This feature enables users to choose whether or not to apply name translation while generating syslogs to the console, syslog server, and FTP syslog server.
We modified the following screen: Configuration > Logging > Logging Setup.
|
Shared Management Interface in Transparent Mode
|
You can now add a management VLAN that is not part of any bridge group. This VLAN is especially useful in multiple context mode where you can share a single management VLAN across multiple contexts.
We modified the following screen: Configuration > Interfaces > Add/Edit Interface.
|
Teardown Syslog Enhancement
|
New syslogs were added for when a connection is torn down.
We introduced the following syslog messages: 302030 through 33.
|
SNMP Buffer enhancement
|
With this enhancement, SNMP requests will be handled more efficiently, so that the allocated blocks for SNMP are freed up quickly, thus leaving enough blocks for other processes.
No screens were modified.
|
Troubleshooting Features
|
Crashinfo enhancement
|
The crashinfo enhancement improves the reliability of generating crash information.
No screens were modified.
|
Packet Capture Wizard
|
The FWSM uses the Packet Capture Wizard to implement a packet sniffer on the FWSM. Cisco TAC might request captures from you to troubleshoot a problem. These captures may be in PCAP format for download and further analysis on products like TCPDUMP or Ethereal.
We modified the following screen: Wizards > Packet Capture Wizard > Capture Wizard.
|
Upgrading or Downgrading the Software
This section describes how to upgrade to the latest version, and includes the following topics:
•Viewing Your Current Version
•Upgrading from 2.x or 3.x
•Upgrading the Operating System and ASDM Images
•Downgrading From 4.1
Note For CLI procedures, see the ASA release notes.
Viewing Your Current Version
The software version appears on the ASDM home page; view the home page to verify the software version of your FWSM.
Upgrading from 2.x or 3.x
Starting in Release 4.0(1), many commands are migrated to new commands (for example, the http-map commands are converted to policy-map type inspect http commands).
If you upgrade from 2.x or 3.x, the configuration is converted. This converted configuration is not saved to memory until you save the configuration by clicking Save at the top of the window.
If you try to downgrade to 2.x or 3.x using a converted configuration, many commands will be rejected. Moreover, if you add access lists to the 4.x configuration to take advantage of larger access list memory space, then downgrading could result in an inability to load all the new access lists.
If you want to downgrade, be sure to copy a saved 2.x or 3.x configuration to the starting configuration before you reload with the 2.x or 3.x image.
Upgrading the Operating System and ASDM Images
This section describes how to install the ASDM and operating system (OS) images to the current application partition .
Note If the FWSM is running Version 4.0 or later, then you can upgrade to the latest version of ASDM (and disconnect and reconnect to start running it) before upgrading the OS.
If the FWSM is running a version earlier than 4.0, then use the already installed version of ASDM to upgrade both the OS and ASDM to the latest versions, and then reload.
To install and start using the new images, perform the following steps:
Detailed Steps
Step 1 From the Tools menu, choose Tools > Upgrade Software from Cisco.com.
In multiple context mode, access this menu from the System. For 6.2F, this menu item is located under Tools > Software Updates.
The Upgrade Software from Cisco.com Wizard appears.
Note If you are running ASDM Version 5.2 or lower, then the Upgrade Software from Cisco.com Wizard is not available. You can download the software from the following URL:
http://www.cisco.com/cisco/software/type.html?mdfid=277413409&flowid=246
Then use Tools > Upgrade Software.
Step 2 Click Next.
The Authentication screen appears.
Step 3 Enter your Cisco.com username and password, and click Next.
The Image Selection screen appears.
Step 4 Check the Upgrade the FWSM version check box and the Upgrade the ASDM version check box to specify the most current images to which you want to upgrade, and click Next.
The Selected Images screen appears.
Step 5 Verify that the image file you have selected is the correct one, and then click Next to start the upgrade.
The wizard indicates that the upgrade will take a few minutes. You can then view the status of the upgrade as it progresses.
The Results screen appears. This screen provides additional details, such as whether the upgrade failed or whether you want to save the configuration and reload the FWSM.
If you upgraded the FWSM version and the upgrade succeeded, an option to save the configuration and reload the FWSM appears.
Step 6 Click Yes.
For the upgrade versions to take effect, you must save the configuration, reload the FWSM, and restart ASDM.
Step 7 Click Finish to exit the wizard when the upgrade is finished.
Downgrading From 4.1
This section describes how to downgrade from 4.1, and includes the following topics:
•Important Notes
•Downgrading
Important Notes
If you configure the shared management VLAN feature that was introduced in 4.1(1), this feature is not supported when you downgrade to a pre-4.1(1) release.
See the following issues when you use this feature, and then downgrade:
•The interface configuration for the shared VLAN is accepted in the first context configuration in which it appears, but is rejected in subsequent transparent mode contexts.
•For these subsequent contexts, if the startup-config has the management VLAN configuration defined directly after another VLAN configuration for through traffic, then the name and security level associated with the (rejected) shared management VLAN is erroneously applied to the immediately preceding VLAN.
Workaround: Remove the interface configuration for the shared VLAN from all contexts before you downgrade.
For example, you have the following configuration in 4.1:
ip address 10.90.90.4 255.255.255.0 standby 10.90.90.5
After downgrading, the shared management interface vlan101 command is rejected if it was already used in another context; so the nameif dmz and security-level 100 commands are applied to VLAN 100, overwriting the original nameif and security-level commands. (The VLAN 101 management-only and ip address commands are rejected because they are not allowed for the interface vlan command pre-4.1). The resulting VLAN 100 configuration is the following:
Downgrading
This section describes how to downgrade the ASDM and operating system (OS) images to the current application partition.
To install and start using the old images, perform the following steps:
Step 1 If you have a Cisco.com login, you can obtain the old OS and ASDM images from the following website:
http://www.cisco.com/cisco/software/type.html?mdfid=277413409&flowid=246
Step 2 If you configured shared management VLANs for transparent mode contexts, see the "Important Notes" section to remove the configuration for each context.
Step 3 From the Tools menu, choose Tools > Software Updates > Upgrade Software from Local Computer.
The Upgrade Software from Local Computer dialog box appears.
Step 4 (Optional) To downgrade ASDM, from the Image to Upload drop-down list, choose ASDM.
ASDM Version 6.2F is backwards compatible with previous versions, so you do not need to downgrade ASDM.
Step 5 Enter the local path to the file on your PC or click Browse Local Files to find the file on your PC.
Step 6 Click Upload Image. The uploading process might take a few minutes; make sure you wait until it is finished.
Step 7 To downgrade your FWSM image, repeat Step 3 through Step 6, except choose FWSM from the Image to Upload drop-down list.
Step 8 You are prompted to reload. Click OK.
Chassis System Requirements
You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in these release notes as the "switch." The switch includes a switch (the supervisor engine) as well as a router (the MSFC 2).
The switch supports Cisco IOS software on both the switch supervisor engine and the integrated MSFC router.
Note The Catalyst operating system software is not supported.
The FWSM does not support a direct connection to a switch WAN port because WAN ports do not use static VLANs. However, the WAN port can connect to the MSFC, which can connect to the FWSM.
The FWSM runs its own operating system.
Note Because the FWSM runs its own operating system, upgrading the Cisco IOS software does not affect the operation of the FWSM.
This section includes the following topics:
•Catalyst 6500 Series Minimum Requirements
•Cisco 7600 Series Minimum Requirements
Catalyst 6500 Series Minimum Requirements
The following versions are the minimum required versions. Versions higher than those listed are also supported. Table 3 shows the supervisor engine version and software.
Table 3 Support for FWSM 4.1 on the Catalyst 6500
| |
FWSM Features:
|
| |
|
PISA Integration
|
Route Health Injection
|
Virtual Switching System
|
Cisco IOS Software Release
|
15.1(1)SY and higher
|
720-10GE
|
No
|
Yes
|
Yes
|
15.1(1)SY and higher
|
720
|
No
|
Yes
|
No
|
15.1(1)SY and higher
|
SUP2T
|
No
|
Yes
|
Yes
|
15.0(1)SY and higher
|
720-10GE
|
No
|
No
|
No
|
15.0(1)SY and higher
|
720
|
No
|
No
|
No
|
15.0(1)SY and higher
|
SUP2T
|
No
|
Yes
|
Yes
|
12.2(33)SXJ and higher
|
720-10GE
|
No
|
Yes
|
Yes
|
12.2(33)SXJ and higher
|
720
|
No
|
Yes
|
No
|
12.2(33)SXJ and higher
|
32
|
No
|
No
|
No
|
12.2(18)SXF and higher
|
720, 32
|
No
|
No
|
No
|
12.2(18)SXF and higher
|
2, 720, 32
|
No
|
No
|
No
|
12.2(33)SXI and higher
|
720-10GE
|
No
|
Yes
|
Yes
|
12.2(33)SXI and higher
|
720, 32
|
No
|
Yes
|
No
|
12.2(18)ZYA
|
32-PISA
|
Yes
|
No
|
No
|
Cisco IOS Software Modularity Release
|
12.2(18)SXF4
|
720, 32
|
No
|
No
|
No
|
Cisco 7600 Series Minimum Requirements
The following versions are the minimum required versions. Versions higher than those listed are also supported. Table 4 shows the supervisor engine version and software.
Table 4 Support for FWSM 4.1 on the Cisco 7600
| |
FWSM Features:
|
| |
|
PISA Integration
|
Route Health Injection
|
Virtual Switching System
|
Cisco IOS Software Release
|
12.2(33)SRD6
|
720-3C-1GE
|
No
|
No
|
No
|
12.2(33)SRA
|
720, 32
|
No
|
No
|
No
|
12.2(33)SRB
|
720, 32
|
No
|
No
|
No
|
12.2(33)SRC
|
720, 32, 720-1GE
|
No
|
No
|
No
|
12.2(33)SRD
|
720, 32, 720-1GE
|
No
|
No
|
No
|
12.2(33)SRE
|
720, 32, 720-1GE
|
No
|
No
|
No
|
12.2(33)SRE2
|
720-3C-1GE
|
No
|
No
|
No
|
Management Support
The FWSM supports the following management methods:
•Cisco ASDM—Software Release 6.2F supports FWSM software Release 4.1 features. ASDM is a browser-based configuration tool that resides on the FWSM. The system administrator can configure multiple security contexts. If desired, individual context administrators can configure only their contexts.
•Command-line interface (CLI)—Access the CLI by sessioning from the switch or by connecting to the FWSM over the network using Telnet or SSH. The FWSM does not have its own external console port.
Software License Information
The FWSM supports the following licensed features:
•Multiple security contexts. The FWSM supports two virtual contexts plus one admin context for a total of three security contexts without a license. For more than three contexts, obtain one of the following licenses:
–20
–50
–100
–250
•BGP stub support.
•GTP/GPRS support.
Limitations and Restrictions
Note These limitations and restrictions also exist in FWSM 3.x.
See the following limitations and restrictions on the FWSM:
•The following features are not supported when you use TCP state bypass:
–Application inspection—Application inspection requires both inbound and outbound traffic to go through the same FWSM, so application inspection is not supported with TCP state bypass.
–AAA authenticated sessions—When a user authenticates with one FWSM, traffic returning via the other FWSM will be denied because the user did not authenticate with that FWSM.
•Multiple context mode does not support most dynamic routing protocols. BGP stub mode is supported. Security contexts support only static routes or BGP stub mode. You cannot enable OSPF or RIP in multiple context mode.
•Transparent firewall mode supports a maximum of eight interface pairs per context; however, when multiple bridge-group interfaces exist in a single context, inspection may not work properly. We recommend that you create a separate context for traffic that requires inspection.
•For transparent firewall mode, you must configure a management IP address per interface pair.
•The outbound connections (from a higher security interface to a lower security interface) from an interface that is shared between the contexts can only be classified and directed through the correct context if you configure a static translation for the destination IP address. This limitation makes cascading contexts unsupported, because configuring the static translations for all the outside hosts is not feasible.
•The CPU-intensive commands, such as copy running-config startup-config (the same as the write memory command), might affect system performance, including reducing the successful rate of inspection and AAA connections. When a CPU-intensive action completes, the FWSM might produce a burst of traffic to catch up. If you limit the resource rates for a context, the burst might unexpectedly reach the maximum rate. We recommend using these commands during low traffic periods. Other CPU-intensive actions include the show arp command, polling the FWSM with SNMP, loading a large configuration, and compiling a large access list.
•Do not configure both the timeout uauth 0 command and the aaa authentication clear-conn command; if you do so, you cannot open any connections through the FWSM because the connection immediately closes when AAA succeeds. This happens every time you try to open a connection (because the FWSM is not caching uauth entries).
•During URL filtering at high rates, the HTTP connection to the server through the FWSM might not complete correctly in some scenarios with the TCP normalizer enabled and URL filtering enabled. To solve this issue, enter the url-block block 16 command in multiple mode or the url-block block 128 command in single mode. (CSCsj00658)
•SIP application inspection does not match regular expressions specified in the message-path against a second or larger instance of the VIA SIP Header. Check whether your purpose is accomplished by matching the regular expression specified in the message-path against the first VIA: SIP Header. (CSCso69892)
•SIP calls with a SIP URI length greater than 256 characters are dropped by the FWSM. Make the SIP User Agent make SIP calls with a SIP URI length less than 256 characters. (CSCsm37291)
•If the FWSM uses EIGRP, and receives multiple equal-cost routes to the same destination, it installs all of them in the EIGRP topology table. But the FWSM fails to install all the equal-cost routes into the routing table. (CSCso98423)
•The ENTITY-MIB is not available in the non-admin context. Use the IF-MIB for queries in the non-admin context.
Open Caveats
The caveats listed in Table 5 are open in the latest maintenance release.
If you are running an older release, and you need to determine the open caveats for your release, then add the caveats in this section to the resolved caveats from later releases. For example, if you are running Release 4.1(1), then you need to add the caveats in this section to the resolved caveats from 4.1(2) and above to determine the complete list of open caveats.
If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Table 5 Open Caveats
Caveat
|
Description
|
CSCtc19367
|
Discrepancy between max xlate count and show global usage most used cnt
|
CSCte02131
|
show xlate count and show global usage on standby do not match
|
CSCte08789
|
FWSM generates Corrupted crashinfo file
|
Resolved Caveats
This section contains resolved caveats in each maintenance release and includes the following topics:
•Resolved Caveats in Release 4.1(13)
•Resolved Caveats in Release 4.1(12)
•Resolved Caveats in Release 4.1(11)
•Resolved Caveats in Release 4.1(10)
•Resolved Caveats in Release 4.1(9)
•Resolved Caveats in Release 4.1(8)
•Resolved Caveats in Release 4.1(7)
•Resolved Caveats in Release 4.1(6)
•Resolved Caveats in Release 4.1(5)
•Resolved Caveats in Release 4.1(4)
•Resolved Caveats in Release 4.1(3)
•Resolved Caveats in Release 4.1(2)
•Resolved Caveats in Release 4.1(1)
Resolved Caveats in Release 4.1(13)
The following caveats were resolved in Release 4.1(13) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Table 6 Resolved Caveats in FWSM Release 4.1(13)
Caveat
|
Description
|
CSCue65757
|
FWSM: Additional inspect statements in standby on certain procedure.
|
CSCue65785
|
vPif_isVpifNumValid:pifNum out of range! message in the show conn output.
|
CSCuf47624
|
FWSM Traceback in d2_receive_thread.
|
Resolved Caveats in Release 4.1(12)
The following caveats were resolved in Release 4.1(12) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Table 7 Resolved Caveats in FWSM Release 4.1(12)
Caveat
|
Description
|
CSCub52268
|
FWSM: Auth proxy, when user logs out Authen In Progress increments.
|
CSCuc82649
|
VSS/FWSM - failover - multicast commands not being config synced
|
CSCuc96578
|
FWSM: Conn-max limit enforced incorrectly when conn-rate-limit defined
|
CSCud16814
|
Traceback in IPv6 ND Thread
|
CSCue39138
|
FWSM crashes after configuring the nameif command
|
CSCue45879
|
FWSM drops out of order TCP packets with HTTP inspect and normalizer
|
Resolved Caveats in Release 4.1(11)
The following caveats were resolved in Release 4.1(11) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Table 8 Resolved Caveats in FWSM Release 4.1(11)
Caveat
|
Description
|
CSCsj16497
|
FWSM need to periodically requery TCP syslog hosts that are down
|
CSCua43458
|
FWSM traceback in thread fast_fixup with inspect dcerpc enabled
|
CSCua62648
|
FWSM running 4.1.7 crashes in thread name snp_timer_thread
|
CSCub61725
|
snmp caused memory leak in FWSM
|
CSCuc25948
|
ASDM- ACL hit count stayed 0 with FWSM
|
CSCuc39360
|
FWSM fails to send EIGRP Replies for more than 13 prefixes
|
Resolved Caveats in Release 4.1(10)
The following caveats were resolved in Release 4.1(10) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
•CSCth78926—Adding and removing a host-based route using the route-monitor command causes a page fault
Symptom:
When you specified a host-based route (rather than a network-based route) to monitor alternate path routing, then removed the host-based route, FWSM generated a page fault. When configuring a host-based route for route monitoring, FWSM checked its static route table to verify whether any existing routes matched the IP address and mask of the new route. FWSM maintains a list of matching routes in the route monitor table. When FWSM found only one matching entry in the static route table, it set the next route entry to NULL in the route monitor table.
When you removed a route from monitoring, FWSM checked the route monitor table for matching entries without first validating whether the next route entry existed; therefore, causing FWSM to generate a page fault.
Conditions:
1. Use the route-monitor command to specify a host-based route to monitor.
2. Remove the host-based route.
Resolution:
FWSM validates whether the next route entry exists in the route monitor table before attempting to remove the entry.
•CSCtr94155—FWSM generates system log message FWSM-7-710005 when processing a snmpwalk request from the SNMP server
Symptom:
FWSM generates message FWSM-7-710005 when it receives an SNMP request with an empty payload. Additionally, it also generated message FWSM-7-710005 when it received a valid SNMP query (a request that had a non-zero length).
Conditions:
The SNMP server sends a snmpwalk request to FWSM.
Resolution:
Before generating message FWSM-7-710005, FWSM verifies that the message length of an SNMP query equals zero by initializing the value to in_packet_len.
•CSCtz42093—FWSM crashes with assertion "0" failed: thread "ssh", file "malloc.c", line 3802
Symptom:
FWSM crashed with the following assertion:
assertion "0" failed: thread "ssh", file "malloc.c", line 3802
FWSM crashed with this assertion when you deleted an entry in an access list configured with the route-inject command. FWSM crashed because it was clearing routes for the wrong type of route before it deleted the entry from the access list.
Conditions:
Delete a entry in an access list associated with route injection.
Resolution:
FWSM correctly clears route health injection (RHI) routes associated with the access list entry being deleted.
•CSCtz75570—System log message FWSM-3-211001 did not provide enough information
Symptom:
FWSM only displayed the message "Memory allocation Error" for message FWSM-3-211001. Message FWSM-3-211001 is a generic message that FWSM generates when resources are not available for any service. It is common for FWSM to generate this message for all the application inspection modules.
Conditions:
A malicious host tried to establish SIP connections, such that it triggered a memory resource problem for the corresponding application inspection service.
Resolution:
Message FWSM-3-211001 is enhanced to provide the API name of the corresponding service that is experiencing the memory resource problem:
FWSM-3-21100: Memory allocation Error in module moduel_name.
•CSCto80642—FWSM removed static ARP entries after 60 seconds when the network processor was oversubscribed
Symptom:
FWSM encountered problems when the NP was oversubscribed due to nonexistence IP addresses. Configuring a static ARP entry when the NP was oversubscribed caused FWSM to add the entry to the control plane ARP table and send the request to the NP to update its ARP table; however, FWSM then removed the entry from the ARP table and the running configuration. FWSM removed the entry when the timer expired after 60 seconds as if it was a dynamic entry. This problem affected only the destination host that received the SYN flood.
Conditions:
A static ARP entry is configured when the NP is oversubscribed due to nonexistence IP addresses.
Resolution:
FWSM no longer automatically removes a static ARP entry when the NP is oversubscribed. Instead, when FWSM creates the dynamic entry, then it checks whether the static entry already exists in the ARP table. If the entry exists, FWSM exits from the process.
•CSCua67121—FWSM crashed with the ci/console thread, the console session thread for user input/output
Symptom:
FWSM crashed when sending SIP invite packets at the rate of 35,000 packets per second and simultaneously executing the show sip command to check the SIP sessions. Displaying that many sessions on the console took long enough that the watchdog timer expired and ended the thread, which caused FWSM to crash.
Conditions:
1. Increase the SIP invite timeout to 30 minutes.
2. Send SIP entries at the rate of 350,00 per second.
3. Simultaneously, execute the show sip command.
Resolution:
FWSM checks the watchdog timer setting when displaying the SIP session data and, if it determines that the timer will expire, FWSM suspends the process.
Resolved Caveats in Release 4.1(9)
The caveats listed in Table 9 were resolved in Release 4.1(9) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Table 9 Resolved Caveats in FWSM Release 4.1(9)
Caveat
|
Description
|
CSCei38791
|
no access-list x ? gives error
|
CSCts02267
|
FWSM - Remove "dns" keyword from CLI for static policy NAT
|
CSCts50980
|
FWSM not forwarding multicast fragments >8792 bytes
|
CSCtz37106
|
IPv6 static route CLI push to fwsm through CSM fails
|
CSCtu29020
|
Traceback in Thread Name ssh
|
CSCtx80666
|
FWSM 4.1.7 crashes while removing contexts
|
CSCtx80776
|
pings are counted for conn-max cumulatively
|
CSCty24997
|
warn the usage while configuring set connection tcp timeout
|
CSCty49940
|
FWSM np completion-unit disabled after deleting context
|
CSCtz01442
|
FWSM parser change: Disallowing DNS Guard with ASR Groups
|
Resolved Caveats in Release 4.1(8)
The caveats listed in Table 10 were resolved in Release 4.1(8) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Table 10 Resolved Caveats in FWSM Release 4.1(8)
Caveat
|
Description
|
CSCtn27129
|
FWSM crashed in np_cls_download_process when adding Policy NAT ACEs
|
CSCtq39473
|
FWSM crashes under thread name EIGRP-IPv4: PDM
|
CSCtr52678
|
FWSM can not set the MSS value on IPV6 packets
|
CSCtr74381
|
URL Filtering fails if data appended to HTTP GET header
|
CSCts38551
|
Fastpath NP ARP Entries not Timed Out from CP in Transparent Mode
|
CSCts68298
|
FWSM: CLI should reject multicast address for next hop IP
|
CSCtt94371
|
FWSM tcp syslogging creates many connections when server goes down
|
CSCtu02674
|
Enh:DCERPC inspection doesnt support RCI messages for all the scenorio's
|
CSCtw45873
|
Remove asserts in IPv46 API
|
CSCtw56411
|
FWSM software traceback on thread name doorbell_poll
|
Resolved Caveats in Release 4.1(7)
The caveats listed in Table 11 were resolved in Release 4.1(7) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/
Table 11 Resolved Caveats in FWSM Release 4.1(7)
Caveat
|
Description
|
CSCso92808
|
CUPC fails to transmit port 50001 due to reassembly limit of 8192
|
CSCtr38044
|
Memory leak in 0x008881e5
|
CSCtr60971
|
Max DHCP Relay Server allowed is 10;FWSM gives error when adding 10th
|
CSCtr75137
|
FWSM 4.1 memory leak snmp in binsize 576 pc = 0x00ab40f7
|
Resolved Caveats in Release 4.1(6)
The caveats listed in Table 12 were resolved in Release 4.1(6) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Table 12 Resolved Caveats in FWSM Release 4.1(6)
Caveat
|
Description
|
CSCsk71402
|
fwsm - cannot add static mac-address-table entry
|
CSCtb31446
|
fast path NP Hard assert causes FWSM to pause indefinitely
|
CSCtg02624
|
Traceback with call http_proxy_send_form_page
|
CSCti25015
|
route-monitor: inconsistency of metric after second gateway recovery
|
CSCti93353
|
FWSM dns doctroring might over-write embedded ip addresses it should not
|
CSCtj31001
|
FWSM does not pass Jumbo IPV6 packets
|
CSCtl01291
|
FWSM 3.2 - deny-flow-max stuck when denied is not at 4096
|
CSCtl06095
|
FWSM allowing some tcp non-syn pkts to pass when there is no conn
|
CSCtl76091
|
Issuing commands for mcast displaying the same database crashes FWSM.
|
CSCtl92927
|
crash at 0xb5b9f2 in Thread name ssh
|
CSCtn83135
|
NAT failure for data channel connections in Transparent FW mode
|
CSCto31630
|
EHN:Increase packet size for SNMP response on FWSM
|
CSCto43960
|
FWSM: DCERPC inspection of packet with multiple segments fails
|
CSCto56305
|
FWSM nested traceback in thread name doorbell poll (NP2 PC 0x5ba1)
|
Resolved Caveats in Release 4.1(5)
The following caveats were resolved in Release 4.1(5) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
•CSCtk61424—OpenSSL Ciphersuite Downgrade and J-PAKE Issues
Symptom:
The device may be affected by an OpenSSL vulnerabilities described in CVE-2010-4180 and CVE-2010-4252.
Conditions:
Device configured with any feature that uses SSL.
Workaround:
Not available
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.1/3.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
CVE IDs CVE-2010-4180 and CVE-2010-4252 have been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
•CSCtl21186—Cmd authorization fails for certain commands on fallback to LOCAL db
Symptom:
Certain commands like 'show running-config', 'show interface' are allowed to be executed by users with lower privilege-level when fallback has occured.
Conditions:
1. Fallback to LOCAL is configured
2. All FWSM commands are assigned their default privilege levels in LOCAL db.
3. Users with lower privilege-level than 15 login into privileged-exec mode and execute 'show running-config' or 'show interface' commands, and some config commands.
Workaround:
none.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.0/5.0:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE ID CSCtl94142 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
•CSCtl84952—SCCP inspection DoS vulnerability
A vulnerability exists in the Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing a malformed Skinny Client Control Protocol (SCCP) message. Devices are affected when SCCP inspection is enabled.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110223-fwsm
Note: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the vulnerability described in this advisory. A separate Cisco Security Advisory has been published to disclose this and other vulnerabilities that affect the Cisco ASA 5500 Series Adaptive Security Appliances. The advisory is available at
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110223-fwsm
•CSCtn04571—Breakage in dcerpc inspection code
Symptom:
RCI response is not processed correctly. Enabling dcerpc debugs shows that the signature 'MEOW' is not found.
Conditions:
Processing RCI response.
Workaround:
None.
Resolved Caveats in Release 4.1(4)
The caveats listed in Table 13 were resolved in software Release 4.1(4). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Table 13 Resolved Caveats in Release 4.1(4)
Caveat ID
|
Descriptions
|
CSCsu64376
|
Standby reloads when 'tcp' added to obj-grp used by ACL having port 0
|
CSCtf84419
|
Multiple policy-nat statements might not match right until ACL recompile
|
CSCth72685
|
FWSM np completion-unit disabled after reboot however in startup config
|
CSCth74635
|
FWSM may crash in thread "fast_fixup" with inspect dcerpc enabled
|
CSCti38339
|
FWSM may reload with traceback in Thread Name: skinny
|
CSCti41683
|
Inspect FTP doesn't work if class for TCP bypass is checked against
|
CSCtj21761
|
term pager command affects all sessions and future sessions
|
CSCtj29249
|
Transparent FWSM doesn't send RST for data with state-bypass configured
|
CSCtj46839
|
RTSP streaming problems through FWSM
|
CSCtj62348
|
FWSM: management-access command orphaned if configured intf is removed
|
CSCtj78005
|
After removing service-policy state-bypass flag not updated in np vlan
|
CSCtk19326
|
FWSM 4.0 may fail to send RST for non-syn TCP segment with no connection
|
CSCtk62630
|
FWSM: Copying optimized ACL to running config results in incomplete ACL
|
Resolved Caveats in Release 4.1(3)
The caveats listed in Table 14 were resolved in software Release 4.1(3). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Table 14 Resolved Caveats in Release 4.1(3)
Caveat ID
|
Descriptions
|
CSCtc23265
|
Add best effort failover support for TCP proxy
|
CSCtf87102
|
Access-list optimization w/ discontinuous masks does not work correctly
|
CSCtg64606
|
Some Special IPV6 addresses can not be handled by FWSM well
|
CSCtg66395
|
FWSM doesn't NAT Audio stream of SIP connection
|
CSCtg91966
|
Unicast RPF statistics cannot be cleared
|
CSCth10381
|
FWSM: Discrepancy between sh perfmon vs sh service-policy output
|
CSCth48464
|
Secondary Pinhole not opened for SDP two-media connections
|
CSCth49514
|
Regular translation creation failed errors on forcing switchover
|
CSCth51877
|
Reactivatoin-mode depletion does not work correctly on FWSM
|
CSCth52880
|
Http inspection protocol violation when content lenght > 2684000000
|
CSCth64565
|
FWSM 3.2.10 sunrpc-server command doesn't work host IP and network mask
|
CSCth71469
|
Traceback in 'fast_fixup' Thread Due to DCERPC Inspection
|
CSCth86890
|
Snmpwalk on the admin ctx shows only failover ip in ipAdEntAddr table
|
CSCth95284
|
FWSM 4.0.11 might crash at Thread Name: PAT XlateCache
|
Resolved Caveats in Release 4.1(2)
The caveats listed in Table 15 were resolved in software Release 4.1(2). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Table 15 Resolved Caveats in Release 4.1(2)
Caveat ID
|
Description
|
CSCsf01863
|
Syslog 302013 does not show user field properly
|
CSCtc54126
|
SIP media connections stays at connection table after closed call
|
CSCtd19411
|
cut-through proxy in transparent sends invalid ACK before SYN-ACK
|
CSCtd46324
|
FWSM software reloads on doorbell_poll while deleting a dns session
|
CSCtd72287
|
FWSM: unexpectedly reloads in Thread Name: MGCP
|
CSCtd94681
|
FWSM re-uses some PAT translation ports too frequently
|
CSCte25307
|
Telnet NOOP command sent to FWSM causes next character to be dropped
|
CSCte48165
|
Broken single ip address feature for more than 1 "virtual" protocols use
|
CSCte49110
|
FWSM setting DF bit on reassembled skinny packet
|
CSCte51034
|
FWSM doesnt failover static routes pointing to its own interface
|
CSCte66339
|
policy-map names exceeding 16 characters leak memory upon ACE addition
|
CSCte70411
|
IPv6 object-group does not allow nested objects
|
CSCte85951
|
Memory leak with HTTP inspection and "match" commands in policy-map
|
CSCtf15459
|
FWSM: about 15 seconds continuous traffic drops when active is reloaded
|
CSCtf27583
|
FWSM: May crash in Thread name fast-fixup - due to inspect dcerpc
|
CSCtf31676
|
Secondary Active FWSM Creates a Context Using BIA MAC
|
CSCtf41503
|
FWSM sends a ACK with wrong TCP options.
|
CSCtf49704
|
FWSM software forced reloads in - Thread Name: websns_snd
|
CSCtf51696
|
SQL*Net Inspection Opens Pinholes Based on Non-Redirect Messages
|
CSCtf57135
|
fwsm 3.2 - deny-flow-max stuck when denied is not at 4096
|
CSCtf73798
|
CheckHeaps crash after SSH command
|
CSCtf77950
|
SNMP - Interfaces not recognised by snmpwalk to FWSM
|
CSCtf83964
|
FWSM OSPF neighbors stuck in LOADING state for long time
|
CSCtf92566
|
IPv6 fragment packet dropped with "Invalid udp length"
|
CSCtf94490
|
Unable to query SNMP OID cufwUrlfServerStatus on FWSM
|
CSCtg01772
|
FWSM stops traffic forwarding by changing static route's distance metric
|
CSCtg14948
|
FWSM DHCPrelay intermittent failures
|
CSCtg17279
|
In shared vlan scenario destination NAT might break communication.
|
CSCtg31044
|
client_port field is not rewritten in the RTSP SETUP reply
|
CSCtg35889
|
NP1/2 Lockup on standby FWSM
|
CSCtg60275
|
Configuring conflicting static NAT causes failover fail and sync config
|
Resolved Caveats in Release 4.1(1)
The caveats listed in Table 16 were resolved in software Release 4.1(1). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Table 16 Resolved Caveats in Release 4.1(1)
Caveat ID
|
Description
|
CSCsk12223
|
FWSM unexpectedly reloads on Thread name ssh
|
CSCsx26083
|
ENH: FWSM DCERPC inspection doesn't support 'Remote Create Instance' msg
|
CSCsx79204
|
PPTP GRE connections do not have configured idle timeout set
|
CSCsz81503
|
FWSM Bidir forwarding fails after reload
|
CSCta44620
|
Software Forced reset in fast_fixup with multiple FTP connections
|
CSCta58702
|
FWSM pause indefinitely due to high icmp traffic through 2 mgt sessions
|
CSCta60764
|
Cut-thru-proxy:certificate error after completion of intial authenticati
|
CSCta64836
|
Firewall blade unexpectdly reloads with traffic
|
CSCta64957
|
No new connections on after failover with a particular NAT configuration
|
CSCta68828
|
FWSM forming OSPF adjacency with 5 seconds delay
|
CSCta73803
|
concurrent snmpwalk across many contexts causes loss of 16384 blocks
|
CSCta74788
|
Incorrect xlate replicated to standby for same security interface
|
CSCtb03565
|
FWSM corrupts ICMP time to live exceeded with MPLS TAG
|
CSCtb03929
|
snmp polling of NP data should not exhaust all 16k blocks
|
CSCtb14966
|
SunRPC inspection drops GETPORT reply packet
|
CSCtb18628
|
routing Route-monitor not update the routing table with same metric routes
|
CSCtb18847
|
data-path NP 3 pause indefinitely with established command
|
CSCtb23513
|
Authentication in progress sessions not removed with DACLs
|
CSCtb34170
|
Static PAT causing failure for traffic from inside
|
CSCtb49352
|
FWSM Cert Enrollment doesnt work with SCEP
|
CSCtb49822
|
url-filtering http traffic with segmented GET blocked by url-filtering configuration
|
CSCtb76719
|
Meaning of Flags 's' and 'S' is Reversed in 'show conn detail' Output
|
CSCtb88893
|
Transparent mode FWSM, Active passing braodcast arp from standby
|
CSCtc02363
|
RTSP inspect incorrect IP address translation in URL headers
|
CSCtc12597
|
FWSM software forced reload in Thread Name: ACL Cache during SNMP Poll
|
CSCtc32047
|
FWM sends RST instead of silently drop packets
|
CSCtc36009
|
TCP reset option incorrectly appears in set connection timeout command
|
CSCtc36050
|
capture feature shows ICMP payload modified by firewall when it is not
|
CSCtc36380
|
FWSM corrupts ICMP checksum in ICMP unreachable packets
|
CSCtc36651
|
FTP fails in Active/Active mode when two contexts not active on same FW
|
CSCtc38617
|
TCP Sequence Numbers Randomized for TCP State Bypassed Conns
|
CSCtc40207
|
Standby transparent FWSM might send arp request using active MAC
|
CSCtc68193
|
snmp query for any OID under 1.3.6.1.2.1. causes np xlate query
|
CSCtc71533
|
IPv6 object-group does not allow group-objects
|
CSCtc72148
|
WS-C6506-E-FWM/ High CPU usage
|
CSCtd23101
|
FWSM access-list optimization cause missing lines
|
CSCtd42763
|
logging FWSM: Syslog 111005 does not print when exiting config mode
|
CSCtd60672
|
FWSM fails to compile ACL when custom partition size used with failover
|
CSCtd62290
|
FWSM: TACACS+ CMD Accounting packets have a Caller-ID field of 0.0.0.0
|
CSCtd73676
|
Only one virtual protocol can be configured with the "virtual" command
|
CSCtd78604
|
FWSM: ACLs missing after adding items to object-groups
|
CSCtd86296
|
logging FWSM: Need to extend syslog message %FWSM-2-106024
|
CSCte48563
|
NP3 pauses due to duplicate xlate created for identity traffic
|
Related Documentation
See the following sections for related documentation:
•Hardware Documents
•Software Documents
Hardware Documents
See the following related hardware documentation:
•Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Installation and Verification Note
•Catalyst 6500 Series Switch Installation Guide
•Catalyst 6500 Series Switch Module Installation Guide
Software Documents
See the following related software documentation:
•Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
•Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference
•Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages
•Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
•Release Notes for Cisco ASDM
•Open Source Software Licenses for FWSM
•Catalyst 6500 Series Cisco IOS Software Configuration Guide
•Catalyst 6500 Series Cisco IOS Command Reference
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
©2012 Cisco Systems, Inc. All rights reserved.
Feedback
