This document contains frequently asked questions (FAQs) about the Catalyst 6500 Series Firewall Services Module (FWSM).
Note: Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Q. What is the minimum version of code that I need to run in order to support my FWSM, Intrusion Detection System Module 2 (IDSM2), and VPN Service Module (VPNSM)?
A. The appropriate version of code depends on the type of Supervisor Module in your 6500 or 7600 chassis, as well as the type of software you run (CatOS [Hybrid] or Cisco IOS [Native]). See this table for specific code versions for your module and Multilayer Switch Feature Card (MSFC).
Module   Sup1 (with MSFC)               Sup2 (with MSFC)               Sup720
         Cisco IOS      CatOS           Cisco IOS      CatOS           Cisco IOS        CatOS
FWSM     12.1(13)E      7.5(1)          12.1(13)E      7.5(1)          12.2(14)SX1      8.2(1)
IDSM2    Not Supported  7.6(1)          12.1(19)E      7.6(1)          12.2(14)SX1      8.2(1)
VPNSM    Not Supported  Not Supported   12.2(14)SY     Not Supported   12.2(17a)SX10    Not Supported *
* There are plans to introduce support.
Note: Refer to Comparison of the Cisco Catalyst and Cisco IOS Operating Systems for the Cisco Catalyst 6500 Series Switch for information about the differences between CatOS (Hybrid) and Cisco IOS (Native).
Q. Can I run the FWSM, Intrusion Detection System Module 2 (IDSM2), and VPN Service Module (VPNSM) in the same chassis?
A. Yes, you can run these modules in the same chassis if the switch runs integrated Cisco IOS software with a minimum version of Cisco IOS Software Release 12.2(14)SY (Sup2) or 12.2(17a)SX10 (Sup720). Currently, there is no CatOS version that can support these service modules in the same 6500 or 7600 chassis.
A. Configuration and management options include these.
Option / Version / Description
Management Center for Firewalls (Versions 1.1.1 and later*): This is a web-based interface for configuring and managing multiple firewalls.
Note: Support for service groups within object grouping is limited. Service groups are successfully parsed, but flatten immediately. This affects commands with icmp-type, protocol, and service keywords. This limitation applies to versions 1.3 and earlier.
Monitoring Center for Security (Versions 1.2 and later*): This is a web-based interface for monitoring Cisco security devices. The software centralizes syslog management from multiple Cisco security devices with flexible reporting and alerting options.
Monitoring Center for Performance (Versions 2.0 and later*): This is a web-based interface for monitoring and troubleshooting the health and performance of services that contribute to network security. Simple Network Management Protocol (SNMP) is the underlying protocol used.
PDM (Version 2.1): This is a web-based interface for configuring, managing, and monitoring a single firewall. PIX Device Manager (PDM) must be installed locally on the PIX Firewall.
Telnet (N/A): Telnet provides remote command-line interface (CLI) access to a firewall.
Note: In order to allow Telnet access to the lowest security interface (commonly known as the outside interface), you need to Configure IPsec for Management.
Secure Shell (SSH) (N/A): SSH provides secure remote CLI access to a firewall.
SNMP (N/A): SNMP provides a method of monitoring the FWSM.
Note: SNMP is read-only on the FWSM.
Syslog (N/A): Syslog provides a method of monitoring the FWSM.
* This software is part of the CiscoWorks VPN/Security Management Solution (VMS) bundle. This software provides an integrated approach to managing Cisco security devices via a browser-based interface for Enterprise networks.
A. SVI stands for Switched Virtual Interface. It represents a logical Layer 3 interface on a switch. For CatOS versions earlier than 7.6(1) and Cisco IOS Software Releases earlier than 12.2(14)SY, only one SVI is allowed as part of the firewall VLANs. In other words, only one Layer 3 interface can be configured between the FWSM and Multilayer Switch Feature Card (MSFC). An attempt to configure multiple SVIs produces a command-line interface (CLI) error message.
For CatOS versions 7.6(1) and later and Cisco IOS Software Releases 12.2(14)SY and later, the FWSM supports multiple SVIs. By default, only one SVI is supported. Use one of these commands to enable support for multiple SVIs on your switch.
For CatOS, type set firewall multiple-vlan-interfaces enable.
For Cisco IOS, type firewall multiple-vlan-interfaces.
If you configure your switch for the FWSM VLANs and receive an error message which indicates that you have more than one SVI, look at your switch and/or MSFC configuration to ensure that only one Layer 3 interface (or VLAN interface) exists as part of the firewall VLANs.
Note: Only use one SVI. This allows you to avoid a complicated configuration that involves policy routing.
A. FWSM version 1.1 supports 100 VLANs and FWSM version 2.1 supports 250 VLANs.
A. Since the FWSM automatically compiles access lists into hardware after 10 seconds of inactivity at the CLI, there is no need for turbo access lists. FWSM version 2.1 offers the additional functionality of being able to nominate when the access lists are compiled.
Q. Does the FWSM support the IOS Open Shortest Path First (OSPF) auto-cost reference-bandwidth command?
A. No. The FWSM is not aware of the physical ports connected to it. OSPF cost must be configured manually for each interface with the ospf cost command.
Q. Can I run Open Shortest Path First (OSPF) protocol in a topology where two different interfaces of the FWSM connect to the same network?
A. Yes. This functionality is supported in versions 2.1 and later.
A. Open Shortest Path First (OSPF) and Routing Information Protocol (RIP) are the supported routing protocols. For more information on FWSM, refer to the documentation available on the Cisco Catalyst 6500 Series Firewall Services Module page.
Q. Is Multicast (Internet Group Management Protocol [IGMP] v2 and Stub Multicast Routing) supported on the FWSM?
A. Yes. This functionality is supported in FWSM versions 2.1 and later. If you run version 1.1, you can use generic routing encapsulation (GRE) tunnelling as a workaround.
A. Yes. Websense is supported in versions 1.1 and later, with additional support for N2H2 added in version 2.1.
A. By default, fragmented packets cannot traverse the FWSM. You can use the fragment command to configure this feature. This behavior differs from that of the PIX Firewall. Common protocols that use fragmented packets are Open Shortest Path First (OSPF) and Network File System (NFS).
A. VPN functionality is not supported on the FWSM. Termination of VPN connections is the responsibility of the switch and/or VPN Services Module. The 3DES license is provided for management purposes only, such as connecting to a low-security interface via Telnet, Secure Shell (SSH), and Secure HTTP (HTTPS).
Q. Is authentication, authorization, and accounting (AAA) for RADIUS or TACACS+ supported on the FWSM?
A. AAA is supported for both FWSM management and traffic passing through the FWSM. Refer to the Firewall Services Module documentation for additional details.
The FWSM offers similar functionality to that of the PIX Firewall, with the exceptions of downloadable access lists and VPNs. With this in mind, you can use these PIX Firewall documents as guides for FWSM configuration.
A. Refer to these documents for information on password recovery.
A. Yes, FWSM can support jumbo frames.
Q. How does the FWSM respond when it receives a packet whose source address is a loopback address?
A. It treats the packet as invalid and drops it. By default, the FWSM drops packets with an invalid source address, such as a loopback address, a broadcast address, or the destination host address. A log message like this example is generated:
%FWSM-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
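As an added example that is not part of the original document, this Python script parses the %FWSM-2-106016 message format quoted above from constructed syslog lines, classifies each denied source as loopback, broadcast or the interface's own destination address, and counts repeat sources per interface. The log lines and the alert threshold are constructed assumptions, not FWSM defaults.

```python
"""Detect and summarize FWSM IP-spoof denials (%FWSM-2-106016) in syslog.

Constructed example for this FAQ entry: the log lines are made up and the
alert threshold is an assumption, not an FWSM default.
"""
import ipaddress
import re
from collections import Counter

# Message format quoted in the FAQ answer above; the source address is in parentheses.
SPOOF_RE = re.compile(
    r"%FWSM-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
    r"on interface (?P<ifname>\S+)"
)

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
Jan 10 10:00:01 fwsm-1 %FWSM-2-106016: Deny IP spoof from (127.0.0.1) to 10.1.1.1 on interface outside
Jan 10 10:00:02 fwsm-1 %FWSM-2-106016: Deny IP spoof from (255.255.255.255) to 10.1.1.1 on interface outside
Jan 10 10:00:03 fwsm-1 %FWSM-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/4000 (198.51.100.7/4000) to inside:10.1.1.20/80 (10.1.1.20/80)
Jan 10 10:00:04 fwsm-1 %FWSM-2-106016: Deny IP spoof from (10.1.1.1) to 10.1.1.1 on interface outside
Jan 10 10:00:05 fwsm-1 %FWSM-2-106016: Deny IP spoof from (127.0.0.1) to 10.1.1.1 on interface outside
Jan 10 10:00:06 fwsm-1 %FWSM-2-106016: Deny IP spoof from (127.0.0.1) to 192.0.2.1 on interface dmz
"""


def classify_source(src, dst):
    """Name the kind of invalid source the FAQ lists: loopback, broadcast,
    the interface's own (destination) address, or something else."""
    ip = ipaddress.ip_address(src)
    if ip.is_loopback:
        return "loopback"
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if src == dst:
        return "destination-host"
    return "other"


def parse_spoof_denials(log_text):
    """Return one dict per 106016 line; lines with other message IDs are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SPOOF_RE.search(line)
        if m:
            event = m.groupdict()
            event["kind"] = classify_source(event["src"], event["dst"])
            events.append(event)
    return events


def summarize_denials(events, threshold=2):
    """Count denials per interface and flag (interface, source) pairs seen at
    least `threshold` times, which is where an operator would start looking."""
    per_interface = Counter(e["ifname"] for e in events)
    per_source = Counter((e["ifname"], e["src"]) for e in events)
    repeat = {key: n for key, n in per_source.items() if n >= threshold}
    return per_interface, repeat


if __name__ == "__main__":
    evs = parse_spoof_denials(SAMPLE_LOG)
    per_if, repeat = summarize_denials(evs)
    for e in evs:
        print(f"{e['ifname']:8} {e['kind']:17} {e['src']} -> {e['dst']}")
    print("per interface:", dict(per_if))
    print("repeat sources:", repeat)
```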
A. Support for PVLANs begins in software version 3.1. If you run a software version earlier than 3.1, the only possible workaround is to connect the promiscuous port of the PVLAN to a regular access port using a crossover cable, and then firewall the VLAN of that access port.
A. This feature is supported only in software version 3.1 and later.
A. Yes, you can limit the connections with the help of Modular Policy Framework. Complete these steps in order to limit the number of connections:
- Create a class map in order to match the traffic.
- Place the class map to a policy map and use connection limiting in the policy map.
- Apply the policy map using service policy.
Refer to Configuring Connection Limits and Timeouts for more information and detailed steps.
A. Yes. FWSM does not support 232.x.x.x subnet as a group name, as it has been already reserved for Security Services Module (SSM).
A. No. Unlike a router, the FWSM does not allow directed broadcasts through its interfaces. A similar workaround is to use the built-in dhcp-relay feature to forward broadcasts from one interface to another.
Q. Can the HTTP Inspection engine detect non-HTTP traffic or non-standard traffic in an HTTP session?
A. Yes. The Application Firewall with Advanced HTTP Inspection can detect and control this traffic. Refer to Application Inspection Engine Overview for more information.
A. In FWSM, TCP Normalization only applies to traffic that hits the TCP complex. Normal data plane (fast path) traffic is not affected. This differs from the ASA in that all ASA traffic is subjected to the normalizer.
On the FWSM, if the normalizer is disabled, the module falls back to 2.3 behavior. However, disabling the control-point TCP normalizer also disables the strict TCP checks (such as detection of out-of-sequence segments and monitoring of TCP options) on TCP packets received on the control plane for Layer 7 inspection. Thus, it is advisable not to disable it. The FWSM does not allow tuning of the default tcp-map parameters.
A. Because some connection-specific information cannot be passed from the NPs to the control plane, the TCP normalizer does not always function properly on the FWSM. Additionally, unique tcp-maps associated with connections cannot be identified, so the FWSM relies on the default tcp-map, which may not work correctly for all connections. Because of these limitations, there is a need to enable or disable the TCP normalizer in the control plane for traffic going through the firewall. The FWSM does not allow tuning of the default tcp-map parameters.
A. The maximum number of entries is 5000 entries.
A. Packets can be captured on the FWSM, but only from the CLI; the capture command is not supported in ASDM. Refer to Ignored and View-Only Commands for more information. Refer to Capturing Packets for more information on the configuration of packet capture on the FWSM. Refer to ASA/PIX/FWSM: Packet Capturing using CLI and ASDM Configuration Example for a packet capture configuration example.
A. Refer to FWSM and ASDM Release Compatibility for more information about FWSM and ASDM release compatibility.
Q. I have a license for an FWSM that runs in multiple context mode. Can I obtain a license for a spare FWSM in the event of a hardware failure?
A. You can obtain a license for the spare FWSM. However, you need to place an order for the spare FWSM license as you would a regular license. In the event of a hardware failure, contact Cisco Technical Support to verify the failure and to obtain a license for the spare FWSM. Refer to Cisco Firewall Module Software Release 2.2(1) for licensing information.
A. FWSM does not support multiple shared interfaces, but instead you can have one VLAN across multiple contexts. Refer to Sharing Resources and Interfaces Between Contexts for more information.
A. Use the nameif command if you want to add vlan 200 to the configuration. The security level should be between 0 and 100. The complete command syntax is nameif vlan200 <interface name> <security level>.
A. You can place 1000 VLANs behind the FWSM using the Single Context, Routed mode.
A. By default, each interface denies Internet Control Message Protocol (ICMP). Use the icmp command to allow this traffic to the interface. This behavior differs from that of the PIX.
Note: When ICMP to the interface is denied by the icmp command, you still see the correct MAC address in the Address Resolution Protocol (ARP) table. If you do not see the MAC address, see the next question.
Q. I am unable to ping my FWSM on a directly connected interface, and I do not see an Address Resolution Protocol (ARP) entry for the interface. I am running CatOS (or hybrid) software on my switch. What should I do?
A. If you configure the interfaces within the FWSM configuration (with the nameif command) or on the Multilayer Switch Feature Card (MSFC) (with the interface vlan command) before they are configured on the switch (on the Supervisor Module in CatOS), the interfaces may appear not to respond at all, with no ARP entry and no Internet Control Message Protocol (ICMP) response.
If you configured an interface on the FWSM or MSFC that belongs to the firewall VLANs before you configured the switch, remove the FWSM or MSFC entry, reload the module, then re-add the entry.
A. Network Address Translation (NAT) must be configured using the nat 0, nat/global, or static command for traffic to pass through the FWSM from a higher security interface (the inside interface) to a lower security interface (the outside interface).
You must also use the access-list command to implement access lists that permit traffic to flow through the FWSM. By default, access lists deny all traffic on all interfaces (deny ip any any). This behavior differs from the default configuration of the PIX, which allows traffic from higher to lower security and denies traffic from lower to higher security. Configure an access list with permit ip any any and apply it to the high-security interface(s) to get the FWSM to behave like the PIX.
Q. I can ping the FWSM interface that is directly connected to my network, but I am unable to ping other interfaces. Is this normal?
A. Yes. This is a built-in security mechanism that also exists on the PIX Firewall.
A. No. Failover requires that both FWSMs run the same version of code. A mechanism within the failover feature verifies the peer version and prevents failover if the versions of code are different. For this reason, you must upgrade both FWSMs at the same time.
A. Yes. But the FWSMs must be connected by Layer 2 on all interfaces. In other words, all interfaces must be able to exchange Layer 2 broadcast packets [Address Resolution Protocol (ARP), and so forth] with each other. Failover protocol packets cannot be routed at Layer 3.
A. Ensure that your configuration meets these requirements for successful failover.
Both FWSMs must run the same version of code.
Both FWSMs must have the same number of VLANs.
A Layer 2 connection must exist between all VLANs on the FWSMs. If the FWSMs exist in different chassis with a trunk configured between them, verify that all VLANs exist and are allowed on the trunk.
Q. Can I configure failover for three or more units of FWSM, which are spread over different switch chassis?
A. No. Failover is supported only for a pair of FWSMs, that is, two units. These two units can be in the same switch or in two separate switches. If you install the secondary FWSM in the same switch as the primary FWSM, you protect against module-level failure. In order to protect against both module-level and switch-level failure, install the secondary FWSM in a separate switch. The FWSM does not coordinate failover directly with the switch, but it works together with the switch failover operation. Refer to Intra- and Inter-Chassis Module Placement for more information.
Q. The FWSM has a label that states, "Do not remove card while status light is green or disk corruption may occur." What does this mean?
A. The firewall module should be removed only after you disable power using one of these methods. (There is no preference for a particular method.)
Use the command-line interface (CLI) of the switch and issue one of these commands.
Press the shutdown button on the blade.
Physically power down the chassis.
You can remove the module safely when the status light is not green.
A. Refer to this checklist to troubleshoot an FWSM with a status of faulty/other.
Ensure that you run a supported version of code on your switch.
Ensure that the FWSM can co-exist with the other blades located in the same chassis. Refer to the Catalyst 6500 Release Notes and/or Software Advisor ( registered customers only) for more information.
If you run CatOS/Hybrid code on your switch, reset the configuration for the slot occupied by the FWSM module. Use these commands in order to do this.
Type set module power down mod to power down the FWSM.
Type clear config mod to clear the configuration of the switch associated with that slot and to power up the module.
Refer to this documentation for more information.
If you continue to experience problems, contact Cisco Technical Support for further troubleshooting.
A. Release Notes for the FWSM can be found under the Catalyst 6500 Series Release Notes. For more information, refer to the documentation available on the Cisco Catalyst 6500 Series Firewall Services Module page.
A. The Error Message Decoder ( registered customers only) provides details on many FWSM error messages. Product documentation on system messages also contains useful information. If you require further assistance, contact Cisco Technical Support.
A. The PIX and FWSM are based on similar code. However, there are two fundamental differences. The PIX provides VPN and IDS functionality. The FWSM does not provide VPN and IDS functionality because these features are offered in other line cards. Refer to the Catalyst 6500 Series Intrusion Detection System (IDSM-2) Services Module Data Sheet for more information on the Catalyst 6500 Series Intrusion Detection System (IDSM-2) Services Module. Refer to the Catalyst 6500 IPsec VPN Services Module Product Data Sheet for more information on the Catalyst 6500 IPsec VPN Services Module.
Refer to this documentation for minor differences between the PIX and FWSM:
Q. I could not issue multiple access-group commands on the FWSM per interface. FWSM seems to only take one access group per interface. Why?
A. When you issue these commands on the FWSM, only the last access-group command appears:
access-group allow_icmp in interface outside
access-group allow_caltech in interface outside
This is because FWSM allows only one access-list per interface per direction.
A. Xlate entries store this information:
Source Interface—This is the interface that the packet is received, for example, outside.
Source IP Address—This is the source IP address of the packet.
Translated IP Address—In the case of no NAT statements, translated IP address and the source IP address are the same.
Destination Interface—The interface that the packet leaves based on the routing table lookup of the destination IP address of the packet.
A. Use the show perfmon command in order to capture information about the performance of the FWSM.
FWSM#show perfmon
FWSM#show console-output
Context: my_context
PERFMON STATS:        Current   Average
Xlates                0/s       0/s
Connections           0/s       0/s
TCP Conns             0/s       0/s
UDP Conns             0/s       0/s
URL Access            0/s       0/s
URL Server Req        0/s       0/s
WebSns Req            0/s       0/s
TCP Fixup             0/s       0/s
TCP Intercept         0/s       0/s
HTTP Fixup            0/s       0/s
FTP Fixup             0/s       0/s
AAA Authen            0/s       0/s
AAA Author            0/s       0/s
AAA Account           0/s       0/s
The Current column shows the statistics for the current interval, whereas the Average column shows the cumulative average since the last time the statistics were cleared. Values are shown as /s because they are rates rather than absolute counts.
The statistics shown in the command output are updated at an interval of 120 seconds by default. The interval can be changed with the perfmon interval command.
FWSM#perfmon interval 20
This means that the rates reported in the Current column are calculated every 20 seconds. In addition, whenever you enter the show perfmon command, the rates are calculated from the statistics at that point in time.
The FWSM does not include a serial console port, but some messages are displayed only on a console port, including the output of the show perfmon and perfmon commands. Use the show console-output command in order to view the console buffer, which includes the show perfmon command output.
A. The SPAN session is required on the FWSM because of a hardware limitation: the module lacks an ASIC for traffic replication. Packets that need replication are passed to the switch through the SPAN session, and the switch replicates them. Traffic affected by this is Distributed EtherChannel, multicast and GRE. It is recommended to keep the SPAN session configured and not to remove it.
If for some reason you need to remove it, make sure that you do not have traffic that requires replication, for example Distributed EtherChannel, which is affected by Field Notice FN-61935: Catalyst 6500 Series and 7600 Series Service Module Incompatibility With Distributed EtherChannel and Packet Re-Circulation.
A. Memory allocated for ACLs in FWSM is limited. Refer to Specifications - Rule Limits for more information on FWSM resource allocation.
When the memory allocated for ACLs in a context is exceeded, you may receive any of these error messages:
- ERROR: Unable to add, access-list config limit reached
- ERROR: Unable to add Policy Rules
- Unable to add a hole to Policy Rule
Some access lists use more memory than others. It depends on the type of access list, and the actual limit the system can support is less than the maximum. The mapping between the rules and the memory allocation is not a one-to-one mapping. It actually depends on the rule and how it gets programmed in hardware.
You have two options for the optimization of the ACE memory usage:
- Summarize and simplify your ACE entries. This can be done if you follow these recommended practices:
  - Use contiguous host addresses whenever possible. Aggregate host statements in ACEs/object-groups into networks.
  - Use any instead of networks, and networks instead of hosts when possible.
  - Try to simplify object-groups. This can potentially save hundreds of ACEs when the ACLs are expanded. An example is to group individual port statements into a range.
- Re-partition the memory allocated for ACEs on each partition. This requires a reboot of the FWSM module.
The FWSM basically partitions the memory allocated for ACE into 12 partitions, and allocates corresponding memory for each. This is done automatically. From version 2.3(2) and later, you can use the resource manager to re-allocate the memory, which depends on the number of contexts you have.
Issue the show context count command in order to check how many contexts you have. You can then verify this with the configuration. Then find the number of partitions that use the show resource acl-partition command. If you have more partitions than your defined context, then you can match the number of partitions to the number of context with the resource acl-partition number-of-partitions command.
You need to save the configuration and reboot the FWSM after this. The previous command gives you more memory for the ACE, whether this is enough or not again depends on the ACE that you add to the context.
Caution: One drawback of this remapping is that if you want to add another context, you have to reallocate the memory mapping again. This leaves less memory available to each context and can break current ACE definitions. The memory that the FWSM allocates to ACEs is finite; it is carved out in a predetermined manner or through manual resource allocation as described previously.
From version 4.0 onwards, the FWSM includes a feature called "ACL optimization", which uses the memory available for storing ACL entries more efficiently. A built-in algorithm automatically aggregates ACL entries wherever possible without losing the effect of any single ACL entry: it joins contiguous subnets referenced in different ACL entries into a single statement and detects overlaps in port ranges. The feature is enabled with a command and, after the optimization is performed, the complete ACL configuration looks different from the original ACL configuration. The optimized ACL configuration can be retained after verification, and the optimization can then be disabled to save the CPU overhead. For more information on this feature, refer to the Access List Group Optimization section, which describes the functionality of ACL optimization along with its configuration details.
Version 4.0 also introduced another feature called "Increased Access List Capacity". With this feature, users can store 130,000 ACL entries in single-context mode and 150,000 entries in multiple-context mode. For more information on this feature, refer to the "Increased Access List Capacity" section in the Cisco Firewall Services Module Software Version 4.0 bulletin.
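As an added example that is not part of the original document or of the FWSM software, this Python script applies the summarization practices listed above (contiguous hosts into networks, individual ports into ranges, overlapping port ranges merged) to a constructed set of ACEs and renders the result in FWSM extended access-list syntax. It is a simple greedy pass written for this page, not the FWSM 4.0 ACL optimization algorithm; the sample ACEs and the acl_inside name are constructed.

```python
"""Summarize FWSM-style ACEs to save ACL memory (constructed example).

Aggregates contiguous destination hosts into networks and individual port
statements into ranges, as the FAQ recommends. Greedy two-pass approach written
for this page; not the FWSM's own ACL optimization code.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str       # "permit" or "deny"
    proto: str        # "tcp", "udp" or "ip"
    src: str          # CIDR; "0.0.0.0/0" stands for "any"
    dst: str          # CIDR; a /32 stands for "host x.x.x.x"
    port_lo: int = 0  # 0/0 means no port qualifier
    port_hi: int = 0


def merge_ports(ranges):
    """Merge overlapping or adjacent (lo, hi) port ranges: [(20,20),(21,21),(21,22)] -> [(20,22)]."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def summarize_aces(aces):
    """Pass 1: merge port ranges per (action, proto, src, dst).
    Pass 2: collapse contiguous destination networks per (action, proto, src, ports)."""
    by_flow = {}
    for a in aces:
        by_flow.setdefault((a.action, a.proto, a.src, a.dst), []).append((a.port_lo, a.port_hi))
    stage1 = [Ace(act, pr, s, d, lo, hi)
              for (act, pr, s, d), rs in by_flow.items() for lo, hi in merge_ports(rs)]

    by_ports = {}
    for a in stage1:
        key = (a.action, a.proto, a.src, a.port_lo, a.port_hi)
        by_ports.setdefault(key, []).append(ipaddress.ip_network(a.dst))
    out = [Ace(act, pr, s, str(net), lo, hi)
           for (act, pr, s, lo, hi), nets in by_ports.items()
           for net in ipaddress.collapse_addresses(nets)]
    return sorted(out, key=lambda a: (a.action, a.proto, a.src, a.dst, a.port_lo))


def render(ace, name="acl_inside"):
    """Render one ACE in FWSM extended access-list syntax."""
    def addr(cidr):
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 0:
            return "any"
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.netmask}"
    line = f"access-list {name} extended {ace.action} {ace.proto} {addr(ace.src)} {addr(ace.dst)}"
    if ace.port_lo:
        line += (f" eq {ace.port_lo}" if ace.port_lo == ace.port_hi
                 else f" range {ace.port_lo} {ace.port_hi}")
    return line


# Constructed sample: four web servers listed host by host for two ports, plus
# overlapping FTP entries and one unrelated DNS entry (12 ACEs in total).
SAMPLE_ACES = (
    [Ace("permit", "tcp", "0.0.0.0/0", f"192.168.10.{h}/32", p, p)
     for p in (80, 443) for h in (4, 5, 6, 7)]
    + [Ace("permit", "tcp", "10.1.0.0/16", "172.16.1.10/32", 20, 20),
       Ace("permit", "tcp", "10.1.0.0/16", "172.16.1.10/32", 21, 21),
       Ace("permit", "tcp", "10.1.0.0/16", "172.16.1.10/32", 21, 22),
       Ace("permit", "udp", "0.0.0.0/0", "172.16.1.20/32", 53, 53)]
)

if __name__ == "__main__":
    after = summarize_aces(SAMPLE_ACES)
    print(f"{len(SAMPLE_ACES)} ACEs summarized to {len(after)}:")
    for a in after:
        print(render(a))
```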
Q. Why does the capture command applied to the FWSM stop capturing traffic as soon as another capture command is applied on the same interface?
A. When you configure capture 'z' on the same interface where capture 'x' is already applied, capture 'z' supersedes capture 'x'. The active capture is the last one attached to that interface.
The only exception is when the access-list on the capture 'x' overlaps with the access-list of the capture 'z'. If that is the case, then both captures continue to capture the traffic where the access-lists overlap.
A. Reload the FWSM module in order to resolve this error.
A. You can configure FWSM to use TCP intercept to defend against certain types of SYN floods. Refer to FWSM TCP intercept and SYN cookies explained for more information.
A. Yes. You can see performance issues when sending IPv6 traffic, as the packet needs to be processed by the CPU. Because of the differences in handling the IPv4 traffic and IPv6 traffic by the CPU, IPv6 packet processing will cause certain performance issues with the FWSM.
A. You need to disable the proxyarp feature on the specified interface with this command:
sysopt noproxyarp <interface>
For more information on the proxyarp feature, refer to the FWSM Command Reference Guide.
A. In order to resolve this problem, disable inspection for H323 and H225:
policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
A. In order to resolve this problem, use the xlate-bypass command. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. You can disable NAT sessions for untranslated traffic, which is called xlate bypass, in order to avoid the maximum NAT session limit. The xlate-bypass command is configured as shown:
hostname(config)#xlate-bypass
Refer to Configuring Xlate Bypass for more information on how to configure xlate-bypass.