Release Notes for Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Software Release 1.1
Current Release: 1.1(3)—September 11, 2003
Previous Releases: 1.1(2), 1.1(1)
This publication describes the features, modifications, and caveats for the Catalyst 6500 series and Cisco 7600 series Firewall Services Module (FWSM) software release 1.1(3), used with a switch running Cisco IOS Release 12.1(13)E or later or Catalyst operating system software release 7.5 or later.
Note
For detailed installation and configuration procedures for the FWSM, refer to the Catalyst 6500 and Cisco 7600 Series Firewall Services Module Installation and Configuration Note at http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/index.htm
Note
Except where specifically differentiated, the term "Catalyst 6500 series switches" includes the Catalyst 6000 series switches, the Catalyst 6500 series switches, and the Cisco 7600 series router.
Note
For information on the latest caveats and updates for the Cisco 7600 series router, refer to the Cisco IOS Release 12.1(7a)E1 release notes or later MSFC release notes at
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/index.htm
Note
Release notes for prior Catalyst 6500 series and Cisco 7600 series router software releases were accurate at the time of release. However, for information on the latest caveats and updates to previous software releases, refer to the release notes for the latest maintenance release in your software release train. You can access all Catalyst 6500 series and Cisco 7600 series release notes at the World Wide Web locations listed in the "Obtaining Documentation" section.
Contents
•
System Requirements
•
Feature Set
•
Firewall Module and PIX Differences
•
New and Changed Information
•
Limitations and Restrictions
•
Caveats
•
Obtaining Technical Assistance
•
Obtaining Additional Publications and Information
System Requirements
This section describes the system requirements for the Catalyst 6500 series and Cisco 7600 series Firewall Services Module software release 1.1(3).
Memory Requirements
The Catalyst 6500 Series and Cisco 7600 series Firewall Services Module memory is not configurable.
Hardware Supported
Before you can use the Catalyst 6500 series and Cisco 7600 series Firewall Services Module, you must have a Supervisor Engine 1a (Catalyst operating system only) with an MSFC2, or a Supervisor Engine 2 (Catalyst operating system or Cisco IOS) with an MSFC2, and any module with ports to connect the server and client networks.
Software Compatibility
Table 1 lists the FWSM software versions supported by Catalyst operating system software and Cisco IOS software.
Feature Set
The Firewall Services Module (FWSM) is a high performance firewall used on the Catalyst 6500 series switch and Cisco 7600 series router. The FWSM can occupy a single slot in the Catalyst 6500 series and Cisco 7600 series chassis or two slots in a redundant configuration. Two modules can also reside in separate chassis in a failover configuration.
The Firewall Services Module provides the following features:
•
Switch fabric compatibility.
•
Interface configuration that can be done through both the native Cisco IOS command-line interface and the module command-line interface.
•
PIX 6.0-based feature set and some 6.2 features.
•
High performance: 5 Gbps aggregate throughput target.
•
1 million concurrent connections.
•
3 million pps (packets-per-second).
•
100,000 new connections per second for HTTP, DNS, and enhanced Simple Mail Transfer Protocol (SMTP).
•
100 VLAN interfaces (no physical interfaces on the module).
•
LAN failover active or standby (both intra- or inter-chassis).
•
Dynamic routing, Open Shortest Path First protocol (OSPF) (the module maintains its own OSPF tables), and Routing Information Protocol (RIP).
•
Supports a rule set of up to 128,000 entries, with a maximum of 80,000 access control entries (ACEs).
•
IPSec for management only.
•
No IDS signatures.
•
Command authorization.
•
Object grouping.
•
URL filtering enhancement—The module checks the outgoing URL requests with the policy defined on a Websense, Windows NT, or UNIX-based server. The module either permits or denies the connection depending on the response from the server, which matches a request against a list of 17 website characteristics that are considered inappropriate for business use.
•
Support for PIX 6.0 application inspection which ensures the secure use of applications and services. Application inspection rules are configured using the fixup command, which is why application inspection is called "fixup."
Note
Throughout this document, the term "fixup" applies to application inspection and configuring the application inspection process or application inspection rules.
•
Support for Lightweight Directory Access Protocol (LDAP) and Internet Locator Service (ILS) fixup for NetMeeting.
•
Security—Cisco firewalls provide the latest in security technology, ranging from stateful inspection firewalls to content-filtering capabilities that help protect your network environment from attacks. Another security feature is the Adaptive Security Algorithm (ASA), which maintains the security boundaries between the networks controlled by the firewall.
The stateful, connection-oriented ASA creates session flows based on source and destination addresses, randomized (non-predictable) TCP sequence numbers, port numbers, and additional TCP flags. You control inbound and outbound traffic by applying security policies to each connection table entry.
•
Reliability—Cisco firewalls provide adaptable security services for operation-critical network environments by using the integrated stateful failover capabilities within the module. Network traffic can be sent automatically to a hot standby module in the event of a failure, while maintaining concurrent connections with automated state synchronization between the primary module and the standby module.
•
Network Address Translation (NAT) and Port Address Translation (PAT)—Cisco firewalls provide NAT and PAT services that conceal IP addresses of internal networks and expand network address space for internal networks.
•
Denial-of-service (DoS) attack prevention—Cisco firewalls protect the firewall and networks behind them from attempts to gain access, which can bring a network to a halt.
•
Cisco PIX Device Manager (PDM) 2.1 support—PDM is a browser-based Java applet you can use to configure the Firewall Services Module. The module does not support all features supported by PIX.
–
PDM must be downloaded and installed for the Firewall Services Module release 1.1. Refer to the "Upgrading the PDM" section on page 3-10 of the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note for download and installation information.
–
The Firewall Services Module 1.1(2) software release is shipped with a preinstalled PDM 2.1 image. You can download the image from CCO to upgrade PDM if necessary.
When the managed platform is the Firewall Services Module, PDM displays modified screens for the features the module does not support. To use PDM to configure the module, refer to the Cisco PIX Device Manager Installation Guide, Version 2.1.
The following PIX firewall features are not supported by the module:
•
Virtual private networks (VPN) (The module supports IPSec VPN only for management purposes.)
•
Intrusion detection system (IDS) syslog messages.
•
PIX Firewall Manager (PFM).
•
Cisco Secure Policy Manager (CSPM)
•
Conduit
•
DHCP (Dynamic Host Configuration Protocol) client
Firewall Module and PIX Differences
The FWSM is a separate implementation from the PIX and has these differences:
•
The system option (sysopt) service for inbound and outbound connections is not supported in the FWSM.
•
Fragmentation is disabled by default on the FWSM.
•
By default, FWSM access lists are deny any any: no traffic passes through the FWSM in either direction until an access list that permits it is applied to the interface. This differs from PIX, which permits traffic from a higher-security interface to a lower-security interface without an access list.
•
PIX and the PIX Device Manager (PDM) support a Telnet timeout up to 60 minutes. The FWSM supports timeout up to 1440 minutes.
•
CSCea25486
The FWSM behavior has been changed. Overlapping or redundant static address translation entries are no longer accepted. An error is generated and the overlapping or redundant static address is not added to the configuration.
Workaround : None.
•
CSCdx93864
The FWSM tears down all the connections from or to the shunned IP address, even if specific connection parameters have been specified in the applied shun command. This behavior is different from that of PIX. In the FWSM implementation, when the shun is applied with full connection parameters (source IP, destination IP, source port, destination port and protocol), all connections from or to the source IP address are torn down.
Workaround : None.
•
CSCdx91902
An attempt to assign an access list that contains protocol or port numbers with the nat (interface) 0 access-list command fails and generates an error message. This behavior differs from PIX: on the FWSM, the access list used with nat 0 access-list cannot contain protocol or port numbers, and only access lists whose rules have neither are accepted.
Workaround : Use only access lists whose rules specify no protocols or port numbers with the nat (interface) 0 access-list command.
•
CSCdx81768
The FWSM does not report the most used connection count. This value is also not reported by the SNMP agent Firewall MIB. The show connection count command displays only the current number of connections and not the most used connections.
Workaround : None.
•
CSCdx14768
The clear nameif command is not supported and displays an error message.
Workaround : Use the no nameif command. (See caveat CSCdx14699.)
•
CSCdx14699
You cannot change the interface name once it is assigned using a nameif command. Trying to change the name of the interface using the nameif command results in an error message.
Workaround : Delete the old interface using the no nameif command, and assign it a new name. All configuration parameters tied to that interface are lost when you run the no nameif command. (See caveat CSCdx14768.)
New and Changed Information
•
FWSM software release 1.1 does not support MSN IM (Instant Messaging) when you use the SIP (Session Initiation Protocol) (UDP) fixup.
•
The FWSM runs with Cisco IOS Release 12.1(13)E or higher and Catalyst operating system software release 7.5, and is supported by the Supervisor Engine 1a (Catalyst operating system only) or Supervisor Engine 2 (Catalyst operating system and Cisco IOS) with an MSFC2.
•
New Command Line Interface (CLI) additions support the FWSM in the Catalyst operating system. Refer to the Catalyst 6500 Series Command Reference (7.5) for descriptions of these commands.
•
Multiple VLAN interfaces are supported in Cisco IOS Release 12.2(14)SY and the Catalyst operating system software version 7.6(1).
Note
When the MSFC has an interface in more than one firewall VLAN, it can route between those VLANs directly, so that traffic bypasses the FWSM. To prevent this, policy routing on the MSFC may be required when you enable support for multiple VLAN interfaces on the switch.
To create multiple VLAN interfaces on the switch, use these commands:
For Cisco IOS:
firewall multiple-vlan-interfaces
no firewall multiple-vlan-interfaces
For the Catalyst operating system:
set firewall multiple-vlan-interfaces {enable | disable}
•
The Firewall Services Module 1.1(2) software release is shipped with a preinstalled PDM 2.1 image.
•
CSCdz51094
The command-line interface in the FWSM contains changes that add new functionality to manually trigger ACL compiling.
Workaround : None.
•
As part of the fix for CSCeb78838, the following syslog message is added in the FWSM 1.1(3) release.
Error Message 440520: ILS <msg_id> from <interface>:<ip/port> to <interface>:<ip/port> has wrong embedded address
Explanation The source IP address of the ILS message does not match the IP address embedded in the payload, which most likely means the client is behind another NAT device that does not recognize ILS. The message is allowed through the firewall.
Recommended Action This is an informational warning message. No action is required.
Limitations and Restrictions
The following apply:
•
The following features are currently not supported in this release but are planned for support in the next FWSM releases:
–
Support for Jumbo Frames
–
Auto-update Feature
–
Support for OSPF flood reduction feature
•
In FWSM release 1.1(2), static commands with overlapping addresses result in CLI errors. In FWSM 1.1(1), such configurations result in a warning message only. You may encounter this issue if the PIX MC (Management Center) is used to manage the FWSM. PIX MC generates additional static commands for the end points of the network when it deploys a static command on a network. For example, when deploying the command static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0 0 0, PIX MC generates two additional rules: static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.255 0 0 followed by static (inside,outside) 1.1.1.255 1.1.1.255 netmask 255.255.255.255 0 0. This overlap results in CLI errors when deployed to FWSM 1.1(2).
A patch will be released for PIX MC to address this issue. The patch version will be PIX MC 1.1(1). With the patch, the PIX MC will not generate the two additional static commands if the device operating system is FWSM Release 1.1(1) or FWSM Release 1.1(2).
•
The FWSM supports up to 256K xlates.
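As an added illustration (not part of the original release note and not Cisco code), the check below parses static translation lines in the PIX 6.x form quoted above and flags pairs whose mapped or real ranges overlap on the same interface pair, so a configuration can be screened before it is pushed to FWSM 1.1(2) or later, where such overlaps are rejected. The sample configuration is constructed from the three PIX MC lines above plus one unrelated static; only the Python standard library is used.

```python
"""Screen a PIX/FWSM configuration for overlapping or redundant static translations.

Added example; not Cisco code. The static syntax assumed is the PIX 6.x form used on
this page: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [max_conns [em_limit]]
"""
import re
from ipaddress import ip_network

STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)\s+"
    r"netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample: the /24 static plus the two /32 host statics that PIX MC
# generates for the network end points, as described in the text above, and one
# unrelated static on a different interface pair that must not be flagged.
SAMPLE_CONFIG = """\
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.255 1.1.1.255 netmask 255.255.255.255 0 0
static (dmz,outside) 192.0.2.10 10.6.0.10 netmask 255.255.255.255 0 0
"""


def parse_statics(config_text):
    """Return one (real_if, mapped_if, mapped_net, real_net, line) tuple per static line."""
    statics = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if not m:
            continue  # not a static, or a form this checker does not model (e.g. port statics)
        mapped = ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
        real = ip_network(f"{m['real']}/{m['mask']}", strict=False)
        statics.append((m["real_if"], m["mapped_if"], mapped, real, line))
    return statics


def find_overlaps(statics):
    """Return index pairs (i, j) of statics on the same interface pair whose mapped
    or real address ranges overlap. A fully redundant duplicate is reported as well,
    since FWSM 1.1(2) rejects both cases."""
    overlaps = []
    for i in range(len(statics)):
        for j in range(i + 1, len(statics)):
            a, b = statics[i], statics[j]
            if (a[0], a[1]) != (b[0], b[1]):
                continue  # different interface pair: no conflict
            if a[2].overlaps(b[2]) or a[3].overlaps(b[3]):
                overlaps.append((i, j))
    return overlaps


if __name__ == "__main__":
    statics = parse_statics(SAMPLE_CONFIG)
    for i, j in find_overlaps(statics):
        print(f"overlap: {statics[i][4]}  <->  {statics[j][4]}")
```

Run against the sample, the /24 line is reported against each of the two /32 lines, while the two /32 lines do not conflict with each other and the dmz static is ignored because it sits on another interface pair.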
Caveats
These sections describe the following release caveats:
•
Open Caveats in Release 1.1(3)
•
Resolved Caveats in Release 1.1(3)
•
Open Caveats in Release 1.1(2)
•
Resolved Caveats in Release 1.1(2)
•
Open Caveats in Release 1.1(1)
•
Resolved Caveats in Release 1.1(1)
Open Caveats in Release 1.1(3)
This section describes known limitations that exist in the FWSM software release 1.1(3).
•
CSCec24882
During failover interface testing when the shutdown command is sent manually, testing continues, and the interface state is reported as "unknown." The interface status should be reported as "Link Down," and the test should not be performed on the interfaces.
Workaround : None.
•
CSCec22386
The no routerid ip_address command under the OSPF routing process does not remove the router ID because the routerid syntax is incorrect.
Workaround : Use the no router-id syntax.
•
CSCec21934
When the message digest key is configured it cannot be removed using the no ospf message-digest-key key md5 cisco command because the syntax is incorrect.
Workaround : Use the no ip ospf message-digest-key keyid command syntax.
•
CSCec09288
No video can be seen using IP TV. The UDP packets seem to be dropped when access-lists are applied to allow only the needed traffic to flow through the FWSM.
Workaround : None.
•
CSCec07318
The NFS mount takes a long time to succeed or fails because the NFS client is on a lower security interface relative to the NFS server.
Workaround : Configure the NFS client on a higher security interface relative to the NFS server.
•
CSCec03643
When making calls through gateways to the SIP (Session Initiation Protocol) proxy, UDP and TCP proxy calls fail to set up, or there is no voice path.
Workaround : Do not use gateways with the SIP proxy.
•
CSCeb17912
The FWSM does not reply to the Address Resolution Protocol (ARP) if ARP is sourced from a non-connected network.
Workaround : Add a specific route or static ARPs on the MSFC.
•
CSCeb13501
The PIX Device Manager (PDM) performance monitor graphs display only zero values except for the performance monitor intervals. This condition occurs because the performance monitor interval and the PDM poll interval are set to different values.
Workaround : Configure the PDM poll and performance monitor interval to the same value.
•
CSCea75037
When the interface IP address is modified, the interface static entry continues working with the old IP address but not with the new IP address.
Workaround : Remove and reconfigure the interface static line after the interface IP address has been changed.
•
CSCea62152
When running in a failover configuration, the FWSM does not replicate connections at the second failover because the state of the connection is lost. This condition applies only to connections that remain alive through both failovers. FTP and RSH connections consist of a linked control channel and data channel; all other connections are treated as control channel only. A connection is replicated for one of the following reasons:
a.
A new connection is established (control or data).
b.
Packets are exchanged over an existing connection.
Data channels without a parent control channel are not replicated.
Workaround : None.
•
CSCeb82034
When overlapping static statements are specified, the static entries cannot be removed from the configuration.
Workaround : Avoid using overlapping network addresses in different static statements, or change the order of the static statements in the configuration.
•
CSCeb82030
The maximum idle time that can be configured for a connection is 18 hours and 12 minutes. If a timeout is configured for a time that is greater than 18 hours and 12 minutes, the timeout wraps around and has a value of 18 hours and 12 minutes.
Workaround : Configure a maximum idle time value lower than 18 hours and 12 minutes.
•
CSCeb81845
The show conn command displays connections with the idle timeout larger than the timeout configured.
Workaround : None.
•
CSCeb61644
When the OSPF processes and the SVI interfaces on both the MSFC and the FWSM are configured to perform MD5 authentication, the OSPF process in the FWSM becomes stuck in the loading state and cannot reach the full state. The output of the show ip ospf neighbor command displays this information:
Neighbor ID     Pri   State        Dead Time   Address     Interface
x.x.x.x           1   LOADING/DR   0:00:33     y.y.y.y     outside
This syslog message displays:
409005: Invalid length 1504 in OSPF packet from y.y.y.y (ID x.x.x.x), outside
This situation occurs when the LS update packets from the MSFC are fragmented and both OSPF neighbors are configured to perform MD5 authentication.
Workaround : Do not use MD5 authentication. Use clear text authentication, or do not configure authentication. Note that clear text authentication sends the key in the clear and protects only against accidental adjacencies, not against an attacker on the segment. Cisco IOS releases that do not fragment LS updates do not cause this problem on the FWSM.
•
CSCec02829
If a server group is created without associating a protocol with it using the aaa-server tag protocol tacacs+|radius command, the new server group is always treated as a TACACS+ group.
If a RADIUS server is specified with the aaa-server tag [(if_name)] host ip_address [key] [timeout seconds] command and the tag is not associated with the RADIUS protocol, AAA authentication, authorization, or accounting fails because the firewall assumes the AAA server is a TACACS+ server and sends requests to port 49 on the specified server.
Workaround : Always create a server group by associating it with the required protocol before assigning servers to that group. The following output shows the problem: a host is added to the TEST_RADIUS group before the group has a protocol, and the FWSM records the group as tacacs+:
FWSM(config)# sh aaa-server
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
FWSM(config)# aaa-server TEST_RADIUS (dmz) host 10.6.0.3 ciscoradius timeout 2
FWSM(config)# sh aaa-server
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server TEST_RADIUS protocol tacacs+
aaa-server TEST_RADIUS (dmz) host 10.6.0.3 ciscoradius timeout 2 [ACTIVE]
FWSM(config)#
To avoid this, enter aaa-server TEST_RADIUS protocol radius before the aaa-server TEST_RADIUS (dmz) host command.
•
CSCec01062
If SIP messages are split across multiple TCP segments, the FWSM does not take any action (such as NAT or connection pre-allocation) on them.
Workaround : Do not use Network Address Translation (NAT) or Port Address Translation (PAT) and disable the fixup SIP using the no fixup protocol sip 5060 command.
•
CSCec19761
Outbound TFTP requests fail if PAT is using an interface IP address that is configured on the FWSM. The TFTP file download works correctly with other PAT IP addresses.
Workaround : None.
•
CSCec13506
If the FWSM is started up with the configuration having an interface in the shut down state, error messages appear on the console during startup.
Workaround : None.
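The ordering requirement in CSCec02829 above is easy to check offline. The following added example (not Cisco code, not part of the original release note) walks a configuration in entry order and reports every aaa-server host line whose group had not yet been given a protocol, which is the case the FWSM silently turns into a TACACS+ group. The group and host syntax assumed is the PIX 6.x form quoted in the caveat; the two sample configurations are constructed from the caveat's own TEST_RADIUS example.

```python
"""Check that every aaa-server host line is preceded by a protocol definition for its group.

Added example; not Cisco code. Per caveat CSCec02829, a group that receives hosts before an
"aaa-server TAG protocol ..." line is treated as TACACS+ and requests go to port 49.
"""
import re

GROUP_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)\s*$")
HOST_RE = re.compile(r"^aaa-server\s+(\S+)\s+(?:\(\S+\)\s+)?host\s+(\S+)")

# Groups the FWSM defines for you (visible in the show aaa-server output in the caveat).
BUILTIN_GROUPS = {"TACACS+": "tacacs+", "RADIUS": "radius", "LOCAL": "local"}

# Constructed samples: the host added before its group's protocol (the caveat), and the
# same configuration with the protocol line placed first.
BAD_CONFIG = """\
aaa-server TEST_RADIUS (dmz) host 10.6.0.3 ciscoradius timeout 2
aaa authentication telnet console TEST_RADIUS
"""
GOOD_CONFIG = """\
aaa-server TEST_RADIUS protocol radius
aaa-server TEST_RADIUS (dmz) host 10.6.0.3 ciscoradius timeout 2
aaa authentication telnet console TEST_RADIUS
"""


def audit_aaa_servers(config_text):
    """Walk the configuration in entry order and return (line_no, tag, host, protocol)
    for each host assigned to a group that had no protocol at that point; the protocol
    reported is the tacacs+ default the caveat says the FWSM applies."""
    protocols = dict(BUILTIN_GROUPS)
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            protocols[m.group(1)] = m.group(2)
            continue
        m = HOST_RE.match(line)
        if m and m.group(1) not in protocols:
            findings.append((lineno, m.group(1), m.group(2), "tacacs+"))
            protocols[m.group(1)] = "tacacs+"  # group now exists, as a TACACS+ group
    return findings


if __name__ == "__main__":
    for lineno, tag, host, proto in audit_aaa_servers(BAD_CONFIG):
        print(f"line {lineno}: group {tag} has no protocol before host {host}; "
              f"FWSM will treat it as {proto}")
```

The check is order-sensitive on purpose: the same two lines in the opposite order are exactly what the workaround prescribes, and the audit of GOOD_CONFIG returns nothing.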
Resolved Caveats in Release 1.1(3)
This section describes the resolved caveats in FWSM software release 1.1(3).
•
CSCec05977
When failover is configured, using a write standby command resets the configurations on the secondary FWSM.
Workaround : None.
•
CSCeb86257
With some configuration and with fragmented ICMP, HTTP, FTP traffic, and RTSP, the network processors lose their ingress buffers, causing both FWSMs to become active or causing the secondary FWSM to report as failed.
Workaround : None.
•
CSCeb78583
When using show run and write mem commands from two simultaneous sessions into the FWSM, and when the show run command completes first, the write mem command fails in cfglck.c line 76 upon completion.
Workaround : Perform CLI commands from only one session at a time.
•
CSCeb76295
The FWSM in a stateful failover configuration may not replicate TCP connections correctly. This behavior shows up in configurations where a nat 0 access-list (identity NAT with an access list) is used.
Workaround : Use nat 0 without an access list, or use static translations.
•
CSCeb70377
When two FWSMs are used with stateful failover, unnecessary failovers can occur, caused by the garbage collection thread on the standby module. When a translate (xlate) process ages to one hour, the standby FWSM constantly queries the process to verify if the process is still in use or if the process can be torn down. During this time, the failover hello messages are dropped, resulting in a failover.
Workaround : Disable stateful failover.
•
CSCeb60286
Stateful synchronization does not operate correctly after switchover. When there is a switchover due to a short communication failure between the active and the standby FWSM, the logical unit (LU) flag is not set correctly on the network processors (NPs) after the switchover, which stops the stateful synchronization from the active FWSM to the standby FWSM.
Workaround : Remove the stateful link configuration, and add it back on the active FWSM with the no failover link stateful and failover link stateful commands.
•
CSCeb54271
If there is an ACL with an access-list entry using object-groups, and it expands to a large number of ACL lines (up to 10,000-12,000), then when this configuration is synchronized through failover, some commands that follow after the ACE might be missing on the standby FWSM after the synchronization.
Workaround : Do not use ACE with object groups that expand to a large number (up to 10,000-12,000).
•
CSCeb45715
The FWSM fails when performing two write terminal or show running commands in concurrently running sessions that are on the same FWSM with pager enabled.
Workaround : Change the number of pager lines in the configuration to a different value, or disable the pager completely.
•
CSCeb32385
An overflow in TCP sequence number randomization causes large file transfers to fail intermittently; the randomized sequence number is not calculated correctly.
Workaround : Disable sequence number randomization on the affected address translations. Note that this removes the FWSM's protection against TCP sequence number prediction for hosts behind those translations, so limit it to the translations that need it.
•
CSCeb31327
Changing the object group entry does not allow the access list to properly compile.
Workaround : Remove and reapply the ACL.
•
CSCeb14311
If the timeout reauthentication (uauth) absolute session is disabled (value 00:00:00), and inactivity is enabled (any value greater than 00:00:00), the FWSM still times out every uauth session immediately after the authentication.
Workaround : Increase the absolute timeout to the maximum value to minimize the effect of reauthenticating frequently.
•
CSCea84521
The first interface shuts down without an IP address and packets from the processor complex (PC) are dropped when fixup-enabled traffic fails.
Workaround : Configure the IP address on the first interface.
•
CSCea77343
If AAA authentication and HTTP fixups are both enabled, the original URL requested by the client is modified by the FWSM, making the URL unreachable after the user has successfully been authenticated.
Workaround : Disable HTTP fixup.
•
CSCea74979
A no nameif command on the FWSM for any nameif statement resets the fragment size from the configured value to the default of 1.
Workaround : Reconfigure the fragment size on the interfaces.
•
CSCea58768
When performing the show running command from multiple sessions into the same FWSM module, upon completion of the second command, the FWSM reboots.
Workaround : Avoid performing commands from multiple simultaneous sessions into the same FWSM module.
•
CSCdz11349
Connections to a server are interrupted during a standby reboot, causing the following conditions:
–
If the secondary (standby) FWSM is reloaded when booting up, as it is receiving its configuration from the active FWSM, it sends out ARP requests (using the active IP addresses) for any servers configured in the configuration, for example, syslog server, TACACS+ server, and so on.
Hosts that see the ARP request go out from the standby FWSM (with the active IP addresses) update their ARP table and associate the standby module MAC addresses with the active IP addresses. This condition results in packet loss because the clients that update their ARP table will now forward packets to the standby FWSM, which drops the packets.
–
If the secondary FWSM is active, and the primary FWSM is reloaded upon startup, the primary FWSM sends out packets (using its burned-in MAC address [BIA]). This condition occurs because the packets are sourced from the primary FWSM before it realizes it is in standby mode and should be using the secondary FWSM MAC addresses.
The MAC-to-port mapping in the CAM table on the Catalyst 6500 switch (or the Cisco 7600 series router) is incorrectly populated. The switch forwards packets destined to the active FWSM's MAC address to the primary FWSM (in standby mode), and the packets are dropped.
Workaround : None.
•
CSCdx14755
Static or connected routes from non-OSPF interfaces cannot be redistributed. The FWSM supports the OSPF routing protocol and allows at most two OSPF processes to run at one time. The FWSM allows redistribution only between OSPF domains. In FWSM release 1.1(1), there is no support for redistributing RIP or static routes into the OSPF domain (or the reverse).
Workaround : There is no workaround for redistribution between the RIP and OSPF domains. To redistribute static routes into the OSPF domain, start an OSPF process on the interfaces that hold those routes; the routes associated with that process can then be redistributed into the existing OSPF domain.
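Two numbers on this page bound how far object groups can be expanded: the 80,000-ACE maximum in the feature set, and the 10,000-12,000-line expansions of a single access-list entry that broke failover configuration synchronization in CSCeb54271 above. The following added example (not Cisco code, not part of the original release note) parses object-group definitions in the PIX 6.2 syntax, follows nested group-object references, and reports the number of compiled ACEs each access-list line expands to, so an ACL can be checked against both limits before it is applied. It assumes each leaf member of each referenced group becomes one ACE (a port-object range counts as one); the sample configuration is constructed.

```python
"""Estimate how many ACEs each object-group access-list line expands to on the FWSM.

Added example; not Cisco code. Syntax assumed is the PIX 6.2 object-group / access-list
form. Thresholds reflect the page: 80,000 ACEs maximum, and 10,000-12,000 expanded
lines for one entry is the range reported in CSCeb54271.
"""
import re

GROUP_HEADER_RE = re.compile(r"^object-group\s+(network|service|protocol|icmp-type)\s+(\S+)")
MEMBER_RE = re.compile(r"^(network-object|port-object|protocol-object|icmp-object)\s")
NESTED_RE = re.compile(r"^group-object\s+(\S+)")
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s")
REF_RE = re.compile(r"object-group\s+(\S+)")

# Constructed sample configuration.
SAMPLE_CONFIG = """\
object-group network DMZ_WEB
 description constructed sample
 network-object host 10.6.0.10
 network-object host 10.6.0.11
 network-object 10.6.1.0 255.255.255.0
object-group network ALL_DMZ
 network-object 10.6.2.0 255.255.255.0
 group-object DMZ_WEB
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq 443
access-list INSIDE_OUT permit tcp any object-group DMZ_WEB object-group WEB_PORTS
access-list INSIDE_OUT permit ip object-group ALL_DMZ object-group ALL_DMZ
access-list INSIDE_OUT deny ip any any
"""


def parse_object_groups(config_text):
    """Map group name -> {"members": leaf member count, "nested": [referenced groups]}."""
    groups, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = GROUP_HEADER_RE.match(line)
        if m:
            current = m.group(2)
            groups[current] = {"members": 0, "nested": []}
            continue
        if current is None or not line or line.startswith("description"):
            continue
        nested = NESTED_RE.match(line)
        if MEMBER_RE.match(line):
            groups[current]["members"] += 1
        elif nested:
            groups[current]["nested"].append(nested.group(1))
        else:
            current = None  # any other top-level command ends the group definition
    return groups


def group_size(name, groups, seen=frozenset()):
    """Leaf member count of a group, following nested group-object references."""
    if name in seen:
        raise ValueError(f"circular group-object reference through {name}")
    if name not in groups:
        raise KeyError(f"object-group {name} is referenced but never defined")
    g = groups[name]
    seen = seen | {name}
    return g["members"] + sum(group_size(n, groups, seen) for n in g["nested"])


def expanded_ace_counts(config_text):
    """Return (line_no, acl_name, expanded_count) per access-list permit/deny line.
    Every member of every referenced group becomes one compiled ACE, so the count is
    the product of the referenced group sizes; a line with no groups counts as one."""
    groups = parse_object_groups(config_text)
    results = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        count = 1
        for ref in REF_RE.findall(line):
            count *= group_size(ref, groups)
        results.append((lineno, m.group(1), count))
    return results


def find_large_aces(config_text, threshold=10000):
    """Lines whose expansion reaches the size range that tripped CSCeb54271."""
    return [r for r in expanded_ace_counts(config_text) if r[2] >= threshold]


def total_expanded_aces(config_text):
    """Total compiled ACEs, to compare against the 80,000-ACE maximum."""
    return sum(r[2] for r in expanded_ace_counts(config_text))


if __name__ == "__main__":
    for lineno, acl, count in expanded_ace_counts(SAMPLE_CONFIG):
        print(f"line {lineno}: {acl} expands to {count} ACE(s)")
    print(f"total: {total_expanded_aces(SAMPLE_CONFIG)} of 80000")
```

The second sample line shows why one entry can reach the caveat's range: a group referenced as both source and destination multiplies by itself, so a 110-member group on a single permit ip line already expands to 12,100 ACEs.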
Open Caveats in Release 1.1(2)
This section describes known limitations that exist in the FWSM software release 1.1(2).
•
CSCea53736
Configuring a NAT rule on interface number 32 may fail.
Workaround : Configure a dummy interface as the interface number 32.
•
CSCea51993
After upgrading the image to 1.1(2), the FWSM may fail to boot up.
Workaround : Upgrade the FWSM application partition (AP) image from the maintenance partition (MP).
•
CSCea49340
If you run commands like show ip ospf simultaneously from multiple sessions, this action could cause the FWSM to malfunction.
Workaround : Do not run the same commands from multiple sessions.
•
CSCea47186
If a SSH session is disconnected because of a session timeout, the FWSM may still show the session with IP address 0.0.0.0 as connected.
Workaround : None.
•
CSCea27881
Syslog ID 109003 does not specify the IP addresses correctly for command authorization.
Workaround : None
•
CSCea25990
During authentication of traffic, the following message may be printed on the console:
uauth_procline:null uap->proxy
Workaround : None
•
CSCea17890
The following auth-prompt command help message is incorrect:
Usage: [no | clear] auth-prompt [prompt | accept | reject] "<prompt text>"
The help message should not contain quotation marks and should appear as:
Usage: [no | clear] auth-prompt [prompt | accept | reject] <prompt text>
Workaround : Do not use quotation marks (" ") when specifying the prompt text.
•
CSCea08088
If an access-list specified in a route-map is removed, then the next configured access-list is added into the route-map.
Workaround : Remove the errant ACL and reapply the correct ACL.
•
CSCea07741
Matching by route-source or next hop in route-maps does not work on the FWSM
Workaround : Do not configure route-sources or next hops in route-maps.
•
CSCdz75298
If an area range is specified with the range being a subnet of a connected route, then that connected route fails. Hosts located on the failed interface are not reachable unless there is another more specific route available.
Workaround : Specify an area range which is not a subnet of connected interface.
•
CSCdz71636
For AAA authenticated HTTP connections on the FWSM, the module changes the CRLF to LF, even if the client sends a CRLF. However, the FWSM behavior is still compliant with RFC1945.
Workaround : None
•
CSCdz54939
When an ACL is configured with a source port specified for a match rule in AAA, the source port is ignored.
Workaround : Do not use a source port in the AAA configuration.
•
CSCdz43131
After an FTP connection is closed, the FIN+ACK packet is dropped.
Workaround : None.
•
CSCdz11349
If a logging host command is configured on the standby module and is saved on the compact flash memory, any existing connections on the active module to the configured logging server get interrupted during a standby reboot.
Workaround : Do not have a logging host command saved on the standby module's compact flash memory.
•
CSCdz10577
Although adjacency is in the full state, the FWSM OSPF database goes out of synchronization for an LSA, which may result in a missing route.
Workaround : Issuing a clear ip ospf process_id process command rectifies the problem.
•
CSCdz06297
Sometimes a nameif , no nameif , nameif , ip address command sequence causes the connected route entry for the interface to be lost. The IP address of the interface is set correctly.
Workaround : Reissue the ip address command with the same parameters.
•
CSCdz05858
The ip address command is case sensitive: the interface name must match the case used when the name was assigned with the nameif command.
Workaround : None.
•
CSCdz04484
The Windows 2000 FTP server connection is dropped after a switchover. This problem occurs because the Windows 2000 FTP server closes the connection after a few unsuccessful retries. As a result, the FTP data connection is dropped.
Workaround : None.
•
CSCdy88467
OSPF may not transition from the EXCHANGE to the FULL state.
Workaround : Reset the OSPF process by issuing the clear ip ospf pid process command.
•
CSCdy84020
Packets belonging to authentication traffic that requires fragmentation may not be fragmented.
Workaround : None.
•
CSCdy73409
When using the clear xlate command, connections are cleared but those required to be accounted for (as specified in the aaa account ... command) do not generate the corresponding STOP record.
Workaround : None
Resolved Caveats in Release 1.1(2)
This section describes caveats that have been resolved in FWSM software release 1.1(2).
•
CSCea1832
The return TFTP connection from the client on the inside of the firewall to the server on the outside of the firewall fails when an FWSM is in the path.
Workaround : None.
•
CSCdz75675
The FWSM does not release the console after you send a show access-list command.
Workaround : None.
•
CSCdz75304
The interface configuration synchronization times out too soon.
Workaround : None.
•
CSCdz74169
When configuring ACLs for UDP with a port number specified, the display is incorrect. When a port number is not specified, the display is correct. The configuration is synchronized to the standby module the first time. After a switchover, the configuration does not synchronize to the new active module. This problem is not seen while configuring an ACL for permitting TCP.
Workaround : None.
•
CSCdz71414, CSCdy72108, CSCdy69069
The wr mem command requires several minutes to complete.
Workaround : None.
•
CSCdz71154
If an OSPF redistribution access list has been configured, after clearing all access lists you may not be able to configure any new access lists.
Workaround : Reboot the module.
•
CSCdz69224
An internal stack error may occur, and the secondary module may continue to reboot when the traffic through the module includes HTTP, FTP, UDP with fragmentation, and UDP with protocol 85 and protocol 170.
Workaround : None.
•
CSCdz65676
A memory allocation error occurs with HTTP, FTP, UDP, fragmented UDP, protocol 85, and protocol 170 traffic flowing through the module.
Workaround : None.
•
CSCdz62114
When removing named interfaces (nameifs ) from the active console, the parse_thread_helper reports "NO valid ifc found for vlan <vlan id>", which causes a "Disabling failover" message because the number of interfaces is no longer consistent between the active and standby modules.
Workaround : None.
•
CSCdz55901
During an AAA authorization configuration attempt, after removing the aaa authentication enable console NT_tacacs command and attempting to continue configuration after a Telnet login, the FWSM enters debugging mode.
Workaround : None.
•
CSCdz55648
Failover occurs when reconfiguring the failover LAN primary module.
Workaround : To recover the modules after the failure, enter the no failover command on both modules, configure one module as the primary (active) module, enable failover on the secondary module, and then reload the secondary module. To avoid the failure, enter the no failover command on both modules before reconfiguring them as primary and secondary modules; enable failover on the primary module first and then on the secondary module, which then receives the configuration synchronization from the primary module.
•
CSCdz51968
Buffers that are 1550 bytes long are lost, and errors are displayed on the console.
Workaround : None.
•
CSCdz49400
When configuring AAA on connections through the FWSM on VLANs higher than 255, AAA does not work. Any time the source interface of the traffic that is to be authenticated is higher than 255, the username and password prompts do not appear, and the connection is closed.
Workaround : None.
•
CSCdz48886
With HTTP and UDP traffic, the FWSM fails in scp_check_resp_packet while downloading VLANs from the switch.
Workaround : None.
•
CSCdz48877
When a new DHCPD address pool is assigned while an existing DHCPD address pool is configured, an internal error occurs.
Workaround : None.
•
CSCdz48506
A user can access the FWSM through a Telnet connection without authentication.
Workaround : None.
•
CSCdz47194
When using the LOCAL username database as an authentication function for SSH sessions to the FWSM console, the authentication fails.
Workaround : None.
•
CSCdz45925
The FWSM debug process begins when you access the console, leave the username field blank, and type in any password using the SSH client application.
Workaround : None.
•
CSCdz44289
When an SSH session is made to FWSM, the 109005 or 109006 syslog messages that are displayed are incorrect.
Workaround : None.
•
CSCdz43874
The FWSM is unable to reach hosts defined with the static command because of overlapping addresses.
Workaround : None.
•
CSCdz41758
When one IP address is used when both NAT and PAT are defined with the static command, the FWSM generates the "LU allocate xlate failed" syslog message on the standby module after the failover switchover completes.
Workaround : None.
•
CSCdz40491
The FWSM fails with HTTP, FTP fragmentation, UDP, TCP, protocol 85, and protocol 170 traffic flowing through the module.
Workaround : None.
•
CSCdz39752
The maximum transmission unit (MTU) value is treated as a signed number, so traffic is dropped when the MTU is set to a value greater than 32767 bytes.
Workaround : None.
•
CSCdz39525
Due to an internal error, the FWSM fails in the Block.c location during test.
Workaround : None.
•
CSCdz38847
The crypto command-line interface is not intuitive and does not give all options, as other commands do.
Workaround : None.
•
CSCdz38213
If a total of 1024 ICMP, SSH, or Telnet commands have been configured since the last time the module booted (even though the current number of commands is much less), you will not be able to add any more rules without rebooting the module.
Workaround : None.
•
CSCdz38115
An error occurs when the shut and no shut commands are used on the logical unit interface in the network processor during FTP traffic.
Workaround : None.
•
CSCdz36292
The service command is not supported.
Workaround : None.
•
CSCdz36154
Established connections do not relearn the MAC address if the MAC address changes.
Workaround : None.
•
CSCdz30792
When receiving a link state advertisement (LSA) with a large number of links into the router LSA, OSPF on the FWSM stops loading.
Workaround : None.
•
CSCdz30349
The FWSM accepts a 32-bit integer for an area when using the router ospf command, but it displays the integer as a 31-bit integer when using the show router ospf command.
Workaround : None.
•
CSCdz28610
Both the primary and secondary module fail during the failover process due to an internal error.
Workaround : None.
•
CSCdz25395
The show local command applied to an active FWSM displays connections as 0/0 when there are 220 connections configured.
Workaround : None.
•
CSCdz25210
With PIX Device Manager (PDM) running, a secondary module can enter the debug process at the "print_metric_history" location after issuing the no failover active and no failover commands on the active primary module.
Workaround : None.
•
CSCdz21440
A new product object ID was added for the FWSM.
Workaround : None.
•
CSCdz19612
Command-line interface lines longer than 200 characters cause the module to fail.
Workaround : None.
•
CSCdz18901
When running a clear config all command on the standby module, the active module reboots.
Workaround : None.
•
CSCdz17388
OSPF can be configured from the enable mode. OSPF should only be configured from the configuration submode like other FWSM commands, for example, the nameif command.
Workaround : None.
•
CSCdz14980
If you use the static command with an embryonic limit, and the client (lower security) interface used in the command has a VLAN that is numerically greater than 255, connections that are intercepted will not mature.
Workaround : When configuring an embryonic limit with the static command, make sure that the client (lower security) interface VLAN is numerically less than or equal to 255.
•
CSCdz14182
The syslog 201002 shows the wrong value for the number of embryonic connection counts and total connection counts.
Workaround : None.
•
CSCdz13830
Specifying set or match statements for route maps with multiple sequence numbers does not work.
Workaround : Do not configure route maps with multiple sequence numbers. Use only one sequence number, and specify multiple set or match statements for that sequence.
•
CSCdz13724
Configuring AAA "exclude" rules does not exempt the intended hosts or networks as it should.
Workaround : Configure the "exclude" rules before the "include" rules. To reorder existing rules, do the following:
a.
Configure the rules in any order.
b.
Enter the show aaa command.
c.
Copy the displayed rules to the clipboard.
d.
Enter the clear aaa command.
e.
Paste the rules back at the command-line interface prompt; they are now correctly ordered.
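The show aaa / clear aaa / paste workaround above, automated as an added example (not Cisco's code or part of these release notes). It parses show aaa output, moves every "exclude" rule ahead of the "include" rules while keeping the relative order within each group, and emits the command block to paste back. The sample show aaa output is constructed from the rule syntax shown elsewhere in this document; the addresses and the TACACS+ group tag are placeholders.

```python
"""Reorder FWSM AAA rules so that every "exclude" rule precedes the "include"
rules, reproducing the show aaa / clear aaa / paste workaround as a script.

Added example, not Cisco's code. SAMPLE_SHOW_AAA is constructed from the rule
syntax in these release notes; hosts and the server group tag are placeholders.
"""
import re

# Constructed sample: an include rule was entered before the exclude rule that
# is meant to exempt one host, so the exclude rule is not honoured.
SAMPLE_SHOW_AAA = """\
aaa authentication include telnet inside 10.6.25.0 255.255.255.0 10.8.89.40 255.255.255.255 TACACS+
aaa authentication exclude telnet inside 10.6.25.7 255.255.255.255 10.8.89.40 255.255.255.255 TACACS+
aaa authorization include any inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa accounting include any inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authentication http console TACACS+
"""

# Matches the include/exclude rule forms; other aaa lines (console
# authentication, for example) are kept verbatim and re-entered last.
RULE_RE = re.compile(r"^aaa (authentication|authorization|accounting) (include|exclude) ")


def parse_rules(show_aaa_output):
    """Split show aaa output into (include/exclude rules, other aaa lines)."""
    rules, other = [], []
    for line in show_aaa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        (rules if RULE_RE.match(line) else other).append(line)
    return rules, other


def reorder_exclude_first(rules):
    """Stable sort: exclude rules first, original order kept within each group."""
    return sorted(rules, key=lambda r: 0 if RULE_RE.match(r).group(2) == "exclude" else 1)


def exclude_rules_precede_includes(commands):
    """Check that no exclude rule appears after an include rule."""
    seen_include = False
    for cmd in commands:
        m = RULE_RE.match(cmd)
        if not m:
            continue
        if m.group(2) == "include":
            seen_include = True
        elif seen_include:
            return False
    return True


def build_paste_block(show_aaa_output):
    """Commands to paste at the CLI: clear aaa, then the rules in the fixed order."""
    rules, other = parse_rules(show_aaa_output)
    return ["clear aaa"] + reorder_exclude_first(rules) + other


if __name__ == "__main__":
    for cmd in build_paste_block(SAMPLE_SHOW_AAA):
        print(cmd)
```

Paste the printed block into the configuration prompt in one go; the first line clears the existing AAA rules exactly as step d above does, and the console authentication line is restored last because clear aaa removes it as well.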
•
CSCdz13712
Configuration in the FWSM for AAA user policy protocols can be done in two different ways:
–
Directly specifying the hosts required to pass the user policy server (AAA server) using the following command:
aaa authentication include telnet inside 10.6.25.0 255.255.255.0 10.8.89.40 255.255.255.255 TACACS+
–
Or, using an ACL previously configured on the module so that when matched by new connections, it triggers the AAA server query, as shown by the following commands:
access-list aaa permit tcp any any
aaa authentication match aaa inside TACACS+
Only one of these two methods can be used; the two types of rules cannot be mixed. When switching from one format to the other, the command-line interface parser in some cases complains that the system does not support hybrid mode, even though no AAA rule is configured at that time.
Workaround : Use the clear aaa command, and configure the AAA rules again.
•
CSCdz12953
When the security levels of two already defined interfaces are changed from their original values, any configuration that depends on those security levels is not automatically updated. For example, the static command assumes inbound or outbound traffic based on the security levels of the interfaces. If the security levels are reversed using the nameif command, the existing static configuration is not corrected accordingly, which causes problems in the FWSM.
Workaround : If the security level for a nameif command has to be modified, use a no nameif command for that interface first, followed by the nameif command with the new security level.
•
CSCdz11127
After clearing the ARP table on the FWSM, any HTTP connection that arrives at the FWSM and needs authentication will not receive the username and password prompt for 30 seconds. The same situation occurs if there is no ARP entry in the FWSM for the host that requires authentication. The behavior is corrected after approximately 30 seconds, and the HTTP connections are then authenticated.
Workaround : None.
•
CSCdz09913
When an address translation is created for AAA traffic, under certain conditions the translations do not get timed out when all connections are torn down, even after the timeout period has expired. Eventually these translations are removed, but the collection process may take a number of hours.
Workaround : Use the clear xlate command to clear that translation.
•
CSCdz06670
A Telnet session from either the route processor or an external host to the FWSM fails when AAA traffic is present.
Workaround : Use the secure shell (SSH) to connect to the firewall, or reduce the amount of AAA traffic until you complete the Telnet session.
•
CSCdz06535
When nameif or no nameif commands are issued continuously during configuration synchronization between two FWSM modules, a reboot may occur when one of the FWSM modules is on standby.
Workaround : Wait for the configuration synchronization to complete and then issue the nameif or no nameif commands.
•
CSCdz06478
For UDP connections on port 111, the module is applying the TCP timeout instead of the UDP connection timeout.
Workaround : None.
•
CSCdz06350
When sending traffic (AAA or HTTP authentication) and then disabling the HTTP fixup, the module experiences an internal error.
Workaround : None.
•
CSCdz05311
Certain sequences of events (like switchovers under heavy stress, disabling and enabling logical update link continuously) can result in stateful (connection) information not getting replicated from the active to the standby module.
Workaround : Disable failover on the standby module, and then reenable it.
•
CSCdz05019
Some syslog messages are not rate-limited, even after you have configured rate limiting for the syslog level to which the syslog belongs.
Workaround : Configure the rate limit for the specific syslog ID using the message option.
•
CSCdy89217
When there are ambiguous NAT commands issued, the error message "LU allocate xlate failed" is seen on the standby module. This error message is displayed only when the wr standby command is specified.
The following example shows a NAT configuration that could trigger this action:
nat (inside) 11 40.10.1.1 255.255.255.255 0 0
nat (inside) 11 40.10.1.0 255.255.255.0 0 0
where 40.10.1.1 is covered by both of the NAT configurations.
Workaround : None.
•
CSCdy87943
Outgoing OSPF router link state advertisements (LSA) are restricted to a length of 1300 bytes. For most deployments this is not a problem, but in some cases the router LSA being generated for an area exceeds this limit.
Workaround : To reduce the size of the LSA, do the following:
–
Use tighter network commands to select only the required interfaces.
–
Partition interfaces into areas.
–
Align NAT pools on subnet boundaries as far as possible.
•
CSCdy82175
When configuring console authentication (a subset of AAA), and the authentication command is issued with the wrong syntax after the mandated location for the console keyword, the authentication is internally translated to a wrong command. Later attempts to remove that command fail.
For example, the following syntax is correct:
FWSM(config)# aaa authentication http console TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+
The following syntax is incorrect:
FWSM(config)# aaa authentication http inbound 0.0.0.0 0.0.0.0 TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+
FWSM(config)# no aaa authentication http console TACACS+
FWSM(config)# show aaa
aaa authentication http console TACACS+
FWSM(config)#
Workaround : Enter the command that was first issued, preceded by the no keyword, or use the clear aaa authentication or clear aaa command to clear the related AAA configuration.
•
CSCdy78024
Whenever application inspection "fixup" for FTP is enabled and an FTP session is terminated from the client, the FWSM always generates the syslog message number 106015.
Workaround : None.
•
CSCdy77731
When OSPF is configured in the FWSM to have a virtual link and a not-so-stubby area (NSSA) in the same routing process, upon removal of the virtual link the type 4 LSAs may be applied to the NSSA. The application of type 4 LSAs to the NSSA results in warnings being displayed on other routers connected to the FWSM in the NSSA. This caveat is not known to have any other adverse effect on functionality.
Workaround : None.
•
CSCdy75936
When AAA authentication and "fixup" for the HTTP protocol are configured together, the fixup is not applied to the first user connection (the connection that is prompted for a username and password).
Workaround : Use the virtual HTTP feature.
To use the virtual HTTP feature on the FWSM, you must do the following:
–
Define the virtual HTTP address on the outside interface (a real Internet address that any Internet user can reach, similar to a global IP address).
–
Provide a static port entry from this outside virtual address to an address located on any interface other than the outside (even a fake address, as long as there is a route to this fake address through an interface other than the outside one).
–
Configure an AAA rule for this virtual HTTP address.
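The three steps above as one added configuration fragment, not part of these release notes. It follows the PIX-style CLI used elsewhere in this document, but the specifics are assumptions: 209.165.201.5 is the routable virtual HTTP address on the outside, 192.168.100.5 is a fake inside target that only needs a route through the inside interface, 10.6.25.0/24 is the client network to be authenticated, and TACACS+ is the server group tag. Confirm the exact syntax against the FWSM configuration guide for your release before applying it.

```text
virtual http 209.165.201.5
static (inside,outside) tcp 209.165.201.5 80 192.168.100.5 80 netmask 255.255.255.255
aaa authentication include http inside 10.6.25.0 255.255.255.0 209.165.201.5 255.255.255.255 TACACS+
```

The first line is step one, the static with a TCP port is step two, and the aaa authentication include rule whose foreign address is the virtual address is step three. With this in place the authentication prompt is served from the virtual address, so the user's real HTTP connection is a separate connection and is covered by the HTTP fixup.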
•
CSCdy75129
Incorrect behavior occurs for the high availability (HA) switchover.
Workaround : None.
•
CSCdy72131
The timeout command does not get replicated to the standby module if a partial command is issued, for example: time conn 5 .
Workaround : Use the full form of the command instead. For example: timeout conn 5 .
•
CSCdy70462
The no mtu interface_name mtu_value command does not reset the interface MTU to the default value, which is 1500 bytes.
Workaround : Use the mtu interface_name 1500 command to set the interface MTU to the default value of 1500 bytes.
•
CSCdy67187
Configuring the command authorization database with the aaa authentication match acl_name rules configured generates an error. Using PDM to configure the command authorization and AAA authentication results in the same error.
Workaround : If the configuration is being done through FWSM command-line interface, configure the AAA authentication rules instead of the match access-list syntax as follows:
aaa authentication include tcp inside 123.45.67.0 255.255.255.0 group_tag
If you are using the PDM application for configuration, use the previous rule type and configure the AAA rule through the PDM command-line interface window.
•
CSCdy63569
A failure on an active module does not show failover with 50 percent failed interrupts in the show fail command display.
Workaround : None.
•
CSCdy63509
If the username is configured on the system, the following message gets printed on the standby module during wr standby command action:
Username exists. Only privilege level can be updated for existing usernames. Username addition failed.
Workaround : Issue a clear username command on the standby module before issuing a wr standby command on the active module.
•
CSCdy63099
Connections get synchronized in standby mode, even if the logical unit (LU) interface is in shutdown.
Workaround : None.
•
CSCdy61929
In the FWSM, the moduleIpAddress command returns the incorrect value.
Workaround : None.
•
CSCdy60658
When OSPF and failover are configured on the module, the following message is displayed on the standby firewall when the network...area command for OSPF is abbreviated:
"FO unreplicable:cmd=ne"
Workaround : Enter the network ... area command again without abbreviation.
•
CSCdy59930
Configuring the NAT 0 ACL and regular NAT in the same interface is not supported in this release. Such a configuration causes packets on the interface to use the wrong translation.
Workaround: None.
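Two of the NAT caveats above, CSCdy89217 (overlapping nat statements under the same NAT ID) and CSCdy59930 (nat 0 access-list and regular NAT on the same interface), can be caught by inspecting the configuration before it is applied. The following added example, not Cisco's code, parses nat lines in the syntax shown under CSCdy89217 and reports both conditions. The configuration lines are constructed for the example; the nat (ifc) 0 access-list name form used for the second check is the PIX-style identity NAT syntax and is assumed here, since this document does not show it.

```python
"""Flag ambiguous FWSM NAT configuration.

Added example, not Cisco's code. Checks two conditions from the release notes:
  1. overlapping networks under the same (interface, NAT ID), which produces
     "LU allocate xlate failed" on the standby module (CSCdy89217);
  2. a nat 0 access-list together with regular NAT on one interface (CSCdy59930).
SAMPLE_CONFIG is constructed; the nat 0 access-list syntax is assumed.
"""
import ipaddress
import re
from itertools import combinations

# Constructed sample: the two lines from CSCdy89217, an unrelated pool that
# must not be reported, and a dmz interface mixing nat 0 ACL with regular NAT.
SAMPLE_CONFIG = """\
nat (inside) 11 40.10.1.1 255.255.255.255 0 0
nat (inside) 11 40.10.1.0 255.255.255.0 0 0
nat (inside) 12 40.10.2.0 255.255.255.0 0 0
nat (dmz) 11 40.10.1.0 255.255.255.0 0 0
nat (dmz) 0 access-list nonat
"""

NAT_RE = re.compile(
    r"^nat \((?P<ifc>[^)]+)\) (?P<id>\d+) "
    r"(?P<addr>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+\.\d+\.\d+\.\d+)"
)
NAT0_ACL_RE = re.compile(r"^nat \((?P<ifc>[^)]+)\) 0 access-list \S+")


def parse_nat(config):
    """Return (interface, nat_id, network) for every address-form nat line."""
    entries = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
        entries.append((m["ifc"], int(m["id"]), net))
    return entries


def find_overlaps(config):
    """Pairs of nat networks that overlap under the same interface and NAT ID."""
    found = []
    for (ifc_a, id_a, net_a), (ifc_b, id_b, net_b) in combinations(parse_nat(config), 2):
        if (ifc_a, id_a) == (ifc_b, id_b) and net_a.overlaps(net_b):
            found.append((ifc_a, id_a, str(net_a), str(net_b)))
    return found


def find_nat0_conflicts(config):
    """Interfaces that carry both a nat 0 access-list and a regular (ID > 0) nat."""
    nat0_ifcs = {
        m["ifc"] for line in config.splitlines()
        if (m := NAT0_ACL_RE.match(line.strip()))
    }
    regular_ifcs = {ifc for ifc, nat_id, _ in parse_nat(config) if nat_id > 0}
    return sorted(nat0_ifcs & regular_ifcs)


if __name__ == "__main__":
    for ifc, nat_id, a, b in find_overlaps(SAMPLE_CONFIG):
        print(f"overlap: nat ({ifc}) {nat_id}: {a} and {b}")
    for ifc in find_nat0_conflicts(SAMPLE_CONFIG):
        print(f"nat 0 access-list mixed with regular NAT on interface {ifc}")
```

Run it against the output of show running-config (or the text you are about to paste) before enabling wr standby; an empty result for both checks means neither caveat applies to that configuration.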
•
CSCdy58481
During a TFTP download of the image, when a configuration synchronization takes place, the download does not complete successfully.
Workaround: None.
•
CSCdy58194
Single-session performance problems should not affect behavior on the modules.
Workaround : None.
•
CSCdy43943
Extra spaces for connected routes display in the console output.
Workaround: None.
•
CSCdy19755
Issuing the ca generate rsa key size command on the active module sometimes causes a switchover to the standby module. The RSA key generation algorithm (started by the ca generate rsa key size command) can take a long time to complete when the key size is 1024 or 2048 bits. If the failover poll time is set to a small value (for example, 3 seconds), a switchover may occur because the active module is busy generating the key and does not respond to the poll, so the standby module takes over.
Workaround : Disable failover on the active module and the standby module before generating the key to avoid switchover. Failover can be reenabled once the key generation operation is complete.
•
CSCdx80521
New connections through the FWSM are not allowed, but existing connections continue to go through. When a TCP syslog server is unreachable, the module prevents new connections. However, once the connectivity with the TCP syslog server is re-established, new connections still do not pass.
Workaround : Run the no logging on command to allow the new connections through the FWSM to resume. Remove the configuration for the failed syslog server, and re-enable the logging.
•
CSCdx20282
The FWSM does not support the inside interface as the default interface for the URL server. The inside interface is an optional firewall interface in the FWSM.
Workaround : Define the interface when entering the url-server statement.
Open Caveats in Release 1.1(1)
This section describes known limitations that exist in the FWSM software release 1.1(1).
•
CSCea08088
If an access list specified in a route map is removed, the next configured access list is added to the route map in its place.
Workaround : Remove the errant ACL and reapply correct ACL.
•
CSCea07741
Matching by route-source or next hop in route-maps does not work on FWSM.
Workaround : None.
•
CSCdz75298
If an area range is specified, with the range being a subnet of a connected route, then the route for the connected route is missed. If there is no other more specific route for hosts on that interface, the hosts are not reachable.
Workaround : Specify an area range which is not a subnet of the connected interface.
•
CSCdz54939
When an ACL with a source port is used as the match rule in an AAA command, AAA does not check the source port field.
Workaround : None.