Bug in FWSM-module software v4.x?!

Ulrik Rosen — Mon, 11 Mar 2019 23:40:09 GMT

Hi, ive seen some strange behavior in multiple context configuration in FWSM module in a 6509-E chassis when using Security Manager to deploy configs.

Software version in FWSM is 4.1(7), and the 6509-E has IOS 12.2(33)SXJ2

When deploying a config (changed inspect protocols) from CSM (tested both version 3.3.1 and 4.2) to a context it will fail with authentication error

and the aaa/tacacs+ config is erased/modifed !!(eg. aaa server....)

"Buggy" config as follows (relevant parts...):

---------------------------------------

interface Vlan1043

description Net_Aggr_Link_Elev only for Management

nameif Rve_Link_Net_Aggr_Elev

security-level 100

ip address 10.100.255.193 255.255.255.240

management-only

aaa-server XYZ protocol tacacs+

aaa-server XYZ (Rve_Link_Net_Aggr_Elev) host 172.23.16.24

timeout 5

key xxxxxxxx

aaa-server XYZ (Rve_Link_Net_Aggr_Elev) host 172.23.16.16

timeout 5

key xxxxxxxx

---------------------------------------

No commands in the deploy (seen in CSM) that affects the aaa config is visible, only the poilcy-map/inspect commands as expected

After deployment from the CSM, the aaa config is changed(!) and the key is missing from running config!! (see below)

---------------------------------------

interface Vlan1043

description Net_Aggr_Link_Elev only for Management

nameif Rve_Link_Net_Aggr_Elev

security-level 100

ip address 10.100.255.193 255.255.255.240

management-only

aaa-server XYZ protocol tacacs+

aaa-server XYZ (Rve_Link_Net_Aggr_Elev) host 172.23.16.24

timeout 5

aaa-server XYZ (Rve_Link_Net_Aggr_Elev) host 172.23.16.16

---------------------------------------

Ive checked the syntax for the interface/nameif command to see if the name was too long but the max length is 48 char so this seem to be OK.

But the syntax for the aaa-server command does not describe any limitations to the inteface name.(suspicious...hm!)

So i decided to change the nameif for the above interface to a shorter name (from 22 char to 4 char) as ive seen some similar problem in other areas with too long character strings.

So i changed the interface nameif string in context running config, rediscovered (live device) the context back into CSM and then made some changes for deployment in the CSM.

And this time it worked, this was clearly the problem. The interface namif string must be short, probable less than 16 characters

Working config as follows:

---------------------------------------

interface Vlan1043

description Net_Aggr_Link_Elev only for Management

nameif Mgmt

security-level 100

ip address 10.100.255.193 255.255.255.240

management-only

aaa-server XYZ protocol tacacs+

aaa-server XYZ (Mgmt) host 172.23.16.24

timeout 5

key xxxxxxxx

aaa-server XYZ (Mgmt) host 172.23.16.16

timeout 5

key xxxxxxxx

---------------------------------------

Anyone who has seen this behavior??

Regards

Bug in FWSM-module software v4.x?!

Ramraj Sivagnanam Sivajanam — Sun, 19 Aug 2012 17:26:38 GMT

I was always under the impression the nameif characters can be as long as 48. I guess I learnt something new today 🙂

topic Bug in FWSM-module software v4.x?! in Network Security

Bug in FWSM-module software v4.x?!

Bug in FWSM-module software v4.x?!