topic Re: FWSM_Policy-map_removal_error in Network Security

FWSM_Policy-map_removal_error

jordan.jordani1992 — Fri, 21 Feb 2020 15:35:44 GMT

Hi all

I have faced some sort of difficulties in configuration of an old device at my company which is FWSM. The problem is that I had created a testing policy-map called ZZZ, as well as the class-map with the same name (ZZZ). When I was about to remove to related config (class-map, policy-map), I am able to remove the class-map with the '(config)#no class-map ZZZ' command. However, I cannot remove the policy-map with the '(config)# no policy-map ZZZ' which barks an error as I paste in the following:

config)# no policy-map ZZZ

ERROR: policy-map ZZZ is being configured and hence cannot be removed.

it worth to mention that this policy-map is not associated with neither service-policy, nor class-map

FWSM/CONTEXT_A# show running-config class-map
!
class-map inspection_default
match default-inspection-traffic
!

FWSM/CONTEXT_A# show running-config policy-map
!
policy-map ZZZ
policy-map CSM_POLICY_MAP_global_1
class inspection_default
inspect icmp
inspect icmp error
inspect ftp
!

FWSM/CONTEXT_A# show running-config service-policy
service-policy CSM_POLICY_MAP_global_1 global

any idea?

Re: FWSM_Policy-map_removal_error

Bogdan Nita — Wed, 04 Apr 2018 09:51:39 GMT

I've similar issues on the fwsm when a ssh session is stuck in config mode.

Can you try 'show ssh sessions' to see active sessions and then issue 'ssh disconnect' to disconnect the unused sessions ?

HTH

Bogdan

Re: FWSM_Policy-map_removal_error

jordan.jordani1992 — Wed, 04 Apr 2018 10:12:11 GMT

Dear Bogdan
First off, I would like to thanks for your reply.
Following is the output from the FWSM:

FWSM/admin# show ssh sessions
SID Client IP Version Mode Encryption Hmac State Username
1 10.125.21.4 2.0 IN aes256-cbc sha1 SessionStarted SEC_TEAM
OUT aes256-cbc sha1 SessionStarted SEC_TEAM
FWSM/admin#
I believe that there is no stale or orphaned SSH connection.
It also worth mention that I manage the context through the Admin context.

Thanks for your help.

Regards

Re: FWSM_Policy-map_removal_error

Bogdan Nita — Wed, 04 Apr 2018 15:38:42 GMT

Hi @jordan.jordani1992,

Sorry to hear that didn't work.

I have another idea , but it is a little bit far fetched for removing configuration that actually has no impact.

You can try removing the policy map after a reboot or failover.

Re: FWSM_Policy-map_removal_error

jordan.jordani1992 — Sat, 07 Apr 2018 06:27:42 GMT

thanks for your help.