FWSM add host into object-group issue

Rojer-bkk
Level 1

Hi,

I used FWSM on a 6500 with software 3.1(3).

When I add hosts or services into an existing object-group, the firewall doesn't process the existing ACL that involves that object-group.

I have to remove the ACL and re-insert it once to activate it. I tested 10 times and found the issue 7-8 times. I'm not sure whether this is a bug or not, but I found some bugs that may be related.

CSCtd78604
FWSM: ACLs missing after adding items to object-groups
Symptom:
If adding additional network-objects to object-groups fails with the following error, "access-list" lines may be missing from the config afterwards:

CSCse60868
Modifying an ACL with an object-group could cause ACL corruption

Thanks

4 Replies

Jennifer Halim
Cisco Employee

FWSM version 3.1.3 is quite an old version of code.

Can you please check if ACL count has hit the hardware limit? Please share the output of "show np 3 acl stats" from the FWSM.

In any case, it does seem to match bug ID CSCtd78604, but it might be a good idea to open a TAC case to further investigate the issue, or I would recommend upgrading the FWSM to at least the latest version of 3.2.x.

Hi Jennifer,

Thanks for your advice. Here is the output from the internal-server context:

sh np 3 acl stats
----------------------------
    ACL Tree Statistics    
----------------------------
Rule count        :    496
Bit nodes (PSCB's):    464
Leaf nodes        :    465
Total nodes       :    929 (max  28356)
Leaf chains       :     42
Total stored rules:    496
Max rules in leaf :      3
Node depth        :     12
----------------------------

Here is the output from the admin context:

sh np 3 acl stats
----------------------------
    ACL Tree Statistics    
----------------------------
Rule count        :     45
Bit nodes (PSCB's):     40
Leaf nodes        :     41
Total nodes       :     81 (max  28356)
Leaf chains       :     14
Total stored rules:     55
Max rules in leaf :      3
Node depth        :      9
----------------------------
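As an added example (not part of the original thread), a small Python parser for the "show np 3 acl stats" output posted above: it reads each counter, computes node usage against the hardware max that the output itself reports, and flags a "Rule count" that differs from "Total stored rules" so the two contexts can be compared side by side. The sample strings are constructed from the shape of that output, and the 80% warning threshold is an assumption.

```python
import re
# Constructed sample input, shaped like the internal-server context output above
SERVER_CTX = """\
Rule count        :    496
Bit nodes (PSCB's):    464
Leaf nodes        :    465
Total nodes       :    929 (max  28356)
Leaf chains       :     42
Total stored rules:    496
Max rules in leaf :      3
Node depth        :     12
"""
# Second constructed sample with "Rule count" and "Total stored rules" that
# disagree, as they do in the admin context output above
ADMIN_CTX = SERVER_CTX.replace("496", " 45", 1).replace("496", " 55")

# One "<name> : <int>" line, with an optional "(max <int>)" suffix
LINE_RE = re.compile(
    r"^(?P<key>[^:]+?)\s*:\s*(?P<value>\d+)(?:\s*\(max\s+(?P<max>\d+)\))?\s*$")

def parse_acl_stats(text):
    """Parse 'show np 3 acl stats' lines into {name: int}; a '(max N)'
    suffix is stored under '<name> max'. Headers and separators are skipped."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key").strip()
        stats[key] = int(m.group("value"))
        if m.group("max"):
            stats[key + " max"] = int(m.group("max"))
    return stats

def node_utilization(stats):
    """Fraction of the hardware ACL-tree node capacity in use."""
    return stats["Total nodes"] / stats["Total nodes max"]

def check_acl_tree(stats, warn_at=0.80):
    """Findings worth raising: node usage near the hardware max (threshold is
    an assumption), and a rule count that does not match the rules stored."""
    findings = []
    util = node_utilization(stats)
    if util >= warn_at:
        findings.append(f"ACL tree nodes at {util:.1%} of hardware max")
    if stats["Rule count"] != stats["Total stored rules"]:
        findings.append(f"rule count {stats['Rule count']} != "
                        f"stored rules {stats['Total stored rules']}")
    return findings
```

Run `check_acl_tree(parse_acl_stats(text))` on the pasted output of each context; an empty list means neither condition was seen.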

That seems to be just fine.

It seems that you are hitting one or both of the bugs that you mentioned earlier. Please upgrade the FWSM to at least the latest version of 3.2.x.

The one that you found, CSCse60868, is ONE reason why you should upgrade.

This one jumbles the ACL and puts the implicit deny at the top of the ACL, thereby denying all permitted traffic.

There was a PSIRT on this one that you can read here: http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml

FWSM code download link:

http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm

Click on the "All new releases will be available here" link.

The latest in the 3.1.x train is 3.1(19)
The latest in the 4.0 train is 4.0.13
The latest in the 3.2 train is 3.2(19)
The latest in the 4.1 train is 4.1(3)
ASDM is asdm-62(1)f.bin

-KS
