
FWSM Explicit deny strange behavior

phmazzoni
Level 1

Hello,

I am having problems with an FWSM with a multiple-context implementation.

One of the contexts has an inside interface that must have an EXPLICIT deny ip any any.

The problem is:

When I put the ACE with the explicit deny at the end of the ACL, all the traffic EXPLICITLY permitted before it stops working.

If I remove the explicit deny, letting the IMPLICIT deny work, everything runs fine.

I am running the 4.0(4) code.

Any ideas?

Thanks in advance,

Pedro Mazzoni

6 Replies

Panos Kampanakis
Cisco Employee

Pedro,

Are you using ACL optimization?

PK

No PK, I am not using ACL optimization.

Thanks,
Pedro

Sorry for the wrong answer PK, but I am using it.
I didn't know that this is enabled by default.

No worries.

Let us know if this is answered.

PK

PK, do you think that this might be the problem?

If yes, how can ACL optimization cause it?

Thanks

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtc97643

Fix is in 4.0.9 or above.

Or disable acl optimization.

http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm

Click on the All new releases will be available "here"

The latest in the 4.0 train is 4.0.13
ASDM is asdm-62(1)f.bin

-KS
