I have an FWSM in routed mode with 31 contexts and appear to be hitting a limit with VLAN interfaces (I've counted up and have around 115). If I add an interface to a context then name it with "nameif" the context stops passing traffic, removing with "no nameif" starts the context passing traffic again. Note it does not matter what the name is, the interface doesn't need to have an ip address assigned and this happens even with the interface shut down. Whichever context I try this on exhibits the same symptoms which leads me to suspect its a resouce limit of some kind. Has anyone seen this behaviour before or know of any limitation that can be causing this ? I don't seem to be anywhere near any of the published resource limits for the FWSM.
Can you issue the "show version" command in the System Context and show us what the Vlan interface limitations is?
Do you have any Vlan interfaces that are shared between some or maybe all the contexts? If I remember right, if you use a single Vlan interface and allocate it to let say all the 31 Contexts it will be counted to take 31 Vlan interfaces even though you have only configured one actual Vlan interface on the System Context side.
We ran into Vlan interface limitation once but we were actually hitting the maximum Vlan interface limit of 1000
Only other similiar situation I have run into with FWSM is that because of some bug, sometimes when you add an Vlan interface it wont pass any traffic. But looking at what you wrote it seemed to me like nothing worked in the said context.
Could you also provide the software level of your FWSM?
I'm not sure if any of this is of any help but thought I'd mention what I have personally seen with the FWSM
Thanks for reply - can't copy output direct, but we are running 3.1(21) with a license for 50 contexts and Max Interfaces is 1000, so nowhere near limit.
We have 31 "inside" interfaces to match the 31 contexts but these are not shared and use the MSFC for routing. We also have 29 interfaces across the 31 contexts which are shared but only for remote management of each context, and do not participate in passing any other traffic. The remainder of the interfaces are spread around the contexts for various DMZs. I did include each shared interfaces in the total of approx 115, so VLAN wise we only have approx 86 Vlans.
What I did notice was that when you execute the "nameif" command, you get a response back "Access Rules Download Complete: Memory Utilization: x%" same as when configuring an ACE, even though no rules have yet been associated with the interface.
To clarify what happens, once the "nameif" has been configured, any traffic appears to be black holed - running a capture shows the packets but they go nowhere, the hit counts on rules don't get incremented, and if I clear xlates these never get re-established. Did check log in admin context and no messages. All service gets restored as soon as remove the "nameif" from the interface.