Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
761
Views
0
Helpful
5
Replies

Inconsistent Behavior in FWSM Rules

brobson
Level 1
Level 1

‎11-24-2009 10:53 AM - edited ‎03-11-2019 09:42 AM

We have had two incidents with firewall rules recently.  First, we had an access rule that was not working.  On a whim, we moved it to the top of the list.  It began working.  We moved it back down to the bottom of the list.  It continued to work.

Today, a rule that had been working stopped working the way intended.  There is a rule that allows my workstation to talk to a server on ports 2001 and 2002.  Today, the FWSM would allow communication via port 2001 but denied communication via port 2002.

Has anyone else experienced similar behavior on their FWSM?  We are running version 4.0(4).  Thanks!

Labels:
0 Helpful
5 Replies 5

Panos Kampanakis
Cisco Employee
Cisco Employee

‎11-24-2009 11:33 AM

There are no known similar ACL issue in FWSM 4.0.4.

Maybe it was that there was a conn established after moving the rule down and it continues to work until the conn timed out.

Can you check what the logs say for the 2002 port traffic?

These should tell us id the rule is denied by the ACL and on what rule.

PK

0 Helpful

brobson
Level 1
Level 1
In response to Panos Kampanakis

‎11-25-2009 08:46 AM

Re: moving the rule up in the access list.  It makes sense that, once the connection was established, it continued to work after we moved it back down in the list.  But why did we have to move it up to get it to work in the first place?

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee

‎11-24-2009 02:36 PM

Are there any explicit deny lines in this acl? Pls. grep for all the denies and see if any of which would have denied the flow when this acl was placed in the bottom.

sh access-l blah | i deny

Like PK says when you moved it to the top it worked and continued to work even after you moved it back down until it timed out after which it fails again.

Logs are your best friend.

Enable logging

conf t

loggin on

loggin buffered 7

sh logg | i x.x.x.x where x.x.x.x is the IP address of the host that is getting denied.

0 Helpful

brobson
Level 1
Level 1
In response to Kureli Sankar

‎11-25-2009 08:54 AM

Re: moving the rule up in the access-list.  There is only one explicit deny at the end of the list.  The new rule was added above the explicit deny.

I'm more concerned about the second issue.  We had a rule that was working for over a week when the firewall suddenly starting denying some of the traffic specified by the rule.  The rule said, allow any workstation to access server X on ports 2001, 2002 and 2500.  On Monday the firewall continued to allow traffic on ports 2001 and 2500 but started explicitely denying traffic on port 2002. 

The rule is in the middle of the access-list.  The only deny is at the end of the list.  No changes had been made to the access list.  The only way I could get it to work was to separate this into three separate rules, one for each port.

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to brobson

‎11-25-2009 09:38 AM

That does sound strange.  To further address this issue we need to see the output of

sh access-list

when the flow fails as well as the logs denying the flow indicating acl blocked.

Pls. enable logging and see what it says when the flow breaks.  I have not heard of acls going missing after a week of being there and the fact that you have to use 3 lines for each port instead of object group.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card