cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
858
Views
0
Helpful
2
Replies

troubling FWSM issue

fauresr
Level 1
Level 1

Hi,

We have an FWSM running 3.1.3 in routed mode, single context. It has been running fine (as far as we can tell) since July06.

It runs in a 6509 with Sup32/CatOS 8.5.3

The MSFC is not being used and has not been configured.

The FWSM routes traffic between 3 vlans:

interface Vlan400

nameif external

security-level 0

ip address X.Y.45.245 255.255.255.0

!

interface Vlan480

description Systems Vlan

nameif systems

security-level 50

ip address X.Y.16.120 255.255.255.128

!

interface Vlan481

description Users Vlan

nameif users

security-level 40

ip address X.Y.16.240 255.255.255.128

!

The issue: traffic going from vlan481 to vlan480 shows up on interface vlan400. I can see it with a sniffer, and also gets denies in syslog.

Jan 23 00:54:18 hostname %FWSM-4-106023: Deny udp src external:X.Y.16.144/2422 dst systems:X.Y.16.108/389 by access-

group "external_access_in" [0x0, 0x0]

Note that the denied traffic came from user vlan (481), went out the external interface, was sent back to the FWSM by our gateway, and is denied as it tries to re-enter the FWSM to be routed to the server vlan (480)

I don't understand why such traffic would be routed out to the external interface.

This doesn't make sense to me. Why would the traffic be routed out to the external interface in the first place.

What's even more troubling, is that the issue never surfaced before 2 days ago. I went through the log files for the last month and couldn't find any such Deny.

The FW configuration didn't change in the last 2 weeks.

Just to add some information that might be relevant, we are not using translation in this setup. However I had to setup some static because the hosts on the external interface use a /16 subnet mask.

from the FWSM config:

nat (systems) 0 access-list systems_nat0_outbound

static (systems,external) X.Y.16.0 X.Y.16.0 netmask 255.255.255.128

static (users,external) X.Y.16.128 X.Y.16.128 netmask 255.255.255.128

access-group external_access_in in interface external

access-group systems_access_in in interface systems

access-group users_access_in in interface users

route external 0.0.0.0 0.0.0.0 X.Y.45.240 1

Has anyone ever seen/heard similar issue and could point me in the right direction.

Thank you,

2 Replies 2

lganeva
Level 1
Level 1

Hi,

Just an idea - what is the routing table of your FWSM. Is the server residing on a directly connected network? My FWSM loses routes from time to time.

Thanks for the input. I thought about this, routing is the first thing I checked.

All systems involved are directly connected. No dynamic routing involved.

I opened a case with TAC, they are still looking into it.

Review Cisco Networking for a $25 gift card