01-23-2007 06:32 PM - edited 03-11-2019 02:24 AM
Hi,
We have an FWSM running 3.1.3 in routed mode, single context. It has been running fine (as far as we can tell) since July06.
It runs in a 6509 with Sup32/CatOS 8.5.3
The MSFC is not being used and has not been configured.
The FWSM routes traffic between 3 vlans:
interface Vlan400
nameif external
security-level 0
ip address X.Y.45.245 255.255.255.0
!
interface Vlan480
description Systems Vlan
nameif systems
security-level 50
ip address X.Y.16.120 255.255.255.128
!
interface Vlan481
description Users Vlan
nameif users
security-level 40
ip address X.Y.16.240 255.255.255.128
!
The issue: traffic going from vlan481 to vlan480 shows up on interface vlan400. I can see it with a sniffer, and it also gets denies in syslog.
Jan 23 00:54:18 hostname %FWSM-4-106023: Deny udp src external:X.Y.16.144/2422 dst systems:X.Y.16.108/389 by access-group "external_access_in" [0x0, 0x0]
Note that the denied traffic came from the user vlan (481), went out the external interface, was sent back to the FWSM by our gateway, and is denied as it tries to re-enter the FWSM to be routed to the server vlan (480).
I don't understand why such traffic would be routed out to the external interface.
This doesn't make sense to me. Why would the traffic be routed out to the external interface in the first place?
What's even more troubling is that the issue never surfaced before 2 days ago. I went through the log files for the last month and couldn't find any such Deny.
The FW configuration didn't change in the last 2 weeks.
Just to add some information that might be relevant, we are not using translation in this setup. However, I had to set up some statics because the hosts on the external interface use a /16 subnet mask.
from the FWSM config:
nat (systems) 0 access-list systems_nat0_outbound
static (systems,external) X.Y.16.0 X.Y.16.0 netmask 255.255.255.128
static (users,external) X.Y.16.128 X.Y.16.128 netmask 255.255.255.128
access-group external_access_in in interface external
access-group systems_access_in in interface systems
access-group users_access_in in interface users
route external 0.0.0.0 0.0.0.0 X.Y.45.240 1
Has anyone ever seen/heard of a similar issue and could point me in the right direction?
Thank you,
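A small log check that catches the symptom described in the post (a deny whose logged source interface does not match the interface whose directly connected subnet contains the source address). This is an added example, not code from the original thread or from Cisco; the interface names follow the post, but the addresses, the log lines and the function names (`parse_deny`, `expected_interface`, `find_misrouted`) are constructed for illustration.

```python
import ipaddress
import re

# Constructed interface table mirroring the post's three-interface layout.
# The post masks real addresses as X.Y.*; these values are made up.
INTERFACES = {
    "external": ipaddress.ip_network("192.0.2.0/24"),
    "systems":  ipaddress.ip_network("10.0.16.0/25"),
    "users":    ipaddress.ip_network("10.0.16.128/25"),
}

# Matches the %FWSM-4-106023 deny message format quoted in the post.
DENY_RE = re.compile(
    r"%FWSM-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample log lines:
#  1. the hairpin case from the post: a users-subnet address arriving on external
#  2. an ordinary deny from an internet host (outside every connected subnet)
#  3. a deny from the users interface itself (consistent, only an ACL matter)
SAMPLE_LOGS = [
    'Jan 23 00:54:18 fw %FWSM-4-106023: Deny udp src external:10.0.16.144/2422 '
    'dst systems:10.0.16.108/389 by access-group "external_access_in" [0x0, 0x0]',
    'Jan 23 00:55:02 fw %FWSM-4-106023: Deny tcp src external:198.51.100.7/51000 '
    'dst systems:10.0.16.108/22 by access-group "external_access_in" [0x0, 0x0]',
    'Jan 23 00:56:40 fw %FWSM-4-106023: Deny tcp src users:10.0.16.150/40000 '
    'dst systems:10.0.16.108/445 by access-group "users_access_in" [0x0, 0x0]',
]


def parse_deny(line):
    """Return the fields of a 106023 deny line as a dict, or None if it is not one."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def expected_interface(ip):
    """Name of the interface whose connected subnet contains ip (longest prefix wins),
    or None when the address belongs to no directly connected network."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in INTERFACES.items() if addr in net]
    return max(matches)[1] if matches else None


def find_misrouted(lines):
    """List (source ip, interface it was seen on, interface it belongs to) for every
    deny whose source address is on a connected subnet other than the ingress one."""
    findings = []
    for line in lines:
        d = parse_deny(line)
        if d is None:
            continue
        home = expected_interface(d["sip"])
        if home is not None and home != d["sif"]:
            findings.append((d["sip"], d["sif"], home))
    return findings


if __name__ == "__main__":
    for sip, seen_on, belongs_to in find_misrouted(SAMPLE_LOGS):
        print(f"{sip} seen on '{seen_on}' but belongs to '{belongs_to}'")
```

Run against a real syslog feed, the same check separates a routing or hairpin problem (internal source seen on the outside interface) from plain ACL denies, and it is equally useful as a spoofing alarm once the routing question is settled.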
01-28-2007 05:47 AM
Hi,
Just an idea - what is the routing table of your FWSM? Is the server residing on a directly connected network? My FWSM loses routes from time to time.
01-28-2007 05:54 PM
Thanks for the input. I thought about this, routing is the first thing I checked.
All systems involved are directly connected. No dynamic routing involved.
I opened a case with TAC, they are still looking into it.