troubling FWSM issue



We have an FWSM running 3.1.3 in routed mode, single context. It has been running fine (as far as we can tell) since July06.

It runs in a 6509 with Sup32/CatOS 8.5.3

The MSFC is not being used and has not been configured.

The FWSM routes traffic between 3 vlans:

interface Vlan400
 nameif external
 security-level 0
 ip address X.Y.45.245

interface Vlan480
 description Systems Vlan
 nameif systems
 security-level 50
 ip address X.Y.16.120

interface Vlan481
 description Users Vlan
 nameif users
 security-level 40
 ip address X.Y.16.240


The issue: traffic going from vlan481 to vlan480 shows up on interface vlan400. I can see it with a sniffer, and it also gets denies in syslog.

Jan 23 00:54:18 hostname %FWSM-4-106023: Deny udp src external:X.Y.16.144/2422 dst systems:X.Y.16.108/389 by access-group "external_access_in" [0x0, 0x0]

Note that the denied traffic came from the user vlan (481), went out the external interface, was sent back to the FWSM by our gateway, and is denied as it tries to re-enter the FWSM to be routed to the server vlan (480).

I don't understand why such traffic would be routed out to the external interface.

This doesn't make sense to me. Why would the traffic be routed out to the external interface in the first place?

What's even more troubling is that the issue never surfaced before 2 days ago. I went through the log files for the last month and couldn't find any such Deny.

The FW configuration didn't change in the last 2 weeks.

Just to add some information that might be relevant, we are not using translation in this setup. However, I had to set up some static because the hosts on the external interface use a /16 subnet mask.

From the FWSM config:

nat (systems) 0 access-list systems_nat0_outbound
static (systems,external) X.Y.16.0 X.Y.16.0 netmask
static (users,external) X.Y.16.128 X.Y.16.128 netmask
access-group external_access_in in interface external
access-group systems_access_in in interface systems
access-group users_access_in in interface users
route external X.Y.45.240 1

Has anyone ever seen or heard of a similar issue and could point me in the right direction?

Thank you,
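
An added example, not part of the original post: a Python sketch that scans FWSM syslog for the symptom described above, a 106023 deny received on the external interface whose source address belongs to one of the inside VLANs. The 10.20.x.x addresses, the /25 masks, the hostname fw1 and the function names are constructed assumptions, since the post redacts the prefix and its netmask values are cut off.

```python
import ipaddress
import re

# Constructed stand-ins: the post redacts the prefix as X.Y and its static
# netmasks are cut off, so 10.20.x.x and the /25 split are assumptions.
INSIDE_NETS = {
    "systems": ipaddress.ip_network("10.20.16.0/25"),
    "users": ipaddress.ip_network("10.20.16.128/25"),
}
OUTSIDE_IF = "external"

DENY_RE = re.compile(
    r"%FWSM-4-106023: Deny (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dport>\d+))? "
    r'.*?by access-group "(?P<acl>[^"]+)"'
)

def owning_net(ip):
    """Name of the inside subnet that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in INSIDE_NETS.items() if addr in net), None)

def find_hairpinned_denies(lines):
    """Denies received on the outside interface whose source address
    belongs to an inside subnet, i.e. inside traffic that left and came back."""
    hits = []
    for line in lines:
        m = DENY_RE.search(line)
        if not m or m["src_if"] != OUTSIDE_IF:
            continue
        origin = owning_net(m["src_ip"])
        if origin:
            hits.append({"time": line[:15], "origin": origin,
                         "src": m["src_ip"], "dst": m["dst_ip"],
                         "dst_if": m["dst_if"], "acl": m["acl"]})
    return hits

# Constructed sample log lines in the format quoted in the post.
SAMPLE = [
    'Jan 23 00:54:18 fw1 %FWSM-4-106023: Deny udp src external:10.20.16.144/2422 dst systems:10.20.16.108/389 by access-group "external_access_in" [0x0, 0x0]',
    'Jan 23 00:55:02 fw1 %FWSM-4-106023: Deny tcp src external:10.20.45.7/51000 dst systems:10.20.16.20/22 by access-group "external_access_in" [0x0, 0x0]',
    'Jan 23 00:56:40 fw1 %FWSM-4-106023: Deny tcp src users:10.20.16.150/3389 dst systems:10.20.16.30/445 by access-group "users_access_in" [0x0, 0x0]',
]

if __name__ == "__main__":
    for hit in find_hairpinned_denies(SAMPLE):
        print(hit)
```

Run over archived logs, the earliest `time` value returned shows when inside-sourced traffic first started arriving on the outside interface.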
