Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1971
Views
0
Helpful
3
Replies

Cannot see return traffic on a SPAN session

yves.haemmerli
Level 1
Level 1

‎02-01-2012 07:58 AM - edited ‎03-07-2019 04:40 AM

Hi,

On a Catalyst 6500, we configured a SPAN session with VLAN 300 as a source. We configured the session bi-directional ("both" keyword). We connect a sniffer on the SPAN destination port.

Strangely enough, we only see the traffic from the VRF to the firewall, but not the reverse traffic !

What can be the problem ?

Thank you for any help

Yves

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Skjalg Eggen
Level 1
Level 1

‎03-17-2013 06:06 PM

did you figure out this problem?

I'm having similar issues trying to monitor traffic passing through a FWSM with an external IDS.

I'm using VLAN SPAN, same as you, and it appears that I am only able to capture the traffic in the TX direction on the internal port-channel going from the switch to the FWSM. RX direction seems to be allusive to my IDS.

When I try to span the port-channel to my FWSM i get this error

% Monitor Session with FWSM Card doesn't work for egress traffic in Crossbar switching mode

This tells me that egress (RX on my SPAN) will not work.

i guess thats why you dont see the traffic coming from the FWSM to the VRF, since it is not exiting the switch on a interface in VLAN 300. it is routed to another VLAN before it exits.

If you want to see the return traffic, you need to span the VLAN the packets are routed to in your vrf.

the FWSM is proving to be a real challenge. Low throughput for single sessions, little functionality compared to the ASA, monitoring traffic in external boxes, etc. the new ASA-X series seems promising though

0 Helpful

yves.haemmerli
Level 1
Level 1
In response to Skjalg Eggen

‎03-18-2013 07:04 AM

Hi,

Yes, it works now. The trick is that you have to  remove the SPAN session that is automatically created in the switch to  replicate multicast traffic. If you do not use multicasting (the  majority of the cases), you can remove this SPAN session and the SPAN  replication will work.

What yoiu have to do is :

1. Identify the FWSM SPAN session :

Hostname# sh monitor

                  Session 1

                  ---------

                  Type                        : Service Module Session

                  Modules allowed       : 1-9

                  Modules active         : 3

                  BPDUs allowed         : Yes

2. Remove the SPAN Session :

Hostname# no monitor session 1 servicemodule 3

Hope this helps

Yves

0 Helpful

Marian Hercek
Level 1
Level 1
In response to yves.haemmerli

‎07-25-2013 05:16 AM

And I if use multicast (only in internal VLAN)?

There's no argument servicemodule for no monitor command.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card