03-04-2007 07:49 PM - edited 03-05-2019 02:42 PM
When I configure FWSM-6509 multicontext, I configured 2 contexts. Diagram:
vlan22--FW1--Vlan12<-->Router<-->Vlan22--FW2--VLan12
Vlan 22 : outside
Vlan 12 : DMZ
But I get this error:
6|Mar 02 2007 19:38:12|106025: Failed to determine security context for packet: vlan12
---> all packets are being dropped!
Please help me!
03-05-2007 12:16 AM
Hi
Could you send a diagram of how it looks? I suspect what is happening is that you have 2 contexts using the same vlans. The FWSM has a thing called the classifier that determines which context to send the traffic to.
You can share vlans between contexts but you need to be aware of how the classifier works. What the FWSM is telling you is that it doesn't know which context to send the traffic to.
What are you trying to configure? Do you need both contexts to use the exact same vlans?
Jon
03-05-2007 01:02 AM
03-05-2007 01:21 AM
Hi
It's still a little difficult without more information.
In our datacentre we have a shared outside vlan but then all the DMZs and inside interfaces are unique per context.
Do you have servers that are on DMZ 12 that both contexts need to access? If so, why can you not do this with one context only?
Jon
03-05-2007 01:36 AM
Hi Jon!
Vlan 22 (DMZ) uses public IPs, so it is used for NAT to the Internet from inside1 and inside2 (inside1 and inside2 have different IPs). There are no servers in the DMZ.
We want vlan 22 (DMZ) to be a vlan used only for NAT.
03-05-2007 02:03 AM
Hi
There should be no problem using a shared interface on the outside.
If there are no servers on the DMZ then I suggest you remove the DMZ interfaces from both your contexts and test again.
If I have missed the point please let me know.
Jon
03-05-2007 02:17 AM
Hi Jon!
First: when I configure 2 contexts sharing the outside interface, I have the same problem without the DMZ vlan, but when I use a static route it is OK. I think I have this problem under control.
When I add the shared DMZ vlan, I have the problem!!
If I can't use a shared DMZ vlan then I think I will use 2 DMZ vlans.
Nguyen.
03-05-2007 02:24 AM
Hi
Yes, I should have mentioned that. You will need static routes on your MSFC to point to the relevant subnets.
This is where your problem is, i.e. let's say you have two contexts:
Context 1 : IP address outside 192.168.5.10 255.255.255.0
DMZ subnet 172.16.5.0/24
Context 2 : IP address outside 192.168.5.12 255.255.255.0
DMZ subnet 172.16.5.0/24
If you have this setup it is not possible to do a static route on the MSFC as you would need to point it to both the outside IP addresses.
I would suggest you use different vlans for your DMZ, this would simplify things.
HTH
Jon
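The routing ambiguity described in the post above can be checked before any static routes are entered on the MSFC. The following is an added example, not part of the thread and not Cisco tooling; the context names `ctx1`/`ctx2` and the 172.16.6.0/24 subnet are assumptions, while the other addresses come from the post above.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: context names and 172.16.6.0/24 are assumptions;
# outside IPs and the shared 172.16.5.0/24 DMZ follow the post above.
CONTEXTS = {
    "ctx1": {"outside_ip": "192.168.5.10", "behind": ["172.16.5.0/24"]},
    "ctx2": {"outside_ip": "192.168.5.12",
             "behind": ["172.16.5.0/24", "172.16.6.0/24"]},
}

def find_conflicts(contexts):
    """Return (ctx_a, net_a, ctx_b, net_b) for subnets overlapping across contexts."""
    entries = [(name, ipaddress.ip_network(n))
               for name, c in contexts.items() for n in c["behind"]]
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(entries, 2)
            if a != b and na.overlaps(nb)]

def msfc_routes(contexts):
    """Build IOS-style static routes only for subnets with one possible next hop."""
    conflicted = set()
    for a, na, b, nb in find_conflicts(contexts):
        conflicted.update({(a, na), (b, nb)})
    routes = []
    for name, c in contexts.items():
        for n in c["behind"]:
            net = ipaddress.ip_network(n)
            if (name, str(net)) in conflicted:
                continue  # two contexts claim it: no single outside IP to point at
            routes.append(
                f"ip route {net.network_address} {net.netmask} {c['outside_ip']}")
    return routes

if __name__ == "__main__":
    for a, na, b, nb in find_conflicts(CONTEXTS):
        print(f"CONFLICT: {na} ({a}) overlaps {nb} ({b}); no single next hop")
    for route in msfc_routes(CONTEXTS):
        print(route)
```

With the sample data, the shared 172.16.5.0/24 DMZ is reported as a conflict and only the unique subnet gets a route.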
03-05-2007 02:32 AM
Thanks Jon!!
I will try it. I think if I use different vlans it will be OK.
:)
thx !!
04-27-2007 11:30 AM
Hello,
How did you resolve your problem? I have the same one.
2 contexts, the outside uses the same network and vlan, but the DMZs use different vlans and networks.
I use static routing.
The problem is when I activate the second outside interface.
The only solution that I have found is to use multiple SVIs,
one for each outside interface context.
Regards
04-28-2007 11:33 PM
Hi Eric
Using a shared vlan for the outside interface between contexts does work as we have that setup in our datacentre.
Could you post configs of your two contexts that don't work?
Also could you give details as to how it is not working, i.e. where are you trying to connect from and where are you trying to connect to?
Lastly could you give the version of FWSM software?
Jon
03-05-2007 01:23 AM
Hi,
The following info may help you.
Error Message: %FWSM-6-106025: Failed to determine the security context for the packet:sourceVlan:sourceIP destIP sourcePort destPort protocol
Error Message: %FWSM-6-106026: Failed to determine the security context for the packet:sourceVlan:sourceIP destIP sourcePort destPort protocol
Explanation: These messages are generated when the security context of the packet in multiple context mode cannot be determined. Both messages can be generated for IP packets being dropped in either router and transparent mode.
Recommended Action: None required.
HTH
Satish
03-05-2007 01:35 AM
Hi Satish
Must admit I'm a bit confused with this recommended action. If your FWSM is dropping packets because it can't determine the security context I would say your firewall isn't working. Recommended action None seems a bit counterintuitive to me.
Jon
05-01-2007 07:31 PM
Hi all!!
I tried the FWSM v3.0 configuration guide (example configuration): same diagram, same configuration, but it does not work??? Anyway, I resolved it using a different Cisco book ---> it works OK! :)
Regards!
phund
02-14-2008 08:42 AM
I have the same problem. Did you find a solution since May?
It works until I reload both modules.
When I run "sh arp" I see the same MAC address, and all my traffic goes to the admin context.
Regards