Cisco Network Security Troubleshooting Handbook

This section examines some common points of confusion and frequently asked questions regarding the FWSM.

1

Can I run the FWSM, Intrusion Detection System Module-2 (IDSM-2), and VPN Service Module (VPNSM) in the same chassis?

Answer:

Yes, you can run all of these modules in the same chassis if the switch is running in Native IOS mode with version 12.2(14)SY (Sup2) or 12.2(17a)SX10 (Sup720). No hybrid-mode (CatOS) software version supports all three modules in the same chassis.

2

Why am I unable to ping my FWSM on a directly connected interface?

Answer:

By default, the FWSM denies Internet Control Message Protocol (ICMP) to each of its own interfaces. Use the icmp command to permit ping (ICMP echo) to the interface. This behavior differs from that of the PIX firewall, which allows ping to its interfaces by default. Note that the icmp command governs only ICMP that terminates on the FWSM itself; ICMP passing through the FWSM is controlled by the interface access lists.
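The following configuration fragment is added here as an example and is not taken from the handbook. It permits ping to the inside interface from a single management host and keeps every other ICMP type denied, while letting ICMP unreachables reach the outside interface so that path MTU discovery still works. The interface names inside and outside and the management address 10.1.1.5 are assumptions; the syntax shown is the FWSM 2.x / PIX 6.x form of the icmp command.

```cisco
! Permit ping to the inside interface from the management host only
icmp permit host 10.1.1.5 echo inside
! Permit replies to pings the FWSM itself sends to the management host
icmp permit host 10.1.1.5 echo-reply inside
! Everything else aimed at the inside interface stays denied (the FWSM default)
icmp deny any inside
! Outside: accept only unreachables (needed for path MTU discovery), deny the rest
icmp permit any unreachable outside
icmp deny any outside
```

Entries are evaluated in order and the first match wins, so the permit lines must precede the deny any line. Verify the rules with show icmp, then ping the inside interface address from 10.1.1.5 and from any other inside host; only the first should succeed.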

3

I can ping the FWSM interface that is directly connected to my network, but I am unable to ping other interfaces. Is this normal?

Answer:

Yes. This is a built-in security mechanism that also exists on the PIX firewall: an interface answers ICMP only from the network it faces, so you cannot reach a far-side interface address by pinging across the module.

4

Can I configure failover between two FWSMs running different versions of code?

Answer:

No. Failover requires that both FWSMs run the same version of code. The failover feature checks the peer's version and refuses to fail over if the versions differ. For this reason, you must upgrade both FWSMs at the same time.

5

Where can I find information on the error messages I am seeing on my FWSM?

Answer:

The Error Message Decoder can be found at the following location (available to registered customers only):

http://www.cisco.com/pcgi-bin/Support/Errordecoder/index.cgi

The product documentation on system messages also contains useful information and can be found at the following location: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/fwsm/fwmsgs.htm

6

Where can I find information on existing bugs for my FWSM?

Answer:

Details on existing bugs can be found in the Bug Toolkit at the following location (available to registered users only):

http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl

7

Does the FWSM support the IOS Open Shortest Path First (OSPF) auto-cost reference-bandwidth command?

Answer:

No. The FWSM has no physical ports of its own and is not aware of the bandwidth of the switch ports that feed it, so it cannot derive an OSPF cost from interface bandwidth. OSPF cost must be configured manually per interface using the ospf cost command.
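The following fragment is an added example, not from the handbook, showing manual per-interface OSPF costs on an FWSM running 2.x code, where per-interface OSPF settings are entered in the routing interface submode. The interface names inside and dmz and the cost values are assumptions; choose costs that match what your IOS neighbors compute from their auto-cost reference-bandwidth, otherwise the FWSM will attract or shed traffic in ways the rest of the OSPF domain does not expect.

```cisco
! FWSM 2.x: per-interface OSPF parameters live under "routing interface <nameif>"
routing interface inside
  ospf cost 10
routing interface dmz
  ospf cost 20
```

Verify with show ospf interface, which prints the Cost in effect on each interface. On FWSM 3.x (assumption: ASA-style configuration) the same ospf cost command is entered under the interface itself rather than in a routing interface submode.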

8

What routing protocols are supported by the FWSM?

Answer:

Open Shortest Path First (OSPF) and Routing Information Protocol (RIP) are the supported routing protocols.

9

Can I terminate VPN connections on my FWSM?

Answer:

VPN termination is not supported on the FWSM. Terminating VPN connections is the responsibility of the switch and/or the VPN Services Module. The 3DES license on the FWSM is provided for management purposes only, such as connecting to a low-security interface via Telnet, Secure Shell (SSH), or Secure HTTP (HTTPS).

10

Are fragmented packets dropped by the FWSM?

Answer:

This depends on the FWSM version. On FWSM 1.1, fragmented packets cannot traverse the FWSM by default. Use the fragment command, documented at the following link, to enable fragment handling:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1029667

On FWSM 2.2 and later, however, fragmented packets are allowed by default, as on the PIX Firewall, with a default fragment database size of 200 packets per interface.
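The following configuration is added here as an example and is not part of the handbook. The first three lines enable fragment reassembly on the outside interface using the PIX default values (a database of 200 fragments, at most 24 fragments per packet, and a 5-second reassembly timeout), which is what you would enter on FWSM 1.1 to let fragmented traffic through. The last line shows the opposite, hardening, direction: a chain limit of 1 makes the FWSM drop any packet that arrives in more than one fragment, which is a sensible setting on interfaces that carry no legitimate fragmented traffic, since fragmentation is a classic filter-evasion technique. The interface names outside and dmz are assumptions.

```cisco
! Allow fragment reassembly on outside (values shown are the PIX defaults)
fragment size 200 outside
fragment chain 24 outside
fragment timeout 5 outside
! Refuse fragmented packets entirely on the dmz interface
fragment chain 1 dmz
```

Use show fragment outside (and show fragment dmz) to see the configured limits and the counters of fragments received, reassembled, and discarded. Before setting a chain limit of 1, confirm from those counters that nothing legitimate (for example NFS or large UDP datagrams) on that interface relies on fragmentation.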

11

How are the Access Control Lists compiled on the FWSM?

Answer:

ACLs are created and compiled on the PC complex, the FWSM's control-plane processor. The maximum that can be compiled and downloaded is 128K nodes. It is important to note that this limit is a number of nodes, not a number of ACLs or a number of Access Control Entries (ACEs) in a single ACL.

Once compilation on the PC complex completes successfully, the result is downloaded to the slow-path network processor (NP) in binary, tree form, so that matching against the tree can be performed efficiently. If compilation fails, nothing is downloaded to the slow NP, and traffic flowing through the FWSM is not affected, because the slow NP maintains two tables, one holding the old compiled tree and one for the new. The slow NP has 20 MB for storing the node tree produced by ACL compilation on the Control Plane (CP).
