urgent! vlan in FWSM can't connect to outside

mylove142 · ‎01-31-2007

Hi all,

I use FWSM in Catalyst 6513. Today, I have an error:

1) Vlans that FWSM manages can't connect to outside(for example: connect to Internet). Other Vlans can connect normally.

2) When I reload FWSM, the above events happen again after 3 - 5 minute.

If you know, please answer me early because my company needs to connect to outside.

mark-logsdon · ‎01-31-2007

It's hard to tell from your configs. But are you configuring the vlans on the 6513? Also, remember that of the FWSM denies all traffic in and out, you have to create a rule to allow outbound traffic from each of your vlans behind the FW. Hope this helps.

mylove142 · ‎01-31-2007

Thank you for your answer. But You can provide information to overcome the above problem. If you need more information, please ask me, I will provide.

Jon Marshall · ‎02-01-2007

Hi

Can you provide the config from th switch(es) which is relevant to the FWSM and the config from one of your DMZ's that access to the internet is not working for.

Also is the FWSM in

1) routed or transparent

2) multiple or single context

Has any change been made on the switch(es) or FWSM recently ?

Jon

mylove142 · ‎02-01-2007

Hi,

I send the file "show tech-support" in FWSM, you can look at the file and see the configuration .

I don't change anything in FWSM or Switch recently. I have many vlans such as billing, security, voice but all of vlans can't connect to internet.

Jon Marshall · ‎02-01-2007

Hi

Had at a look at config from bottom of sh tech-support. Where are the access-lists, did you miss them out when sending the file ?

Jon

mylove142 · ‎02-01-2007

I don't send them because access-list is no problem. Sometimes vlan that FWSM can't connect to outside, I don't change any access-list, after a short time, I can connect to outside. I think that FWSM has a error.

Before FWSM has an error, I connect to outside normally based on the same access-list.

Jon Marshall · ‎02-01-2007

Hi

Your failover is not currently working according to the show tech-support.

Can you check that you have allocated the same vlans to the FWSM on both switches ?

ie the firewall vlan-group "number" "vlans"

the vlans need to be the same on both switches.

Jon

mylove142 · ‎02-03-2007

I think that is OK. One week ago, both FWSM act normally but in recently days, FWSM1 can't act. When FWSM1 actives, Catalyst 6513 is suspended and some vlans that FWSM1 manages can't connect to outside. So, I must stop FWSM1.

Jon Marshall · ‎02-03-2007

Hi

Your failover happened on Jan 31 when your problems started. Unless you deliberately failed it over this seems more than coincidence.

Did you check the "firewall vlan-group x vlan list" statements on both your switches ?.

If you have assigned a vlan to the FWSM on one switch but not the other it will all be fine until it fails over then you will have problems.

I think you need to fix failover and then see if you are still having the same problems.

HTH

Jon

mylove142 · ‎02-03-2007

Thank Jon but I think that the configuration of both firewall is OK means that both firewalls has the same configuration. The problems happened on Jan30, and I stop Firewall 1 on Jan31.