error FWSM 6509 !!

Mar 4th, 2007

When I configured the FWSM-6509 in multi-context mode, I configured 2 contexts. Diagram:

vlan22--FW1--Vlan12<-->Router<-->Vlan22--FW2--VLan12

Vlan 22 : outside

Vlan 12 : DMZ

But I get this error:

6|Mar 02 2007 19:38:12|106025: Failed to determine security context for packet: vlan12

---> all packets are being dropped!

Please help me!

Please help me!

Jon Marshall Mon, 03/05/2007 - 00:16

Hi

Could you send a diagram of how it looks. I suspect what is happening is that you have 2 contexts using the same vlans. The FWSM has a thing called the classifier that determines which context to send the traffic to.

You can share vlans between contexts but you need to be aware of how the classifier works. What the FWSM is telling you is that it doesn't know which context to send the traffic to.

What are you trying to configure? Do you need both contexts to use the exact same vlans?

Jon

Jon Marshall Mon, 03/05/2007 - 01:21

Hi

It's still a little difficult without more information.

In our datacentre we have a shared outside vlan, but then all the DMZs and inside interfaces are unique per context.

Do you have servers on DMZ 12 that both contexts need to access? If so, why can you not do this with one context only?

Jon

nguyenphu Mon, 03/05/2007 - 01:36

Hi Jon!

Vlan 22 (DMZ) uses public IPs, so it is used for NAT to the Internet from inside1 and inside2 (inside1 and inside2 have different IPs). There are no servers in the DMZ.

We want vlan 22 (DMZ) to be a vlan used only for NAT.

Jon Marshall Mon, 03/05/2007 - 02:03

Hi

There should be no problem using a shared interface on the outside.

If there are no servers on the DMZ then I suggest you remove the DMZ interfaces from both your contexts and test again.

If I have missed the point please let me know.

Jon

nguyenphu Mon, 03/05/2007 - 02:17

Hi Jon!

First: when I configured 2 contexts sharing the outside interface, I had the same problem without the DMZ vlan, but I used:

static routes, and that was OK. I think I have that problem under control.

When I add a shared DMZ vlan, I have the problem!!

If I cannot use a shared DMZ vlan then I think I will use 2 DMZ vlans.

nguyen.

Jon Marshall Mon, 03/05/2007 - 02:24

Hi

Yes, I should have mentioned that. You will need static routes on your MSFC to point to the relevant subnets.

This is where your problem is, i.e. let's say you have two contexts:

Context 1 : IP address outside 192.168.5.10 255.255.255.0

DMZ subnet 172.16.5.0/24

Context 2 : IP address outside 192.168.5.12 255.255.255.0

DMZ subnet 172.16.5.0/24

If you have this setup it is not possible to do a static route on the MSFC as you would need to point it to both the outside IP addresses.

I would suggest you use different vlans for your DMZ, this would simplify things.

HTH

Jon
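To make Jon's point concrete, here is a small Python model of how a multi-context FWSM decides which context a packet on a shared VLAN belongs to. This is an added illustration written for this thread, not Cisco's code: the real classifier matches the destination address against each context's interface addresses and NAT/static configuration, whereas this model simply records, per context, the VLANs it owns and the address ranges it is known to answer for. All interface addresses and the second DMZ (vlan 13, 172.16.6.0/24) are constructed values chosen to match Jon's example above; the 106025 line the model emits mirrors the syslog quoted in the original question.

```python
"""Simplified model of FWSM multi-context packet classification on shared VLANs.

Written for this thread as an illustration; not Cisco's implementation.
A context is modelled as the VLANs it has interfaces on plus the subnets it
is responsible for (the real classifier uses interface and NAT/static
addresses for this).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Iface = ipaddress.IPv4Interface


@dataclass
class Context:
    name: str
    interfaces: Dict[int, Iface]            # vlan id -> interface address
    subnets: List[Net] = field(default_factory=list)  # networks behind it

    def claims(self, vlan: int, dst: ipaddress.IPv4Address) -> bool:
        """True if this context would claim a packet for dst arriving on vlan."""
        if vlan not in self.interfaces:
            return False
        if self.interfaces[vlan].ip == dst:
            return True
        return any(dst in net for net in self.subnets)


@dataclass
class Packet:
    vlan: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


def classify(pkt: Packet, contexts: List[Context]) -> Tuple[Optional[str], str]:
    """Return (context name, log line); the name is None when the packet is dropped."""
    dst = ipaddress.IPv4Address(pkt.dst)
    on_vlan = [c for c in contexts if pkt.vlan in c.interfaces]
    if len(on_vlan) == 1:
        # A VLAN used by exactly one context needs no classification at all.
        return on_vlan[0].name, f"vlan{pkt.vlan} is unique: sent to {on_vlan[0].name}"
    claimants = [c for c in on_vlan if c.claims(pkt.vlan, dst)]
    if len(claimants) == 1:
        return claimants[0].name, f"vlan{pkt.vlan} shared: {pkt.dst} -> {claimants[0].name}"
    # Zero claimants (unknown destination) or several (overlapping subnets):
    # the classifier cannot decide, and the packet is dropped with 106025.
    log = ("%FWSM-6-106025: Failed to determine the security context for the packet:"
           f"vlan{pkt.vlan}:{pkt.src} {pkt.dst} {pkt.sport} {pkt.dport} {pkt.proto}")
    return None, log


def overlapping_dmz_setup() -> List[Context]:
    """Jon's example: outside vlan 22 shared, DMZ vlan 12 shared with the SAME subnet.
    Interface addresses on vlan 12 are constructed."""
    return [
        Context("ctx1", {22: Iface("192.168.5.10/24"), 12: Iface("172.16.5.1/24")},
                [Net("172.16.5.0/24")]),
        Context("ctx2", {22: Iface("192.168.5.12/24"), 12: Iface("172.16.5.2/24")},
                [Net("172.16.5.0/24")]),
    ]


def separate_dmz_setup() -> List[Context]:
    """The fix suggested in the thread: a different DMZ vlan and subnet per
    context. vlan 13 / 172.16.6.0/24 for ctx2 are constructed values."""
    return [
        Context("ctx1", {22: Iface("192.168.5.10/24"), 12: Iface("172.16.5.1/24")},
                [Net("172.16.5.0/24")]),
        Context("ctx2", {22: Iface("192.168.5.12/24"), 13: Iface("172.16.6.1/24")},
                [Net("172.16.6.0/24")]),
    ]


if __name__ == "__main__":
    # Constructed sample packets: DMZ host -> Internet, and Internet -> DMZ host.
    dmz_out = Packet(12, "172.16.5.20", "198.51.100.7", 40000, 80, "tcp")
    inbound = Packet(22, "203.0.113.9", "172.16.5.20", 51000, 443, "tcp")
    for label, setup in (("overlapping", overlapping_dmz_setup()),
                         ("separate", separate_dmz_setup())):
        for pkt in (dmz_out, inbound):
            print(label, classify(pkt, setup)[1])
```

Running it shows the two failure modes behind the 106025 message: with the overlapping setup, a DMZ-to-Internet packet on shared vlan 12 has no context that claims an Internet destination, and an inbound packet for 172.16.5.20 is claimed by both contexts, so both are dropped. With a unique DMZ VLAN per context the DMZ packets need no classification, and only the shared outside VLAN is classified, which works because each DMZ subnet now belongs to exactly one context.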

nguyenphu Mon, 03/05/2007 - 02:32

Thanks Jon!!

I will try it. I think if I use different vlans it will be OK.

:)

thx !!

eric.loiseau Fri, 04/27/2007 - 11:30

Hello,

How did you resolve your problem? Because I have the same one.

2 contexts: outside uses the same network and vlan, but the DMZs use different vlans and networks.

I use static routing.

The problem occurs when I activate the second outside interface.

The only solution that I have found is to use multiple svi.

One for each outside interface context.

Regards

Jon Marshall Sat, 04/28/2007 - 23:33

Hi Eric

Using a shared vlan for the outside interface between contexts does work as we have that setup in our datacentre.

Could you post configs of your two contexts that don't work.

Also, could you give details as to how it is not working, i.e. where are you trying to connect from and where are you trying to connect to.

Lastly, could you give the version of the FWSM software.

Jon

smothuku Mon, 03/05/2007 - 01:23

Hi ,

The following info may help you.

Error Message: %FWSM-6-106025: Failed to determine the security context for the packet:sourceVlan:sourceIP destIP sourcePort destPort protocol

Error Message: %FWSM-6-106026: Failed to determine the security context for the packet:sourceVlan:sourceIP destIP sourcePort destPort protocol

Explanation:These messages are generated when the security context of the packet in multiple context mode cannot be determined. Both messages can be generated for IP packets being dropped in either router and transparent mode.

Recommended Action: None required.

HTH

Satish

Jon Marshall Mon, 03/05/2007 - 01:35

Hi Satish

Must admit I'm a bit confused by this recommended action. If your FWSM is dropping packets because it can't determine the security context, I would say your firewall isn't working. Recommended action "None" seems a bit counterintuitive to me.

Jon

nguyenphu Tue, 05/01/2007 - 19:31

Hi all !!

I tried the FWSM v3.0 guide book configuration (example configuration): same diagram, same configuration, but it did not work ???. Whatever, I resolved it with a different Cisco book ---> it works OK! :)

regards !

phund

eric.loiseau Thu, 02/14/2008 - 08:42

I have the same problem. Did you find a solution since May?

It works until I reload both modules.

When I run "sh arp" I see the same MAC address, and all my traffic goes to the admin context.

Regards
