Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1502
Views
0
Helpful
13
Replies

Packet loss on FWSM v3.1(5)

khalid.audhali.ibm
Level 1
Level 1

‎07-18-2008 07:53 AM - edited ‎03-11-2019 06:16 AM

Hi,

I have implemented multiple virtual contexts on an FWSM. I have a network for FW context mgmt connected to a vrf which then connects to another FW context providing connectivity to the rest of the network. Configuration is detailed as follows (without real names/IP addresses for customer confidentiality):-

- FW context FW1 connected to FW_mgmt subnet (10.1.1.0/24)

- FW context FW2 connected to FW_mgmt subnet (10.1.1.0/24)

- FW context FW3 connected to FW_mgmt subnet (10.1.1.0/24)

- FW_mgmt subnet connected to VRF1

- VRF1 connected to FW context FW4

- FW4 Vlan 1 (outside) interface connected to a VRF (VRF2) providing connectivity to the rest of the network

- FW4 Vlan 2 (inside) interface connected to Mgmt subnet (10.1.2.0/24)

- FW4 Vlan 3 (FW_Mgmt) interface connected to VRF1

If I establish a SSH session from a PC on the Mgmt network (10.1.2.0/24) to any of the FW contexts in the FW_mgmt network (10.1.1.0/24), the session establishes and I can log into all the contexts.

Beyond the outside interface of FW4 there is a syslog server and a radius server.

I configured FW1, FW2 and FW3 to use their interfaces on the FW_mgmt network for syslog and radius authentication.

I do not receive any syslog messages or radius authentication requests from FW1, FW2 or FW3.

After setting up a capture on the FW4 interface connected to VRF1 (Vlan3) I do not see any syslog or radius packets being received.

I am currently running FWSM version 3.1(5)

Has anyone experienced such a problem? If so, any advice as to what the solution could be would be greatly appreciated.

Labels:
0 Helpful
13 Replies 13

a.alekseev
Level 7
Level 7

‎07-18-2008 09:40 AM

you are using shared interface. that is the problem.

read about packet classifier

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/contxt_f.html#wp1124172

0 Helpful

khalid.audhali.ibm
Level 1
Level 1
In response to a.alekseev

‎07-22-2008 12:26 AM

Hi,

Yes, I know the FW contexts share the same network interface. However, surely the destination mac address is always going to be that of the VRF and not another FW.

Also, how can this work OK for SSH but not for RADIUS and SYSLOG?

0 Helpful

a.alekseev
Level 7
Level 7
In response to khalid.audhali.ibm

‎07-22-2008 12:38 AM

Could you show the diagram.

0 Helpful

khalid.audhali.ibm
Level 1
Level 1
In response to a.alekseev

‎07-22-2008 02:47 AM

Hi,

Please find attached a diagram depicting the configuration and the problem.

Please note, when I setup a capture on FW4, I see no syslog or RADIUS or SNMP packets inbound from FW1, FW2 or FW3 to the servers in the Network Mgmt network.

I hope this helps explain the issue further.

I understand the problem with the classifier, however, in this case I would expect all Syslog/RADIUS/SNMP packets (from FW1/FW2/FW3) to have the destination IP addresses of the servers in the Network Mgmt network and the destination mac address should be the mac address of VRF1.

Preview file
60 KB
0 Helpful

a.alekseev
Level 7
Level 7
In response to khalid.audhali.ibm

‎07-22-2008 02:52 AM

could you also show the configuration of FW4?

0 Helpful

khalid.audhali.ibm
Level 1
Level 1
In response to a.alekseev

‎07-22-2008 03:45 AM

Here is the config of FW4. I have had to go through it and remove all customer-specific data. So, please use it in correspondence with the diagram I sent before.

Preview file
4 KB
0 Helpful

a.alekseev
Level 7
Level 7
In response to khalid.audhali.ibm

‎07-22-2008 05:38 AM

could you try to remove this line

static (VLAN3,VLAN2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

0 Helpful

khalid.audhali.ibm
Level 1
Level 1
In response to a.alekseev

‎07-22-2008 07:51 AM

If I remove that static entry then I will no longer be able to access the FWs on their mgmt interfaces. At the moment I am managing them using SSH.

0 Helpful

a.alekseev
Level 7
Level 7
In response to khalid.audhali.ibm

‎07-22-2008 07:57 AM

why do you think so?

vlan3 - sec level 60

vlan2 - sec level 100

and you have

static (vlan3,vlan2) ...

0 Helpful

khalid.audhali.ibm
Level 1
Level 1
In response to a.alekseev

‎07-22-2008 08:12 AM

Apologies....I got a little confused as I have to translate the info I gave you to the actual config I have on the device.

I have removed that static and nothing has changed.

0 Helpful

a.alekseev
Level 7
Level 7
In response to khalid.audhali.ibm

‎07-22-2008 10:23 PM

deb icmp trace

and try to ping the VFR1 from RADIUS/Syslog/SNMP server.

do you see any logs?

try to do extended ping from VFR1 to RADIUS/Syslog/SNMP server with a source interface 10.1.1.X.

0 Helpful

khalid.audhali.ibm
Level 1
Level 1
In response to a.alekseev

‎08-02-2008 04:12 AM

Hi,

Sorry about the delay in responding.

I have been able to get the RADIUS, SYSLOG and SNMP to work now. The strange thing is there are no packets seen in the captures I set up on the Vlan1 and Vlan3 interfaces of FW4. I have removed the nat-control line on FW4 aswell so the statics are taken out of the equation.

Everything is working well apart from the switch that is hosting the FWSM and the VRF.

As you can see in the original diagram I sent at the start of this conversation, VRF1 is connected to the FW_Mgmt subnet (Vlan4) aswell as Vlan3.

I have configured the Switch to use the source-interface of Vlan4 for syslog, NTP, RADIUS and SNMP. None of these work, even though syslog, RADIUS and SNMP work for all the other devices in Vlan4.

If I set up a capture on FW4 interfaces Vlan1 and Vlan3, I see no Syslog, NTP, RADIUS or SNMP from the switch (source-interface Vlan4) to Network_Mgmt network.

If I set up a new Vlan interface (Vlan5) and attach it directly to FW4 (while leaving it on the global routing table instead of attaching it to VRF1), I can see syslog packets being received on the Syslog server with the switches Vlan4 IP address. However, I see no NTP, SNMP or RADIUS packets. The strange thing is on the FW4 capture, it shows the source address of the syslog packets being the Vlan4 IP address of the switch (which is correct) however it shows these packets as being received on Vlan5 for some reason!

If I shutdown Vlan5 either on FW4 or on the Switch, no syslog packets are received at all.

It seems the syslog, NTP, RADIUS and SNMP packets are being dropped or even not being transmitted unless there is an interface configured on the switch which is attached to the MSFC and not a VRF.

I hope I have explained the situation as clearly as possible.

0 Helpful

khalid.audhali.ibm
Level 1
Level 1
In response to a.alekseev

‎08-02-2008 04:53 AM

Please find attached the config of FW4.

There are two 6513s each with an FWSM and ACE.

I have set up Vlan5 on both of these switches with the configuration below.

Switch 1:-

interface Vlan5

ip address 192.168.1.51 255.255.255.248

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.49

ip route VRF1

ip radius source-interface vlan4

logging source-interface vlan4

snmp-server trap-source Vlan4

ntp source vlan4

Switch 2:-

interface Vlan5

ip address 192.168.1.52 255.255.255.248

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.49

ip route VRF1

ip radius source-interface vlan4

logging source-interface vlan4

snmp-server trap-source Vlan4

ntp source vlan4

Preview file
4 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card