07-18-2008 07:53 AM - edited 03-11-2019 06:16 AM
Hi,
I have implemented multiple virtual contexts on an FWSM. I have a network for FW context mgmt connected to a vrf which then connects to another FW context providing connectivity to the rest of the network. Configuration is detailed as follows (without real names/IP addresses for customer confidentiality):
- FW context FW1 connected to FW_mgmt subnet (10.1.1.0/24)
- FW context FW2 connected to FW_mgmt subnet (10.1.1.0/24)
- FW context FW3 connected to FW_mgmt subnet (10.1.1.0/24)
- FW_mgmt subnet connected to VRF1
- VRF1 connected to FW context FW4
- FW4 Vlan 1 (outside) interface connected to a VRF (VRF2) providing connectivity to the rest of the network
- FW4 Vlan 2 (inside) interface connected to Mgmt subnet (10.1.2.0/24)
- FW4 Vlan 3 (FW_Mgmt) interface connected to VRF1
If I establish a SSH session from a PC on the Mgmt network (10.1.2.0/24) to any of the FW contexts in the FW_mgmt network (10.1.1.0/24), the session establishes and I can log into all the contexts.
Beyond the outside interface of FW4 there is a syslog server and a radius server.
I configured FW1, FW2 and FW3 to use their interfaces on the FW_mgmt network for syslog and radius authentication.
I do not receive any syslog messages or radius authentication requests from FW1, FW2 or FW3.
After setting up a capture on the FW4 interface connected to VRF1 (Vlan3) I do not see any syslog or radius packets being received.
I am currently running FWSM version 3.1(5).
Has anyone experienced such a problem? If so, any advice as to what the solution could be would be greatly appreciated.
07-18-2008 09:40 AM
You are using a shared interface. That is the problem.
Read about the packet classifier:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/contxt_f.html#wp1124172
07-22-2008 12:26 AM
Hi,
Yes, I know the FW contexts share the same network interface. However, surely the destination mac address is always going to be that of the VRF and not another FW.
Also, how can this work OK for SSH but not for RADIUS and SYSLOG?
07-22-2008 12:38 AM
Could you show the diagram?
07-22-2008 02:47 AM
Hi,
Please find attached a diagram depicting the configuration and the problem.
Please note, when I setup a capture on FW4, I see no syslog or RADIUS or SNMP packets inbound from FW1, FW2 or FW3 to the servers in the Network Mgmt network.
I hope this helps explain the issue further.
I understand the problem with the classifier, however, in this case I would expect all Syslog/RADIUS/SNMP packets (from FW1/FW2/FW3) to have the destination IP addresses of the servers in the Network Mgmt network and the destination mac address should be the mac address of VRF1.
07-22-2008 02:52 AM
Could you also show the configuration of FW4?
07-22-2008 03:45 AM
07-22-2008 05:38 AM
Could you try to remove this line:
static (VLAN3,VLAN2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
07-22-2008 07:51 AM
If I remove that static entry then I will no longer be able to access the FWs on their mgmt interfaces. At the moment I am managing them using SSH.
07-22-2008 07:57 AM
Why do you think so?
vlan3 - sec level 60
vlan2 - sec level 100
and you have
static (vlan3,vlan2) ...
07-22-2008 08:12 AM
Apologies... I got a little confused as I have to translate the info I gave you to the actual config I have on the device.
I have removed that static and nothing has changed.
07-22-2008 10:23 PM
deb icmp trace
and try to ping VRF1 from the RADIUS/Syslog/SNMP server.
Do you see any logs?
Try to do an extended ping from VRF1 to the RADIUS/Syslog/SNMP server with a source interface of 10.1.1.X.
08-02-2008 04:12 AM
Hi,
Sorry about the delay in responding.
I have been able to get the RADIUS, SYSLOG and SNMP to work now. The strange thing is there are no packets seen in the captures I set up on the Vlan1 and Vlan3 interfaces of FW4. I have removed the nat-control line on FW4 as well so the statics are taken out of the equation.
Everything is working well apart from the switch that is hosting the FWSM and the VRF.
As you can see in the original diagram I sent at the start of this conversation, VRF1 is connected to the FW_Mgmt subnet (Vlan4) as well as Vlan3.
I have configured the Switch to use the source-interface of Vlan4 for syslog, NTP, RADIUS and SNMP. None of these work, even though syslog, RADIUS and SNMP work for all the other devices in Vlan4.
If I set up a capture on FW4 interfaces Vlan1 and Vlan3, I see no Syslog, NTP, RADIUS or SNMP from the switch (source-interface Vlan4) to Network_Mgmt network.
If I set up a new Vlan interface (Vlan5) and attach it directly to FW4 (while leaving it on the global routing table instead of attaching it to VRF1), I can see syslog packets being received on the Syslog server with the switch's Vlan4 IP address. However, I see no NTP, SNMP or RADIUS packets. The strange thing is on the FW4 capture, it shows the source address of the syslog packets being the Vlan4 IP address of the switch (which is correct) however it shows these packets as being received on Vlan5 for some reason!
If I shut down Vlan5 either on FW4 or on the Switch, no syslog packets are received at all.
It seems the syslog, NTP, RADIUS and SNMP packets are being dropped or even not being transmitted unless there is an interface configured on the switch which is attached to the MSFC and not a VRF.
I hope I have explained the situation as clearly as possible.
08-02-2008 04:53 AM
Please find attached the config of FW4.
There are two 6513s each with an FWSM and ACE.
I have set up Vlan5 on both of these switches with the configuration below.
Switch 1:
interface Vlan5
ip address 192.168.1.51 255.255.255.248
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.49
ip route VRF1
ip radius source-interface vlan4
logging source-interface vlan4
snmp-server trap-source Vlan4
ntp source vlan4
Switch 2:
interface Vlan5
ip address 192.168.1.52 255.255.255.248
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.49
ip route VRF1
ip radius source-interface vlan4
logging source-interface vlan4
snmp-server trap-source Vlan4
ntp source vlan4
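One way to check for the switch-side symptom described above (management services sourced from Vlan4 in VRF1 only working once a global-table interface exists), as an added example that is not from the thread: a small Python checker that flags a service whose source interface sits in a VRF while none of that service's commands name the VRF, so IOS resolves the server in the global routing table. The sample config is constructed from the posted source-interface lines plus assumed Vlan4/VRF1 and placeholder server addresses; the helper names are mine.

```python
import re

# Constructed sample (not the poster's full config): the posted source-interface
# lines plus assumed Vlan4-in-VRF1 and placeholder server addresses (TEST-NET-1).
SAMPLE_CONFIG = """\
interface Vlan4
 ip vrf forwarding VRF1
 ip address 10.1.1.4 255.255.255.0
logging host 192.0.2.10
logging source-interface vlan4
ntp server 192.0.2.11
ntp source vlan4
snmp-server host 192.0.2.12 public
snmp-server trap-source Vlan4
ip radius source-interface vlan4
"""

# service -> (command prefix, regex capturing its source interface)
SERVICES = {
    "syslog": ("logging", r"^logging source-interface (\S+)"),
    "ntp": ("ntp", r"^ntp source (\S+)"),
    "snmp": ("snmp-server", r"^snmp-server trap-source (\S+)"),
    "radius": ("ip radius", r"^ip radius source-interface (\S+)"),
}

def interface_vrfs(config):
    """Map interface name (lower-cased) -> VRF from 'ip vrf forwarding'."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1).lower()
        elif current and (m := re.match(r"^\s+ip vrf forwarding (\S+)", line)):
            vrfs[current] = m.group(1)
    return vrfs
def check_source_interfaces(config):
    """Return (service, interface, vrf) for each service whose source interface
    sits in a VRF that none of that service's commands name; IOS then resolves
    the server in the global table, so the packets never go out via the VRF."""
    vrfs, lines, findings = interface_vrfs(config), config.splitlines(), []
    for service, (prefix, pattern) in SERVICES.items():
        for line in lines:
            m = re.match(pattern, line)
            if not m:
                continue
            vrf = vrfs.get(m.group(1).lower())
            if vrf and not any(l.startswith(prefix) and f"vrf {vrf}" in l for l in lines):
                findings.append((service, m.group(1), vrf))
    return findings
```

Running it on the sample reports all four services (syslog, NTP, SNMP, RADIUS) as sourced from Vlan4 in VRF1 without a VRF-aware server or source command; adding the vrf keyword to each (e.g. `logging host 192.0.2.10 vrf VRF1`) clears the findings.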