UDP does not seem to reach the firewall

Answered Question
Aug 7th, 2008

This problem is also wireless and router/switch related, but it appears to be an issue between the FWSM and the MSFC.


I have lightweight access-points (LAPs) on a subnet behind a redundant routed firewall context on an FWSM in a 6509. This context has a DHCP relay configured.


The outside of the firewall is connected to the router (MSFC) through an interface vlan.


On that same chassis, a PIX525 is connected. Behind that PIX is the WLC and the DHCP-server.


When the LAP powers on, it does a DHCP request. The context relays it to the DHCP server, and the response is sent to the LAP. In that response is the IP-address of the WLC, which is on the same subnet as the DHCP server.


Next step is a join request to the controller (udp to WLC on port 12223).


When I use the capture facility on the firewall, I see the packet entering the inside interface, and leaving the outside on the FWSM. I do not see any responses.


Next I do the same on the PIX outside: there I see the requests to the WLC, but also the responses FROM the WLC. I do not see those responses on the OUTSIDE of the context of the FWSM!


I use the following ACL for capturing data:


access-list lwapp permit ip any host 192.168.43.10
access-list lwapp permit ip host 192.168.43.10 any
capture wlc access-list lwapp interface outside


Where 192.168.43.10 is the IP-address of the WLC


show capture wlc detail

gives me the packets I need to see.


On the inside of the context this gives me only join requests.
On the outside of the context this gives me only the join requests.
On the outside of the PIX this gives me both the join request and the join response.


The router does not have any ACL on either interface.


Next step is to put an ACL on the router interfaces:


access-list 100 permit ip host 192.168.43.10 192.168.37.32 0.0.0.31 log
access-list 100 permit ip 192.168.37.32 0.0.0.31 host 192.168.43.10 log
access-list 100 permit ip any any


This access-list is applied both inbound and outbound on the interface towards the PIX. I see both counters incrementing, and with 'show logging' I see both join requests and join responses.


When I place this access-list on the interface towards the FWSM, I see the same.


My conclusion is therefore: the packets are leaving the interface towards the FWSM, but they do not arrive on the outside of the FW-context.


HOWEVER: I can access switches with SSH in the same subnet (they have their management IP in that same subnet).


From the WLC, I can ping the LAPs (there are 2 in that subnet at the moment).


Because the join response is not received, the LAPs are continuously rebooting (being reachable for 20-30 seconds), but during this interval I can ping them from the WLC.


On the firewalls all needed protocols are allowed through.


Can anyone shed some light on this?


TIA,


Marcel

Correct Answer by robertson.michael about 8 years 6 months ago

Hi Marcel,


So, the connections are working correctly? The problem is only that you are not seeing the packets on the outside interface of the FWSM?


If this assumption is correct, there are a couple of possible explanations:


1. What version of code is your FWSM running? Captures on some versions of FWSM are unreliable, so the traffic may be flowing correctly but the captures simply do not show it. A SPAN session configured on your supervisor for your outside VLAN would be much more reliable.


2. Do you have multiple SVIs configured? If so, it is possible for traffic to be routed directly to the MSFC and bypass the FWSM if your routing/gateways are misconfigured. See here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/switch_f.html#wp1176033


-Mike


mvandorp Thu, 08/07/2008 - 23:56

I found the issue, while sniffing the traffic on the LAP VLAN.


It appears the WLC is discovered using the management IP-address (43.10 in my case), but the join response is coming from the AP-manager IP address (43.25). That second address was blocked by the firewall, and once allowed, all worked like a charm.


It appears the capture option of the FWSM is not as reliable as a sniffer on a SPAN port (thank you, Mike! I'll give you the credits :*))


Marcel
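The diagnosis in this thread comes down to two checks: comparing what each capture point saw (request only, or request plus reply) to find where the reply stops, and noticing that the reply is sourced from an address (the AP-manager, 43.25) other than the one the request was sent to (the management address, 43.10). The following script, added here as an illustration and not code from the thread or from Cisco, automates both checks over a constructed set of capture records. The one-line-per-packet format, the capture point names (fwsm_inside, fwsm_outside, pix_outside) and the LAP address 192.168.37.40 are all assumptions made for the example; the format is not FWSM 'show capture' output.

```python
"""Correlate LWAPP join requests and responses across several capture points.

Added illustration of the troubleshooting in this thread; not code from the
thread or from Cisco. The capture line format is invented for the example
(it is not FWSM 'show capture' output): each line reads
    <capture_point> <src_ip>.<src_port> > <dst_ip>.<dst_port>
"""
from collections import defaultdict

LWAPP_CONTROL_PORT = 12223  # join request/response port named in the thread

# Constructed sample: a LAP (192.168.37.40, a hypothetical address inside the
# 192.168.37.32/27 LAP subnet) sends a join request to the WLC management
# address. The only response, seen on the PIX outside, is sourced from the
# WLC AP-manager address, not from the address the request went to.
SAMPLE_CAPTURE = """\
fwsm_inside  192.168.37.40.5000 > 192.168.43.10.12223
fwsm_outside 192.168.37.40.5000 > 192.168.43.10.12223
pix_outside  192.168.37.40.5000 > 192.168.43.10.12223
pix_outside  192.168.43.25.12223 > 192.168.37.40.5000
"""


def parse_capture(text):
    """Return a list of (point, src_ip, src_port, dst_ip, dst_port) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != ">":
            continue  # skip blank or unrecognised lines
        point, src, _, dst = parts
        src_ip, src_port = src.rsplit(".", 1)
        dst_ip, dst_port = dst.rsplit(".", 1)
        records.append((point, src_ip, int(src_port), dst_ip, int(dst_port)))
    return records


def classify_requests(records, port=LWAPP_CONTROL_PORT):
    """For every request to `port`, record what each capture point saw in reply.

    Returns {(client_ip, client_port, server_ip): {point: status}} where status
    is 'answered', 'answered_by <ip>' when the reply came from an address other
    than the one the request was sent to, or 'unanswered'.
    """
    by_point = defaultdict(list)
    for rec in records:
        by_point[rec[0]].append(rec)

    result = {}
    for point, recs in by_point.items():
        for _, src_ip, src_port, dst_ip, dst_port in recs:
            if dst_port != port:
                continue  # not a request to the control port
            key = (src_ip, src_port, dst_ip)
            status = "unanswered"
            for _, r_src, r_sport, r_dst, r_dport in recs:
                # A reply is any packet back to the client's socket from the
                # control port, whichever server address it is sourced from.
                if r_dst == src_ip and r_dport == src_port and r_sport == port:
                    status = "answered" if r_src == dst_ip else f"answered_by {r_src}"
                    break
            result.setdefault(key, {})[point] = status
    return result


def locate_drop(statuses, path):
    """Given capture points ordered from the server side towards the client,
    return the first point where a reply seen further upstream is missing."""
    seen = False
    for point in path:
        status = statuses.get(point, "unanswered")
        if status != "unanswered":
            seen = True
        elif seen:
            return point
    return None


def extra_peer_addresses(classified):
    """Addresses that answered from somewhere other than the requested one.

    A firewall rule keyed only on the management address misses these replies,
    which is exactly the AP-manager case described in the thread.
    """
    extra = set()
    for per_point in classified.values():
        for status in per_point.values():
            if status.startswith("answered_by "):
                extra.add(status.split(" ", 1)[1])
    return sorted(extra)


if __name__ == "__main__":
    classified = classify_requests(parse_capture(SAMPLE_CAPTURE))
    path = ["pix_outside", "fwsm_outside", "fwsm_inside"]
    for key, per_point in classified.items():
        print(key, per_point)
        print("reply lost at:", locate_drop(per_point, path))
    print("addresses to permit besides the management IP:",
          extra_peer_addresses(classified))
```

Run against the constructed records, the script reports the reply as present on pix_outside (sourced from 192.168.43.25), absent on fwsm_outside and fwsm_inside, and therefore lost between the PIX outside and the FWSM outside, with 192.168.43.25 listed as the additional address the firewall policy has to permit. The reply-matching rule deliberately keys on the client's socket and the control port rather than on the server address, because a rule that insisted on the reply coming from the requested address would have hidden the real cause.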
