Strange "Self-Locking" behaviour of the FWSM

Unanswered Question
Aug 21st, 2008


I encountered a problem concerning our FWSM. It's configured as a multiple-context routed firewall. There is a context A inside (security level 95), a context B inside (not yet configured) and an admin context. The next hop outside is our 6500 and behind that is my PC "Out". After doing all configuration work, I tried to ping a PC "A" in context A from outside, but that didn't work, although all routes and ACLs were set correctly. After some time, I tried to ping the PC "Out" on the outside interface from that PC "A" in context A, which worked perfectly. After that, I was able to ping from PC "Out" to PC "A". So there is a strange lock-up of the FWSM when no connections are made or when you initially configure your FWSM. You first have to make a connection from inside to the outside, and from THEN ON you can connect from the outside to the inside. This behaviour is reproducible, especially when there is no traffic happening (e.g. over night). The next morning, that strange self-locking happened again: I first had to make a connection (doesn't matter if ping, ssh, etc.) from inside PC "A" to somewhere on the outside in order to make a connection from the outside to the inside.

Can anyone explain that behaviour or confirm its existence?

Thanks in advance!

jphilope@cswg.com_2 Thu, 08/21/2008 - 05:07

Good day from America,

I have not seen the conditions you are experiencing. It sounds like an xlate issue. We've seen where new rules do not work until we clear xlate and clear conn. This is a known and understandable condition.

Also, look at your xlate timer. Ours is set to 3 hours, and yours may be longer. The command is: timeout xlate 3:00:00.

As a possible second issue, your routing may be responsible. Once you make a connection to the outside, you may create a dynamic route (it would depend upon your internal routing protocol). Traffic begins to flow and as long as it continues, the route remains. Once the route times out, you have to repeat the process. As you are using the FWSM in multiple contexts, you cannot use it in routed mode. All your routes through the FWSM must be statically assigned.

Hope this helps.


Marwan ALshawi Thu, 08/21/2008 - 05:11

Do you have your inspection rules enabled properly?

Also, do you have your NAT (if you have NAT) and ACLs configured properly?

For your information:

With FWSM, all traffic is denied by default, even from a higher security level to a lower one, unless you permit it by an ACL, unlike the ASA.
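The two replies above point at translations (xlates) and at the FWSM's default-deny ACL behaviour. The following context configuration is an added example, not the poster's or either replier's configuration. It uses constructed VLAN numbers and addresses and assumes PC "A" is 192.168.10.10 behind the inside interface of context A. It shows one NAT setting that produces exactly the described symptom (a translation that only comes into existence when the inside host initiates traffic and disappears when the xlate timer expires) next to a corrected, bidirectional one, followed by the commands used to check whether an xlate for PC "A" exists:

```cisco
! Constructed example for context A (VLANs and addresses are made up)
interface Vlan10
 nameif inside
 security-level 95
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Multiple-context FWSM: no dynamic routing, so the path to the 6500 is a static route
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! --- Setting that reproduces the "self-locking" symptom ---
! Identity NAT without an access-list creates an xlate only when an inside host
! initiates traffic. Until PC "A" sends something outbound there is no xlate, so
! packets from PC "Out" to 192.168.10.10 are dropped even though routes and ACLs
! permit them. Once the xlate ages out (timeout xlate, 3 hours by default) the
! lock-up returns, which matches the "next morning" behaviour.
nat (inside) 0 192.168.10.0 255.255.255.0
!
! --- Corrected setting: a bidirectional translation ---
! Remove the one-way identity NAT and use NAT exemption (nat 0 with an access-list),
! whose translation is valid no matter which side initiates.
no nat (inside) 0 192.168.10.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.10.0 255.255.255.0 any
nat (inside) 0 access-list NO_NAT
! Equivalent alternative for a single host: an identity static, which also never ages out
! static (inside,outside) 192.168.10.10 192.168.10.10 netmask 255.255.255.255
!
! The FWSM denies transit traffic in both directions until an ACL permits it,
! so the inside interface needs an access-group as well as the outside one.
access-list INSIDE_OUT extended permit ip 192.168.10.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
access-list OUTSIDE_IN extended permit icmp any host 192.168.10.10 echo
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.10 eq 22
access-group OUTSIDE_IN in interface outside
!
! Explicit xlate timer (3 hours, the same value the first reply mentions)
timeout xlate 3:00:00
!
! Checks: run these in context A before and after an inside-initiated ping.
! With the one-way identity NAT the first command shows nothing until PC "A"
! has sent traffic; with NAT exemption or the static it does not depend on that.
show xlate | include 192.168.10.10
show conn
! After changing NAT or ACL rules, clear stale entries so the new rules take effect
clear xlate
clear conn
```

To confirm this is the cause rather than the routing issue raised in the first reply, compare the output of `show xlate` on the context at the moment the outside-to-inside ping fails: if no entry for PC "A" is present and one appears immediately after PC "A" pings outward, the translation, not the route, is what the inside-initiated traffic is creating.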

