ACE and FWSM Problem

Aug 27th, 2008

I have a Catalyst 6500 with an ACE and Firewall Service Module (FWSM) installed. See Diagram.

The server sits in VLAN 10 which is configured in both ACE and FWSM. The server load balancing is configured in DSR mode (Direct Server Return), which means that the request from the client goes through the VIP configured in the ACE but the server's default gateway points to the FWSM. The purpose is to avoid high volume return traffic from the server through the ACE. The client sits in VLAN 14. I am able to ping the VIP address. By pinging VIP I mean load balancing ICMP (not "loadbalance vip icmp-reply"). However SSL or SSH to the VIP does not work. I suspect this may be an issue with the FWSM but not sure. Any suggestions?

robertson.michael Thu, 08/28/2008 - 08:13

Hi Anik,

Since the FWSM is a stateful firewall, it will drop this return traffic from the Server to the Client because it never saw the initial connection. This is also referred to as asymmetric routing.

In the example of SSH to the Server, the Client will send the initial SYN to the VIP to open up the TCP connection. The Server will receive this SYN through the ACE module and reply with a SYN-ACK back to the Client. However, the Server is sending this to the FWSM, rather than back through the ACE. Since the FWSM never saw the initial SYN and built a subsequent TCP connection, the FWSM will drop this SYN-ACK and the connection cannot be established. If you observe syslogs at level 6 during a time when you are trying to establish this connection, you will see message 106015 indicating that the packets are being dropped because no existing connection exists.

The problem you are running into here is that the firewall only sees half of the traffic for the connection, thus it cannot effectively firewall the connection and so the traffic is dropped. Typically, you would want to resolve this so that the FWSM can see and firewall all traffic. A common way to do this is with the following topology:

[Client]---vlan10---[FWSM]---vlan11---[ACE]---vlan12---[Server]

With this topology, the FWSM and the ACE module are in-line with each other. So, packets will pass through both devices and the FWSM will see both sides of the connection.

If this is not possible for you, you can enable a feature called TCP State Bypass. When this is enabled, the FWSM will not enforce stateful checks on matching TCP sessions. In other words, the FWSM will not care that it never saw the initial SYN of the SSH session and simply allow the SYN-ACK to pass through and arrive at your client. Enabling this for SSH sessions between the Client and Server might look something like this:

!An ACL to match interesting traffic
access-list bypass permit tcp host eq 22 host
!A class-map to match this ACL
class-map bypass-class
  match access-list bypass
!Tie the class-map to a policy-map
policy-map bypass-policy
  class bypass-class
    set connection advanced-options tcp-state-bypass
!Enable the policy-map with a service-policy
service-policy bypass-policy

However, keep in mind that this will disable all stateful checks for traffic matching the bypass ACL.

Here is a link to the TCP State Bypass documentation as well:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/protct_f.html#wp1059879

Hope that helps.

-Mike
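To make the asymmetric-routing explanation above concrete, here is a small model of a stateful firewall's connection check, written for this thread and not taken from the FWSM or ACE. It shows the DSR case with and without the bypass, and the in-line topology Mike proposes; the addresses, port numbers and the 106015 message wording are constructed assumptions.

```python
"""Why DSR breaks a stateful firewall, and what TCP State Bypass changes.

Toy model of a stateful connection check (an illustration added to this
thread, not the product's logic). Addresses are constructed; the 106015
message text approximates the syslog Mike mentions.
"""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN-ACK"

@dataclass
class StatefulFirewall:
    bypass: set = field(default_factory=set)  # (ip, port) pairs matched by the bypass ACL
    conns: set = field(default_factory=set)   # 4-tuples of connections the firewall saw open
    log: list = field(default_factory=list)

    def forward(self, seg: Segment) -> bool:
        """Return True if the segment is forwarded, False if it is dropped."""
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == "SYN":
            self.conns.add(key)  # a SYN creates connection state
            return True
        if key in self.conns or (seg.dst, seg.dport, seg.src, seg.sport) in self.conns:
            return True  # matches an existing connection in either direction
        if (seg.src, seg.sport) in self.bypass or (seg.dst, seg.dport) in self.bypass:
            return True  # tcp-state-bypass: no state check for matched flows
        self.log.append(f"%FWSM-6-106015: Deny TCP (no connection) from {seg.src}/{seg.sport} "
                        f"to {seg.dst}/{seg.dport} flags {seg.flags}")
        return False

CLIENT, VIP = "10.0.14.5", "10.0.10.100"  # constructed: client in VLAN 14, VIP in VLAN 10

def dsr_ssh_handshake(fw: StatefulFirewall) -> bool:
    """DSR: the SYN goes client -> ACE -> server and never crosses the firewall;
    the server answers from the VIP via its default gateway, the FWSM."""
    return fw.forward(Segment(VIP, 22, CLIENT, 40000, "SYN-ACK"))

def inline_ssh_handshake(fw: StatefulFirewall) -> bool:
    """Mike's in-line topology: both directions traverse the firewall."""
    fw.forward(Segment(CLIENT, 40000, VIP, 22, "SYN"))
    return fw.forward(Segment(VIP, 22, CLIENT, 40000, "SYN-ACK"))
```

Running `dsr_ssh_handshake` on a plain `StatefulFirewall()` drops the SYN-ACK and logs the 106015 line; the same call with `bypass={(VIP, 22)}` forwards it, as does `inline_ssh_handshake` with no bypass at all.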

amazumde Thu, 08/28/2008 - 08:58

WOW! The TCP state bypass solved my problem. Changing the topology wasn't an option however.

Thanks a ton.

amazumde Sun, 08/31/2008 - 15:46

Mike,

Any idea how to make the bypass policy work on an ASA? The commands do not seem to be applicable on an ASA.

- Anik
