Unanswered Question
Jun 5th, 2009

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on troubleshooting the Firewall Services Module (FWSM) with expert Srinivas Mallu. Srinivas is a senior customer support engineer in High Touch Technical Support (HTTS) within the Technical Assistance Center (TAC). He has a double CCIE in Routing & Switching and Security (CCIE# 8914). Mallu has been in TAC for the past eight years supporting security-related products such as PIX, ASA, FWSM, Security on IOS, IPSec, ACS and IDS. He also trains people on his team on security technologies.

Remember to use the rating system to let Srinivas know if you have received an adequate response.

Srinivas might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 19, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

harinirina Sun, 06/07/2009 - 22:34

Hi Srinivas,

We'd like to know if it is possible to inspect an application which is not predefined on the FWSM.

We know the port used for the initial conversation; dynamic ports are used after the session is established.

Could you please give information/examples on how to do this?

smallu Wed, 06/10/2009 - 16:03

Hi There,

Yes. It's possible to inspect protocols which are not defined in the standard default configuration.

We can accomplish this by the class maps and policy maps, and applying them to the interface or to the global policy.

Here is an example of PPTP inspection:

FWSM(config)#class-map pptp-port

FWSM(config-cmap)#match port tcp eq 1723


FWSM(config)#policy-map pptp_policy

FWSM(config-pmap)#class pptp-port

FWSM(config-pmap-c)#inspect pptp


FWSM(config)#service-policy pptp_policy interface outside

Hope this helps!



omair.siddiqui Mon, 06/08/2009 - 10:05

Hi Srinivas;

I have a couple of questions:

1- Is NAT supported in bridge mode now?

2- How can I pass all traffic of the FWSM to the IDSM module?

3- Similarly, traffic from the server will first reach the IDSM; would I need to pass this to the FWSM, provided that the IDSM is in bridging mode?

omair.siddiqui Wed, 06/10/2009 - 22:47

Hi Mallu;

Thanks for your response, I was able to find a document that says that NAT is now supported in transparent mode:

Transparent Firewall NAT Support

You can now configure NAT for a transparent firewall. This feature extends the NAT/PAT functionality to transparent mode thereby reducing the need for adding a new NAT/PAT device in the network. This feature is also very useful in cases where multiple virtual routing and forwarding (VRFs) with overlapping addresses are used. NAT per VRF is not supported on the Catalyst 6500 series switches and the Cisco 7600 series routers.

Introducing NAT support for transparent firewalls addresses the NAT per VRF requirement. Transparent mode offers the capability to run routing protocols through the FWSM with minimal configuration.

smallu Thu, 06/11/2009 - 12:49

Thanks for posting this. Very good to know. I knew the feature was being planned for future release, did not know it was already out.


sabuz_banik Mon, 06/08/2009 - 19:37


I got a PIX-501 with a 10 user license, now I want to upgrade it to 50 users. How shall I accomplish this task? Please advise me.

harinirina Mon, 06/08/2009 - 23:46

Hi Srinivas,

We also have another question.

We have an FWSM installed on a 6500. It never comes online.

Here is the error message:

00:10:20: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off (Module Failed SCP dnld)

The "Online Diag Status" is Unknown.

We cannot use the firewall. Is there a way to solve this problem?

Leo Laohoo Tue, 06/09/2009 - 14:37

Hi Harinirina,

By default, a new FWSM will always disable the power during first insert.

You can enable the module by using the command "power enable module <slot>".

Hope this helps.

smallu Wed, 06/10/2009 - 16:32

Couple of things you can try, before swapping out the hardware.

1) Reseat the module

2) Try seating it in a different slot; maybe the slot it's being seated in is bad. Could be a chassis issue.

If the above steps fail, replace the hardware. If step 2 works, then you may have to consider replacing the 6500 chassis.

Hope this helps!



harinirina Thu, 06/11/2009 - 07:37


Thanks both for the reply.

We seated the FWSM in another slot, same result.

When seating an IDSM module in the slot where the FWSM was seated, it boots.

We tried the command "power enable module", we got "status : Other" and "Online Diag Status: Unknown".

After some minutes, the message "%C6KPWR-SP-4-DISABLED: power to module in slot 3 set off (Module Failed SCP dnld)" appears again, the status is PwrDown and "Online Diag Status: Not Applicable".

On a firewall module, we'd like to know if there's also a notion of "Rommon mode"?

smallu Thu, 06/11/2009 - 13:06

There isn't any ROMMON mode in FWSM. If it does not boot, maybe it had a bad boot flash, which needs to be physically replaced, by pulling the card out of the chassis.

If that does not help, you may have to replace the FWSM card itself.



harinirina Thu, 06/11/2009 - 08:04


We have configured an ACL on an FWSM. What we noticed is that when letting an application out, we can't get a response unless we also let in the returning traffic.

For example, when we create an ACL for FTP traffic from inside to outside and apply it on the inside interface, we also need to create an ACL from outside to inside on the outside interface with FTP as the source port:

access-list 100 extended permit tcp host X.X.X.X host Y.Y.Y.Y eq 20

access-list 100 extended permit tcp host X.X.X.X host Y.Y.Y.Y eq 21

access-list 101 extended permit tcp host Y.Y.Y.Y eq 20 host X.X.X.X

access-list 101 extended permit tcp host Y.Y.Y.Y eq 21 host X.X.X.X

access-group 101 in interface inside

access-group 100 in interface outside

Is it a normal thing, or what could be the reason for that?

What's the correct config?

smallu Thu, 06/11/2009 - 13:01

Normally, you don't have to apply another ACL on the outside to let the return traffic through, if the traffic has been permitted by an ACL on the inside.

Do you have FTP inspection turned on? This takes care of opening pin holes for return traffic.

Another thing I noticed in your configuration is that ACL 101 is applied on the inside. If the FTP is being initiated on the inside, shouldn't it be destination ports 20 and 21 that are permitted, instead of the source ports?

Try that and see if it makes any difference. Do you see the NAT entries for this translation?
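
To make the point about return traffic and FTP pinholes concrete, here is a small Python model of the behaviour discussed in this thread. It is an added example, not FWSM code and not written by anyone in the thread: a stateful firewall that checks the ingress ACL only for new flows, passes return traffic of known connections from its connection table, and, when "inspect ftp" is on, opens a pinhole for the server-initiated active-mode data channel. The addresses A.A.A.A and B.B.B.B are the placeholders from the posts; the ephemeral ports are constructed, and the inspection engine is deliberately simplified (it does not parse the PORT/PASV exchange, it just pinholes the server's port 20 back to the client).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """A TCP packet seen on a firewall interface (constructed model, not captured data)."""
    iface: str    # ingress interface: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One ACE: 'permit tcp host <src> [eq <sport>] host <dst> [eq <dport>]'. None = any port."""
    src: str
    dst: str
    dport: Optional[int] = None
    sport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport) and self.sport in (None, p.sport))


class Firewall:
    """Toy stateful firewall: ingress ACL for new flows, a connection table for return
    traffic, and an optional, much simplified FTP inspection engine."""
    FTP_CONTROL, FTP_DATA = 21, 20

    def __init__(self, ftp_inspect: bool) -> None:
        self.ftp_inspect = ftp_inspect
        self.acls: dict[str, list[Ace]] = {}      # interface -> ACEs applied "in"
        self.conns: set[tuple] = set()            # (src, sport, dst, dport) of open flows
        self.pinholes: set[tuple] = set()         # (src, sport, dst) opened by inspection

    def access_group(self, iface: str, aces: list[Ace]) -> None:
        self.acls[iface] = aces

    def process(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # 1. Return traffic of a known flow never needs an ACL on the other interface.
        if fwd in self.conns or rev in self.conns:
            return "permit (existing connection)"
        # 2. A secondary channel the inspection engine pre-authorised.
        if (p.src, p.sport, p.dst) in self.pinholes:
            self.pinholes.discard((p.src, p.sport, p.dst))
            self.conns.add(fwd)
            return "permit (inspection pinhole)"
        # 3. A new flow must be permitted by the ACL on its ingress interface.
        if any(a.matches(p) for a in self.acls.get(p.iface, [])):
            self.conns.add(fwd)
            if self.ftp_inspect and p.dport == self.FTP_CONTROL:
                # Simplification (assumption): real FTP inspection reads the PORT/PASV
                # exchange to learn the exact data ports; here we pinhole any active-mode
                # data connection from the server's port 20 back to the client.
                self.pinholes.add((p.dst, self.FTP_DATA, p.src))
            return "permit (acl)"
        return "deny"


def active_ftp_session(fw: Firewall, client: str, server: str) -> list:
    """Control channel client->server:21, its reply, then the server-initiated
    active-mode data channel from server:20. Ephemeral ports are constructed."""
    control = Packet("inside", client, 40001, server, 21)
    reply = Packet("outside", server, 21, client, 40001)
    data = Packet("outside", server, 20, client, 40002)
    return [fw.process(control), fw.process(reply), fw.process(data)]


def run_scenarios() -> dict:
    client, server = "B.B.B.B", "A.A.A.A"          # placeholders as used in the thread
    inside_acl = [Ace(client, server, dport=21), Ace(client, server, dport=20)]

    # a) inside ACL only, no FTP inspection: the data channel is dropped
    fw = Firewall(ftp_inspect=False)
    fw.access_group("inside", inside_acl)
    no_inspect = active_ftp_session(fw, client, server)

    # b) same, plus the source-port ACL on the outside that the poster found necessary
    fw = Firewall(ftp_inspect=False)
    fw.access_group("inside", inside_acl)
    fw.access_group("outside", [Ace(server, client, sport=20), Ace(server, client, sport=21)])
    no_inspect_return_acl = active_ftp_session(fw, client, server)

    # c) inside ACL plus 'inspect ftp': the pinhole replaces the outside ACL
    fw = Firewall(ftp_inspect=True)
    fw.access_group("inside", inside_acl)
    inspect = active_ftp_session(fw, client, server)

    return {"no_inspect": no_inspect, "no_inspect_return_acl": no_inspect_return_acl,
            "inspect": inspect}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} control={result[0]:28s} reply={result[1]:30s} data={result[2]}")
```

Scenario (a) reproduces the symptom from the question: the control channel and its replies pass on the connection table alone, but the server-initiated data channel from port 20 has no matching connection and no ACL on the outside, so it is dropped. Scenario (b) is the source-port ACL workaround, and (c) shows why "inspect ftp" makes that extra ACL unnecessary.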


harinirina Fri, 06/12/2009 - 03:03


Sorry, it is a mistake. The real config is that ACL 100 is applied on the inside (I changed the name and I made a mistake).

In case FTP inspection is not turned on, could we open an FTP session by applying an ACL or not?

We use so many non-standard ports; do we need to enable application inspection for each port?

We'll enable inspection for FTP and redo the test.

We'll let you know the result.

smallu Fri, 06/12/2009 - 13:43

Yes. You can still permit FTP traffic without the FTP inspection. However, the ACLs to permit the non-standard ports would get complicated, plus you'll need the appropriate static statements to let traffic from outside to inside.

I would recommend using FTP inspection.



harinirina Sun, 06/14/2009 - 01:58


We redid the test.

The network we tried to configure is as follows:

- There are 2 contexts, A and B

- We use static between the 2 contexts; they can ping each other now

- An FTP server is installed in context A

- An FTP client accesses this server from context B

On context B, here is the config:

access-list ACL_test permit tcp host B.B.B.B host A.A.A.A eq 20

access-list ACL_test permit tcp host B.B.B.B host A.A.A.A eq 21

access-group ACL_test in int inside

class-map inspection_default

match default-inspection-traffic



policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect skinny

inspect smtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

on context A, we configured the same ACL but applied on outside interface

access-list ACL_test permit tcp host B.B.B.B host A.A.A.A eq 20

access-list ACL_test permit tcp host B.B.B.B host A.A.A.A eq 21

access-group ACL_test in int outside

class-map inspection_default

match default-inspection-traffic



policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect skinny

inspect smtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

The test of FTP access from context B was done from a DOS command prompt.

The client was asked to enter a username and password. The problem is that we couldn't explore the directory; it is blocked.

When trying to apply "permit ip any any" on the outside interface of context B and on the inside interface of context A, FTP works fine.

What should be modified in the config?

trevora Mon, 06/15/2009 - 02:13

I had a similar problem this weekend with an FWSM running the latest version of software.

When trying to access a web server on a DMZ with a static NAT (dmz,outside), I added an ACL permitting incoming traffic on the outside ACL for the NAT address, but it would not work until I added access on the DMZ ACL (also incoming on the DMZ int.).

I have not checked yet to see if http is in the default inspection.

smallu Tue, 06/16/2009 - 13:54

You may need the ACL on the DMZ, if

* HTTP inspection is not turned on

* The server responds with another port, and needs an ACL to permit another port, etc.

I would be interested to know if HTTP inspection was turned on?



smallu Tue, 06/16/2009 - 13:45

The problem here could be that the data port is getting blocked somewhere. I would check the ACLs.


harinirina Mon, 06/15/2009 - 01:48


When we redid the test, we noticed that the problem was the ACL on the context where the FTP server is installed (context A), not the ACL on the context where the FTP client is installed (context B).

On context B


access-list ACL_test extended permit tcp B.B.B.B A.A.A.A eq ftp-data

access-list ACL_test extended permit tcp B.B.B.B A.A.A.A eq ftp

access-group ACL_test in interface inside

On context A


access-list ACL_test extended permit tcp B.B.B.B A.A.A.A eq ftp-data

access-list ACL_test extended permit tcp B.B.B.B A.A.A.A eq ftp

access-group ACL_test in interface outside

access-list ACL_test-in extended permit tcp A.A.A.A eq ftp-data B.B.B.B

access-list ACL_test-in extended permit tcp A.A.A.A eq ftp B.B.B.B

access-group ACL_test-in in interface inside

We had to configure an ACL from A to B where the source ports are 20 and 21 when "service-policy global_policy global" was not configured; we had forgotten to put in this line.

When configuring "service-policy global_policy global", FTP works well even without "access-group ACL_test-in in interface inside" on context A.

Now, we need to permit a specific application which uses its own (non-standard) port, and on top of that, we only know the initial port it uses for initiating the session.

When the session is initiated, the application uses dynamic ports.

What is your advice about configuring an ACL for this application?

smallu Tue, 06/16/2009 - 13:48

I see that you fixed the initial problem with the data ports. That's awesome!

Yes, you can configure an ACL for this application, or for that matter any application, as long as you know the ports and what to tweak on the ACLs (source ports etc).

Hope this helps!


harinirina Wed, 06/17/2009 - 22:40


Yes, the initial problem was fixed, thanks indeed for your help.

So, for an application which uses dynamic ports, is configuring an ACL with the destination port used for initiating communication enough, or do we need something else?

rhutchison Tue, 06/09/2009 - 07:06

I have been trying to troubleshoot a failover "issue" with two different FWSMs in two different Catalyst 6500 switches. The FWSMs are running 3.1(6). When I show failover I get:

sh failover

Failover On

Last Failover at: 05:34:33 utc Feb 27 2009

This context: Active

Active time: 8848444 (sec)

Interface inside ( Normal

Interface outside ( Normal

Peer context: Standby Ready

Active time: 0 (sec)

Interface inside ( Normal

Interface outside ( Normal (Waiting)

Stateful Failover Logical Update Statistics

Status: Configured.

Stateful Obj xmit xerr rcv rerr

RPC services 0 0 0 0

TCP conn 0 0 0 0

UDP conn 0 0 0 0

ARP tbl 1125 0 0 0

Xlate_Timeout 0 0 0 0

What does Normal (Waiting) mean?

francisco_1 Tue, 06/09/2009 - 07:32

It means that failover on the active unit has not started to monitor the network interface outside. Failover does not start to monitor the network interfaces until it has heard the second "hello" packet from the standby unit on that interface.

Make sure the outside VLAN is allowed on the trunk port between your 6500's.

smallu Wed, 06/10/2009 - 16:48

Could very well be a possibility. Thanks for your response francisco!


smallu Wed, 06/10/2009 - 16:40

Hi There,

It means that the particular interface has encountered a communication failure on the standby unit, as this interface on the active unit did not receive any Hello messages for the duration of the timeout period, which is normally 30 secs. The interface will be in the waiting state until the failure is corrected.

In summary, check these steps to narrow down the failover problems:

Check the network cables connected to the interface in the waiting/failed state and, if it is possible, replace them.

If there is a switch connected between the two units, verify that the networks connected to the interface in the waiting/failed state function correctly.

Check the switch port connected to the interface in the waiting/failed state and, if it is possible, use another FE port on the switch.

Check that you have enabled port fast and disabled both trunking and channeling on the switch ports that are connected to the interface.

Hope this helps!
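
The "Normal (Waiting)" state that francisco_1 and Srinivas explain above is easy to miss in a long "show failover" listing. The following Python script is an added example (not from the thread, not a Cisco tool) that parses such output and reports the conditions worth acting on: an interface on either unit still waiting for hellos, a peer that is not in Standby Ready, or non-zero stateful update error counters. The sample text is constructed from the output rhutchison posted; the interface addresses in parentheses (10.0.0.x, 192.0.2.x) were missing from the post and are documentation addresses added here.

```python
import re

# Constructed sample modelled on the 'show failover' output posted in the thread;
# the interface addresses are documentation addresses added here, not from the post.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Last Failover at: 05:34:33 utc Feb 27 2009
        This context: Active
                Active time: 8848444 (sec)
                Interface inside (10.0.0.1): Normal
                Interface outside (192.0.2.1): Normal
        Peer context: Standby Ready
                Active time: 0 (sec)
                Interface inside (10.0.0.2): Normal
                Interface outside (192.0.2.2): Normal (Waiting)

Stateful Failover Logical Update Statistics
        Status: Configured.
        Stateful Obj    xmit       xerr       rcv        rerr
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         1125       0          0          0
        Xlate_Timeout   0          0          0          0
"""

UNIT_RE = re.compile(r"^\s*(This|Peer) context:\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*$")
STAT_RE = re.compile(r"^\s*(\S.*?\S)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_failover(text: str) -> dict:
    """Turn the text into a dict: failover flag, per-unit state, interface list, counters."""
    report = {"failover_on": False, "units": {}, "interfaces": [], "stats": {}}
    unit, in_stats = None, False
    for line in text.splitlines():
        if line.strip() == "Failover On":
            report["failover_on"] = True
        elif line.strip().startswith("Stateful Obj"):
            in_stats = True            # header row; the numeric rows follow it
        elif in_stats:
            m = STAT_RE.match(line)
            if m:
                report["stats"][m.group(1)] = dict(
                    zip(("xmit", "xerr", "rcv", "rerr"), map(int, m.groups()[1:])))
        elif (m := UNIT_RE.match(line)):
            unit = m.group(1).lower()          # "this" or "peer"
            report["units"][unit] = m.group(2)
        elif (m := IFACE_RE.match(line)) and unit:
            report["interfaces"].append(
                {"unit": unit, "name": m.group(1), "addr": m.group(2), "state": m.group(3)})
    return report


def failover_findings(report: dict) -> list:
    """Return human-readable findings; an empty list means the pair looks healthy."""
    findings = []
    if not report["failover_on"]:
        findings.append("failover is not enabled")
    if report["units"].get("peer") not in ("Standby Ready", "Active"):
        findings.append(f"peer state is {report['units'].get('peer')!r}")
    for i in report["interfaces"]:
        if "(Waiting)" in i["state"] or "Failed" in i["state"]:
            findings.append(
                f"{i['unit']} interface {i['name']}: {i['state']} - failover hellos not yet "
                f"seen on this interface; check the VLAN is carried between the chassis")
    for obj, c in report["stats"].items():
        if c["xerr"] or c["rerr"]:
            findings.append(f"stateful update errors for {obj}: xerr={c['xerr']} rerr={c['rerr']}")
    return findings


if __name__ == "__main__":
    for finding in failover_findings(parse_show_failover(SAMPLE_SHOW_FAILOVER)):
        print(finding)
```

Run against the sample it prints a single line about the peer's outside interface, which is exactly the interface the question asks about; feeding it the output of a healthy pair returns nothing, so it can sit in a periodic check without noise.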



smallu Wed, 06/10/2009 - 16:46

Sorry, I have setup an alert mechanism, which did not work. I am back now.

AlfonsasStonis Wed, 06/10/2009 - 21:16

Very slow connection!

Hi. The problem is that the Cisco PIX firewall slows down the HTTP connection to the level where it becomes unusable. We have the following configuration:

Web browser (on Windows machine) -> PIX firewall -> JBoss server (on Linux machine). If firewall HTTP inspection is turned on, the connection becomes very slow (about 60 times slower). We cannot find the reason why.

Any help?

We are using:

Cisco PIX Security Appliance Software Version 7.2(2)

Device Manager Version 5.2(3)

Compiled on Wed 22-Nov-06 14:16 by builders

System image file is "flash:/pix722.bin"

Config file at boot was "startup-config"

AXE-INTERNAL-FIREWALL up 72 days 16 hours

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

The problem is happening with all browsers. We are using JBoss 4.

Frank Vo Wed, 06/10/2009 - 22:36

If enabled, try disabling your inspect http. It is typically for deep inspection of Java code, etc.

AlfonsasStonis Wed, 06/10/2009 - 22:44

Thanks for the reply. Turning off inspect http helps. Unfortunately it is not useful in our case. The problem is that our clients that use PIX and connect to this server have huge performance problems. We cannot tell our clients that they need to turn off inspect http on their firewalls. Maybe it is possible to find the reason why it becomes so slow.

Frank Vo Wed, 06/10/2009 - 22:52

Apologies, I should have been more clear. As an HTTP session is still technically a TCP session, it does still get the stateful inspection treatment. However, inspect http tells the PIX to do deep packet inspection such as checking Java code, which can be processor intensive, which may or may not be the cause of your performance issue.

AlfonsasStonis Wed, 06/10/2009 - 23:02

Thanks. I understand this. The problem is that the firewalls are at the client sides. We are hosting a public web server, so it is very hard to explain to every customer that they need to turn HTTP inspection off on their servers. There are no Java applets and in many cases not even JavaScript in the web pages. However, it is still very slow.

Do you know any reason that can cause HTTP inspection to become very slow (some pages are very small, just text, and still take more than a minute)?

Farrukh Haroon Thu, 06/11/2009 - 02:17

Do you see any interface errors on the switch port connecting the web server?

Have you checked the web server from behind the firewall to rule out a web-server/L2 issue?

Also you may do an asp-drop capture to see if any packets are being dropped, or at least do 'clear asp drop' and then 'show asp drop' to see if it's related to inspection/TCP normalization.

Also look at the following:



Jacob Samuel Sun, 06/14/2009 - 06:39

Hi Srinivas,

I need your kind input on configuring the FWSM in Transparent mode. I have installed one in Routed mode, but this time I would like to do it in Transparent mode. I read some documents but am not getting a clear idea. Could you please help me on this?

Also, if I have around 20 VLANs on the network that need to be configured as different DMZs in the FWSM, how would the performance be? Is it advisable? Can I do the same?



smallu Tue, 06/16/2009 - 13:41


Check out the following sample config for transparent firewall mode:

You should be fine with 20 VLANS. It also depends on the throughput and the amount of traffic you have through these VLANs. If you had no problems with routed mode, you should be fine with transparent mode as well.

Hope this helps!



smallu Thu, 06/11/2009 - 13:23

Hi There,

Are you doing any URL filtering? There are some known issues with 7.2.2 code with URL filtering which can cause such a problem. There are also some known issues with packet ordering, packets not being sent out on the egress interface in the order they were received on the ingress.

Do you have any sniffer traces? That's the best way to tell if we are hitting any known issue, or if it's something the client or the server is doing. It's hard to tell without much information.

I would recommend opening a TAC service request to troubleshoot this further.

Hope this helps!



patrick.cresta Thu, 06/11/2009 - 06:18


My RVS4000 with multiple VLANs and 'SIP Application Layer Gateway' enabled crashes after the first attempt at opening a VoIP phone line.

Are there any firmware releases planned for this device?

Thank you in advance.

smallu Thu, 06/11/2009 - 12:45

Hi Patrick,

This forum is for the FWSM product.

This is a good question for the Linksys support team. You have to open a service request with TAC to get an answer to this question. Although it's a Cisco security product, a separate team within TAC handles the support side of it.

Hope this helps!



omair.siddiqui Thu, 06/11/2009 - 22:14

HI Mallu;

Can I use the FWSM to do some deep inspection and application layer inspection like the IDSM? I understand it might not be as comprehensive, but is it possible?

manmeetshergill Sun, 06/14/2009 - 23:28


What will be the configurations needed to perform an intra-chassis active-active failover between 2 FWSMs, apart from creating the failover VLANs on the switch and adding them to the failover group?

Is there any other config on the failover VLANs other than the IP address?

