FWSM context showing discards

Unanswered Question
Sep 18th, 2009

I am monitoring a number of contexts which are hosted in the same FWSM via Solarwinds Orion. These contexts have an interface on the same VLAN to enable routing between them, and other traffic across the network. All these interfaces are showing a high level of "RECEIVE DISCARDS" on the Orion console.

What appears to be happening is that each context is receiving *ALL* traffic for the VLAN, and then discarding inappropriate packets. This seems to be confirmed by running a capture on the interface.

Is this normal behaviour, or has something been configured incorrectly?

tprendergast Thu, 09/24/2009 - 10:18

Please see: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/contxt_f.html#wp1124172

"How the FWSM Classifies Packets:

Each packet that enters the FWSM must be classified, so that the FWSM can determine to which context to send a packet. The FWSM uses only one global MAC address across all interfaces. A single MAC address is usually not a problem unless multiple contexts want to share an interface. A router cannot direct packets to IP addresses on the same network if all IP addresses resolve to the same MAC address. Moreover, the bridging table of the switch would constantly change as the MAC address moves from one interface to another. The purpose of the security context classifier is to resolve this situation. "

From what I read, this sounds like your problem (and I've dealt with it before in the past). If you read through this and determine it isn't your problem, please clarify further with a diagram so we can assist.

Basically, if you have several contexts that each have a L3 interface in vlan 10 (for example), then at layer2 the switch sees every one of those interfaces having the same exact mac address. This obviously causes confusion, and the errors you'll see.

You need to help the FWSM know which interface is supposed to receive those packets by defining static mappings to each destination address behind this FWSM context. The document does a decent job of explaining how this works.

I found, personally, that I had to re-architect the way I was doing things as this is a VERY messy solution to the problem at hand. You need to basically create a mapping for every destination IP to force it through a certain context over another. Not fun, and not very sustainable from an administrative standpoint.

Hope that helps. Please rate if so!



mark.j.hodge Fri, 09/25/2009 - 00:56

This isn't quite what I am seeing. I'll try and give a synopsis of the situation.

I have multiple contexts with an interface on the same VLAN. If I run a capture on this interface on one context, I can see traffic destined for another. If I check the classification table on the FWSM system using “sh np 3 static” I can see the correct context as the destination.

i.e. traffic that is classified for context A can be seen on a capture for context B.

I suspect that the capture, whilst configured on an individual context, is actually running on the system, and therefore seeing all traffic for the VLAN, and that Solarwinds is getting its statistics from the system too. However, I cannot find any documentation to confirm this.

mark.j.hodge Fri, 09/25/2009 - 06:16

I probably should have read the manual, :-(

Capture Limitations

For a shared VLAN:

All traffic that enters the interface to which the capture is attached (and that matches the capture access list) is captured, including traffic to other contexts on the shared VLAN.

Therefore, if you enable a capture in Context A for a VLAN that is also used by Context B, both Context A and Context B ingress traffic is captured.
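The two points made in this thread (the classifier assigns a packet to a context by its destination address, per the static mappings shown by "sh np 3 static"; a capture on a shared VLAN sees ingress traffic for every context on that VLAN) can be checked against a capture listing. The script below is an added example, not code from the original posts, from Cisco, or from the FWSM itself: it takes a constructed classifier table (context to owned destination networks) and a constructed capture listing in the shape of a "show capture" output from Context B's shared interface, attributes each packet to the context that would actually own it, and counts how many of the packets seen on Context B's interface belong to other contexts, i.e. the expected shared-VLAN noise that shows up as receive discards rather than genuine drops. All addresses, context names and timestamps are made up for the example.

```python
import ipaddress
from collections import Counter

# Constructed classifier table: the destination networks each context owns on the
# shared VLAN. On a real FWSM these come from the static mappings listed by
# "sh np 3 static"; the networks and context names here are hypothetical.
CLASSIFIER = {
    "contextA": ["10.10.1.0/24"],
    "contextB": ["10.10.2.0/24"],
    "contextC": ["10.10.3.0/24"],
}

# Constructed capture lines in the shape of an FWSM/ASA "show capture" listing,
# taken (hypothetically) on Context B's interface in the shared VLAN.
CAPTURE_CONTEXT_B = """\
1: 10:18:03.112211 192.168.50.7.51234 > 10.10.1.20.443: S 0:0(0) win 65535
2: 10:18:03.112560 192.168.50.7.51235 > 10.10.2.5.22: S 0:0(0) win 65535
3: 10:18:03.113001 192.168.50.9.40000 > 10.10.3.8.80: S 0:0(0) win 65535
4: 10:18:03.113400 192.168.50.9.40001 > 10.10.2.5.22: . ack 1 win 65535
5: 10:18:03.114000 192.168.50.11.40002 > 10.10.9.1.53: udp 40
"""


def build_classifier(table):
    """Turn the string table into ip_network objects, keyed by context name."""
    return {ctx: [ipaddress.ip_network(n) for n in nets] for ctx, nets in table.items()}


def classify(dst_ip, networks):
    """Return the context that owns dst_ip, or None when no mapping covers it
    (the FWSM then has no context to deliver the packet to)."""
    addr = ipaddress.ip_address(dst_ip)
    for ctx, nets in networks.items():
        if any(addr in net for net in nets):
            return ctx
    return None


def parse_capture(text):
    """Extract source/destination IP and destination port from each capture line.
    The line format is 'seq: time src.port > dst.port: <protocol details>'."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, right = line.split(" > ", 1)
        src = left.split()[-1]                 # last token before ' > ' is src.port
        dst = right.split(":", 1)[0]           # dst.port ends at the first ':'
        src_ip, _ = src.rsplit(".", 1)         # port is the final dotted field
        dst_ip, dst_port = dst.rsplit(".", 1)
        packets.append({"src": src_ip, "dst": dst_ip, "dport": int(dst_port)})
    return packets


def attribute_capture(capture_text, capturing_context, table=CLASSIFIER):
    """Count packets seen on one context's shared-VLAN interface by who owns them:
    'own' (this context), 'other_context' (expected shared-VLAN noise that the
    classifier steers elsewhere) or 'unclassified' (no static mapping at all)."""
    networks = build_classifier(table)
    counts = Counter()
    for pkt in parse_capture(capture_text):
        owner = classify(pkt["dst"], networks)
        if owner == capturing_context:
            counts["own"] += 1
        elif owner is None:
            counts["unclassified"] += 1
        else:
            counts["other_context"] += 1
    return dict(counts)


if __name__ == "__main__":
    # Packets 1 and 3 belong to contexts A and C, 2 and 4 to B, and 5 to nobody.
    print(attribute_capture(CAPTURE_CONTEXT_B, "contextB"))
```

Running it against the constructed capture reports two packets owned by Context B, two that belong to other contexts, and one with no mapping at all. On a live unit the "other_context" bucket is the part of the Orion receive-discard count that is expected behaviour for a shared VLAN, while a non-empty "unclassified" bucket points at destinations that still need a static mapping, which is the condition the first reply describes.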
