Access-rules actives but not working

Hi all:

We are facing a problem with our FWSM. There are some rules that are configured (and enabled) which seem not to be working properly.

Yesterday, I received complaints from the users that they couldn't reach servers on port 1521. I confirmed the rule that allows that traffic is correct and enabled, so I launched 2 captures, one on the input interface (I can see the traffic) and another one on the output interface (no traffic there). I was very surprised.

The next step was to enable the log on the policy (through ASDM). One minute after that the customer told me the issue was fixed and asked me what I did. I didn't do anything!! I only enabled the log on the policy!

The customer, and I, are worried about this. This is the second time it has happened and I don't have a logical explanation for the FWSM behaviour. The version is 4.0(7) and ASDM is 6.1(5)F.

Does someone have an idea about what's going on?

Thanks a lot,

Francisco


9 Replies

Kureli Sankar
Cisco Employee

I am just as surprised as you are.

You are saying adding the "log" keyword at the end makes the acl work, but before that all packets were dropped by the firewall and were not egressing.

Do you do manual commit or auto commit for ACLs? Was this ACL always there and working? Or did it never work?

-KS

Yes KS, the 2 times it happened it was fixed by enabling the log in the policy, only with that. It seems as if the ACL is in an inactive status until you make a change on it, very strange. Once I enabled the log, I could see the packets on the output interface with the capture.

Both access-lists already had hits prior to this issue.

The commit is manual; every time I make any change on the FWSM I press the Apply button in ASDM.

Many thanks for the link KS!!!! I think it could be the problem, very grateful.

One question. I want to disable the optimization on the FWSM but I don't know if it will affect all the access-lists configured until now, because I've read that with optimization enabled the fw has an optimized copy of every access-list. Will that copy be erased when I disable the optimization? Will the access-lists become inactive if it's disabled?

If I uncheck the optimization checkbox, the appliance suggests that I make a backup of the optimized access-lists. How can I do it? It seems it can only be copied to the running config, not to a TFTP/FTP server.

Thanks

No No. The optimized acl will take less space, so if by disabling that the space taken by your acl grows and your partition runs out of space, you will be in trouble. So, just issue a sh tech and save the output to a text file.

sh access-l | i elements

Make sure you do not have a huge number of elements.

sh np 3 acl count ---> is another good command.

Once done you can disable acl optimization.

-KS
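The check KS recommends above is to read the element count of every access-list (from `sh access-l | i elements`) before disabling ACL optimization, so that the unoptimized ACLs do not exhaust the partition's space. As an added example that is not part of this thread or of any Cisco tool, the following Python script parses constructed sample output in the `access-list <name>; <n> elements; ...` line format (the format is assumed from ASA/FWSM `show access-list` output, and the counts are made up) and compares the total against an element limit. The limit value `ASSUMED_ELEMENT_LIMIT` is a placeholder; the real per-partition and per-context limits are in the FWSM 4.0 specs page linked later in the thread.

```python
import re

# Constructed sample output of "show access-list | include elements".
# The line format is assumed from ASA/FWSM output; the names and counts are made up,
# with the largest ACL matching the 17000 elements mentioned in the thread.
SAMPLE_OUTPUT = """\
access-list inside_access_in; 17000 elements; name hash: 0x1a2b3c4d
access-list dmz_access_in; 420 elements; name hash: 0x5e6f7081
access-list outside_access_in; 96 elements; name hash: 0x92a3b4c5
some unrelated line that should be ignored
"""

# Placeholder limit for illustration only (assumption, not a Cisco-documented value).
# Replace it with the figure from the FWSM 4.0 specifications for your partition/context.
ASSUMED_ELEMENT_LIMIT = 80_000

# One ACL summary line: name, then the element count.
_ELEMENT_RE = re.compile(r"^access-list\s+(\S+?);\s+(\d+)\s+elements\b")


def parse_element_counts(text):
    """Return {acl_name: element_count} for every matching line in the output."""
    counts = {}
    for line in text.splitlines():
        m = _ELEMENT_RE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def summarize(counts, limit=ASSUMED_ELEMENT_LIMIT, warn_ratio=0.8):
    """Total the elements, find the largest ACL and flag usage above warn_ratio of the limit."""
    total = sum(counts.values())
    if counts:
        largest_name, largest_count = max(counts.items(), key=lambda kv: kv[1])
    else:
        largest_name, largest_count = None, 0
    return {
        "total_elements": total,
        "largest_acl": largest_name,
        "largest_count": largest_count,
        "percent_of_limit": round(100.0 * total / limit, 1),
        "warning": total >= warn_ratio * limit,
    }


if __name__ == "__main__":
    result = summarize(parse_element_counts(SAMPLE_OUTPUT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Paste the real `show access-list | include elements` output into `SAMPLE_OUTPUT` (or read it from the saved `sh tech` text file) and set the limit from the specs page; a `warning` of `True` means the unoptimized ACLs are close enough to the limit that disabling optimization deserves a second look.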

The highest number of elements I have is 17000. Is that figure high?

I did the show tech (I don't understand the output of the sh np 3 acl count <0-11>) and I don't know why after the sho tech I can disable the optimization. Do I have to do a copy optimized-running-config running-config before disabling it?

Thanks

That is correct. sh tech is just for backup.

Your acl count is not high at all.

You can disable optimization now.

You can check the limitation here: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/specs_f.html#wp1067359

for both single and multiple context.

-KS

Many thanks again for your help KS.
