Can anyone explain the interaction between CSM, ASDM & the FWSM? I'm trying to work out if there are incompatible combinations with various versions.
It is my understanding that the CSM server makes a connection to port 443 on the FWSM so must be communicating with the installed ASDM version. We have a CSM 3.1.1 server & FWSM 3.1(4) installed; is there a specific ASDM version that should be installed on the FWSM when using CSM or can we just upgrade to the latest? The 6.1(x)F ASDM release notes say it is compatible with FWSM 3.1(4).
One of the reasons I am checking is that we recently had an issue where an ACL entry was not being matched correctly and the packets were being discarded by an entry further down the list. Originally the offending entry had the subnet referenced by IP/netmask; we changed the entry in CSM to use an object group for the same subnet and pushed the policy, and the ACL then behaved as expected. We then changed the ACL back to IP/netmask in CSM, pushed the policy and it carried on matching correctly.
During these changes the ACL order was identical and it wasn't anything complicated - the mask was a simple /24 subnet being referenced to allow a well-known service port. We even have a test FWSM that is configured identically to the live one and the ACL worked fine on that during testing; the rules were copied & pasted from the test FWSM to the live FWSM in CSM.
We are upgrading CSM to 3.3.1 next week so hopefully won't see this issue again.