fwsm and how to bypass its session inspections without causing them to drop

Unanswered Question
Oct 3rd, 2011

Hi all !

i have a question about fwsm and how to bypass its session inspections without causing them to drop .

scenario :

due to number of connections capacity limitations of our FWSM's, we have made a temporary solution utilizing few FWSMs and sharing the load between them using PBR [ tested on Cat6x in hardware ]

its not pretty but it would let us go through the winter

my question here is for firewall guys :

if im LB between the firewalls and like to make an adjustment in the traffic and move a certain range in the PBR from FW1 to FW2 ,

regularly the connection would be tore down and would need to be re-established . this means Downtime .

i would like to find any way i can cause FW2 to allow the "moved" connections to pass and continue on FW2 .

if it involves disabling a feature for x period of time and then re-enabling it  - ok , anything is good .


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
Marcin Latosiewicz Mon, 10/03/2011 - 10:03


TCP state bypass would take care of TCP during transition, datagram based protocols (expect the ones going through inspection engines) should take care of themselves (provided they are allowed by ACL).

If the two FWSMs are in failover (A/A scenario) check out ASR groups.



Login or Register to take actions

This Discussion

Posted October 3, 2011 at 8:04 AM
Replies:1 Avg. Rating:
Views:371 Votes:0

Related Content

Discussions Leaderboard

Rank Username Points
1 7,866
2 6,140
3 3,170
4 1,473
5 1,446