×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

User Tracking with FWSM

Unanswered Question
Dec 2nd, 2005
User Badges:

In CiscoWorks User Tracking version 3.3 all ports are tracked fine except ports on VLANs that are configured on our FWSM firewall. On those ports only the MAC address shows up, hostname IP address and subnet mask are blank.


Tried making FWSM a seed device, installed updates for CiscoWorks; nothing seems to make a difference.


Anyone ever run into the problem?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
nhabib Fri, 12/02/2005 - 10:21
User Badges:
  • Red, 2250 points or more

FWSM is not supported by Campus Manager and that leads to this type of behavior.


I believe the reason is that FWSM doesn't support CDP.

alandean Tue, 12/06/2005 - 05:42
User Badges:

Perhaps they should rename the product CiscoNeverWorks

yvasanthk Fri, 12/09/2005 - 05:19
User Badges:

Hi Nadim,


Campus Manager must support this particular case. It is becoming a very common deployment with the FWSM.


One of the typical cases is pointing all desktops to a firewall vlan interface as their default gateway.


In this case, FWSM module has the ARP entries.


FWSM must be supported as a special device and it must be treated as a router. Whenever Campus Manager comes across a 6500 device, it should check if it has an FWSM module. If so, it should read ARP from this module.


User Tracking must move away from traditional approach of just polling the routers or L2L3 switches.


Regards,

Vasanth

amolrajgure Sat, 12/24/2005 - 01:40
User Badges:

I am facing the same problem, only the core 6513 switch vlans are showing all feilds under user tracking by LMS 2.2 , what about the vlans created on FSWM? Its not showing the IPs and other fields. Will it be supported in future or any specific version need to be upgraded?

mmimmi2005 Tue, 04/01/2008 - 03:09
User Badges:

hey


any news on this one? is it still not supported?

I got the same problem.

Joe Clarke Tue, 04/01/2008 - 10:09
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

FWSM support is not planned with Campus Manager since these modules do not support CDP. Without support, UT will not use the FWSM for its ARP entries.


As a workaround, you can use a small Cisco router (e.g. 2500, 1700, etc.) on the same internal interface as the FWSM. This router should have routing disabled, and its ARP timeout turned up to the maximum. It will collect quite a few ARP entries, though it won't be perfect.

mmimmi2005 Wed, 04/02/2008 - 00:36
User Badges:

Hey


thx for this fast and informative reply!

how can I connect this router on the same internal interface as the FWSM? It's a 6500 switch.

So why do you say "it wont be perfect", won't I see all the ARP entries?


Thank you.

Joe Clarke Wed, 04/02/2008 - 09:52
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

You would have to put the router on a switch port which is in the inside VLAN. It won't be perfect since the router won't actually be routing. It will just be listening for ARP entries.

mmimmi2005 Fri, 04/04/2008 - 07:49
User Badges:

We tried to put a router into the into the transition vlan of the firewall. Is this what you meant with inside vlan?

because we don't get any arp entries with mac address and IP of end hosts in the different vlans which are routed over the Firewall.


Joe Clarke Fri, 04/04/2008 - 10:58
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Assuming your users are in subnet 10.2.1.0/24 which is VLAN 2, you would need to add the router to a port in VLAN 2. Only then would it have any chance of seeing ARP packets for 10.2.1.0/24. Of course, if you have multiple user VLANs (and you probably do) you would need one router (or one router interface) per VLAN to capture ARP packets.

Actions

This Discussion