Cisco Support Community
ASK THE EXPERTS - FIREWALL SERVICES MODULE

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot FWSM with Cisco expert Srinivas Mallu.  Srinivas is a senior customer support engineer in High Touch Technical Support (HTTS) within the Technical Assistance Center (TAC). He has a double CCIE in Routing & Switching and Security (CCIE# 8914). Mallu has been in TAC for the past eight years supporting security related products such as PIX, ASA, FWSM, Security on IOS, IPSec, ACS and IDS. He also trains people on his team on security technologies.

Remember to use the rating system to let Srinivas know if you have received an adequate response.

Srinivas might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 4, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

26 REPLIES
New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Hi Srini,

There is a need to upgrade the FWSM s/w image from ver 3.1(1) to 4.1. Currently, we've 2 security contexts apart from the admin security context on the module, and the module is in failover mode with both mods running the same 3.1(1) s/w image ver.

I'm aware that we can upgrade the mod software using a TFTP server. But there are 2 images, Application and Maintenance s/w. Now the questions are:

a). To upgrade the current s/w image of the module, should we use the App s/w or the Maint s/w?

b). Should the TFTP server be reachable from the admin security context or the other 2 security contexts? Because we only have the other 2 security contexts reachable to the TFTP server and not the admin context.

Thanks:)

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Hi There,

Good question by the way!

a) To upgrade the s/w image of the module, you need to be using the application software, not the maintenance software. Keep in mind, based on the Application software version, there is a baseline requirement for the Maintenance software version. If you are on the latest maintenance s/w version, no need to worry, it supports all images; if the maintenance software is at 2.x code, maybe you need to upgrade. However, since you started out with 3.x code, you should be ok.

b) Since the FWSM is configured for multiple context mode, to do the upgrades, you need to be in the system context, not in any of the other contexts. Copy the image to the flash from the tftp server and reboot to take effect.

Here is a good URL from cisco.com that goes over different ways to upgrade:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/upgrade/guide/fwsm31up.html#wp2090792

Hope this helps!

Thanks,

Srinivas. 

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Thanks for the reply, Srini, and sorry about being late.

As I mentioned, the TFTP server is not reachable from the system context but only from the other 2 contexts. In this case, I cannot ping from the system context to the TFTP server, right? Then how will I copy the image from TFTP to flash (of the 6500, right?)

kashi

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Hi There,

Sorry if I confused you, as we are talking about maintenance s/w and application s/w.

Let me restate it. To upgrade the maintenance s/w, you have to be in the system context *only*.

To upgrade the application software, you need to have connectivity from the admin context, which means you can tftp the image from the tftp server into the flash from the admin context, and reload to have the new image take effect.

Hope this clarifies things!

Srinivas.

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Hi Srini,

Yes, I want to upgrade the application image.

The admin context is not configured and therefore has no interfaces, unlike the other 2 security contexts. Because of this, obviously, a TFTP server cannot be reached from the admin context.

1) How do I make the admin context reachable to the TFTP server?

2) And one more thing - is the application upgrade from 3.1(1) to 4.0 supported on a 6509E that's running the 12.2(18)SXF7 IOS image, or is a 12.2(33) image required?

3) Does 4.0 support dynamic routing protocols (OSPF, EIGRP etc.) in multiple context mode?

Thanks:)

Kashi

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

kashi,

1) To make the admin context reachable to the tftp server, you need to configure it first, just like how you have to configure any other security context.

Here is a good document on this:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809bfce4.shtml#con

The admin context is just like any other context. Your goal is to download the image to the flash. You should be able to do this from any other context that's already configured as well, which has access to the tftp server.

2) You should be ok with 12.2(18)SXF to upgrade to FWSM 4.0. However, please note that some of the features, such as VSS, will not be available with this IOS version. You need to be on 12.2(33)SXI to take advantage of these features on FWSM 4.0.

3) FWSM 4.0 supports dynamic routing protocols in single context mode. FWSM 4.0 introduced support for EIGRP in single context mode. Support for dynamic routing protocols in multiple context mode is still not available.

Hope this helps!

Best regards,

Srinivas.

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Hi,

I have a pair of FWSM modules running in a failover configuration, with each FWSM hosted in a separate Catalyst 6509E chassis.

Traffic between the primary host chassis and the active FWSM is trunked on a point-to-point VLAN (/29), with OSPF routing between the host chassis and the FWSM.

I am encountering a problem where, if the primary chassis fails, although the FWSM modules successfully fail over from primary to secondary, I lose the routing for the point-to-point VLAN connecting the FWSM to the secondary chassis (routed on the primary chassis). Hence external connectivity to the FWSM module is lost.

I have tried using HSRP to redundantly route the point-to-point VLAN on both chassis but with no success - how can I get round this issue?

Thanks

Alan

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Alan,

This seems to be a design issue.

In this particular case, not just the FWSM, even the switch chassis should be configured in a sort of redundant mode. There should be no dependency on the Active Switch chassis when the Secondary/Standby Switch chassis takes over.

Please review the following document on cisco.com; it has good insights:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html#wp1142744

This is not a simple answer. If you require further assistance in terms of how to set up your network to allow for the same, please open a TAC case; the Account Team should be able to help you design this.

Thanks,

Srinivas.

Hall of Fame Super Blue

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

smallu wrote:

Alan,

This seems to be a design issue.

In this particular case, not just the FWSM, even the switch chassis should be configured in a sort of redundant mode. There should be no dependency on the Active Switch chassis when the Secondary/Standby Switch chassis takes over.

Please review the following document on cisco.com; it has good insights:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html#wp1142744

This is not a simple answer. If you require further assistance in terms of how to set up your network to allow for the same, please open a TAC case; the Account Team should be able to help you design this.

Thanks,

Srinivas.

Srinivas

Just a quick follow up to this. Is it still the case that in active/standby mode, if you are running a dynamic routing protocol between the MSFC and the FWSM, the standby FWSM does not establish a peering and hence does not build a routing table? So if the active FWSM fails, the standby has to establish a peering and build a routing table before it can begin forwarding traffic?

If this is the case, does Cisco have any plans to allow the standby firewall to build its own routing table while still in standby mode, so that when a failover occurs it can begin forwarding almost immediately?

Jon

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Jon,

Yes. This is correct. It is still the case. When the active FWSM fails, the standby has to establish a peering and build a routing table before it can begin forwarding traffic.

I do not know about any plans to allow the standby firewall to build its own routing table. I will have to consult the Development Team to get the latest on this. Let me get back with you on this.

Thanks,

Srinivas.

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Jon,

I got a confirmation from the development team that we do not have any plans to add this support on the FWSM at this time.

If this is a feature that your business needs and is very critical, I would recommend that you open a TAC case, and probably get a consultation from the account team on possible workarounds for your specific needs.

Hope this helps!

Thanks,

Srinivas.

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Hi Srinivas,

Why is there no packet tracer command on the FWSM? Is this something to do with the way the FWSM processes packets?

Are there any plans to implement it in the future?

Thanks

Sean

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Sean,

We do have packet capture functionality in the FWSM. Refer to the documentation below on this:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/troubl_f.html#wp1042806

However, there are some packet capture limitations, as outlined in the above document. I have to admit, the packet capture functionality in the FWSM is not like the ASA/PIX. The packet captures in the ASA/PIX are true captures of all the packets hitting the firewall.

In the FWSM, it works differently. Apart from the above limitations, the FWSM captures only packets that it actually processes. Which means a packet could be entering the FWSM module, and if for some reason the FWSM discards it, maybe because the buffer is full or whatnot, it'll not be captured by the packet trace. This is how it's been designed, and I don't foresee any plans to change this functionality at this time.

For extensive captures of all packets entering and leaving the FWSM, I would recommend ELAM captures on the switch ports.

Hope this helps!

Thanks,

Srinivas. 

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Thanks Srinivas for the info.

However, my query was about the packet-tracer command that is available on the PIX/ASAs, and not packet capture.

Packet tracer is handy for testing your ACLs.

Thanks

Sean

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Sean,

Sorry, I misunderstood your question. You are correct, we don't have the packet tracer functionality like in the PIX/ASA, as the FWSM is implemented entirely in hardware. I don't think we even have plans to implement this in the future, to date. If this functionality is critical to your business, you can open a TAC case and have them open an enhancement request with the BU. However, I must tell you, the changes involved are huge, and it's up to the BU to honor this request.

Hope this helps!

Thanks,

Srinivas.

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Thanks Srinivas

New Member

Software version question

Hi,

I want to upgrade a pair of FWSMs acting in an active-standby arrangement from v3.2 to v4.0. The 6513 chassis are running 12.2(33)SXH code, which I don't want to have to upgrade as well at this time. From what I can gather, 12.2(33)SXH will support the v4.0 code in the FWSM with the following limitations:

     1.  Route-Health injection (RHI) will not be supported (requires 12.2SXI)

     2.  VSS will not be supported (requires 12.2SXI)

     3.  Trusted Flow Acceleration (TFA) will not be supported (requires 12.2SXI)

Can someone please confirm this as correct and/or add any further limitations/caveats that they know of. 

Many thanks.

Cisco Employee

Re: Software version question

Hi,

I want to upgrade a pair of FWSMs acting in an active-standby arrangement from v3.2 to v4.0. The 6513 chassis are running 12.2(33)SXH code, which I don't want to have to upgrade as well at this time. From what I can gather, 12.2(33)SXH will support the v4.0 code in the FWSM with the following limitations:

     1.  Route-Health injection (RHI) will not be supported (requires 12.2SXI)

     2.  VSS will not be supported (requires 12.2SXI)

     3.  Trusted Flow Acceleration (TFA) will not be supported (requires 12.2SXI)

Can someone please confirm this as correct and/or add any further limitations/caveats that they know of. 

Many thanks.

You are correct on all the above.

I hope it helps.

PK

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Hi,

How can I get more throughput on the FWSM?

Today I know that the FWSM has 4G of throughput.

I know that we can use more than 1 module and we will improve the throughput on the chassis, but in this case I need to separate my traffic between those modules.

thanks

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Daniel,

If you are using more than 1 FWSM module on the CAT6K chassis, you can increase the throughput that many fold. Up to 4 FWSM modules are supported in the same chassis. So, the throughput of the combined modules will be 4 times that of a single module.

Are you looking for any stats and numbers? or need help with configuration?

Best regards,

Srinivas.

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Srinivas,

Here's a question that's been asked on our Facebook page. Could you please answer it? Thanks!

I have tried using HSRP to redundantly route the point-to-point VLAN on both chassis but with no success - how can I get round this issue?

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Hi Pratibha,

This is a question similar to the one that's been asked earlier on this thread. The real question is whether the standby FWSM will maintain a routing table of its own, as that's what's needed to be able to redundantly route the point-to-point VLAN.

This is not possible at this time.

Hope this helps!

Thanks,

Srinivas.

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Hi Srinivas,

I have a question regarding a TCP Out-Of-Order issue being observed when traffic egresses from the FWSM, which runs version 4.0(6). Will this actually impact TCP throughput performance? I have noticed that a lot of packets do not arrive in the correct order at the end point, and sometimes I see a number of DUPLICATE ACKs sent from the client to the server, where the client and server are both connected to the same FWSM and the same chassis but different contexts. I suspect the TCP Out-Of-Order issue has caused some of my applications to perform slower compared to before I migrated everything to the FWSM.

I have come to know that "no sysopt connection tcp sack-permitted" and "SYSOPT NP COMPLETION-UNIT" are able to resolve the issue I described above. Is this true? Can you help explain why these two commands can resolve it, and which one is better, or can I implement both to achieve the maximum result?

Thanks,

Ping

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Hi Ping,

This is correct. The commands you mentioned do help improve the throughput performance. Below is an explanation.

1) The FWSM does not support the Selective-ACK option (type 5). If the Selective-ACK option is enabled in a connection where sequence number randomization is enabled (the default), then you might see poor performance because the FWSM does not properly adjust the sequence numbers present inside the Selective-ACK option according to the randomized sequence. For example, the data sender unnecessarily retransmits segments that have been correctly received.

To prevent the receipt of packets with the Selective-ACK option, the no sysopt connection tcp sack-permitted command disables the Selective-ACK negotiation during the handshake by clearing the Selective-ACK-Permitted option. The FWSM will replace the Selective-ACK-Permitted option with a no operation (NOP) option, without changing the total length of the packet. Using the no form of this command prevents unnecessary retransmissions, and prevents you from having to disable Initial Sequence Number (ISN) randomization.

2) On the other hand, the sysopt np completion-unit command (global mode) ensures that packets are forwarded out in the same order they were received in the ingress queues of the NPs. Some things to know about this command:

When you enable this command in the admin context, it is enabled for the whole device. You cannot configure this command separately for each context.

Because of design constraints:

* This command only works for packets forwarded by the accelerated path. Packets that require inspection, for example, go through the session management path or the control path, and are not affected by this command.

* This command does not guarantee that the order of multicast packets is maintained in routed mode.

* This command does not guarantee the order of fragmented packets or packets to be fragmented by the FWSM because of its MTU.

Hope this helps!

Thanks,

Srinivas.
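As an added illustration, not part of the thread and not FWSM code, the Python model below walks through the two mechanisms in point 1 of the answer above: why an unadjusted Selective-ACK block combined with ISN randomization makes the sender retransmit data the receiver already holds, and how overwriting the SACK-Permitted option with NOP bytes in the handshake avoids the problem without changing the option block's length. The option encoding follows RFC 793 and RFC 2018; the SYN option bytes, the randomization offset and the segment boundaries are constructed for the example, and the firewall behaviour is a toy model of what the post describes, not a reproduction of the device's code path.

```python
"""Toy model of SACK vs. ISN randomization (constructed example, not FWSM code)."""

# TCP option kinds (RFC 793 / RFC 2018)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERMITTED, OPT_SACK = 0, 1, 2, 3, 4, 5
SEQ_MASK = 0xFFFFFFFF

# Constructed SYN option block: MSS 1460, SACK-Permitted, NOP, NOP, window scale 7, EOL
SYN_OPTIONS = bytes([2, 4, 0x05, 0xB4, 4, 2, 1, 1, 3, 3, 7, 0])


def parse_tcp_options(raw: bytes):
    """Return [(kind, payload)] from a TCP option block; EOL and NOP carry no payload.
    Raises ValueError on a truncated or zero-length option so callers never loop forever."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            opts.append((kind, b""))
            break
        if kind == OPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def clear_sack_permitted(raw: bytes) -> bytes:
    """Overwrite SACK-Permitted (kind 4, length 2) with two NOPs, keeping the block length.
    This is the handshake rewrite the post attributes to 'no sysopt connection tcp sack-permitted'."""
    parse_tcp_options(raw)          # validate first; guarantees every length field is >= 2
    out = bytearray(raw)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = out[i + 1]
        if kind == OPT_SACK_PERMITTED and length == 2:
            out[i] = out[i + 1] = OPT_NOP
        i += length
    return bytes(out)


def sack_negotiated(client_syn: bytes, server_synack: bytes) -> bool:
    """SACK is used on a connection only if both SYN and SYN-ACK carried SACK-Permitted."""
    kinds_c = {k for k, _ in parse_tcp_options(client_syn)}
    kinds_s = {k for k, _ in parse_tcp_options(server_synack)}
    return OPT_SACK_PERMITTED in kinds_c and OPT_SACK_PERMITTED in kinds_s


def rewrite_server_to_client(ack: int, sack_blocks, delta: int, adjust_sack: bool):
    """Model of ISN randomization on the server->client direction.
    The firewall added `delta` to the client's sequence numbers on the way in, so the
    cumulative ACK is shifted back by delta. SACK edges live in the same sequence space;
    adjust_sack=False models the behaviour the post describes (edges left untouched)."""
    ack_out = (ack - delta) & SEQ_MASK
    if adjust_sack:
        blocks = [((l - delta) & SEQ_MASK, (r - delta) & SEQ_MASK) for l, r in sack_blocks]
    else:
        blocks = list(sack_blocks)
    return ack_out, blocks


def client_must_retransmit(snd_una, snd_nxt, sack_blocks, seg_left, seg_right) -> bool:
    """During loss recovery the sender skips a segment only if a SACK block inside its own
    send window [snd_una, snd_nxt) covers it; blocks outside the window are ignored.
    Sequence wraparound is deliberately ignored in this toy model."""
    for left, right in sack_blocks:
        in_window = snd_una <= left < right <= snd_nxt
        if in_window and left <= seg_left and seg_right <= right:
            return False
    return True


def simulate_loss_recovery(adjust_sack: bool) -> bool:
    """Return True if the client retransmits data the server already holds.
    Constructed scenario: client sent [1000,2000) acked, [2000,3000) lost,
    [3000,4000) delivered; the server SACKs the delivered block."""
    delta = 0x1A2B3C4D              # made-up randomization offset for this flow
    snd_una, snd_nxt = 2000, 4000
    server_ack = (2000 + delta) & SEQ_MASK
    server_sack = [((3000 + delta) & SEQ_MASK, (4000 + delta) & SEQ_MASK)]
    ack, blocks = rewrite_server_to_client(server_ack, server_sack, delta, adjust_sack)
    assert ack == snd_una           # the cumulative ACK is always translated correctly
    return client_must_retransmit(snd_una, snd_nxt, blocks, 3000, 4000)


if __name__ == "__main__":
    print("SACK negotiated, SYN untouched :", sack_negotiated(SYN_OPTIONS, SYN_OPTIONS))
    print("SACK negotiated, SYN rewritten :", sack_negotiated(clear_sack_permitted(SYN_OPTIONS), SYN_OPTIONS))
    print("unadjusted SACK -> needless retransmit:", simulate_loss_recovery(adjust_sack=False))
    print("adjusted SACK   -> needless retransmit:", simulate_loss_recovery(adjust_sack=True))
```

Run as a script, the first simulation reports a needless retransmission because the SACK edges arrive in the randomized space and fall outside the client's send window, while the second (edges adjusted, as an ASA/PIX-style rewrite would do) does not; the option rewrite shows that once SACK-Permitted is gone from the SYN, the connection never carries type 5 options in the first place, which is why the post says you can keep ISN randomization on.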

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Srini,

I've got an interesting situation.

I have a single internet connection at this site, with 3 external subnet IPs advertised out via BGP. Let's call those subnets 1.0.0.0/24, 2.0.0.0/24, and 3.0.0.0/24.

The edge router has an interface 1.0.0.1, and a static route for 2.0.0.0/24 and 3.0.0.0/24 pointing to 1.0.0.2 (an interface on the FWSM). The FWSM has a default route to 1.0.0.1 (which is vlan101).

I've set up the interfaces 2.0.0.1 (vlan201) and 3.0.0.1 (vlan301) on the FWSM, and put static translations in each pointing to an internal subnet 10.10.10.0/24 (vlan1010):

static (vlan1010,vlan201) 2.0.0.10 10.10.10.10 netmask 255.255.255.255

If I have a system in vlan201 (example, 2.0.0.20), it can connect to the 2.0.0.10 static translation and reach the host fine. If I try to connect to 2.0.0.10 from the internet, I do not succeed. From the internet, I can connect to 2.0.0.20 with no problem. I have checked all the ACLs and see the permit entries incrementing appropriately, proving that the packet makes it to vlan201.

Is there a reason the FWSM will not pass the packet from the internet through the translation, but will do so for the host directly within vlan201?

This is probably semi-confusing due to the obfuscation of IPs, but I hope you get the point.

Quick Reference:

vlan101 - 1.0.0.0/24 (external)

vlan201 - 2.0.0.0/24 (external)

vlan301 - 3.0.0.0/24 (external)

vlan1010 - 10.10.10.0/24 (internal)

Thanks!

New Member

Re: ASK THE EXPERTS - FIREWALL SERVICES MODULE

Tim,

The FWSM does not treat traffic originating from the internet any differently than traffic originating from the external VLAN, in this case Vlan201. From what you are saying, you have already verified that the packets originating from the internet are hitting Vlan201 and also hitting the FWSM external interface, where the static translation is configured. This is important.

Having verified the above, here are some things that can go wrong from my experience, given the fact that you are not able to ping:

* Does the internal host know how to route packets back to the FWSM internal interface when the source is an address on the internet?

* Have you checked all the routing to make sure it's properly configured?

* Have you run icmp debugs on the host on the inside, to see if the packets are making it there?

* The inbuilt packet capture functionality of the FWSM helps in this case, to find out if the FWSM is actually processing the packet. Filter it on ICMP to see where the packet is getting dropped.

We need more troubleshooting to determine what could be going wrong. The above steps will give you something to run with.

Hope this helps!

Thanks,

Srinivas. 
