
Access-rules actives but not working

Hi all:

We are facing a problem with our FWSM. There are some rules that are configured (and enabled) that do not seem to be working properly.

Yesterday, I received complaints from users that they can't reach servers on port 1521. I confirmed that the rule that allows that traffic is correct and enabled, so I launched 2 captures, one on the input interface (I can see the traffic) and another on the output interface (no traffic there). I was very surprised.

The next step was to enable logging on the policy (through ASDM). One minute after that the customer told me the issue was fixed and asked me what I had done. I didn't do anything!! I only enabled logging on the policy!

The customer and I are worried about this; this is the second time it has happened and I don't have a logical explanation for the FWSM behaviour. The version is 4.0(7) and ASDM is 6.1(5)F.

Does someone have an idea about what's going on?

Thanks a lot,

Francisco


9 REPLIES
Cisco Employee

Re: Access-rules actives but not working

I am just as surprised as you are.

You are saying that adding the "log" keyword at the end makes the acl work, but before that all packets were dropped by the firewall and were not egressing.

Do you do manual commit or auto commit for ACLs? Was this ACL always there and working, or did it never work?

-KS

Re: Access-rules actives but not working

Yes KS, the 2 times it happened it was fixed by enabling the log on the policy, only with that. It seems as if the ACL is in an inactive status until you make a change to it, very strange. Once I enabled the log, I could see the packets on the output interface with the capture.

Both access-lists already had hits before this issue.

The commit is manual; every time I make any change on the FWSM I press the Apply button in ASDM.

Cisco Employee

Re: Access-rules actives but not working

Re: Access-rules actives but not working

Many thanks for the link KS!!!! I think it could be the problem, very grateful.

Re: Access-rules actives but not working

One question. I want to disable the optimization on the FWSM but I don't know if it will affect all the access-lists configured so far, because I've read that with optimization enabled the fw keeps an optimized copy of every access-list. Will that copy be erased when I disable the optimization? Will the access-lists become inactive if it's disabled?

If I uncheck the optimization checkbox, the appliance suggests to me that there is a backup of the optimized access-lists; how can I do it? It seems it can only be copied to the running config, not to a TFTP/FTP server.

Thanks

Cisco Employee

Re: Access-rules actives but not working

No, no. The optimized acl takes less space, so if by disabling that the space taken by your acl grows and your partition runs out of space, you will be in trouble. So, just issue a sh tech and save the output to a text file.

sh access-l | i elements

Make sure you do not have a huge number of elements.

sh np 3 acl count ---> is another good command

Once done you can disable acl optimization.

-KS
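As an added illustration of the check KS describes (not code from the thread or from Cisco), the script below parses the "access-list <name>; <N> elements" header lines that `show access-list | include elements` prints, totals them, and compares the total against a limit you supply. The sample output, the ACL names and the limit value are constructed for the example; take the real ACE limit for your mode (single or multiple context) from the FWSM specs document linked in the thread.

```python
import re
from typing import Dict, Optional

# Constructed sample of `show access-list | include elements` output; the
# header format "access-list <name>; <N> elements" is assumed to match the
# FWSM/ASA output, and the names and counts are made up for this example.
SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list inside_access_in; 17000 elements
access-list outside_access_in; 4200 elements
access-list dmz_access_in; 35 elements
"""

# Only the per-ACL header lines carry a "; <N> elements" field.
HEADER_RE = re.compile(r"^access-list\s+(?P<name>\S+);\s+(?P<count>\d+)\s+elements")


def parse_element_counts(output: str) -> Dict[str, int]:
    """Return {acl_name: element_count} for every ACL header line found."""
    counts: Dict[str, int] = {}
    for line in output.splitlines():
        match = HEADER_RE.match(line.strip())
        if match:
            counts[match.group("name")] = int(match.group("count"))
    return counts


def check_against_limit(counts: Dict[str, int], limit: int) -> dict:
    """Summarise the element counts against a platform ACE limit.

    `limit` is supplied by the caller (assumed value); the real number depends
    on the FWSM mode and must come from the specs document, not from here.
    """
    total = sum(counts.values())
    largest: Optional[str] = max(counts, key=counts.get) if counts else None
    return {
        "total": total,
        "largest_acl": largest,
        "within_limit": total <= limit,
        "headroom": limit - total,
    }


if __name__ == "__main__":
    acls = parse_element_counts(SAMPLE_OUTPUT)
    # 50000 is a placeholder limit for the demonstration, not a Cisco figure.
    print(acls, check_against_limit(acls, limit=50000))
```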

Re: Access-rules actives but not working

The highest number of elements I have is 17000, is that figure high?

I did the show tech (I don't understand the output of the sh np 3 acl count <0-11>) and I don't know why after the show tech I can disable the optimization. Do I have to do a copy optimized-running-config running-config before disabling it?

Thanks

Cisco Employee

Re: Access-rules actives but not working

That is correct. sh tech is just for backup.

Your acl count is not high at all.

You can disable optimization now.

You can check the limitation here, for both single and multiple context: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/specs_f.html#wp1067359

-KS

Re: Access-rules actives but not working

Many thanks again for your help KS
