Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

FWSM 3.2(4), who's running what version survey

I am intersted who's running what version of FWSM to get a better picture as to what version people are using and especially if somebody is using 3.2(4).

I plan to upgrade to 3.2(4) in a few days.

Today we are running:

FWSM 3.1(1) (Active/Standby interchassis)

ASDM 5.2(3)F

New Member

Re: FWSM 3.2(4), who's running what version survey

We recently implemented several FWSMs, we started one pair on 3.2.3 and have ran into serious throughput issues. TAC believes we are hitting bug from CSCsl10667. The recent release of 3.2.4 was supposed to fix this but after an upgrade last night we are still having problems. This bug was first discovered in 3.2.2

Our second pair is running 2.3.5 because of the older IOS that we run. We have no throughput problems and few problems.

I do not know your reasoning for upgrading but in our case, I have seriously thought about downgrading from 3.2 and may still if we are unable to resolve our problems.

Just a word of caution.


New Member

Re: FWSM 3.2(4), who's running what version survey

Hi Tony

Thank you very much. In another post I was being made aware of the fact that the tcp-out-of-order bug is still not in the 3.2.4.

Does the performance generally degrade or is it only when you have a certain level of traffic. Or only a certain kind of traffic.

One thing that bothers me is that the bug CSCsl10667 is in the buglist as fixed but the software is not released and I havent' read anything about it in the release notes not open nor resolved caveat.

I wanted to upgrade to circumvent the possibilty of the ace corruption and the https vulnerabilty and also because I want to profit from the new asdm and udp/tcp object groups etc.

Maybe I upgrade from 3.1(1) to 3.1(8).



New Member

Re: FWSM 3.2(4), who's running what version survey

We are still running 2.3.5 on our FWSM. What things should i consider before upgrading to 3.1.8 or 3.2.4? Does the IOS of the host 6509 chassis have to be a certain version? Does the hardware rev of the module have to be a minimum level?

New Member

Re: FWSM 3.2(4), who's running what version survey

As far as I know the hardware is always the same. So no hardware revision changes or requirements.

IOS must be at a certain level, the requirements are the same for 3.1(x) and 3.2(x):

12.2(18)SXF and higher, Sup 720, 32

12.2(18)SXF2 and higher, Sup 2, 720, 32

As for 3.1.8 or 3.2.4 my few cents are so far:

Safe Harbor release not yet for 3.2(x) but for 3.1(4). But then you should run 3.1(8) and in between there were new bugs introduced and some were solved.

If you look at the open caveats you'll find a lot more in 3.1(8) than in 3.2(4) and some are disturbing me:

CSCsk01370, CSCsk12223,CSCsk80400,CSCsl47376,CSCsl33529,CSCsl10122,CSCsl49746

But again I don't fully understand the all the problems but in 3.2(x) I did not mark that many as problematic.

Most of my wished for features are in 3.1(x), 3.2.(x) adds some nice things like:

MS-RPC, Waas interop, aaa state replication, transparent fw nat support, nat bypass does not create sessions, connection timeouts for non-tcp traffic on a per-flow basis, bgp stub support. But none of the features of 3.2(x) are a must for us.

I found out that there is a problem with 3.2(x) and a few tcp-out-of order bugs which causes major performance issues but I don't really understand the problem or know when it affects a system (all the time or only under special circumstances) and it is fixed but not in 3.2(4) which is released. But you only get that information through the people here in the forum or if you open up a case.

Also nice is that I can use the new ASDM 5.2(3)F with FWSM 3.1(x) and that is a much improved management interface than 5.0(3)F.

Since I run 3.1(1) and according to the documentation I cannot do a zero downtime upgrade from 3.1(1) to anywhere and since we need to upgrade because of certain vulnerabilites I am still unsure and checking if I should go all the way up to 3.2(4) and risk being hit by the tcp-out-of-order bug or wait for 3.2(5). I have not made my mind up yet but I favor 3.2(4).

That's why I wanted to know what people are running and what are there experiences, and maybe ask for help later.

It would be nice to hear what you are going to implement. Also it would be nice to hear how many contexts you're running and how heavy the FWSM is used ressource wise.