Cisco Support Community

New Member

fwsm and how to bypass its session inspections without causing them to drop

Hi all!

I have a question about FWSM and how to bypass its session inspections without causing them to drop.

Scenario:

Due to the connection-capacity limitations of our FWSMs, we have made a temporary solution utilizing a few FWSMs and sharing the load between them using PBR [tested on Cat6x in hardware].

It's not pretty, but it would let us get through the winter.

My question here is for the firewall guys:

If I'm load balancing between the firewalls and would like to make an adjustment to the traffic and move a certain range in the PBR from FW1 to FW2,

regularly the connections would be torn down and would need to be re-established. This means downtime.

I would like to find any way I can cause FW2 to allow the "moved" connections to pass and continue on FW2.

If it involves disabling a feature for x period of time and then re-enabling it, OK; anything is good.

Thanks

1 REPLY
Cisco Employee


Hi,

TCP state bypass would take care of TCP during the transition; datagram-based protocols (except the ones going through inspection engines) should take care of themselves (provided they are allowed by ACL).

If the two FWSMs are in failover (A/A scenario) check out ASR groups.

Marcin

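The reply above names the feature but not how it is scoped. Below is an added configuration example (not from the thread or from Cisco) showing how TCP state bypass would be applied on FW2 only to the address range being moved, using the modular policy framework syntax shared by ASA and FWSM. The interface names, the policy and class names, and the range 10.20.0.0/16 are assumptions for illustration; the exact FWSM release that supports `set connection advanced-options tcp-state-bypass` should be confirmed in your release notes before relying on it.

```cisco
! Constructed example, not from the original thread.
! Assumed: range being moved from FW1 to FW2 is 10.20.0.0/16,
! FW2's inside interface is named "inside", policy/class names are made up.

! 1. Match only the moved range, in both directions, so the bypass
!    does not weaken TCP checking for everything else on FW2.
access-list MOVED-RANGE extended permit tcp 10.20.0.0 255.255.0.0 any
access-list MOVED-RANGE extended permit tcp any 10.20.0.0 255.255.0.0
class-map MOVED-RANGE
 match access-list MOVED-RANGE

! 2. Turn off TCP state checking for that class only. Mid-stream
!    segments (no SYN seen by FW2) are then forwarded instead of dropped.
policy-map INSIDE-POLICY
 class MOVED-RANGE
  set connection advanced-options tcp-state-bypass
service-policy INSIDE-POLICY interface inside

! 3. Now re-point the PBR entry for 10.20.0.0/16 at FW2.
!    Interface ACLs on FW2 must still permit the traffic; because no
!    state is tracked for bypassed flows, permit the return direction too.

! 4. Once the old sessions have drained, remove the bypass so full TCP
!    state checking, normalization and inspection are restored.
policy-map INSIDE-POLICY
 no class MOVED-RANGE
no class-map MOVED-RANGE
clear configure access-list MOVED-RANGE
```

The point of the narrow class-map is that TCP state bypass also disables TCP normalization, sequence-number randomization and application inspection for whatever it matches, so it should be applied to the migrating range only and removed as soon as the move is complete; `show conn` lets you confirm that flows for the range are being built on FW2 during the window (on ASA these carry the `b` flag).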