I am monitoring a number of contexts which are hosted in the same FWSM via Solarwinds Orion. These contexts have an interface on the same VLAN to enable routing between them, and other traffic across the network. All these interfaces are showing a high level of "RECEIVE DISCARDS" on the Orion console.
What appears to be happening is that each context is receiving *ALL* traffic for the VLAN, and then discarding inappropriate packets. This seems to be confirmed by running a capture on the interface.
Is this normal behaviour, or has something been configured incorrectly?
"Each packet that enters the FWSM must be classified, so that the FWSM can determine to which context to send a packet. The FWSM uses only one global MAC address across all interfaces. A single MAC address is usually not a problem unless multiple contexts want to share an interface. A router cannot direct packets to IP addresses on the same network if all IP addresses resolve to the same MAC address. Moreover, the bridging table of the switch would constantly change as the MAC address moves from one interface to another. The purpose of the security context classifier is to resolve this situation."
From what I read, this sounds like your problem (and I've dealt with it before in the past). If you read through this and determine it isn't your problem, please clarify further with a diagram so we can assist.
Basically, if you have several contexts that each have a L3 interface in VLAN 10 (for example), then at layer 2 the switch sees every one of those interfaces having the same exact MAC address. This obviously causes confusion, and the errors you'll see.
You need to help the FWSM know which interface is supposed to receive those packets by defining static mappings to each destination address behind this FWSM context. The document does a decent job of explaining how this works.
I found, personally, that I had to re-architect the way I was doing things as this is a VERY messy solution to the problem at hand. You need to basically create a mapping for every destination IP to force it through a certain context over another. Not fun, and not very sustainable from an administrative standpoint.
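To make the classifier behaviour described above concrete, here is an added example (not from this thread or from Cisco) that models the rule in a simplified way: a packet arriving on a VLAN owned by a single context is classified by VLAN, while a packet arriving on a VLAN shared by several contexts can only be classified by matching its destination address against a static mapping, and is discarded otherwise. The context names, VLAN numbers and mapped networks are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed topology: ctxA and ctxB share VLAN 10, ctxC is alone on VLAN 30.
CONTEXT_VLANS: Dict[str, List[int]] = {
    "ctxA": [10, 20],
    "ctxB": [10, 21],
    "ctxC": [30],
}

# Hypothetical static mappings: destination networks the classifier can
# attribute to a context when the ingress VLAN is shared.
STATIC_MAPPINGS: Dict[str, List[str]] = {
    "ctxA": ["192.168.20.0/24"],
    "ctxB": ["192.168.21.0/24"],
}


def classify(vlan: int, dst_ip: str) -> Optional[str]:
    """Return the context that receives a packet arriving on `vlan` for
    `dst_ip`, or None when the classifier has no match (a receive discard)."""
    candidates = [c for c, vlans in CONTEXT_VLANS.items() if vlan in vlans]
    if not candidates:
        return None                 # VLAN not allocated to any context
    if len(candidates) == 1:
        return candidates[0]        # unique ingress VLAN: classify by VLAN
    dst = ip_address(dst_ip)        # shared VLAN: only the destination helps
    for ctx in candidates:
        if any(dst in ip_network(net) for net in STATIC_MAPPINGS.get(ctx, [])):
            return ctx
    return None                     # no static mapping covers it: discarded


def tally(packets: List[Tuple[int, str]]) -> Dict[str, int]:
    """Count delivered packets per context plus discards for (vlan, dst) pairs."""
    counts: Dict[str, int] = {"discarded": 0}
    for vlan, dst in packets:
        ctx = classify(vlan, dst)
        key = ctx if ctx is not None else "discarded"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic seen on the shared VLAN and on VLAN 30.
    sample = [(10, "192.168.20.5"), (10, "192.168.21.9"),
              (10, "192.168.99.1"), (30, "10.0.0.1"), (40, "10.0.0.2")]
    print(tally(sample))
```

Every packet on the shared VLAN whose destination is not covered by a mapping lands in the "discarded" bucket, which is the behaviour behind the Orion receive-discard counters the question describes.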
This isn't quite what I am seeing; I'll try and give a synopsis of the situation.
I have multiple contexts with an interface on the same VLAN. If I run a capture on this interface on one context, I can see traffic destined for another. If I check the classification table on the FWSM system using "sh np 3 static" I can see the correct context as the destination.
i.e. traffic that is classified for context A can be seen on a capture for context B.
I suspect that the capture, whilst configured on an individual context, is actually running on the system, and therefore seeing all traffic for the VLAN, and that Solarwinds is getting its statistics from the system too. However, I cannot find any documentation to confirm this.