Community Member

Packet loss on FWSM v3.1(5)

Hi,

I have implemented multiple virtual contexts on an FWSM. I have a network for FW context mgmt connected to a VRF which then connects to another FW context providing connectivity to the rest of the network. The configuration is detailed as follows (without real names/IP addresses for customer confidentiality):-

- FW context FW1 connected to FW_mgmt subnet (10.1.1.0/24)

- FW context FW2 connected to FW_mgmt subnet (10.1.1.0/24)

- FW context FW3 connected to FW_mgmt subnet (10.1.1.0/24)

- FW_mgmt subnet connected to VRF1

- VRF1 connected to FW context FW4

- FW4 Vlan 1 (outside) interface connected to a VRF (VRF2) providing connectivity to the rest of the network

- FW4 Vlan 2 (inside) interface connected to Mgmt subnet (10.1.2.0/24)

- FW4 Vlan 3 (FW_Mgmt) interface connected to VRF1

If I establish an SSH session from a PC on the Mgmt network (10.1.2.0/24) to any of the FW contexts in the FW_mgmt network (10.1.1.0/24), the session establishes and I can log into all the contexts.

Beyond the outside interface of FW4 there is a syslog server and a radius server.

I configured FW1, FW2 and FW3 to use their interfaces on the FW_mgmt network for syslog and radius authentication.

I do not receive any syslog messages or radius authentication requests from FW1, FW2 or FW3.

After setting up a capture on the FW4 interface connected to VRF1 (Vlan3) I do not see any syslog or radius packets being received.

I am currently running FWSM version 3.1(5).

Has anyone experienced such a problem? If so, any advice as to what the solution could be would be greatly appreciated.

13 REPLIES

Re: Packet loss on FWSM v3.1(5)

You are using a shared interface. That is the problem.

Read about the packet classifier:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/contxt_f.html#wp1124172
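As an added example (not from the thread or from Cisco), here is a small Python model of the classification rule the linked document describes for FWSM 3.1 multiple-context mode: a VLAN owned by one context needs no lookup, a shared VLAN is classified by matching the destination IP against each owning context's static/global NAT addresses, and an unmatched packet is dropped. Context and VLAN names follow the thread; the addresses and per-context NAT entries are constructed, and the model ignores the FWSM's connection table, so it is only a configuration-level check.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: FW1-FW3 all sit on the shared FW_mgmt VLAN (Vlan4)
# plus one unique VLAN each. The NAT lists stand in for the static/global
# addresses the FWSM 3.1 classifier consults on a shared interface.
CONTEXTS = {
    "FW1": {"vlans": {"Vlan4", "Vlan11"}, "nat": ["10.1.1.11/32"]},
    "FW2": {"vlans": {"Vlan4", "Vlan12"}, "nat": ["10.1.1.12/32"]},
    "FW3": {"vlans": {"Vlan4", "Vlan13"}, "nat": []},  # nothing published on Vlan4
}


def classify(ingress_vlan, dst_ip, contexts=CONTEXTS):
    """Return the context that receives the packet, or None if it is dropped."""
    owners = [n for n, c in contexts.items() if ingress_vlan in c["vlans"]]
    if len(owners) == 1:
        return owners[0]              # unique interface: no ambiguity
    dst = ip_address(dst_ip)
    for name in owners:               # shared interface: NAT-based lookup
        for net in contexts[name]["nat"]:
            if dst in ip_network(net):
                return name
    return None                       # shared and unmatched: silently dropped


def audit_shared_vlans(contexts=CONTEXTS):
    """List (vlan, context) pairs where a context shares a VLAN but publishes
    no static/global address on it, so replies to it (e.g. a RADIUS
    Access-Accept) cannot be classified and never reach the context."""
    findings = []
    vlans = {v for c in contexts.values() for v in c["vlans"]}
    for vlan in sorted(vlans):
        owners = [n for n, c in contexts.items() if vlan in c["vlans"]]
        if len(owners) < 2:
            continue
        for name in owners:
            if not contexts[name]["nat"]:
                findings.append((vlan, name))
    return findings


if __name__ == "__main__":
    print(classify("Vlan4", "10.1.1.11"))   # FW1
    print(classify("Vlan4", "10.1.1.13"))   # None: dropped on the shared VLAN
    print(audit_shared_vlans())             # [('Vlan4', 'FW3')]
```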

Community Member

Re: Packet loss on FWSM v3.1(5)

Hi,

Yes, I know the FW contexts share the same network interface. However, surely the destination MAC address is always going to be that of the VRF and not another FW.

Also, how can this work OK for SSH but not for RADIUS and SYSLOG?

Re: Packet loss on FWSM v3.1(5)

Could you show the diagram?

Community Member

Re: Packet loss on FWSM v3.1(5)

Hi,

Please find attached a diagram depicting the configuration and the problem.

Please note, when I set up a capture on FW4, I see no syslog, RADIUS or SNMP packets inbound from FW1, FW2 or FW3 to the servers in the Network Mgmt network.

I hope this helps explain the issue further.

I understand the problem with the classifier; however, in this case I would expect all Syslog/RADIUS/SNMP packets (from FW1/FW2/FW3) to have the destination IP addresses of the servers in the Network Mgmt network, and the destination MAC address should be the MAC address of VRF1.

Re: Packet loss on FWSM v3.1(5)

Could you also show the configuration of FW4?

Community Member

Re: Packet loss on FWSM v3.1(5)

Here is the config of FW4. I have had to go through it and remove all customer-specific data. So, please use it in correspondence with the diagram I sent before.

Re: Packet loss on FWSM v3.1(5)

Could you try to remove this line:

static (VLAN3,VLAN2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

Community Member

Re: Packet loss on FWSM v3.1(5)

If I remove that static entry then I will no longer be able to access the FWs on their mgmt interfaces. At the moment I am managing them using SSH.

Re: Packet loss on FWSM v3.1(5)

Why do you think so?

vlan3 - sec level 60

vlan2 - sec level 100

and you have

static (vlan3,vlan2) ...

Community Member

Re: Packet loss on FWSM v3.1(5)

Apologies... I got a little confused, as I have to translate the info I gave you to the actual config I have on the device.

I have removed that static and nothing has changed.

Re: Packet loss on FWSM v3.1(5)

deb icmp trace

and try to ping VRF1 from the RADIUS/Syslog/SNMP server.

Do you see any logs?

Try to do an extended ping from VRF1 to the RADIUS/Syslog/SNMP server with source interface 10.1.1.X.

Community Member

Re: Packet loss on FWSM v3.1(5)

Hi,

Sorry about the delay in responding.

I have been able to get RADIUS, SYSLOG and SNMP to work now. The strange thing is there are no packets seen in the captures I set up on the Vlan1 and Vlan3 interfaces of FW4. I have removed the nat-control line on FW4 as well, so the statics are taken out of the equation.

Everything is working well apart from the switch that is hosting the FWSM and the VRF.

As you can see in the original diagram I sent at the start of this conversation, VRF1 is connected to the FW_Mgmt subnet (Vlan4) as well as Vlan3.

I have configured the Switch to use the source-interface of Vlan4 for syslog, NTP, RADIUS and SNMP. None of these work, even though syslog, RADIUS and SNMP work for all the other devices in Vlan4.

If I set up a capture on FW4 interfaces Vlan1 and Vlan3, I see no Syslog, NTP, RADIUS or SNMP from the switch (source-interface Vlan4) to Network_Mgmt network.

If I set up a new Vlan interface (Vlan5) and attach it directly to FW4 (while leaving it on the global routing table instead of attaching it to VRF1), I can see syslog packets being received on the Syslog server with the switch's Vlan4 IP address. However, I see no NTP, SNMP or RADIUS packets. The strange thing is that on the FW4 capture, it shows the source address of the syslog packets as the Vlan4 IP address of the switch (which is correct); however, it shows these packets as being received on Vlan5 for some reason!

If I shut down Vlan5 either on FW4 or on the Switch, no syslog packets are received at all.

It seems the syslog, NTP, RADIUS and SNMP packets are being dropped or even not being transmitted unless there is an interface configured on the switch which is attached to the MSFC and not a VRF.

I hope I have explained the situation as clearly as possible.

Community Member

Re: Packet loss on FWSM v3.1(5)

Please find attached the config of FW4.

There are two 6513s each with an FWSM and ACE.

I have set up Vlan5 on both of these switches with the configuration below.

Switch 1:-

interface Vlan5
 ip address 192.168.1.51 255.255.255.248
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.49
ip route VRF1
ip radius source-interface vlan4
logging source-interface vlan4
snmp-server trap-source Vlan4
ntp source vlan4

Switch 2:-

interface Vlan5
 ip address 192.168.1.52 255.255.255.248
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.49
ip route VRF1
ip radius source-interface vlan4
logging source-interface vlan4
snmp-server trap-source Vlan4
ntp source vlan4
