I encountered a problem concerning our FWSM. It's configured as a multiple-context routed firewall. There is a context A inside (security level 95), a context B inside (not yet configured) and an admin context. The next hop outside is our 6500, and behind that is my PC "Out". After doing all the configuration work, I tried to ping a PC "A" in context A from outside, but that didn't work, although all routes and ACLs were set correctly. After some time, I tried to ping the PC "Out" on the outside interface from that PC "A" in context A, which worked perfectly. After that, I was able to ping from PC "Out" to PC "A". So there is a strange lock-up of the FWSM when no connections are made or when you initially configure your FWSM. You first have to make a connection from inside to the outside, and from THEN ON you can connect from the outside to the inside. This behaviour is reproducible, especially when there is no traffic happening (e.g. over night). The next morning, that strange self-locking happened again: I first had to make a connection (doesn't matter if ping, ssh, etc.) from the inside PC "A" to somewhere on the outside in order to make a connection from the outside to the inside.
Can anyone explain that behaviour or confirm its existence?
I have not seen the conditions you are experiencing. It sounds like an xlate issue. We've seen cases where new rules do not work until we clear xlate and clear conn. This is a known and understandable condition.
Also, look at your xlate timer. Ours is set to 3 hours, and yours may be longer. The command is: timeout xlate 3:00:00.
As a possible second issue, your routing may be responsible. Once you make a connection to the outside, you may create a dynamic route (it would depend upon your internal routing protocol). Traffic begins to flow, and as long as it continues, the route remains. Once the route times out, you have to repeat the process. As you are using the FWSM in multiple contexts, you cannot use it in routed mode. All your routes through the FWSM must be statically assigned.
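To make the xlate hypothesis in the answer above concrete, here is an added, simplified model of a dynamic translation table (not FWSM code, and not part of the original thread): an inside-initiated connection creates an entry with an idle timer, inbound traffic is only accepted while a matching entry exists, and an idle entry expires after the configured timeout. The host names, timestamps and the 3:00:00 idle timeout are assumed for illustration; static translations, which would be reachable from outside without prior inside traffic, are deliberately left out of the model.

```python
from typing import Dict, List, Tuple


def parse_timeout(spec: str) -> int:
    """Parse an 'h:mm:ss' timeout such as the answer's '3:00:00' into seconds."""
    hours, minutes, seconds = (int(part) for part in spec.split(":"))
    return hours * 3600 + minutes * 60 + seconds


class XlateTable:
    """Simplified dynamic-xlate model: inside host -> last time it was seen."""

    def __init__(self, idle_timeout: int) -> None:
        self.idle_timeout = idle_timeout
        self.entries: Dict[str, int] = {}

    def _expire(self, now: int) -> None:
        # Drop entries that have been idle for at least the configured timeout.
        self.entries = {host: seen for host, seen in self.entries.items()
                        if now - seen < self.idle_timeout}

    def outbound(self, inside_host: str, now: int) -> bool:
        """Inside -> outside traffic always creates or refreshes an entry."""
        self._expire(now)
        self.entries[inside_host] = now
        return True

    def inbound(self, inside_host: str, now: int) -> bool:
        """Outside -> inside traffic is accepted only while an entry exists."""
        self._expire(now)
        if inside_host not in self.entries:
            return False
        self.entries[inside_host] = now
        return True

    def clear(self) -> None:
        """Equivalent of 'clear xlate' in this model: forget every entry."""
        self.entries.clear()


def reproduce_overnight(timeout_spec: str = "3:00:00") -> List[Tuple[str, bool]]:
    """Replay the symptom from the question against the model (constructed timeline)."""
    table = XlateTable(parse_timeout(timeout_spec))
    overnight = 16 * 3600  # assumed idle gap between evening and next morning
    return [
        ("outside->A before any inside traffic", table.inbound("A", 0)),
        ("A->outside creates the xlate", table.outbound("A", 60)),
        ("outside->A now succeeds", table.inbound("A", 120)),
        ("outside->A next morning, entry expired", table.inbound("A", 120 + overnight)),
    ]
```

The last step fails for the same reason as the first: the idle timer elapsed overnight, so the next inside-to-outside connection is again what unlocks inbound reachability.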