i have been facing strange issue on FWSM (6509 switch). we have created a vlan inteface for server farm on fwsm and its stop responding automatically and we need to give shut/ no shut command under that interface to back into normal .
View 11 RepliesWe have 6509 VSS with FWSM Module and we have created two context on it, one is INTERNALL CONTEXT othe is EXTERNALL Context? We have spanned various VLANS in switches and FWSM context level. All VLAN Gateways are configured in context level.
Activity description : We had planned migration of these devices into a new Datacenter, it was a planned activity. During migration of devices from one Dc to a new DC we broke the VSS and kept the primary running and removed the secondary switch and migrated this secondary to new DC and powered this device ON in the new DC and checked all the config was very much fine but this device was OFF network as secondary was brought to new DC just to limit the downtime during the primary switch movement.
During the activity ( Primary switch movement )We powered off the Primary switch and mean time before shifting into new Data center We had brought up secondary switch which was already existing in the DC was put live in the network and it was working fine without any issues.
Later we had moved Primary into new data center and tried to put into VSS with the secondary , during this period the secondary device into went into RECOVERY MODE and primary device was not responding and devices went off network and immediatly we removed the VSL link and brought up primary into production network without secondary online in the network ( Without VSS just stand alone switch ) network started working, but bringing up the primary we found that some of the VLANS in the FWSM was deleted and some VLAN had misconfiguration ( example : say original VLAN ip 10.200.112.1 has become 10.300.13.1 ) also some of the access list as well as SVI was deleted making configuration mismatch.
Wanted to know while syncronization b/n primary and secondary switch in VSS if we pull out VSL link would create this type of issues.
I have attached a pdf of an example of a FWSM configuration with shared interfaces. Now what I dont get is (please refer to the link) url...Is there any difference between the natting that they have done on page B-4 on Context A.as opposed to configuring a static NAT for processing traffic to correct context nat(inside,outside) 209.165.201.0 10.1.2.0.The other question is on page B-2 (diagram) Context A has a customer A network linked to the inside interface. Is it possible to put a default route towards that "Network 2" cloud and restrict traffic from the 6509 switch towards the context A?
View 5 Replies View RelatedI have problem with traffic coming from GRE interface and going further through FWSM on the same 6509-E chassis.It's very interesting and confusing. If packets are fragmented, I can go through, however, if I use normal packets (usual ping for example) traffic goes from outside to inside and stops on it's way back.
Here is the detailed info:
WS-C6509-E with WS-SUP720-3B
FWSM HW 4.0, SW 4.1(4)
GRE is done in hardware (source is loopback interface - only one loopback per GRE tunnel).
Is it possible for me to create 2 vlan interfaces on the 6500 and have them both in the same subnet?
For a specific customer requirement I would like to have a vlan interface on the 6500 as default gateway, sat in it's own vrf, and then route all traffic inbound and outbound to this vlan through the FWSM interface, preferably in the same subnet. I don't think this will be possible so just looking for confirmation either way.
As I will be running EIGRP between a pair of central 6500's and 2 remote offices it will make things much easier for me advertise the connected FWSM interfaces in to EIGRP for access in/out of all my VRF'd subnets. If I need another subnet for each VRF FWSM next hop then I'll have to reditribute a list of statics which I don't really want to do.
The reason I am not just using the FWSM as gateway is because I need to run HSRP across 3 different devices (another 6500 in a second suite), and failover FWSM will only give me 1 level of redundancy for those gateways.
our FWSM (in 6509) is not coming up, when tried to sesssion up using "Session slot 1 proc 1" command,It is giving error , "Tyring 127.0.0.11 .....connection timed out remote host not responding".
In "show mod" command output at Switch in IOS console: under Card Type Section: it is showing Model & Serial Number correctly, Under MAC address sectino: displaying some MAC address But in Online Diag Status, it showing "Unknown" for Module 1.
We tried re-seating in other slots, but of no use. Giving same error. Some of other forms are saying it is the issue with 128 Mb CF image problem, FWSM is no more reachable from 6509 IOS console. We even tried using FWSM console (using PC-Conse & LCP Console) but FWSM is not contactable.
I think I got a strange behavior on a context of my WS-SVC-FWM-1 (on a Catalyst 6509 running IOS 12.2(18)SXF17a) that is running FWSM Firewall Version 4.1(3). This context sends these log messages every ten minutes:
Jul 17 2011 23:31:16: %FWSM-6-302010: 0 in use, 0 most used
Jul 17 2011 23:31:17: %FWSM-6-302010: 2245 in use, 107133 most used
[code]...
If I issue the "show conn" three seconds later the log message, the output I got is: FWSM# sh conn 1041 in use, 107133 most used
In another context on the same FWSM the log message sent every ten minutes is just this one:
Jul 17 2011 23:31:17: %FWSM-6-302010: 1358 in use, 72503 most used
Jul 17 2011 23:41:22: %FWSM-6-302010: 1590 in use, 72503 most used
In this case there is no the log message where the "in use" field and "most used" field are 0 (zero). why does the context send the message with the "in use" field and "most used" field 0 (zero).
I have attached a drawing of our network. We have two 6509's connected to two Cisco 2811 (onsite) that the ISP owns. I am trying to get one side up and running before I worry about redundancy and so forth. For this reason I have set all the HSRP priorities to 110 on the left 6509. I have HSRP running between the ISP routers and V LAN 101 of the 6509's. This works as I can ping yahoo and Google just fine from the 6509 switch. I can't get from my laptop connected to V LAN 23 to the internet.
It doesn't even attempt to NAT as there are no translations. I have public address assigned by my ISP configured between the ISP routers and my 6509 on V LAN 101. I then have the public address assigned to V LAN 100. I configured V LAN 100 on the switch and V LAN 100 on the FWSM with the IP address in the drawing. I have my NAT statements and route in my FWSM according to the drawing as well. On the switch, I have a default route to X.X.12.19 which is the VIP between the ISP routers. I can reach anything on the inside of my network, including the old network addresses from V LAN 23.
1. Is it best to do NAT at the FWSM or should I do it on the MSFC connected to the ISP routers?
2. If I have to configure NAT at the FWSM, does this requires me to extend the public network down to the FWSM?
3. I'll take any examples you may have as I am stuck.
I am having issues trying to track down what is causing a high number of connection on our FWSM in our core 6509 switch. I recently upgraded my FWSM to 3.1(20) and I'm looking for a tool to be able to find the culprit. When I receive these messages I try to get onto the firewall in time to be able to get information regarding this issue but by the time I do the device recovers. Is there a way to tweat the threshold of the SNMP trap for high connections? Is there any way I can retreive this information via SNMP? Is there are command that will allow me to extract the local IP making the most connections?
View 1 Replies View RelatedI happen to noticed the FWSM was dropping packets at about 387 packets every 5 minutes. My outside FWSM is WAN facing and has a 1gig link (35% utilized) my inside facing has about 100 downstream switches to the closets. I do not see my 6509's back plane is being over utilized and my understanding of the FWSM show be go for 5 gig so it isn't oversubscribe. Why i am seeing packets dropped?
[Code] ......
i have 6509+FWSM(4.0.4) now i wanna use stite to stite and ez vpn in the fwsm (multiple context) multiple context mode in fwsm support ipsec vpn?
View 2 Replies View RelatedDoes the FWSM for a 6506/6509 is supported in a VSS environment?Also, does the FWSM work with the 2T supervisor module?
View 1 Replies View RelatedI need to enable Management access to FWSM using CA ssl certificate.
FWSM Version 3.2(5) in Cisco 6509 switch.
Got to know how to generate, import and export certificate but my query is how to get it applied to the management ip do i need to apply in the management interface.
We are in the process of migrating to the ASA service modules on both our 6509E switches from our current FWSM. We have used the Cisco conversion tool and applied that to the service module. When viewing the context in ASDM we are unable to view the object names in the right hand pane.
On the FWSM I would see the following under Network Objects:
Network Objects
- JQ-Test
- JQ-Test2
- JQ-Test3
Network Object Group
+ JQ Group
- JQ-Test
- JQ-Test2
- JQ-Test3
Now I have run the conversion tool and applied that to the ASA's I now get the following results.
Network Objects
- 10.1.1.1
- 10.2.2.2
- 10.3.3.3
Network Object Group
+ JQ Group
- 10.1.1.1
- 10.2.2.2
- 10.3.3.3
I am aware that the naming convention on the ASA's are different to the FWSM as you can no longer use the "name 1.1.1.1 JQ-Test1" format but I was hoping that the conversion tool would do this for me.
Is there any way I can get the names of the object back without having to script something that takes the old FWSM format and convert it into an ASA format?
We have a setup of FWSMs configured in single mode in 6509 chassis. Both 6509 are configured in VSS. Recently I have upgraded the firmwre from 4.0(3) to 4.1(3).....before upgradation config sync was not having any problem.
After upgradation...If any one of the FWSM reload..while coming up it gets stuck in config sync and no command we can run on any of the unit and get the error as..
Configuration update in progress by another process. Also on stannby fwsm no running-config displays.
If we used # failover suspend-config on primary and then reloads the standby fwsm...standby boots up with startup config and when # no failover suspend-config command runs on active fwsm..the sync started and completing succssfully within 15 sec..
Also failover works well..with #no failover active..
Currently we have two inter-chassis FWSM redundancy. I would like to configure them for intra-chassis.
Both FWSM's are in slot 7 of 6509 switches and i want to take secondary out from one of the 6509 switch and insert in the slot 3 of primary switch.
I addedd the following commands in my primary switch.
There were commands already present for FWSM in primary switch
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 1
firewall vlan-group 1 2,3,777
to create intra-chassis redundancy i addedd the following command also there.
firewall module 3 vlan-group 1
after adding that, my firewalls worked fine but there was a issue with site loading. People from outside were able to access inside but from inside, we were not able to go outside.
do we need to clear arp from both FWSM's ? is there any other precautionary step, which we need to follow while working on it.
We have a faulty FWSM module in Cisco 6509 switch in Active/Standby cluster mode
We have purchased a refurbished FWSM module to replace it. It has the same FWSM OS 4.0 (4) and is in factory default configuration
What procedures should I follow to make this unit live and sync the config between the current active unit to this one.
I have a 10Mbps connection link which I will like to reduce to 5Mbps on a 6509 switch as indicated in the config below. [code] After applying the service policy on the vlan interface, i got this "match vlan is not supported for this interface". I actually tried the rate limit command but I cant see the effect using the speedtest.
View 2 Replies View Relatedi have fwsm in cat6500, i have one firewall vlan group which is in firewall module 1 vlan group 10. I need tocreate another vlan group and add to firewall module 1 vlan group 10, 20. i need to have zero downtime.
View 2 Replies View RelatedI have used the following basic configuration to do rate limiting on a vlan interface on a 6509:
access-list 100 permit ip any any
class-map match-all ratelimit
match access-group 100
policy-map ratelimit-10Mb
class ratelimit
police 10000000 428750 conform-action transmit exceed-action drop
[code]....
How do I combine the two correctly to give me a vlan port rate limited at 10Mb up and down, but still setting aside (dynamically) 2Mb for voice?
I have FWSM v4.0 installed on Cisco 7609 router and when I want to configure FWSM services on it, VLAN traffic is not passing through the FWSM or not Reaching upto fwsm
View 1 Replies View RelatedI am trying to make the multicast working between few hosts inside a single vlan. Host are running mysql cluster and Multicast is used to send master/slave status information to the IP 228.10.10.10 on port 45566.The vlan is defined in FWSM and the host are connected via the core-switch(6513). (hosts-->core-sws--->fwsm)I have tried searching the documentation, but couldn't find specific info to enable multicast between hosts residing in same vlan. FWSM is running code 3.1(4). since the hosts are residing in the same vlan, I am thinking of applying the <multicast-routing> just for that SVI in FWSM.
View 6 Replies View RelatedFor ASA v8.3 and above we don't need to use nat-controll, traffic from high security interface can go to low security interface without matching NAT statements.So does the ASA automatically NAT s the outgoing traffic to the outside interface by default?
For example
ASA inside int---10.1.1.1
outside int---120.11.1.1
when the inside hosts try to go out they will be NATed to 120.11.1.1 by default on version 8.3 and later.is that right?
I have an ACS 5.4 which is integrated with AD and a RSA. Is there any possibility to Stop the ACS Application automatically if either of these devices are down.
View 2 Replies View RelatedRoughly once an hour my games will simply just stop responding, most notably on League of Legends everything else continues to happen around me uninterrupted but I cannot move my character nor can I use any abilities for about ~4 seconds and will do the same for literally every online game I have played.It doesn't seem to cut out my internet but when it happens on occasion it will crash a Skype call for about the same duration the unresponsiveness occurs.I have Optimum Online and a Linksys wired router with Windows 7.
View 2 Replies View RelatedI have 13 WAP4410N and I have the same problem.
View 2 Replies View RelatedInternet explorer closes automatically?
View 1 Replies View Relatedtwo 6509 chassis with VSS configuration.One of those chassis have one FWSM installed and the configuration is like this:
Switch: firewall multiple-vlan-interfacesfirewall switch 1 module 3 vlan-group 1firewall vlan-group 1 3-5,7,8,10,200 interface Vlan200 ip address 10.50.50.1 255.255.255.252end
I am not receiving icmp replays from the fswm interfaces if i try to ping 172.20.80.1 from 10.50.50.2.I do not see any debuging info in the logsI successfully ping 10.50.50.2 from the inside networks int the cat6500, but int the network 172.20.80.0, can not ping 10.50.50.2.
We have a 25Mbit connection comming in through a cable in the basement, going through a modem that is connected to a RVS4000 small buisness router on the first floor, that acts as the single NAT. Connected to that in parallel we have 4 wireless b/g or b/g/n routers of various cisco/linksys models, one for each floor, each with DHCP disabled.Over the last few months there have been some issues with the router and I'm curious if there is anything that can be done to solve them.The firmware of the router is the latest at the time of this writing, V2.0.2.7
1. The router will occasionally lock up and completely stop responding to DNS requests. Attempting to open a website will result in browsers giving their standard 'DNS Lookup Failure' messages. The router will also become completely non-responsive when trying to access it via its IP address (standard 192.168.1.1). No username/password dialog appears.However oddly enough IRC and other chats like skype will still work fine.Restoring Factory settings has not worked. This issue has gotten to the point where this happens about once a day. Restarting the router will fix the issue. While I think the issue may sometimes resolve itself, it could also just be one of the other people in the house restarting it manually.I'm assuming that the router is to blame here and not the cable modem in the basement or the DNS server of our ISP, mostly due to the fact that the router becomes unresponsive and won't let me log in as admin when this happens. also restarting the router, not the modem, seems to fix the issue.
2. The router's log is always empty Specifically I have enabled 'Output' and 'Local Log' as you can see here:
3. Issues with some people hogging bandwidth With 25 people and a 25Mbit connection each person in the house should effectively get about 125KB/s of download speed, especially since not everyone is always using bandwidth. However it can happen where one person is, often without knowing it, hogging a large chunk of bandwidth and slowing the network down for everyone, such as downloading multiple large files from different sites, streaming high-quality video, etc.I would like to know if any of the following might be possible to do with this router: See the bandwidth usage per individual MAC or IP address on the network over timeLimit the amount of bandwidth a specific MAC or IP address can use. Make the distribution of bandwidth more fair when a few people are using far more of it than other people.
I have at times resorted to limiting P2P via IPS in the past, and of-course that does work somewhat, but that's not ideal. I'd much rather just know who is doing it, and specifically by how much they are slowing other people down. While the IPS page will list the IP addresses of those trying to use P2P when it's disabled, there is no way for me to really quantify how much bandwidth they'd be using otherwise, and this doesn't at all include things straight-up HTTP downloads.In any case, this router should easily be able to handle ~25 simultaneous connections, right? Are there any settings that I should make sure to enable or set to distribute bandwidth more fairly, given the setup we have?
4. The IPS report chart is not readable.This is a bit of a nit-pick, but the IPS report chart is basically not readable because the colors used in the key are identical in color. Can you tell the difference between the colors of 'Network Traffic' and 'Attack Counts' in the key at the top? They could have used any two colors that are at least somewhat distinguishable, even light grey and dark grey would have been better, not magenta and another magenta.
i have a server with windows server 2003 that SQL server 2008 is installed on it.regulary server service will be stoped automativcaly and all shared folders will be unshared and i must restart server and waiting for next stop and .
View 1 Replies View Relatedsometimes my net will randomly dc and wen i trouble shoot it says "windows could automatically detect this networks proxy" and then when i go to diagnose it says "your computer appears to be correctly configured but the device or resource (dns server) is not responding.
View 17 Replies View RelatedYesterday I was on my cousin's computer, and we had to remove the ethernet cord to connect it to mine as my wireless adapter wasn't cooperating with his internet. This was all fine and dandy until we had to plug the ethernet cord back into his computer. It locks everything up. If you try to open a program, it won't open. If a program is already open when the cord is plugged in, it stops responding within 15 seconds.I called my brother, and he suggested I run a virus scan via Microsoft Security Essentials and MalwareBytes, which I did. MalwareBytes found 5 problems, MSE found 1 additional one. They have all been removed, however this problem still persists. If you try to start the computer with the ethernet cord plugged in, it will allow him to put in his password, it will say welcome for about 3-5 minutes, then the screen will go black. The mouse is visible, doing it's motion to indicate that it's loading something, but it never achieves anything.
View 1 Replies View RelatedI need to create a DMZ Vlan. Core switch is a 6509. FW is an ASA5520. Need to create a VLAN for DMZ purposes for outside facing servers. NAT is used on ASA.
View 7 Replies View Related