Solved

FWSM VLAN Doesn't Appear / Work

Posted on 2009-05-04
Last Modified: 2012-05-06
Hello,

I have a FWSM inside a 6500 running hybrid CatOS / IOS.

I need to add a new VLAN to the fwsm.  I have created the vlan in catos:

  set vlan 20 name DMZ type ethernet mtu 1500 said 100020 state active

I have added it to a trunk:

  set trunk 4/13 on dot1q 20

And given it to the firewall:

  set vlan 20 firewall-vlan 13

All of this is the same for another bunch of vlans given to the firewall.  However, if I do this:

  >sh vlan firewall-vlan 13
  Secured vlans by firewall module 13 :
  10-11,13,20-21,80,95,129-130,900-902

Vlan 20 is present as a secured vlan.

However, sh config shows:
  set vlan 10-11,80,95,129-130,900-902 firewall-vlan 13

No mention of vlan 20 (or 13, or 21, other vlans I used to confirm the behaviour was consistent).

On the fwsm side, vlan20 is up, and I can add config to it.  I can put things in vlan20 and ping them from the fwsm.  So despite the above config looking weird, layer 2 does seem to be in place.

However, if I try and ping something on the new vlan from the inside interface, it doesn't get there.

There aren't any errors in the logs of the fwsm, but if I log the rule that permits the traffic on the inside acl, it does show that the traffic is destined for the new vlan.  It just doesn't get there.

NAT exemption is correct, routing is correct, ACLs are correct.

So the anomaly is the CatOS config weirdness.  The criteria for adding a vlan to the FWSM are that 1) it isn't on the MSFC, which it isn't; 2) it isn't reserved, which it isn't; 3) it is attached to a port, which it is.

Any ideas what is causing this?

Question by:muff
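The discrepancy the question describes (a VLAN listed by "sh vlan firewall-vlan 13" but absent from the "set vlan ... firewall-vlan 13" line in "sh config") can be checked mechanically. The script below is an added example, not part of the original post or of any Cisco tool: it expands CatOS VLAN range lists such as "10-11,13,900-902", extracts the secured-VLAN list and the firewall-vlan config lines for a given slot, and reports VLANs present in one but not the other. The two sample outputs are constructed from the text of the post; feed it real captures of the two commands instead.

```python
"""Added example: compare the VLAN list reported by `sh vlan firewall-vlan <slot>`
with the `set vlan <list> firewall-vlan <slot>` lines in `sh config`, and report
VLANs that appear in one but not the other.  Sample outputs are constructed from
the forum post; function names are this example's own, not Cisco's."""
import re

# Constructed sample: what the post shows for `sh vlan firewall-vlan 13`.
SHOW_FIREWALL_VLAN = """\
Secured vlans by firewall module 13 :
10-11,13,20-21,80,95,129-130,900-902
"""

# Constructed sample: the relevant lines the post shows from `sh config`.
SHOW_CONFIG = """\
set vlan 20 name DMZ type ethernet mtu 1500 said 100020 state active
set trunk 4/13 on dot1q 20
set vlan 10-11,80,95,129-130,900-902 firewall-vlan 13
"""


def expand_ranges(spec: str) -> set:
    """Expand a CatOS VLAN list such as '10-11,13,900-902' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad VLAN range {part!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def secured_vlans(show_output: str, slot: int) -> set:
    """VLANs that `sh vlan firewall-vlan <slot>` reports as secured by the module."""
    m = re.search(
        rf"Secured vlans by firewall module {slot}\s*:\s*\n\s*([\d,\-]+)",
        show_output,
    )
    return expand_ranges(m.group(1)) if m else set()


def configured_vlans(config: str, slot: int) -> set:
    """VLANs assigned to the module by `set vlan <list> firewall-vlan <slot>` lines."""
    vlans = set()
    for line in config.splitlines():
        m = re.match(rf"\s*set vlan (\S+) firewall-vlan {slot}\s*$", line)
        if m:
            vlans |= expand_ranges(m.group(1))
    return vlans


def compare(show_output: str, config: str, slot: int) -> dict:
    """Return VLANs only in the secured list, only in the config, and in both."""
    secured = secured_vlans(show_output, slot)
    configured = configured_vlans(config, slot)
    return {
        "secured_only": sorted(secured - configured),
        "config_only": sorted(configured - secured),
        "consistent": sorted(secured & configured),
    }


if __name__ == "__main__":
    result = compare(SHOW_FIREWALL_VLAN, SHOW_CONFIG, 13)
    for vlan in result["secured_only"]:
        print(f"VLAN {vlan}: secured by module 13 but missing from 'sh config'")
    for vlan in result["config_only"]:
        print(f"VLAN {vlan}: in 'sh config' but not reported as secured")
```

Run against the sample, it flags VLANs 13, 20 and 21 as secured but absent from the config, which is exactly the mismatch the question reports; a clean switch would produce an empty list in both directions.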
10 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 24307168


did you issue the "show startup-config" instead of the "show config" command?

make sure you "wr mem" it

harbor235 ;}
0
 
LVL 9

Author Comment

by:muff
ID: 24310083
This is on the CatOS part of the system, so there is no "wr mem", and "sh config" is equivalent to "sh run".
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24310459


Right, I forgot, it's been a little while since I last used CatOS. Seriously, it does not sound right. What about the version of code you are using? You definitely did the correct steps. I would open a TAC case and search the version of code you are using against known bugs.

harbor235 ;}
0
 
LVL 9

Author Comment

by:muff
ID: 24314974
It isn't a new version of code, but I can't consider recommending an upgrade to a core and critical device without a diagnosis.

The cisco knowledgebase doesn't help, and TAC is a last resort - the support path I need to follow seems to be designed to make it difficult to log a call.

I'll wait and see if anyone has any suggestions.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24315846

What does "sh vlan 20" output?

harbor235 ;}
0
 
LVL 9

Author Comment

by:muff
ID: 24315965
Nothing unusual - other than different ports, this is the same output as vlans that work fine.

In fact, we switched to one of the vlans that appear in the sh firewall-vlan output that wasn't being used, and the problem with forwarding traffic wasn't present.

So not appearing the sh firewall-vlan list seems to indicate that there is a problem somewhere.

The fwsm licence is for 256 interfaces by the way, and using about 10.

  > (enable) sh vlan 20

  VLAN Name                             Status    IfIndex Mod/Ports, Vlans
  ---- -------------------------------- --------- ------- ------------------------
  20   DMZ                              active    264     4/13-16
                                                          5/13-16
                                                          13/1-4
                                                          15/1
                                                          16/1

  VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
  ---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
  20   enet  100020     1500  -      -      -      -    -        0      0

  VLAN MISTP-Inst DynCreated  RSPAN
  ---- ---------- ---------- --------
  20   -          static     disabled

0
 
LVL 32

Expert Comment

by:harbor235
ID: 24316150


Did you add the vlan to the FWSM first before completing the work on the switch? Vlan guidelines for the FWSM state they should be added to the switch first. If so is it possible to remove the vlan and start over?

harbor235 ;}
0
 
LVL 9

Author Comment

by:muff
ID: 24321102

The vlan was added to the switch first, on all occasions.

0
 
LVL 32

Expert Comment

by:harbor235
ID: 24321322

Got me stumped. It's not a license issue; it must be a bug. I would love to hear the outcome of this one.
It's hard not seeing the configs of both devices, though.

Good luck to you,

harbor235 ;}
0
 
LVL 9

Accepted Solution

by:
muff earned 0 total points
ID: 25791693
This problem was never solved.  Instead, an already defined but unused vlan was usurped for this service.
0
