Cisco Bug: CSCsy92620 - FWSM classifier not recovering from incorrect, conflicting nat

Last Modified

Feb 22, 2014

Products (1)

  • Cisco Catalyst 6500 Series Firewall Services Module

Known Affected Releases


Description (partial)

FWSM does not seem to recover after the following type of misconfiguration is cleared:

* FWSM in multi-context mode, with two contexts A and B sharing the same VLAN.
* A translation is created on context A that uses the IP address of an interface on context B as its global IP.

That configuration is incorrect and causes a problem because A's global statement IP conflicts with B's interface IP. Traffic on the VLAN to context B stops passing through, and the ARP table in context B is empty for that VLAN.

After removing the nat and global statements and clearing xlates and local-hosts, the problem should be gone, but it remains.

Example configuration:

* on context A:

interface vlan123
 nameif sharedA
 security-level 0
 ip address standby

global (sharedA) 1 netmask
nat (inside) 1

* on Context B:

interface Vlan 123
 nameif sharedB
 security-level 0
 ip address standby
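
Because clearing the misconfiguration does not restore traffic, it is worth catching the conflict before it is applied. The following is an added example, not part of the Cisco bug record: a pre-deployment check that flags any global address on one context that covers an interface or standby IP of another context on the same VLAN. It generalizes the single-address case above to global ranges; the addresses are constructed documentation-range placeholders (the bug text elides the real ones), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample configs; addresses are placeholders, not from the bug record.
CONTEXT_A = """\
interface vlan123
 nameif sharedA
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
global (sharedA) 1 192.0.2.10 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.255.0
"""
CONTEXT_B = """\
interface Vlan 123
 nameif sharedB
 security-level 0
 ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"

def parse_context(text):
    """Return ({vlan: [interface IPs]}, {nameif: vlan}, [(nameif, first, last)])."""
    iface_ips, nameif_vlan, pools, vlan = {}, {}, [], None
    for line in text.splitlines():
        if not line.startswith(" "):
            vlan = None  # an unindented line ends the previous interface block
        s = line.strip()
        if m := re.match(r"interface\s+vlan\s*(\d+)", s, re.I):
            vlan = int(m.group(1))
        elif vlan is not None and (m := re.match(r"nameif\s+(\S+)", s)):
            nameif_vlan[m.group(1)] = vlan
        elif vlan is not None and (
                m := re.match(rf"ip address\s+{IP}\s+{IP}(?:\s+standby\s+{IP})?", s)):
            # Active and standby addresses are both owned by this context.
            iface_ips.setdefault(vlan, []).extend(
                ipaddress.ip_address(a) for a in (m.group(1), m.group(3)) if a)
        elif m := re.match(rf"global\s+\((\S+)\)\s+\d+\s+{IP}(?:-{IP})?", s):
            first = ipaddress.ip_address(m.group(2))
            last = ipaddress.ip_address(m.group(3) or m.group(2))
            pools.append((m.group(1), first, last))
    return iface_ips, nameif_vlan, pools

def find_conflicts(contexts):
    """contexts: {name: config}. Return [(ctx_with_global, vlan, ip, ctx_owning_ip)]."""
    parsed = {name: parse_context(text) for name, text in contexts.items()}
    return [(a, nameifs.get(nameif), str(ip), b)
            for a, (_, nameifs, pools) in parsed.items()
            for nameif, first, last in pools
            for b, (ips, _, _) in parsed.items() if b != a
            for ip in ips.get(nameifs.get(nameif), [])
            if first <= ip <= last]
```

The check only inspects configuration text; it says nothing about classifier state on a module where the conflicting translation was already applied.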