Cisco Bug: CSCsy92620 - FWSM classifier not recovering from incorrect, conflicting nat

Last Modified

Feb 22, 2014

Products (1)

  • Cisco Catalyst 6500 Series Firewall Services Module

Known Affected Releases

3.2(7)

Description (partial)

Symptom:
FWSM doesn't seem to recover after clearing the following type of misconfiguration:

* FWSM in multiple-context mode, with two contexts A and B sharing the same VLAN.
* A translation is created on context A that uses the IP address of an interface on context B as its global IP.
That configuration is incorrect and causes a problem, because the IP in A's global statement conflicts with B's interface IP. Traffic on the VLAN to context B stops passing through, and the ARP table in context B is empty for that VLAN.

After removing the nat and global statements and clearing xlates and local-hosts, the problem should be gone, but it remains.
Conditions:
Example configuration:

* on context A:

interface Vlan123
 nameif sharedA
 security-level 0
 ip address 10.2.3.4 255.255.255.224 standby 10.2.3.10

global (sharedA) 1 10.2.3.33 netmask 255.255.255.224
nat (inside) 1 192.168.1.1 255.255.255.255

* on context B:

interface Vlan123
 nameif sharedB
 security-level 0
 ip address 10.2.3.33 255.255.255.224 standby 10.2.3.60
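As an added example that is not part of the Cisco bug record, the following Python script performs the configuration check an operator would want before pushing a global statement on a shared VLAN: it parses each context's configuration text, collects the active and standby addresses of every interface, and flags any global pool address (single address or range) in one context that collides with an interface address of a different context on the same VLAN. The sample configurations are constructed from the Conditions section above; the parser only covers the interface / nameif / ip address / global line forms shown there, and the `interface` keyword form of global PAT is skipped (an assumption, since the page does not use it).

```python
import ipaddress
import re

# Constructed sample configurations, modelled on the bug's "Conditions" section.
CONTEXT_A = """\
interface Vlan123
 nameif sharedA
 security-level 0
 ip address 10.2.3.4 255.255.255.224 standby 10.2.3.10

global (sharedA) 1 10.2.3.33 netmask 255.255.255.224
nat (inside) 1 192.168.1.1 255.255.255.255
"""

CONTEXT_B = """\
interface Vlan123
 nameif sharedB
 security-level 0
 ip address 10.2.3.33 255.255.255.224 standby 10.2.3.60
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.I)
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)", re.I)
IPADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)(?:\s+standby\s+(\S+))?", re.I)
# global (nameif) id first[-last] [netmask m]; the address parts exclude '-' so a range splits.
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+\d+\s+([^\s-]+)(?:-([^\s-]+))?", re.I)


def parse_context(text):
    """Parse one context's config.

    Returns (interfaces, globals):
      interfaces: nameif -> {"vlan": str, "nameif": str, "ips": set of IPv4Address}
      globals:    list of (nameif, first_address, last_address)
    """
    interfaces = {}
    globals_ = []
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"vlan": m.group(1).lower(), "nameif": None, "ips": set()}
            continue
        m = NAMEIF_RE.match(line)
        if m and current is not None:
            current["nameif"] = m.group(1)
            interfaces[m.group(1)] = current
            continue
        m = IPADDR_RE.match(line)
        if m and current is not None:
            current["ips"].add(ipaddress.IPv4Address(m.group(1)))
            if m.group(3):  # standby address shares the VLAN and must not collide either
                current["ips"].add(ipaddress.IPv4Address(m.group(3)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            if m.group(2).lower() == "interface":
                continue  # assumption: "global (x) 1 interface" PAT form is not checked here
            first = ipaddress.IPv4Address(m.group(2))
            last = ipaddress.IPv4Address(m.group(3)) if m.group(3) else first
            globals_.append((m.group(1), first, last))
    return interfaces, globals_


def find_conflicts(contexts):
    """contexts: {context_name: config_text}.

    Returns a list of (ctx_with_global, nameif, clashing_ip, other_ctx, other_nameif)
    for every global pool address that equals an interface/standby address of another
    context attached to the same VLAN.
    """
    parsed = {name: parse_context(cfg) for name, cfg in contexts.items()}
    conflicts = []
    for a, (ifaces_a, globals_a) in parsed.items():
        for nameif, first, last in globals_a:
            iface_a = ifaces_a.get(nameif)
            if iface_a is None:
                continue  # global references an unknown nameif; not this check's concern
            vlan = iface_a["vlan"]
            for b, (ifaces_b, _) in parsed.items():
                if b == a:
                    continue
                for iface_b in ifaces_b.values():
                    if iface_b["vlan"] != vlan:
                        continue
                    for ip in sorted(iface_b["ips"]):
                        if first <= ip <= last:
                            conflicts.append((a, nameif, str(ip), b, iface_b["nameif"]))
    return conflicts


if __name__ == "__main__":
    for a, nameif, ip, b, other in find_conflicts({"A": CONTEXT_A, "B": CONTEXT_B}):
        print(f"context {a}: global on {nameif} uses {ip}, "
              f"which is an interface address of context {b} ({other}) on the same VLAN")
```

Run on the two sample contexts the script reports the exact collision the bug describes (10.2.3.33 is both A's global address and B's interface address on Vlan123); moving A's global pool to an unused address in the subnet makes the report empty.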