Cisco Bug: CSCsz22099 - xlate on shared interface causes bad connection with high data rate

Last Modified

Feb 22, 2014

Products (1)

  • Cisco Catalyst 6500 Series Firewall Services Module

Known Affected Releases

3.1 3.2 4.0

Description (partial)

In a rare corner case, a connection might be created in the FWSM's connection table that shows a very high data rate, and cannot be deleted with the command 'clear connection'.

To experience this problem the following conditions must all be true:
1) The FWSM must be in multiple-context mode
2) The FWSM must have a shared interface between multiple contexts
3) An xlate must be created in one of the contexts such that this xlate has a global IP address on the shared interface. In this case, we will call this context 'A'. The global IP address is The shared interface is the 'outside' interface.

FWSM/A# show xlate deb
NAT from inside: to outside: flags Ii idle 0:00:18 timeout 3:00:00 connections 0

4) A FWSM administrator must ping this global IP sourced from the FWSM itself from within a different context. We'll call this context 'B':

FWSM/B# ping
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

5) The command 'inspect icmp' must be present in the configuration of the context sourcing the ping traffic. In this case, context B has this configured:

policy-map global_policy
 class inspection_default
  inspect icmp 

The result of this bug is that a connection will be created that has a traffic counter that increases very quickly.

FWSM/B# show conn
ICMP outside outside idle 0:00:00 Bytes 97526292 

Also, the NP 1 counters 'packets to NP-3' and 'ICMP packets received' will increment very quickly:

FWSM/B# show np 1 stats | inc packets to NP-3
PKT_MNG: packets to NP-3                           : 84800410
FWSM/B# show np 1 stats | inc ICMP packets received
PKT_MNG: ICMP packets received                : 84800423
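A defender-side check for the symptom described above (an added example, not code from the bug page or from Cisco): it parses two `show conn` snapshots taken a few seconds apart and flags connections whose byte counter grows faster than a threshold, marking ICMP flows whose both ends sit on one (shared) interface. The sample output, endpoint addresses, interval and threshold are constructed; the page's own output has the addresses redacted.

```python
import re

# Constructed sample output (not from the bug page): two `show conn` snapshots
# from the context sourcing the ping, taken INTERVAL_S seconds apart.
INTERVAL_S = 5
SHOW_CONN_T0 = """\
TCP outside 203.0.113.5:443 inside 10.1.1.20:51234 idle 0:00:04 Bytes 18234 flags UIO
ICMP outside 192.0.2.10 outside 192.0.2.10 idle 0:00:00 Bytes 97526292
"""
SHOW_CONN_T1 = """\
TCP outside 203.0.113.5:443 inside 10.1.1.20:51234 idle 0:00:09 Bytes 18760 flags UIO
ICMP outside 192.0.2.10 outside 192.0.2.10 idle 0:00:00 Bytes 184200400
"""

CONN_RE = re.compile(r"^(?P<proto>\S+)\s+(?P<ends>.*?)\s+idle\s+\S+\s+Bytes\s+(?P<bytes>\d+)")
ADDR_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+(:\d+)?$")


def parse_show_conn(text):
    """Map (proto, endpoint text) -> byte counter for each `show conn` line."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns[(m["proto"], m["ends"])] = int(m["bytes"])
    return conns


def hairpin_on_one_interface(ends):
    """True when both ends of the flow are on the same interface ('outside ... outside ...').
    Works on the redacted page form ('outside outside') as well as on full output."""
    ifaces = [t for t in ends.split() if not ADDR_RE.match(t)]
    return len(ifaces) == 2 and ifaces[0] == ifaces[1]


def runaway_connections(before, after, interval_s, threshold_bytes_per_s=10_000_000):
    """Return [(proto, ends, bytes_per_s, icmp_hairpin)] for flows present in both
    snapshots whose counter grew faster than the threshold; icmp_hairpin is True for
    the signature in this bug: an ICMP conn with both ends on one shared interface."""
    hits = []
    for key, b1 in after.items():
        b0 = before.get(key)
        if b0 is None:
            continue
        rate = (b1 - b0) / interval_s
        if rate >= threshold_bytes_per_s:
            hits.append((key[0], key[1], rate, key[0] == "ICMP" and hairpin_on_one_interface(key[1])))
    return hits


def detect_from_samples():
    return runaway_connections(parse_show_conn(SHOW_CONN_T0), parse_show_conn(SHOW_CONN_T1), INTERVAL_S)


if __name__ == "__main__":
    for proto, ends, rate, hairpin in detect_from_samples():
        print(f"runaway {proto} conn [{ends}]: {rate:,.0f} B/s, icmp hairpin={hairpin}")
```

In practice, feed it the real output captured from the context that sourced the ping, and pair a hit with the `show np 1 stats` counters quoted above.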

