Cisco Bug: CSCsz22099 - xlate on shared interface causes bad connection with high data rate

Last Modified

Feb 22, 2014

Products (1)

  • Cisco Catalyst 6500 Series Firewall Services Module

Known Affected Releases

3.1 3.2 4.0

Description (partial)

Symptom:
In a rare corner case, a connection might be created in the FWSM's connection table that shows a very high data rate, and cannot be deleted with the command 'clear connection'.

Conditions:
To experience this problem the following conditions must all be true:
1) The FWSM must be in multiple-context mode.
2) The FWSM must have an interface shared between multiple contexts.
3) An xlate must exist in one of the contexts with a global IP address on the shared interface. In this example that context is called 'A', the global IP address is 10.0.0.6, and the shared interface is the 'outside' interface.

FWSM/A# show xlate deb
NAT from inside:10.0.0.6 to outside:10.0.0.6 flags Ii idle 0:00:18 timeout 3:00:00 connections 0

4) An FWSM administrator must ping this global IP from the FWSM itself, sourced from within a different context, which we will call context 'B':

FWSM/B# ping 10.0.0.6
Sending 5, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

5) The command 'inspect icmp' must be present in the configuration of the context sourcing the ping traffic. In this case, context B has this configured:

!
policy-map global_policy
 class inspection_default
  inspect icmp 
!

The result of this bug is that a connection is created whose byte counter increases very quickly.

FWSM/B# show conn
ICMP outside 10.0.0.6:4388 outside 10.3.103.21:8 idle 0:00:00 Bytes 97526292 

Also, the NP 1 counters 'packets to NP-3' and 'ICMP packets received' will increment very quickly:

FWSM/B# show np 1 stats | inc packets to NP-3
PKT_MNG: packets to NP-3                           : 84800410
FWSM/B# 
FWSM/B#show np 1 stats | inc ICMP packets received
PKT_MNG: ICMP packets received                : 84800423
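As an added example (not part of the Cisco bug record), the following Python check parses two 'show conn' snapshots taken a known interval apart and flags connections whose byte counter grows faster than a chosen threshold, which is the symptom described above. It assumes the 'show conn' line layout shown on this page; the two snapshots below are constructed from the page's ICMP entry plus an ordinary TCP flow for contrast.

```python
import re
from typing import Dict, List, Tuple

# One line of FWSM 'show conn' output, e.g. (from the bug record):
#   ICMP outside 10.0.0.6:4388 outside 10.3.103.21:8 idle 0:00:00 Bytes 97526292
CONN_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<if1>\S+)\s+(?P<a1>\S+)\s+(?P<if2>\S+)\s+(?P<a2>\S+)"
    r"\s+idle\s+\S+\s+Bytes\s+(?P<bytes>\d+)"
)
ConnKey = Tuple[str, str, str, str, str]

# Constructed snapshots 10 seconds apart: the ICMP entry is the page's example
# connection, the TCP entry is an ordinary flow added for contrast.
SNAP_T0 = """FWSM/B# show conn
TCP inside 192.168.1.10:51234 outside 10.3.103.21:443 idle 0:00:05 Bytes 1240 flags UIO
ICMP outside 10.0.0.6:4388 outside 10.3.103.21:8 idle 0:00:00 Bytes 97526292
"""
SNAP_T10 = """FWSM/B# show conn
TCP inside 192.168.1.10:51234 outside 10.3.103.21:443 idle 0:00:01 Bytes 4820 flags UIO
ICMP outside 10.0.0.6:4388 outside 10.3.103.21:8 idle 0:00:00 Bytes 197526292
"""

def parse_show_conn(text: str) -> Dict[ConnKey, int]:
    """Map each parsable connection 5-tuple to its byte counter; prompts and
    other non-connection lines are ignored."""
    conns: Dict[ConnKey, int] = {}
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns[(m["proto"], m["if1"], m["a1"], m["if2"], m["a2"])] = int(m["bytes"])
    return conns

def runaway_connections(before: Dict[ConnKey, int], after: Dict[ConnKey, int],
                        interval_s: float, threshold_bps: float) -> List[Tuple[ConnKey, float]]:
    """Return (connection, bytes/sec) for connections present in both snapshots
    whose counter grew faster than threshold_bps. Connections that disappeared
    or whose counter went backwards (reset or wrap) are skipped, not flagged."""
    flagged: List[Tuple[ConnKey, float]] = []
    for key, b0 in before.items():
        b1 = after.get(key)
        if b1 is None or b1 < b0:
            continue
        rate = (b1 - b0) / interval_s
        if rate > threshold_bps:
            flagged.append((key, rate))
    return flagged

def check_sample(threshold_bps: float = 1_000_000) -> List[Tuple[ConnKey, float]]:
    """Run the check over the constructed snapshots (taken 10 s apart)."""
    return runaway_connections(parse_show_conn(SNAP_T0), parse_show_conn(SNAP_T10),
                               10.0, threshold_bps)

if __name__ == "__main__":
    for key, rate in check_sample():
        print(f"{key[0]} {key[1]} {key[2]} -> {key[3]} {key[4]}: {rate:,.0f} B/s")
```

A flagged entry that also survives 'clear connection', as the description states, is the pattern to correlate with the five conditions listed above.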