[c-nsp] VLAN behavior behind FWSM
Greg Schwimer
gschwimer at godaddy.com
Wed Jul 20 15:29:32 EDT 2005
Are you running transparent or routed mode on the FWSM? Any contexts?
John Neiberger wrote:
>Can you elaborate a bit more about the problem you've seen that is
>similar to this?
>
>Our problem is getting even stranger. The FWSM *is* getting involved,
>but I am at a loss to explain why or even how.
>
>Imagine two VLANs configured on the FWSM, Alpha and Beta. We have users
>in Alpha trying to talk to other users in Alpha. The FWSM is seeing some
>of this traffic but it is showing up in the log because the traffic is
>being denied. The really strange thing is that the FWSM thinks the
>traffic is going from VLAN Alpha to VLAN Beta!
>
>So, to further elaborate, let's say that we have two devices in VLAN
>Alpha with IP address 10.1.1.1 and 10.1.1.2. VLAN Alpha has an incoming
>access list applied. The FWSM logs show entries similar to this:
>
>Jul 20 2005 10:54:27: %FWSM-4-106100: access-list ALPHA-IN denied tcp
>ALPHA/10.1.1.1(3178) -> BETA/10.1.1.2(29479) hit-cnt 3 (300-second
>interval)
>
>VLAN Beta has an entirely different range of addresses, let's say
>10.2.2.0/24. There is no config on the FWSM that would make the FWSM
>think that 10.1.1.0 is in any way related to VLAN Beta. Yet, for some
>reason, the FWSM is seeing this traffic and dropping it. I can think of
>no way that the FWSM could even be seeing this traffic. My only guess is
>that perhaps, for example, 10.1.1.1 sends an ARP request for 10.1.1.2
>and the FWSM answers with its own MAC address. Then, when 10.1.1.1 sends
>a TCP SYN to 10.1.1.2, the FWSM thinks that 10.1.1.2 resides on a
>different VLAN and drops the traffic because it isn't explicitly allowed
>in the ALPHA-IN access list. Very weird.
>
>Any thoughts?
>
>Thanks,
>John
>--
>
>>>>Kenny Long <long.kenny at gmail.com> 7/19/05 5:39:43 PM >>>
>
>You could assume the FWSM is completely out of the loop but then you
>would eliminate finding the problem that I have occasionally seen
>cause the symptoms you describe.
>If the FWSM is doing the alias command, I would double check this
>page, and verify your configs
>http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml#topic1
>
>Please make sure the FWSM is not trying to "own" any of these
>problematic IP addresses, by responding to ARP requests with its own
>MAC address.
>
>Kenny
>
>
>On 7/19/05, Simon Hamilton-Wilkes <simon at jettis.com> wrote:
>
>>Yes the FWSM is completely out of the loop, as any other gateway device
>>would be.
>>
>>Simon
>>
>>_______________________________________________
>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>>
>
>
>
>
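The log entry John quotes is the key evidence: a deny where source and destination addresses are in the same /24 but the FWSM has attributed the destination to a different interface. Intra-VLAN traffic should never reach the firewall at all, so entries of that shape point at something on the VLAN answering ARP (the alias/proxy-ARP behaviour Kenny mentions) rather than at the access list. The following is an added example, not code from the thread or from Cisco: a small Python script that parses %FWSM-4-106100 syslog lines and flags exactly that pattern. The interface-to-subnet map (ALPHA = 10.1.1.0/24, BETA = 10.2.2.0/24) and the sample log lines are constructed from the values discussed above and are assumptions to adjust to a real configuration.

```python
"""Flag FWSM 106100 denies whose destination is really on the source VLAN."""
import ipaddress
import re

# Interface-to-subnet map, assumed from the thread (ALPHA = 10.1.1.0/24,
# BETA = 10.2.2.0/24); replace with the interfaces and subnets of the real FWSM.
VLAN_SUBNETS = {
    "ALPHA": ipaddress.ip_network("10.1.1.0/24"),
    "BETA": ipaddress.ip_network("10.2.2.0/24"),
}

# Constructed sample log: the first line is the thread's entry rejoined onto one
# line, the second is an ordinary inter-VLAN deny, the third is an unrelated message.
SAMPLE_LOG = """\
Jul 20 2005 10:54:27: %FWSM-4-106100: access-list ALPHA-IN denied tcp ALPHA/10.1.1.1(3178) -> BETA/10.1.1.2(29479) hit-cnt 3 (300-second interval)
Jul 20 2005 10:55:02: %FWSM-4-106100: access-list ALPHA-IN denied tcp ALPHA/10.1.1.5(40211) -> BETA/10.2.2.9(22) hit-cnt 1 (first hit)
Jul 20 2005 10:55:10: %FWSM-6-302013: Built outbound TCP connection 12345 for ALPHA:10.1.1.7/1024 (10.1.1.7/1024) to BETA:10.2.2.3/80 (10.2.2.3/80)
"""

# Matches the 106100 format shown in the thread: interface/ip(port) -> interface/ip(port).
LOG_RE = re.compile(
    r"%FWSM-4-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) "
    r"-> (?P<dst_if>[^/\s]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)


def parse_106100(line):
    """Parse one %FWSM-4-106100 line into a dict; return None for any other message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["src_ip"] = ipaddress.ip_address(entry["src_ip"])
    entry["dst_ip"] = ipaddress.ip_address(entry["dst_ip"])
    for key in ("src_port", "dst_port", "hits"):
        entry[key] = int(entry[key])
    return entry


def find_misattributed_denies(log_text, vlan_subnets=VLAN_SUBNETS):
    """Return 106100 entries where the destination IP lies inside the source
    interface's own subnet but the FWSM logged a different destination interface.

    The firewall should never see host-to-host traffic within one VLAN, so a
    match means something on that VLAN is answering ARP for an address it
    does not own (the alias / proxy-ARP case), not an access-list problem.
    """
    suspects = []
    for line in log_text.splitlines():
        entry = parse_106100(line)
        if entry is None:
            continue
        src_net = vlan_subnets.get(entry["src_if"])
        if src_net is None:
            continue  # unknown interface name; nothing to compare against
        if entry["dst_ip"] in src_net and entry["dst_if"] != entry["src_if"]:
            suspects.append(entry)
    return suspects


def summarize(entries):
    """One human-readable line per suspect entry."""
    return [
        f"{e['src_if']}/{e['src_ip']} -> {e['dst_if']}/{e['dst_ip']}:{e['dst_port']} "
        f"({e['proto']}, acl {e['acl']}, {e['hits']} hits): destination is inside the "
        f"{e['src_if']} subnet, the firewall should not be in this path"
        for e in entries
    ]


if __name__ == "__main__":
    for line in summarize(find_misattributed_denies(SAMPLE_LOG)):
        print(line)
```

Run against a real export of the FWSM syslog, the script prints only the denies that match the same-subnet / different-interface pattern; if any appear, the next step is to check the ARP cache on an affected host for the suspect destination and compare the MAC against the FWSM's interface MAC, which is what Kenny's suggestion amounts to.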