Table Of Contents
Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 4.1(x)
Important Notes
New Features
New Features in Release 4.1(6)
New Features in Release 4.1(1)
Upgrading or Downgrading the Software
Viewing Your Current Version
Upgrading from 2.x or 3.x
Upgrading the Operating System and ASDM Images
Downgrading From 4.1
Important Notes
Downgrading
Chassis System Requirements
Catalyst 6500 Series Requirements
Cisco 7600 Series Requirements
Management Support
Software License Information
Limitations and Restrictions
Open Caveats
Resolved Caveats
Resolved Caveats in Release 4.1(9)
Resolved Caveats in Release 4.1(8)
Resolved Caveats in Release 4.1(7)
Resolved Caveats in Release 4.1(6)
Resolved Caveats in Release 4.1(5)
Resolved Caveats in Release 4.1(4)
Resolved Caveats in Release 4.1(3)
Resolved Caveats in Release 4.1(2)
Resolved Caveats in Release 4.1(1)
Related Documentation
Hardware Documents
Software Documents
Obtaining Documentation and Submitting a Service Request
Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 4.1(x)
May 2012
This document contains release information for FWSM Release 4.1(1) through 4.1(9).
This document includes the following sections:
•
Important Notes
•New Features
•Upgrading or Downgrading the Software
•Chassis System Requirements
•Management Support
•Software License Information
•Limitations and Restrictions
•Open Caveats
•Resolved Caveats
•Related Documentation
•Obtaining Documentation and Submitting a Service Request
Important Notes
•For traffic that passes through the control-plane path, such as packets that require Layer 7 inspection or management traffic, the FWSM sets the maximum number of out-of-order packets that can be queued for a TCP connection to 2 packets, which is not user-configurable. Other TCP normalization features that are supported on the PIX and ASA platforms are not enabled for FWSM.
•You can disable the limited TCP normalization support for FWSM using the no control-point tcp-normalizer command.
•When you log in to the system execution space from the switch in multiple context mode, a feature introduced in FWSM Release 3.2 lets you use authentication using a AAA server or local database. Previously, the only method of authentication available was to use the login password defined in the system configuration. The new authentication method is enabled by the aaa authentication telnet console command in the admin context. If you upgrade to Release 3.2 and later, and have this command already in the admin context configuration, then authentication for the system execution space is enabled using the specified server or local database, even if you did not intend to enable it. To use the login password instead, you must remove the aaa authentication telnet console command in the admin context.
•Do not configure both the timeout uauth 0 command and the aaa authentication clear-conn command; if you do so, you cannot open any connections through the FWSM because the connection immediately closes when AAA succeeds. This happens every time you try to open a connection (because the FWSM is not caching uauth entries).
•In 3.x, when you used the set connection command for an access list (match access-list), then connection settings were applied to each individual ACE; in 4.0 and later, connection settings are applied to the access list as a whole.
New Features
This section includes the new features for FWSM releases.
Note There are no new features in FWSM Releases 4.1(2) through 4.1(5) nor in Releases 4.1(7) through 4.1(9).
•New Features in Release 4.1(6)
•New Features in Release 4.1(1)
New Features in Release 4.1(6)
Table 1 lists the new feature for FWSM Release 4.1(6).
Table 1 New Feature for FWSM Release 4.1(6)
Feature
|
Description
|
Increased SNMP packet size
|
Increased maximum SNMP response size to 1400, which makes it easier to poll multiple OIDs in a single query. Past FWSM design restricted the packet size of SNMP responses to 484 bytes.
|
New Features in Release 4.1(1)
Table 2 lists the new features for FWSM Version 4.1(1).
Table 2 New Features for FWSM Version 4.1(1)
Feature
|
Description
|
Platform Features
|
Separate hostnames for primary and secondary blades
|
This feature lets you configure a separate hostname on the primary and secondary FWSMs. If the secondary hostname is not configured, the primary and secondary hostnames are the same.
We modified the following command: hostname primary_hostname [secondary secondary_hostname].
|
Firewall Features
|
Creation of UDP sessions with unresolved ARP in the accelerated path
|
If you configure the FWSM to create the session in the accelerated path even though the ARP lookup fails, then it will drop all further packets to the destination IP address until the ARP lookup succeeds. Without this feature, each subsequent UDP packet goes through the session management path before being dropped by the accelerated path, causing potential overload of the session management path.
We introduced the following command: sysopt connection udp create-arp-unresolved-conn.
|
DCERPC Enhancement: Remote Create Instance message support
|
In this release, DCERPC Inspection was enhanced to support inspection of RemoteCreateInstance RPC messages.
No commands were modified.
|
NAT/PAT Global Pool usage enhancement
|
This feature lets you track and manage the usage of global pools for NAT/PAT configurations.
We introduced the following command: show global usage.
|
Reset Connection marked for Deletion
|
You can now disable the sending of a reset (RST) packet for a connection marked for deletion. Starting in this release, reset packets are not sent by default. You can restore the previous behavior, so that when the FWSM receives a SYN packet on the same 5-tuple (source IP and port, destination IP and port, protocol) which was marked for deletion, it will send a reset packet.
We introduced the following command: service reset connection marked-for-deletion.
|
PPTP-GRE Timeout
|
You can now set the timeout for GRE connections that are built as a result of PPTP inspection.
We modified the following command: timeout pptp-gre.
|
Management Features
|
Turning on/off names in Syslog messages
|
This feature enables users to choose whether or not to apply name translation while generating syslogs to the console, syslog server, and FTP syslog server.
We introduced the following command: logging names.
|
Shared Management Interface in Transparent Mode
|
You can now add a management VLAN that is not part of any bridge group. This VLAN is especially useful in multiple context mode where you can share a single management VLAN across multiple contexts.
We introduced the following command for transparent mode: management-only.
|
Teardown Syslog Enhancement
|
New syslogs were added for when a connection is torn down.
We introduced the following syslog messages: 302030 through 33.
|
SNMP Buffer enhancement
|
With this enhancement, SNMP requests will be handled more efficiently, so that the allocated blocks for SNMP are freed up quickly, thus leaving enough blocks for other processes.
No commands were modified.
|
Troubleshooting Features
|
Crashinfo enhancement
|
The crashinfo enhancement improves the reliability of generating crash information.
No commands were modified.
|
Upgrading or Downgrading the Software
This section describes how to upgrade to the latest version, and includes the following topics:
•Viewing Your Current Version
•Upgrading from 2.x or 3.x
•Upgrading the Operating System and ASDM Images
•Downgrading From 4.1
Note For ASDM procedures, see the ASDM release notes.
Viewing Your Current Version
Use the show version command to verify the software version of your FWSM.
Upgrading from 2.x or 3.x
Starting in Release 4.0(1), many commands are migrated to new commands (for example, the http-map commands are converted to policy-map type inspect http commands).
If you upgrade from 2.x or 3.x, the configuration is converted. This converted configuration is not saved to memory until you enter the write memory command (or the write memory all command from the system execution space in multiple context mode).
If you try to downgrade to 2.x or 3.x using a converted configuration, many commands will be rejected. Moreover, if you add access lists to the 4.x configuration to take advantage of larger access list memory space, then downgrading could result in an inability to load all the new access lists.
If you want to downgrade, be sure to copy a saved 2.x or 3.x configuration to the starting configuration before you reload with the 2.x or 3.x image.
Upgrading the Operating System and ASDM Images
This section describes how to install the ASDM and operating system (OS) images to the current application partition using TFTP. For FTP or HTTP, or to install to a different partition, see the "Managing Software, Licenses, and Configurations" chapter in Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI.
To install and start using the new images, perform the following steps:
Detailed Steps
Step 1 If you have a Cisco.com login, you can obtain the OS and ASDM images from the following website:
http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm
Step 2 For multiple context mode, change to the system execution space:
hostname# changeto system
Step 3 Install the new OS using TFTP:
hostname# copy tftp://server[/path]/filename flash:
For example:
hostname# copy tftp://10.1.1.1/c6svc-fwm-k9.4-1-1.bin flash:
Step 4 Install the new ASDM using TFTP:
hostname# copy tftp://server[/path]/filename flash:asdm
For example:
hostname# copy tftp://10.1.1.1/asdm-621f.bin flash:asdm
Step 5 To reload to start running the new software, enter the following command:
Downgrading From 4.1
This section describes how to downgrade from 4.1, and includes the following topics:
•Important Notes
•Downgrading
Important Notes
If you configure the shared management VLAN feature that was introduced in 4.1(1), this feature is not supported when you downgrade to a pre-4.1(1) release.
See the following issues when you use this feature, and then downgrade:
•The interface configuration for the shared VLAN is accepted in the first context configuration in which it appears, but is rejected in subsequent transparent mode contexts.
•For these subsequent contexts, if the startup-config has the management VLAN configuration defined directly after another VLAN configuration for through traffic, then the name and security level associated with the (rejected) shared management VLAN is erroneously applied to the immediately preceding VLAN.
Workaround: Remove the interface configuration for the shared VLAN from all contexts before you downgrade.
For example, you have the following configuration in 4.1:
ip address 10.90.90.4 255.255.255.0 standby 10.90.90.5
After downgrading, the shared management interface vlan101 command is rejected if it was already used in another context; so the nameif dmz and security-level 100 commands are applied to VLAN 100, overwriting the original nameif and security-level commands. (The VLAN 101 management-only and ip address commands are rejected because they are not allowed for the interface vlan command pre-4.1). The resulting VLAN 100 configuration is the following:
Downgrading
This section describes how to downgrade the ASDM and operating system (OS) images to the current application partitionusing TFTP. For FTP or HTTP, or to install to a different partition, see the "Managing Software, Licenses, and Configurations" chapter in Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI.
To install and start using the old images, perform the following steps:
Step 1 If you have a Cisco.com login, you can obtain the OS and ASDM images from the following website:
http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm
Step 2 If you configured shared management VLANs for transparent mode contexts, see the "Important Notes" section to remove the configuration for each context.
Step 3 For multiple context mode, change to the system execution space:
hostname# changeto system
Step 4 Install the old OS using TFTP:
hostname# copy tftp://server[/path]/filename flash:
For example:
hostname# copy tftp://10.1.1.1/c6svc-fwm-k9.4-0-1.bin flash:
Step 5 (Optional) Install the old ASDM using TFTP:
hostname# copy tftp://server[/path]/filename flash:asdm
ASDM Version 6.2F is backwards compatible with previous versions, so you do not need to downgrade ASDM.
For example:
hostname# copy tftp://10.1.1.1/asdm-611f.bin flash:asdm
Step 6 To reload to start running the old software, enter the following command:
Chassis System Requirements
You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in these release notes as the "switch." The switch includes a switch (the supervisor engine) as well as a router (the MSFC 2).
The switch supports Cisco IOS software on both the switch supervisor engine and the integrated MSFC router.
Note The Catalyst operating system software is not supported.
The FWSM does not support a direct connection to a switch WAN port because WAN ports do not use static VLANs. However, the WAN port can connect to the MSFC, which can connect to the FWSM.
The FWSM runs its own operating system.
Note Because the FWSM runs its own operating system, upgrading the Cisco IOS software does not affect the operation of the FWSM.
This section includes the following topics:
•Catalyst 6500 Series Requirements
•Cisco 7600 Series Requirements
Catalyst 6500 Series Requirements
Table 3 shows the supervisor engine version and software.
Table 3 Support for FWSM 4.1 on the Catalyst 6500
| |
FWSM Features:
|
| |
|
PISA Integration
|
Route Health Injection
|
Virtual Switching System
|
Cisco IOS Software Release
|
12.2(33)SXJ2
|
720-10GE
|
No
|
Yes
|
Yes
|
12.2(33)SXJ2
|
720
|
No
|
Yes
|
No
|
12.2(33)SXJ2
|
32
|
No
|
Yes
|
No
|
12.2(33)SXI8
|
720-10GE
|
No
|
Yes
|
Yes
|
12.2(33)SXI8
|
720
|
No
|
Yes
|
No
|
12.2(33)SXJ1
|
720-10GE
|
No
|
Yes
|
Yes
|
12.2(33)SXJ1
|
720
|
No
|
Yes
|
No
|
12.2(33)SXJ1
|
32
|
No
|
Yes
|
No
|
12.2(33)SXJ
|
720-10GE
|
No
|
Yes
|
Yes
|
12.2(33)SXJ
|
720
|
No
|
Yes
|
No
|
12.2(33)SXJ
|
32
|
No
|
Yes
|
No
|
12.2(33)SXI6
|
720-10GE
|
No
|
Yes
|
Yes
|
12.2(33)SXI6
|
720
|
No
|
Yes
|
No
|
12.2(33)SXI7
|
720-10GE
|
No
|
Yes
|
Yes
|
12.2(33)SXI7
|
720
|
No
|
Yes
|
No
|
12.2(18)SXF and higher
|
720, 32
|
No
|
No
|
No
|
12.2(18)SXF2 and higher
|
2, 720, 32
|
No
|
No
|
No
|
12.2(33)SXI
|
720-10GE
|
No
|
Yes
|
Yes
|
12.2(33)SXI
|
720, 32
|
No
|
Yes
|
No
|
12.2(33)SXI2
|
720-10GE
|
No
|
Yes
|
Yes
|
12.2(33)SXI2
|
720, 32
|
No
|
Yes
|
No
|
12.2(18)ZYA
|
32-PISA
|
Yes
|
No
|
No
|
Cisco IOS Software Modularity Release
|
12.2(18)SXF4
|
720, 32
|
No
|
No
|
No
|
Cisco 7600 Series Requirements
Table 4 shows the supervisor engine version and software.
Table 4 Support for FWSM 4.1 on the Cisco 7600
| |
FWSM Features:
|
| |
|
PISA Integration
|
Route Health Injection
|
Virtual Switching System
|
Cisco IOS Software Release
|
12.2(33)SRD6
|
720-3C-1GE
|
No
|
No
|
No
|
12.2(33)SRA
|
720, 32
|
No
|
No
|
No
|
12.2(33)SRB
|
720, 32
|
No
|
No
|
No
|
12.2(33)SRC
|
720, 32, 720-1GE
|
No
|
No
|
No
|
12.2(33)SRD
|
720, 32, 720-1GE
|
No
|
No
|
No
|
12.2(33)SRE
|
720, 32, 720-1GE
|
No
|
No
|
No
|
12.2(33)SRE2
|
720-3C-1GE
|
No
|
No
|
No
|
Management Support
The FWSM supports the following management methods:
•Cisco ASDM—Software Release 6.2F supports FWSM software Release 4.1 features. ASDM is a browser-based configuration tool that resides on the FWSM. The system administrator can configure multiple security contexts. If desired, individual context administrators can configure only their contexts.
•Command-line interface (CLI)—Access the CLI by sessioning from the switch or by connecting to the FWSM over the network using Telnet or SSH. The FWSM does not have its own external console port.
Software License Information
The FWSM supports the following licensed features:
•Multiple security contexts. The FWSM supports two virtual contexts plus one admin context for a total of three security contexts without a license. For more than three contexts, obtain one of the following licenses:
–20
–50
–100
–250
•BGP stub support.
•GTP/GPRS support.
Limitations and Restrictions
Note These limitations and restrictions also exist in FWSM 3.x.
See the following limitations and restrictions on the FWSM:
•The following features are not supported when you use TCP state bypass:
–Application inspection—Application inspection requires both inbound and outbound traffic to go through the same FWSM, so application inspection is not supported with TCP state bypass.
–AAA authenticated sessions—When a user authenticates with one FWSM, traffic returning via the other FWSM will be denied because the user did not authenticate with that FWSM.
•Multiple context mode does not support most dynamic routing protocols. BGP stub mode is supported. Security contexts support only static routes or BGP stub mode. You cannot enable OSPF or RIP in multiple context mode.
•Transparent firewall mode supports a maximum of eight interface pairs per context; however, when multiple bridge-group interfaces exist in a single context, inspection may not work properly. We recommend that you create a separate context for traffic that requires inspection.
•For transparent firewall mode, you must configure a management IP address per interface pair.
•The outbound connections (from a higher security interface to a lower security interface) from an interface that is shared between the contexts can only be classified and directed through the correct context if you configure a static translation for the destination IP address. This limitation makes cascading contexts unsupported, because configuring the static translations for all the outside hosts is not feasible.
•The CPU-intensive commands, such as copy running-config startup-config (the same as the write memory command), might affect system performance, including reducing the successful rate of inspection and AAA connections. When a CPU-intensive action completes, the FWSM might produce a burst of traffic to catch up. If you limit the resource rates for a context, the burst might unexpectedly reach the maximum rate. We recommend using these commands during low traffic periods. Other CPU-intensive actions include the show arp command, polling the FWSM with SNMP, loading a large configuration, and compiling a large access list.
•Do not configure both the timeout uauth 0 command and the aaa authentication clear-conn command; if you do so, you cannot open any connections through the FWSM because the connection immediately closes when AAA succeeds. This happens every time you try to open a connection (because the FWSM is not caching uauth entries).
•During URL filtering at high rates, the HTTP connection to the server through the FWSM might not complete correctly in some scenarios with the TCP normalizer enabled and URL filtering enabled. To solve this issue, enter the url-block block 16 command in multiple mode or the url-block block 128 command in single mode. (CSCsj00658)
•SIP application inspection does not match regular expressions specified in the message-path against a second or larger instance of the VIA SIP Header. Check whether your purpose is accomplished by matching the regular expression specified in the message-path against the first VIA: SIP Header. (CSCso69892)
•SIP calls with a SIP URI length greater than 256 characters are dropped by the FWSM. Make the SIP User Agent make SIP calls with a SIP URI length less than 256 characters. (CSCsm37291)
•If the FWSM uses EIGRP, and receives multiple equal-cost routes to the same destination, it installs all of them in the EIGRP topology table. But the FWSM fails to install all the equal-cost routes into the routing table. (CSCso98423)
Open Caveats
The caveats listed in Table 5 are open in the latest maintenance release.
If you are running an older release, and you need to determine the open caveats for your release, then add the caveats in this section to the resolved caveats from later releases. For example, if you are running Release 4.1(1), then you need to add the caveats in this section to the resolved caveats from 4.1(2) and above to determine the complete list of open caveats.
If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/bugtoolss
Table 5 Open Caveats
Caveat
|
Description
|
CSCtc19367
|
Discrepancy between max xlate count and show global usage most used cnt
|
CSCte02131
|
show xlate count and show global usage on standby do not match
|
CSCte08789
|
FWSM generates Corrupted crashinfo file
|
Resolved Caveats
This section contains resolved caveats in each maintenance release and includes the following topics:
•Resolved Caveats in Release 4.1(9)
•Resolved Caveats in Release 4.1(8)
•Resolved Caveats in Release 4.1(7)
•Resolved Caveats in Release 4.1(6)
•Resolved Caveats in Release 4.1(5)
•Resolved Caveats in Release 4.1(4)
•Resolved Caveats in Release 4.1(3)
•Resolved Caveats in Release 4.1(2)
•Resolved Caveats in Release 4.1(1)
Resolved Caveats in Release 4.1(9)
The caveats listed in Table 6 were resolved in Release 4.1(9) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/
Table 6 Resolved Caveats in FWSM Release 4.1(9)
Caveat
|
Description
|
CSCei38791
|
no access-list x ? gives error
|
CSCts02267
|
FWSM - Remove "dns" keyword from CLI for static policy NAT
|
CSCts50980
|
FWSM not forwarding multicast fragments >8792 bytes
|
CSCtz37106
|
IPv6 static route CLI push to fwsm through CSM fails
|
CSCtu29020
|
Traceback in Thread Name ssh
|
CSCtx80666
|
FWSM 4.1.7 crashes while removing contexts
|
CSCtx80776
|
pings are counted for conn-max cumulatively
|
CSCty24997
|
warn the usage while configuring set connection tcp timeout
|
CSCty49940
|
FWSM np completion-unit disabled after deleting context
|
CSCtz01442
|
FWSM parser change: Disallowing DNS Guard with ASR Groups
|
Resolved Caveats in Release 4.1(8)
The caveats listed in Table 7 were resolved in Release 4.1(8) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/
Table 7 Resolved Caveats in FWSM Release 4.1(8)
Caveat
|
Description
|
CSCtn27129
|
FWSM crashed in np_cls_download_process when adding Policy NAT ACEs
|
CSCtq39473
|
FWSM crashes under thread name EIGRP-IPv4: PDM
|
CSCtr52678
|
FWSM can not set the MSS value on IPV6 packets
|
CSCtr74381
|
URL Filtering fails if data appended to HTTP GET header
|
CSCts38551
|
Fastpath NP ARP Entries not Timed Out from CP in Transparent Mode
|
CSCts68298
|
FWSM: CLI should reject multicast address for next hop IP
|
CSCtt94371
|
FWSM tcp syslogging creates many connections when server goes down
|
CSCtu02674
|
Enh:DCERPC inspection doesnt support RCI messages for all the scenorio's
|
CSCtw45873
|
Remove asserts in IPv46 API
|
CSCtw56411
|
FWSM software traceback on thread name doorbell_poll
|
Resolved Caveats in Release 4.1(7)
The caveats listed in Table 8 were resolved in Release 4.1(7) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/
Table 8 Resolved Caveats in FWSM Release 4.1(7)
Caveat
|
Description
|
CSCso92808
|
CUPC fails to transmit port 50001 due to reassembly limit of 8192
|
CSCtr38044
|
Memory leak in 0x008881e5
|
CSCtr60971
|
Max DHCP Relay Server allowed is 10;FWSM gives error when adding 10th
|
CSCtr75137
|
FWSM 4.1 memory leak snmp in binsize 576 pc = 0x00ab40f7
|
Resolved Caveats in Release 4.1(6)
The caveats listed in Table 9 were resolved in Release 4.1(6) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/
Table 9 Resolved Caveats in FWSM Release 4.1(6)
Caveat
|
Description
|
CSCsk71402
|
fwsm - cannot add static mac-address-table entry
|
CSCtb31446
|
fast path NP Hard assert causes FWSM to pause indefinitely
|
CSCtg02624
|
Traceback with call http_proxy_send_form_page
|
CSCti25015
|
route-monitor: inconsistency of metric after second gateway recovery
|
CSCti93353
|
FWSM dns doctroring might over-write embedded ip addresses it should not
|
CSCtj31001
|
FWSM does not pass Jumbo IPV6 packets
|
CSCtl01291
|
FWSM 3.2 - deny-flow-max stuck when denied is not at 4096
|
CSCtl06095
|
FWSM allowing some tcp non-syn pkts to pass when there is no conn
|
CSCtl76091
|
Issuing commands for mcast displaying the same database crashes FWSM.
|
CSCtl92927
|
crash at 0xb5b9f2 in Thread name ssh
|
CSCtn83135
|
NAT failure for data channel connections in Transparent FW mode
|
CSCto31630
|
EHN:Increase packet size for SNMP response on FWSM
|
CSCto43960
|
FWSM: DCERPC inspection of packet with multiple segments fails
|
CSCto56305
|
FWSM nested traceback in thread name doorbell poll (NP2 PC 0x5ba1)
|
Resolved Caveats in Release 4.1(5)
The following caveats were resolved in Release 4.1(5) and were not previously documented. If you are a registered Cisco.com user, you can view more information about the caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/
•CSCtk61424—OpenSSL Ciphersuite Downgrade and J-PAKE Issues
Symptom:
The device may be affected by an OpenSSL vulnerabilities described in CVE-2010-4180 and CVE-2010-4252.
Conditions:
Device configured with any feature that uses SSL.
Workaround:
Not available
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.1/3.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
CVE IDs CVE-2010-4180 and CVE-2010-4252 have been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
•CSCtl21186—Cmd authorization fails for certain commands on fallback to LOCAL db
Symptom:
Certain commands like 'show running-config', 'show interface' are allowed to be executed by users with lower privilege-level when fallback has occured.
Conditions:
1. Fallback to LOCAL is configured
2. All FWSM commands are assigned their default privilege levels in LOCAL db.
3. Users with lower privilege-level than 15 login into privileged-exec mode and execute 'show running-config' or 'show interface' commands, and some config commands.
Workaround:
none.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.0/5.0:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE ID CSCtl94142 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
•CSCtl84952—SCCP inspection DoS vulnerability
A vulnerability exists in the Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing a malformed Skinny Client Control Protocol (SCCP) message. Devices are affected when SCCP inspection is enabled.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml
Note: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the vulnerability described in this advisory. A separate Cisco Security Advisory has been published to disclose this and other vulnerabilities that affect the Cisco ASA 5500 Series Adaptive Security Appliances. The advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml
•CSCtn04571—Breakage in dcerpc inspection code
Symptom:
RCI response is not processed correctly. Enabling dcerpc debugs shows that the signature 'MEOW' is not found.
Conditions:
Processing RCI response.
Workaround:
None.
Resolved Caveats in Release 4.1(4)
The caveats listed in Table 10 were resolved in software Release 4.1(4). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/bugtools
Table 10 Resolved Caveats in Release 4.1(4)
Caveat ID
|
Descriptions
|
CSCsu64376
|
Standby reloads when 'tcp' added to obj-grp used by ACL having port 0
|
CSCtf84419
|
Multiple policy-nat statements might not match right until ACL recompile
|
CSCth72685
|
FWSM np completion-unit disabled after reboot however in startup config
|
CSCth74635
|
FWSM may crash in thread "fast_fixup" with inspect dcerpc enabled
|
CSCti38339
|
FWSM may reload with traceback in Thread Name: skinny
|
CSCti41683
|
Inspect FTP doesn't work if class for TCP bypass is checked against
|
CSCtj21761
|
term pager command affects all sessions and future sessions
|
CSCtj29249
|
Transparent FWSM doesn't send RST for data with state-bypass configured
|
CSCtj46839
|
RTSP streaming problems through FWSM
|
CSCtj62348
|
FWSM: management-access command orphaned if configured intf is removed
|
CSCtj78005
|
After removing service-policy state-bypass flag not updated in np vlan
|
CSCtk19326
|
FWSM 4.0 may fail to send RST for non-syn TCP segment with no connection
|
CSCtk62630
|
FWSM: Copying optimized ACL to running config results in incomplete ACL
|
Resolved Caveats in Release 4.1(3)
The caveats listed in Table 11 were resolved in software Release 4.1(3). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/bugtools
Table 11 Resolved Caveats in Release 4.1(3)
Caveat ID
|
Descriptions
|
CSCtc23265
|
Add best effort failover support for TCP proxy
|
CSCtf87102
|
Access-list optimization w/ discontinuous masks does not work correctly
|
CSCtg64606
|
Some Special IPV6 addresses can not be handled by FWSM well
|
CSCtg66395
|
FWSM doesn't NAT Audio stream of SIP connection
|
CSCtg91966
|
Unicast RPF statistics cannot be cleared
|
CSCth10381
|
FWSM: Discrepancy between sh perfmon vs sh service-policy output
|
CSCth48464
|
Secondary Pinhole not opened for SDP two-media connections
|
CSCth49514
|
Regular translation creation failed errors on forcing switchover
|
CSCth51877
|
Reactivatoin-mode depletion does not work correctly on FWSM
|
CSCth52880
|
Http inspection protocol violation when content lenght > 2684000000
|
CSCth64565
|
FWSM 3.2.10 sunrpc-server command doesn't work host IP and network mask
|
CSCth71469
|
Traceback in 'fast_fixup' Thread Due to DCERPC Inspection
|
CSCth86890
|
Snmpwalk on the admin ctx shows only failover ip in ipAdEntAddr table
|
CSCth95284
|
FWSM 4.0.11 might crash at Thread Name: PAT XlateCache
|
Resolved Caveats in Release 4.1(2)
The caveats listed in Table 12 were resolved in software Release 4.1(2). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/bugtools
Table 12 Resolved Caveats in Release 4.1(2)
Caveat ID
|
Description
|
CSCsf01863
|
Syslog 302013 does not show user field properly
|
CSCtc54126
|
SIP media connections stays at connection table after closed call
|
CSCtd19411
|
cut-through proxy in transparent sends invalid ACK before SYN-ACK
|
CSCtd46324
|
FWSM software reloads on doorbell_poll while deleting a dns session
|
CSCtd72287
|
FWSM: unexpectedly reloads in Thread Name: MGCP
|
CSCtd94681
|
FWSM re-uses some PAT translation ports too frequently
|
CSCte25307
|
Telnet NOOP command sent to FWSM causes next character to be dropped
|
CSCte48165
|
Broken single ip address feature for more than 1 "virtual" protocols use
|
CSCte49110
|
FWSM setting DF bit on reassembled skinny packet
|
CSCte51034
|
FWSM doesnt failover static routes pointing to its own interface
|
CSCte66339
|
policy-map names exceeding 16 characters leak memory upon ACE addition
|
CSCte70411
|
IPv6 object-group does not allow nested objects
|
CSCte85951
|
Memory leak with HTTP inspection and "match" commands in policy-map
|
CSCtf15459
|
FWSM: about 15 seconds continuous traffic drops when active is reloaded
|
CSCtf27583
|
FWSM: May crash in Thread name fast-fixup - due to inspect dcerpc
|
CSCtf31676
|
Secondary Active FWSM Creates a Context Using BIA MAC
|
CSCtf41503
|
FWSM sends a ACK with wrong TCP options.
|
CSCtf49704
|
FWSM software forced reloads in - Thread Name: websns_snd
|
CSCtf51696
|
SQL*Net Inspection Opens Pinholes Based on Non-Redirect Messages
|
CSCtf57135
|
fwsm 3.2 - deny-flow-max stuck when denied is not at 4096
|
CSCtf73798
|
CheckHeaps crash after SSH command
|
CSCtf77950
|
SNMP - Interfaces not recognised by snmpwalk to FWSM
|
CSCtf83964
|
FWSM OSPF neighbors stuck in LOADING state for long time
|
CSCtf92566
|
IPv6 fragment packet dropped with "Invalid udp length"
|
CSCtf94490
|
Unable to query SNMP OID cufwUrlfServerStatus on FWSM
|
CSCtg01772
|
FWSM stops traffic forwarding by changing static route's distance metric
|
CSCtg14948
|
FWSM DHCPrelay intermittent failures
|
CSCtg17279
|
In shared vlan scenario destination NAT might break communication.
|
CSCtg31044
|
client_port field is not rewritten in the RTSP SETUP reply
|
CSCtg35889
|
NP1/2 Lockup on standby FWSM
|
CSCtg60275
|
Configuring conflicting static NAT causes failover fail and sync config
|
Resolved Caveats in Release 4.1(1)
The caveats listed in Table 13 were resolved in software Release 4.1(1). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://www.cisco.com/support/bugtools
Table 13 Resolved Caveats in Release 4.1(1)
Caveat ID
|
Description
|
CSCsk12223
|
FWSM unexpectedly reloads on Thread name ssh
|
CSCsx26083
|
ENH: FWSM DCERPC inspection doesn't support 'Remote Create Instance' msg
|
CSCsx79204
|
PPTP GRE connections do not have configured idle timeout set
|
CSCsz81503
|
FWSM Bidir forwarding fails after reload
|
CSCta44620
|
Software Forced reset in fast_fixup with multiple FTP connections
|
CSCta58702
|
FWSM pause indefinitely due to high icmp traffic through 2 mgt sessions
|
CSCta60764
|
Cut-thru-proxy:certificate error after completion of intial authenticati
|
CSCta64836
|
Firewall blade unexpectdly reloads with traffic
|
CSCta64957
|
No new connections on after failover with a particular NAT configuration
|
CSCta68828
|
FWSM forming OSPF adjacency with 5 seconds delay
|
CSCta73803
|
concurrent snmpwalk across many contexts causes loss of 16384 blocks
|
CSCta74788
|
Incorrect xlate replicated to standby for same security interface
|
CSCtb03565
|
FWSM corrupts ICMP time to live exceeded with MPLS TAG
|
CSCtb03929
|
snmp polling of NP data should not exhaust all 16k blocks
|
CSCtb14966
|
SunRPC inspection drops GETPORT reply packet
|
CSCtb18628
|
routing Route-monitor not update the routing table with same metric routes
|
CSCtb18847
|
data-path NP 3 pause indefinitely with established command
|
CSCtb23513
|
Authentication in progress sessions not removed with DACLs
|
CSCtb34170
|
Static PAT causing failure for traffic from inside
|
CSCtb49352
|
FWSM Cert Enrollment doesnt work with SCEP
|
CSCtb49822
|
url-filtering http traffic with segmented GET blocked by url-filtering configuration
|
CSCtb76719
|
Meaning of Flags 's' and 'S' is Reversed in 'show conn detail' Output
|
CSCtb88893
|
Transparent mode FWSM, Active passing braodcast arp from standby
|
CSCtc02363
|
RTSP inspect incorrect IP address translation in URL headers
|
CSCtc12597
|
FWSM software forced reload in Thread Name: ACL Cache during SNMP Poll
|
CSCtc32047
|
FWM sends RST instead of silently drop packets
|
CSCtc36009
|
TCP reset option incorrectly appears in set connection timeout command
|
CSCtc36050
|
capture feature shows ICMP payload modified by firewall when it is not
|
CSCtc36380
|
FWSM corrupts ICMP checksum in ICMP unreachable packets
|
CSCtc36651
|
FTP fails in Active/Active mode when two contexts not active on same FW
|
CSCtc38617
|
TCP Sequence Numbers Randomized for TCP State Bypassed Conns
|
CSCtc40207
|
Standby transparent FWSM might send arp request using active MAC
|
CSCtc68193
|
snmp query for any OID under 1.3.6.1.2.1. causes np xlate query
|
CSCtc71533
|
IPv6 object-group does not allow group-objects
|
CSCtc72148
|
WS-C6506-E-FWM/ High CPU usage
|
CSCtd23101
|
FWSM access-list optimization cause missing lines
|
CSCtd42763
|
logging FWSM: Syslog 111005 does not print when exiting config mode
|
CSCtd60672
|
FWSM fails to compile ACL when custom partition size used with failover
|
CSCtd62290
|
FWSM: TACACS+ CMD Accounting packets have a Caller-ID field of 0.0.0.0
|
CSCtd73676
|
Only one virtual protocol can be configured with the "virtual" command
|
CSCtd78604
|
FWSM: ACLs missing after adding items to object-groups
|
CSCtd86296
|
logging FWSM: Need to extend syslog message %FWSM-2-106024
|
CSCte48563
|
NP3 pauses due to duplicate xlate created for identity traffic
|
Related Documentation
See the following sections for related documentation:
•Hardware Documents
•Software Documents
Hardware Documents
See the following related hardware documentation:
•Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Installation and Verification Note
•Catalyst 6500 Series Switch Installation Guide
•Catalyst 6500 Series Switch Module Installation Guide
Software Documents
See the following related software documentation:
•Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
•Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference
•Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages
•Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
•Release Notes for Cisco ASDM
•Open Source Software Licenses for FWSM
•Catalyst 6500 Series Cisco IOS Software Configuration Guide
•Catalyst 6500 Series Cisco IOS Command Reference
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
©2012 Cisco Systems, Inc. All rights reserved.
