Cisco Catalyst 6500 Series Firewall Services Module Troubleshooting Guide

FWSM: Troubleshoot Traffic Failures Due to Wrong Xlates
Document ID: 115010
Contributed by Michael Robertson and Jay Johnston, Cisco TAC Engineers.
Nov 02, 2012
Contents
  Introduction
  Prerequisites
    Requirements
    Components Used
    Conventions
  Symptoms
    Logical Topology
    Relevant Configuration
    Observed Behaviors
  Triggers
  Solutions
    Resolve Incorrect Routing Configurations
    Disable same-security-traffic permit intra-interface
    Drop Packets that Arrive on an Incorrect Interface (ACLs or uRPF)
    Enable xlate-bypass
  Summary
  Related Information
Introduction
Due to the design of the Firewall Services Module's (FWSM) packet processing, xlates built by incorrectly
routed packets can cause traffic failures for connections through the firewall. In order to select an egress
interface for an inbound packet, the FWSM first checks to see if the destination IP of the inbound packet
matches any existing global IP/Network in a NAT translation (xlate) for that interface in its xlate table. If a
match is found, the egress interface is simply chosen based on the local interface in the xlate entry and the
firewall does not consult the routing table to make the egress interface decision.
The default behavior of the FWSM is to build an xlate entry for the source IP of any permitted packet that is
received on one of its interfaces. If a packet is routed through the network incorrectly (for any number of
reasons) and arrives inbound on the wrong interface of the FWSM, an xlate is built to reflect this. When this
occurs, entries in the xlate table can override entries in the routing table and cause traffic failures for the
affected destinations.
This document describes the symptoms and triggers of this issue, explains how to diagnose it, and provides
solutions that prevent it from occurring.
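The following is an added toy model of the egress-interface decision described above; it is not Cisco code and deliberately simplifies the FWSM (identity xlates only, one xlate per source IP, and xlate-bypass modelled as "build no identity xlate"). Interface names, prefixes and addresses are constructed for the illustration. It shows a misrouted packet from an inside host arriving on the outside interface, the xlate that results, and how that xlate then overrides the routing table for a later packet destined to that host, with the two preventive controls from the Solutions section (dropping packets that arrive on the wrong interface, and xlate-bypass) shown alongside.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, egress interface); longest match wins.
ROUTES = [
    (ip_network("10.1.1.0/24"), "inside"),
    (ip_network("172.16.0.0/16"), "dmz"),
    (ip_network("0.0.0.0/0"), "outside"),
]


def route_lookup(dst):
    """Plain routing-table decision: longest prefix match for dst."""
    best = max((r for r in ROUTES if ip_address(dst) in r[0]),
               key=lambda r: r[0].prefixlen)
    return best[1]


class FWSM:
    """Simplified model of the FWSM forwarding decision (assumption, not real code)."""

    def __init__(self, xlate_bypass=False, wrong_ifc_drop=False):
        self.xlates = {}                  # global IP -> interface the xlate was built on
        self.xlate_bypass = xlate_bypass  # do not build identity xlates
        self.wrong_ifc_drop = wrong_ifc_drop  # uRPF/ACL-style check on the ingress interface

    def receive(self, ingress, src, dst):
        """Return the egress interface for a permitted packet, or None if dropped."""
        if self.wrong_ifc_drop and route_lookup(src) != ingress:
            return None  # packet arrived on an interface the routing table does not expect
        # Default behaviour: an xlate is built for the source of any permitted
        # packet on the interface it arrived on, even when the packet was misrouted.
        if not self.xlate_bypass:
            self.xlates.setdefault(src, ingress)
        # The xlate table is consulted before the routing table: a match on the
        # destination selects the xlate's local interface as egress.
        local_ifc = self.xlates.get(dst)
        if local_ifc is not None and local_ifc != ingress:
            return local_ifc
        return route_lookup(dst)


def demo(**opts):
    """Misrouted inside host 10.1.1.10 arrives on outside; then dmz sends to it."""
    fw = FWSM(**opts)
    fw.receive("outside", "10.1.1.10", "172.16.5.5")     # builds xlate 10.1.1.10 -> outside
    return fw.receive("dmz", "172.16.5.5", "10.1.1.10")  # routing says inside; xlate says outside
```

With default settings `demo()` returns "outside", the wrong interface for 10.1.1.10; with either control enabled it returns "inside", matching the routing table.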
Prerequisites