Cisco Catalyst 6500 Series Firewall Services Module
Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 4.0(x)
Open Caveats
The FWSM does not send EIGRP summarized routes under some conditions immediately after a
reload even though auto-summary is enabled. This occurs when EIGRP network statements exist for
40 or more interfaces.
Workaround: After the reload, wait for some amount of time (depending on the number of network
statements configured) and issue the clear eigrp neighbors command.
•
CSCsr57543
When an access list has more than one access list remark command, and other ACEs form an
optimization scenario, one or more remark statements are removed from the optimized output.
Workaround: None.
•
CSCsu56609
Voice traffic for SCCP calls does not go through when the FWSM is configured for NAT exemption
(nat 0 access-list).
Workaround: Use identity NAT (nat 0) or static identity NAT instead of NAT exemption.
Alternatively, if the configuration allows, you can disable NAT control using the no nat control
command.
•
CSCsw44990
The output for the show np 3 aaa stats command shows AAA lookup failures incrementing even
though all the AAA requests are successful.
Workaround: None.
•
CSCsw45260
The number of rejects shown in the show aaa-server command is incorrect; the RADIUS server
reject counter is incrementing even though the RADIUS server is not sending any Reject messages.
Workaround: None.
•
CSCsy62047
When applying an inspection service policy, the FWSM shows the following error: portmap_index:
unable to locate fixup. This occurs when the class map contains any match statements other than
match port.
Workaround: Use a class-map that matches a port or use the class-inspection-default class map.
•
CSCsz82463
The FWSM blocks certain RTSP streams.
Workaround: Permit all RTSP ports.
•
CSCsz95950
ICMP Traceroute does not work across an FWSM when the traffic is routed asymmetrically between
two physical FWSMs in failover. ICMP Type 11 (Time Exceeded) responses are arriving at a
location that is different from the originating FWSM. This happens because the ICMP connections
are not statefully replicated to the failover peer even with ICMP inspection enabled.
Workaround: Do not route traffic asymmetrically, or use UDP Traceroute instead.
•
CSCtc23265
After the FWSM fails over with H.323 inspection enabled, active H.323 connections through the
FWSM might be disconnected. You have to re-establish the connections.
Workaround: If no NAT is being performed by the FWSM, disable the H.323 inspection and permit
all necessary connectivity between the H.323 endpoints explicitly via the access lists on the FWSM.