Cisco Catalyst 6500 Series Firewall Services Module
Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 4.0(x)
Resolved Caveats
Workaround: Remove the management access configuration with the clear configure management-access command.
• CSCtj78005
When state-bypass was configured at one time and had been removed from the configuration, the FWSM does not log the Deny TCP no connection message or send a RST back for a non-syn TCP packet.
Workaround: Ensure that state-bypass is not in the startup-configuration, and reload the FWSM.
• CSCtk19326
When an FWSM is running Version 4.0, and the service reset no-connection command is configured (in the admin context if multi-mode), then the FWSM does not send RSTs back to the host for outbound non-syn TCP segments when no connection exists.
The following is sample output from the show np [1|2] global-table command:
- Tcp Reset Enabled: 0
0 = do not send RST
1 = send RST
Workaround: Remove and reapply the service reset no-connection command.
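The caveat above gives a practitioner two things to compare: whether service reset no-connection is present in the running configuration, and what the NP global table reports for "Tcp Reset Enabled" (0 = do not send RST, 1 = send RST). The following is an added example, not Cisco's code or part of the release notes, that parses both and reports the CSCtk19326 mismatch. The sample configuration and show np output are constructed for this example, modeled on the excerpt in the note; the real command prints many more lines, and the regular expression only looks for the one line the note documents.

```python
import re
from typing import Optional

# Constructed sample output, modeled on the "show np [1|2] global-table"
# excerpt in the release note (the real output is much longer).
SAMPLE_NP_OUTPUT = """\
show np 1 global-table
  - Tcp Reset Enabled: 0
  - Other Flag: 1
"""

# Constructed running-config excerpt; "service reset no-connection" is the
# command named in the caveat.
SAMPLE_RUNNING_CONFIG = """\
hostname fwsm-lab
service reset no-connection
"""

_TCP_RESET_RE = re.compile(r"Tcp Reset Enabled:\s*(\d+)")


def tcp_reset_enabled(np_output: str) -> Optional[bool]:
    """Return the NP 'Tcp Reset Enabled' flag as a bool, or None if the
    line is absent. Per the release note: 0 = do not send RST, 1 = send RST."""
    m = _TCP_RESET_RE.search(np_output)
    if m is None:
        return None
    return m.group(1) == "1"


def reset_no_connection_configured(running_config: str) -> bool:
    """True if 'service reset no-connection' appears as an active command.
    A negated form ('no service reset no-connection') does not match."""
    return any(line.strip() == "service reset no-connection"
               for line in running_config.splitlines())


def check_csctk19326(running_config: str, np_output: str) -> str:
    """Classify the device state described in CSCtk19326."""
    configured = reset_no_connection_configured(running_config)
    np_flag = tcp_reset_enabled(np_output)
    if np_flag is None:
        return "unknown: 'Tcp Reset Enabled' not found in show np output"
    if configured and not np_flag:
        return ("mismatch: service reset no-connection is configured but the NP "
                "shows Tcp Reset Enabled: 0 (CSCtk19326 symptom; remove and "
                "reapply the command)")
    if configured:
        return "ok: RST sending is enabled on the NP"
    return "ok: service reset no-connection is not configured"


if __name__ == "__main__":
    print(check_csctk19326(SAMPLE_RUNNING_CONFIG, SAMPLE_NP_OUTPUT))
```

Run the check against both NPs on a multi-NP module (show np 1 and show np 2), since the note's sample command takes either index.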
• CSCtk62630
When you enter the copy optimized-running-config command on an FWSM with optimized ACLs, the resulting ACL copied into the running-config is corrupted and missing large portions.
Workaround: Do not run the copy optimized-running-config command. This command serves only to copy the optimized ACL back into the running configuration. It is not required for ACL optimization to function.
• CSCti41683
When you have two separate class-maps configured, one for application inspection and the other for tcp-state-bypass, with deny ACEs for the traffic that needs application inspection, then although that traffic hits the deny ACE of the class-map whose action is tcp-state-bypass, the same traffic still does not pass through any other application inspection configuration. Protocols such as FTP, which need dynamic ports to be opened, therefore do not work.
Workaround: Either open all ports for the hosts that need application inspection, which is a security concern, or remove the tcp-state-bypass configuration; both options might lead to connectivity issues.
Resolved Caveats in Software Release 4.0(13)
• CSCsu64376
The standby device reloads when you add TCP to an object group within an access list in port 0.
Workaround: Do not use port 0 for TCP.
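Two of the workarounds on this page ask the administrator to confirm that something is absent from the configuration: CSCtj78005 wants tcp-state-bypass out of the startup-configuration before the reload, and CSCsu64376 wants no TCP port 0 in object groups or access lists. The following is an added example, not Cisco's code or part of the release notes, that lints a saved configuration for both. The object-group service, port-object and access-list syntax follows the FWSM/ASA command style; the sample configuration is constructed for this example, and the lint only recognises the eq and range port operators, so other forms would need to be added.

```python
from typing import Dict, List, Tuple

# Constructed startup-config excerpt containing one instance of each
# condition the two caveats warn about.
SAMPLE_STARTUP_CONFIG = """\
hostname fwsm-lab
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 0
object-group service DNS-PORTS udp
 port-object eq 53
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 object-group WEB-PORTS
access-list OUTSIDE-IN extended permit tcp any any eq 0
access-list BYPASS-ACL extended permit tcp 10.0.0.0 255.255.255.0 any
class-map BYPASS
 match access-list BYPASS-ACL
policy-map global_policy
 class BYPASS
  set connection advanced-options tcp-state-bypass
"""

_TCP_PROTOCOLS = ("tcp", "tcp-udp")


def find_tcp_state_bypass(config: str) -> List[int]:
    """Line numbers (1-based) where tcp-state-bypass is set (CSCtj78005)."""
    return [n for n, line in enumerate(config.splitlines(), start=1)
            if "tcp-state-bypass" in line.split()]


def _has_port_zero(tokens: List[str]) -> bool:
    """True if an 'eq' or 'range' operator is followed by port 0."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("eq", "range") and tokens[i + 1] == "0":
            return True
    return False


def find_tcp_port_zero(config: str) -> List[Tuple[int, str]]:
    """(line number, reason) for every TCP port 0 in a service object-group
    or in an access-list line (CSCsu64376)."""
    findings: List[Tuple[int, str]] = []
    current_group = None  # (name, protocol) of the object-group being defined
    for lineno, raw in enumerate(config.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["object-group", "service"]:
            # object-group service NAME [tcp|udp|tcp-udp]
            proto = tokens[3] if len(tokens) > 3 else None
            current_group = (tokens[2], proto)
            continue
        if not raw.startswith(" "):
            current_group = None  # an unindented line ends the object-group block
        if (tokens[0] == "port-object" and current_group
                and current_group[1] in _TCP_PROTOCOLS and _has_port_zero(tokens)):
            findings.append((lineno, "port 0 in object-group %s (%s)"
                             % current_group))
        elif tokens[0] == "access-list" and "tcp" in tokens and _has_port_zero(tokens):
            findings.append((lineno, "TCP port 0 in access-list %s" % tokens[1]))
    return findings


def lint_startup_config(config: str) -> Dict[str, object]:
    """Summarise both checks for a saved configuration."""
    return {
        "tcp_state_bypass_lines": find_tcp_state_bypass(config),
        "tcp_port_zero": find_tcp_port_zero(config),
    }


if __name__ == "__main__":
    for key, value in lint_startup_config(SAMPLE_STARTUP_CONFIG).items():
        print(key, value)
```

Feed the function the text of show startup-config rather than the running configuration when applying the CSCtj78005 workaround, because that caveat is about what the module loads at reload time.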
• CSCtf84419
Multiple policy NAT statements might not match correctly until you recompile the ACL. If you configure two policy NAT statements that overlap, and the first policy NAT ACL uses object groups, then when a second policy NAT statement is added that overlaps (its ACL could also match the traffic but is less specific), the xlate is built using the new NAT entry.