Cisco Catalyst 6500 Series Firewall Services Module Release Notes
Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 3.2(x)
Open Caveats
policy-map p1
 class c1
  set connection timeout idle 3:0:0
  set connection timeout tcp 2:0:0
service-policy p1 global
(CSCsk57385)
• The FWSM processes virtual Telnet connections after you remove the virtual telnet command. You
need to reload the FWSM after you remove the virtual telnet command to avoid the following
situation.
After you remove the virtual telnet command, the FWSM processes virtual Telnet connections as
through-the-box connections and assumes that there is a host on the inside with the virtual IP address.
Because AAA is configured for through-the-box connections, a uauth is created. Once a uauth is
created, the connection is forwarded to the specific IP address. Because no hosts are available at this
IP address, the connection is closed. However, the uauth remains, and all connections through the
box go through until the uauth times out. You cannot clear a uauth if the FWSM sees an invalid host.
It needs to be done via an access list to check the connections going through the box. (CSCsl08082)
• Do not configure both the timeout uauth 0 command and the aaa authentication clear-conn
command; if you do so, you cannot open any connections through the FWSM because the
connection immediately closes when AAA succeeds. This happens every time you try to open a
connection (because the FWSM is not caching uauth entries).
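The conflict described in this item can be checked for in a saved configuration before it is deployed. The following Python sketch is an added example, not Cisco code; the sample configurations are constructed, and the arguments shown after clear-conn and the absolute keyword are assumed syntax.

```python
import re

# Constructed sample configs for illustration; not taken from the release notes.
# The arguments after "clear-conn" and the "absolute" keyword are assumed syntax.
CONFLICTING = """\
hostname fwsm-lab
timeout uauth 0:00:00 absolute
aaa authentication match AUTH_ACL inside TACACS_GRP
aaa authentication clear-conn inside 10.0.0.0 255.0.0.0
"""
CACHING = CONFLICTING.replace("uauth 0:00:00", "uauth 0:05:00")
NEGATED = CONFLICTING.replace("aaa authentication clear-conn",
                              "no aaa authentication clear-conn")


def uauth_zero_lines(config):
    """Line numbers where 'timeout uauth' is set to zero (uauth caching off)."""
    hits = []
    for n, line in enumerate(config.splitlines(), 1):
        m = re.match(r"\s*timeout\b.*?\buauth\s+(\d+(?::\d+){0,2})(?:\s|$)", line)
        # "0", "0:0" and "0:00:00" all mean zero: every field must be 0
        if m and all(int(f) == 0 for f in m.group(1).split(":")):
            hits.append(n)
    return hits


def clear_conn_lines(config):
    """Line numbers where 'aaa authentication clear-conn' is enabled."""
    return [n for n, line in enumerate(config.splitlines(), 1)
            if re.match(r"\s*aaa\s+authentication\s+clear-conn\b", line)]


def audit(config):
    """Return a finding dict when both commands are present, else None."""
    zero, clear = uauth_zero_lines(config), clear_conn_lines(config)
    if zero and clear:
        return {"timeout_uauth_0": zero, "clear_conn": clear,
                "effect": "connection closes as soon as AAA succeeds"}
    return None


if __name__ == "__main__":
    for name, cfg in [("conflicting", CONFLICTING), ("caching", CACHING),
                      ("negated", NEGATED)]:
        print(name, audit(cfg))
```

Lines that begin with "no" are ignored, so a negated command does not raise a finding.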
• During URL filtering at high rates, the HTTP connection to the server through the FWSM might not
complete correctly in some scenarios with the TCP normalizer enabled and URL filtering enabled.
To solve this issue, enter the url-block block 16 command in multiple mode or the url-block block
128 command in single mode. (CSCsj00658)
Open Caveats
This section contains open caveats in the latest maintenance release.
If you are running an older release, and you need to determine the open caveats for your release, then
add the caveats in this section to the resolved caveats from later releases. For example, if you are running
Release 3.2(4), then you need to add the caveats in this section to the resolved caveats from 3.2(5) and
later to determine the complete list of open caveats.
• CSCei76209
The show mroute output is missing interfaces in the OIF list after it switches to the shortest path
tree (s,g). The show mfib output shows this correctly.
Workaround: None.
• CSCsi03512
You cannot ping across the FWSM after entering the [no] fabric sw-mode force bus command on
the switch. This happens when switching mode is toggled on a Catalyst 6500 with supervisor 720
from Truncated mode to Bus mode and back to Truncated mode.
Workaround: Reload the Catalyst 6500 switch.
• CSCsj04940
When you configure the nameif command in single transparent mode, the "portmap_index: unable to
locate fixup" message appears. The message is seen only in transparent mode.