Cisco Catalyst 6500 Series Firewall Services Module
Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 4.1(x)
Limitations and Restrictions
Note: These limitations and restrictions also exist in FWSM 3.x.
See the following limitations and restrictions on the FWSM:
• The following features are not supported when you use TCP state bypass:
– Application inspection—Application inspection requires both inbound and outbound traffic to go through the same FWSM, so application inspection is not supported with TCP state bypass.
– AAA authenticated sessions—When a user authenticates with one FWSM, traffic returning via the other FWSM will be denied because the user did not authenticate with that FWSM.
• Multiple context mode does not support most dynamic routing protocols: security contexts support only static routes or BGP stub mode. You cannot enable OSPF or RIP in multiple context mode.
• Transparent firewall mode supports a maximum of eight interface pairs per context; however, when multiple bridge-group interfaces exist in a single context, inspection may not work properly. We recommend that you create a separate context for traffic that requires inspection.
• For transparent firewall mode, you must configure a management IP address per interface pair.
• The outbound connections (from a higher security interface to a lower security interface) from an interface that is shared between the contexts can only be classified and directed through the correct context if you configure a static translation for the destination IP address. This limitation makes cascading contexts unsupported, because configuring the static translations for all the outside hosts is not feasible.
• When a large number of VLANs are configured to receive multicast streams, multicast traffic can be received on and forwarded from the first 100 VLANs configured on the FWSM, but VLANs beyond the first 100 might not forward multicast traffic.
• The CPU-intensive commands, such as copy running-config startup-config (the same as the write memory command), might affect system performance, including reducing the successful rate of inspection and AAA connections. When a CPU-intensive action completes, the FWSM might produce a burst of traffic to catch up. If you limit the resource rates for a context, the burst might unexpectedly reach the maximum rate. We recommend using these commands during low traffic periods. Other CPU-intensive actions include the show arp command, polling the FWSM with SNMP, loading a large configuration, and compiling a large access list.
• Do not configure both the timeout uauth 0 command and the aaa authentication clear-conn command; if you do so, you cannot open any connections through the FWSM because the connection immediately closes when AAA succeeds. This happens every time you try to open a connection (because the FWSM is not caching uauth entries).
• During URL filtering at high rates, the HTTP connection to the server through the FWSM might not complete correctly in some scenarios with the TCP normalizer enabled and URL filtering enabled. To solve this issue, enter the url-block block 16 command in multiple mode or the url-block block 128 command in single mode. (CSCsj00658)
• SIP application inspection does not match regular expressions specified in the message-path against a second or later instance of the VIA SIP header. Check whether your purpose is accomplished by matching the regular expression specified in the message-path against the first VIA: SIP header. (CSCso69892)
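Several of the restrictions above are configuration pitfalls that can be caught before a change window: the timeout uauth 0 plus aaa authentication clear-conn combination, the url-block block value recommended for URL filtering in single versus multiple context mode, and OSPF or RIP configured in a context on a multiple-mode FWSM. The following audit script is an added example, not Cisco's code or anything from these release notes. It runs offline over a constructed context configuration; the exact line formats it matches (for example timeout uauth shown as 0:00:00, and router ospf / router rip stanzas) are assumptions modelled on the commands named above, and the context mode is passed in explicitly because it comes from show mode rather than from the context's running configuration.

```python
"""Audit one FWSM context configuration for pitfalls named in the 4.1(x) release notes."""
import re

# Constructed sample context configuration (not captured from a real FWSM).
# Line formats are assumptions modelled on the commands named in the release notes.
SAMPLE_CONTEXT_CONFIG = """\
hostname dmz-ctx
timeout xlate 3:00:00
timeout uauth 0:00:00 absolute
aaa-server TACACS protocol tacacs+
aaa authentication match auth_acl inside TACACS
aaa authentication clear-conn
url-server (inside) vendor websense host 10.10.10.5
filter url http 0 0 0 0
url-block block 128
router ospf 1
 network 10.0.0.0 255.0.0.0 area 0
"""


def config_lines(text):
    """Yield non-empty config lines with indentation and '!' separator lines removed."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            yield line


def uauth_disabled(lines):
    """True if the uauth timeout is zero (typed as 'timeout uauth 0', shown as 0:00:00)."""
    return any(re.match(r"timeout uauth 0(:00:00)?(\s|$)", line) for line in lines)


def audit_context(config_text, multiple_context_mode):
    """Return a list of finding tags for one context configuration.

    multiple_context_mode is an explicit argument (assumption: taken from
    'show mode' on the FWSM) because the context running-config does not state it.
    """
    lines = list(config_lines(config_text))
    findings = []

    # 1. timeout uauth 0 together with aaa authentication clear-conn: every
    #    connection is closed as soon as AAA succeeds, so nothing gets through.
    if uauth_disabled(lines) and "aaa authentication clear-conn" in lines:
        findings.append("uauth-zero-with-clear-conn")

    # 2. URL filtering enabled: the release-notes workaround for CSCsj00658 is
    #    'url-block block 16' in multiple mode or 'url-block block 128' in single mode.
    if any(line.startswith("filter url ") for line in lines):
        wanted = 16 if multiple_context_mode else 128
        sizes = []
        for line in lines:
            m = re.match(r"url-block block (\d+)$", line)
            if m:
                sizes.append(int(m.group(1)))
        if wanted not in sizes:
            findings.append(f"url-block-block-not-{wanted}")

    # 3. OSPF and RIP cannot be enabled in multiple context mode; contexts
    #    support only static routes or BGP stub mode there.
    if multiple_context_mode:
        for line in lines:
            if re.match(r"router (ospf|rip)(\s|$)", line):
                findings.append(f"dynamic-routing-in-multiple-mode:{line}")

    return findings


if __name__ == "__main__":
    for mode in (True, False):
        label = "multiple" if mode else "single"
        print(f"[{label} mode]")
        for finding in audit_context(SAMPLE_CONTEXT_CONFIG, mode) or ["no findings"]:
            print(f"  {finding}")
```

Run the same context configuration through both modes to see how the findings change: the uauth/clear-conn conflict is reported either way, while the url-block value and the OSPF stanza are only flagged when the FWSM is in multiple context mode. Extend audit_context with further checks from this list (for example the eight-interface-pair limit in transparent mode) in the same pattern.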