Firewall Services Module Hot Issues from Cisco TAC

DOC: SUNRPC inspection is incompatible with XLATE BYPASS , Open CSCtc54367

Symptom: This is a documentation bug to get the documentation updated to indicate that the 'inspect sunrpc' feature is not compatible with the xlate-bypass feature present in FWSM code version 3.2 and later. The two features cannot co-exist as the sunrpc inspection relies on xlates for functionality and xlate bypass may prevent the inspection from functioning correctly.
Conditions: This condition is present in FWSM code version 3.2 and later where xlate bypass was first introduced.

TCP Normalizer May Drop TCP FIN Packets After 30+ Days Uptime , Fixed CSCsi27512

Symptom: FTP client / server do not close their connection in some cases when the server uses multiline 221 closure sequence.
Conditions: When some OS is used (not all of them, not identified properly) and the server uses multi line 221 closure sequence like: 221-You have transferred 0 bytes in 0 files. 221-Total traffic for this session was 2551 bytes in 1 transfers. 221-Thank you for using the FTP service on orbi. 221 Goodbye. instead of the classic 221 Goodbye;
Workaround: 1. Disable ftp inspection OR disable 221 mutliline. or 2. if running a version of FWSM code where the command is supported, you can disable the TCP Normalizer feature which has minimal impact. Disable the normalizer with the command: "no control-point tcp-normalizer" or 3. If running in an active/standby failover mode setup, a forced switchover should alleviate the problem. If not running a failover mode that is if there i no failover pair, but have failover enabled, then a "no failover" and "failover" [i.e disabling and enabling failover] should help.

FWSM introduces out of order packets into TCP connections , Fixed CSCsl10667

Symptom: Under rare circumstances the FWSM might re-order packets in a TCP stream. This might cause high speed TCP transfers through the FWSM to report decreased throughput.
Conditions: The packets must be traversing a FWSM. The faster the packets traverse the firewall (ie: The shorter the inter-packet gap) the more likely the FWSM is to re-order packets in the stream.
Workaround: In version 3.2 of the FWSM, setting the connection for tcp-state-bypass seems to help the throughput. However, this workaround negates the basic security checks of the FWSM and probably is not appropriate for most situations.

High CPU due to ACK storm with a TCP-based inspection enabled , Fixed CSCsi73738

Symptom: On a Firewall Services Module (FWSM), high CPU utilization might be seen with a TCP-based (SQL*Net, HTTP, ESMTP, etc.) inspection engine enabled. The traffic that is subjected to the inspection might fail to flow correctly through the firewall. Websense url-filtering may also trigger this problem.
Conditions: All of the following conditions must be met to hit this bug: 1) The traffic must be subjected to a TCP-based inspection engine on the FWSM. 2) The control-point tcp-normalizer feature must be enabled (it is enabled by default). When this problem is seen, the CPU usage of the firewall might become very high, and the output of the command 'show asp drop' might show a very high count of "TCP invalid ACK" drops.
Workaround: To workaround this problem, perform one of the following actions: 1) Disable the TCP Normalizer with the command 'no control-point tcp-normalizer'. For more information on the effect of this command and what purpose it serves, see the FWSM command reference at the following URL: http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/c4.html#wp1864750 OR 2) Disable the offending inspection engine.

ENH: Established entries in CP and NP go out of sync for sunrpc traffic , Fixed CSCsx08762

Symptom: Sunrpc holes in NP and CP go out of sync as a result of which, even if the hole count has not reached the limits in CP, insertion of holes into NP fails.
Conditions: Established entries reaching the limit in NP 3
Workaround:Clear the CP and NP databases using 'clear sunrpc active' and 'clear local' commands respectively.
Further Problem Description: This issue is fixed partially by CSCso42729. In this DDTS we take care that the CP and NP databases remain in sync even if there are errors in insertion/deletion of established entries from NP. Also counters have been added to mark the failures.

http traffic with segmented GET blocked by url-filtering configuration , Fixed CSCtb49822

Symptom: Some specific web pages might fail to load through a FWSM configured for URL filtering. Sections of the page might not load at all, and hitting the 'refresh' button on the browser sometimes allows the page to load successfully.
Conditions: All of the following conditions must be met to hit this bug: - The FWSM must be running version 3.2 or 4.0 - The URL being accessed must be considered a "long" url, meaning that the length of the URL is greater than 1159 bytes - The FWSM must be configured for url filtering - The HTTP GET is segmented across multiple TCP packets by the HTTP client, and the HOST portion of the http request is not present in the first TCP packet of the GET request. This might occur with Internet Explorer, but not with the firefox web browser.
Workaround: To mitigate this problem, do any or all of the following: 1) Add the "longurl-truncate" argument to the "filter" command on the firewall that is subjecting the HTTP client to the FWSM's url-filtering services. Example of filter command with 'longurl-truncate' argument: filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 longurl-truncate 2) Use the firefox web browser instead of Internet Explorer

ACL hitcount not updated in ASDM and in show access-list brief , Fixed CSCta77829

Symptom: ASDM does not show the correct hitcount for access-list entries.
Conditions: FWSM 4.0 with ASDM 6.1F Exact conditions are not known at this time, however whether the defect occurs or not is dependent on the access-list used.
Workaround: Use show access-list or show access-list name on the CLI This will show the correct hitcount. As a side effect it will also update the hitcount in ASDM, however the hitcount in ASDM will still not automatically update correctly after that.
Further Problem Description: This is a defect in the show access-list name brief command, which is used by ASDM to retrieve the hitcount.

Traffic gets drop when acl optimization is on and after modifying ACEs , Fixed CSCtc97643
Symptom: When acl optimization is enabled and after modifying ACL entries, all traffic going through FWSM gets drop. Conditions: ACL optimization is enabled and modifying ACE config. Workaround: Disable ACL optimization.

Portmap translation problems after failover , Fixed CSCsv82747
Symptom: In a rare corner case, the FWSM might fail to create correct translations. Specifically, portmap translations might fail to be created by the FWSM. The total number of translations shown with the output of 'show xlate count' and 'show xlate' might differ, which is incorrect. The following syslog might also be displayed for the failing traffic flow: %FWSM-3-305006: portmap translation creation failed for tcp src inside:10.2.3.2/4636 dst outside:192.168.2.3/16147
Conditions: The FWSM must be configured to translate traffic. The FWSM is more likely to encounter this failed state if it building and tearing down translations at a high rate.
Workaround: None

FWSM show memory displays incorrect data in multi context mode , Fixed CSCsm90200
Symptom: Show memory may show incorrect memory usage. The used memory value will show an impossible value that is greater that 100%.
Conditions: FWSM running 3.1.8 or later in multi context mode. This is a cosmetic issue and will not affect production traffic.
Workaround: None at this time.

ERROR: np_logger_query request .Traffic failing on FWSM , Fixed CSCsr51684
Symptom The FWSM might fail to pass traffic, and the following output will be seen when certain commands are run ('show console output' will give this output): NP-PCcmplx logger frame timeout Message #183 : NP-PCcmplx logger frame timeout Message #184 : NP-PCcmplx logger frame timeout Also, np_logger errors seen when executing some sh commands , like sh fail, sh int etc.
Conditions TCP syn-cookies must be configured on the firewall. This can be enabled by adding certain arguments to the end of static statements, or by configuring connection limits with MPF.
Workaround None. The firewall must be reloaded to mitigate the problem.

Adding remark lines to an optimized ACL can trigger prolonged high CPU , Fixed CSCta62033
Symptom: When adding a remark line to an access-list (when optimization is enabled) the CPU make spike to 95%+ for an extended period of time during compilation. Depending on the size of the ACL, this has been seen to take up to 30-40 minutes. But when adding a permit or deny line to the same ACL, the compilation time is less than a minute.
Conditions: access-list optimization is enabled
Workaround: none

Add best effort failover support for TCP proxy , Open CSCtc23265
This is a change to the way the firewall handles flows after a failover that are subjected to the TCP proxy. The TCP proxy is a feature on the firewall that is active for connections that require higher-level inspection. For example, if the inspection engines are enabled for certain traffic flows such as sqlnet or voice signalling traffic, the TCP proxy feature on the firewall will ensure that the firewall receives the complete TCP data in order to perform complete inspection of the traffic. This code change implements a change whereby if a failover takes place as the active firewall is processing TCP traffic subjected by the proxy, when the old standby firewall becomes active it will update its state of the TCP connection when traffic is received on that TCP. Therefore, it will update its TCP state for the connection according to the traffic received from the TCP endpoints, and the TCP connection should continue to flow correctly. Before this change, if a failover occurred while the firewall was processing traffic subjected to the TCP proxy, the new active firewall might not have an up-to-date connection state for that TCP, causing the firewall to send inappropriate ACK's to the TCP endpoints to update their TCP state to match the firewall's. This could cause a storm of traffic as the firewall and the TCP endpoints both try to update each other with their version of the "correct" TCP state, and the CPU on the firewall might be high, as well as the connectivity through the firewall for these flows might suffer.

FWSM - ssh thread never ends up when aaa authentication fails , Fixed CSCsf16544
Symptom : SSH management connection to the FWSM is never cleared : Resource Current Peak Limit Denied Context Telnet 1 1 5 0 System SSH 1 1 5 0 System Conns 1 3 unlimited 0 System
Conditions: An external TACACS ACS server is configured with "aaa authentication", and the ACS server stops responsding in the middle of the authentication process.
Workaround: There is no workaround to clear out these SSH sessions without doing a reload of the FWSM,

cut-through proxy in transparent sends invalid ACK before SYN-ACK , Open CSCtd19411
Symptom: cut-through proxy / network authentication fails on FWSM 4.0.x in transparent mode.
Conditions: a tcp-state checking device like an ASA or another FWSM needs to be between the FWSM context handling the cut-through proxy and the client. client ---- ASA --- FWSM (transparent mode/cut through proxy) --- cloud
Workaround: disable tcp-state checking on intermediate device (ASA above) or move the client on the directly connected inside interface of the FWSM.
Further Problem Description: In a pcap capture you'll see the following pattern and depending on your network topology, the authentication prompt may or may not be seen. client ---- FWSM SYN ---> Seq #1 Delay of 2 seconds SYN ----> Seq #1 <---- ACK Seq# 50 ack #2 Delay of 3 seconds <---- SYN ACK Seq# 49 ack #2