Troubleshooting Steps

A combination of show and debug commands is available to troubleshoot problems with the transparent firewall. You can determine the mode the firewall is running in with the following command:

PIX# show firewall

You can display the MAC address table (bridge table) on a PIX in transparent mode with the following command:

PIX# show mac-address-table [interface_name]

The following is sample output from the show mac-address-table command that shows the entire table:

PIX# show mac-address-table
interface mac address type Time Left
-----------------------------------------------------------------------
outside 0009.7cbe.2100 static -
inside 0010.7cbe.6101 static -
inside 0009.7cbe.5101 dynamic 10
PIX#

The following command displays the MAC address table for the inside interface only:

PIX# show mac-address-table inside
interface mac address type Time Left
-----------------------------------------------------------------------
inside 0010.7cbe.6101 static -
inside 0009.7cbe.5101 dynamic 10
PIX#

Use the following debug commands in addition to the show commands to troubleshoot transparent firewall issues:

  • debug arp-inspection: Tracks the code path of the ARP forwarding and ARP inspection module in the transparent firewall.

  • debug mac-address-table: Tracks inserts, deletes, and updates to the bridge table maintained for the transparent firewall.

  • debug l2-indication: Tracks the code path for processing of layer 2 (L2) indications.

The messages below are generated at severity 3 (error) and severity 4 (warning), so you need to set the logging level to at least 4 to see all of the messages pertaining to transparent firewall problems. These messages help in identifying the following conditions:

  • MAC Spoofing: If the firewall learns a MAC address on an interface that conflicts with an existing static entry (which binds that MAC address to a specific interface), the following syslog message is generated:

    %PIX-3-321001: Deny MAC address <mac-address>, possible spoof attempt on interface <interface>

    For example, if you have a static MAC address entry pointing to the DMZ interface and the same MAC address is then learned dynamically on the inside interface, the firewall treats this as MAC spoofing and drops the packet.

  • ARP Inspection: If the ARP inspection module drops a packet, the following syslog message is generated:

    %PIX-3-321002: ARP inspection check failed for arp <request|response> received from host <mac-address> on interface <interface>. This host is advertising MAC Address <mac-address-1> for IP Address <ip-address>, which is currently statically assigned to MAC Address <mac-address-2>.

    Here the host at <mac-address> is claiming that <ip-address> belongs to <mac-address-1>, but the static ARP entry on the firewall binds that IP address to <mac-address-2>, so the ARP packet is dropped.

  • Host Movement: If the MAC address of a host moves from one interface to another, the following syslog message is generated:

    %PIX-4-411001: MAC <mac-address> moved from <interface-1> to <interface-2>

    Here <interface-1> is the name of the interface from which the host has moved, and <interface-2> is the name of the interface to which the host has moved. Unlike the MAC spoofing case, this applies to dynamically learned entries: the bridge table entry is updated rather than the packet being dropped.

  • L2 Table Flooding: When the bridge table is full and an attempt is made to add one more entry for the MAC address of a host, the following syslog message is generated:

    %PIX-4-411002: Detected bridge table full while inserting MAC <mac-address> on interface <interface>. Number of entries = <number-of-entries>

    A burst of these messages from one interface usually indicates a host flooding the segment with forged source MAC addresses to exhaust the bridge table.
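The following is an added example, not code from the original page or from Cisco: a small Python script that parses the show mac-address-table output shown above and applies the rules described in the syslog list to a newly observed MAC address (static conflict means spoofing, dynamic entry elsewhere means host movement), then classifies a set of syslog lines by the message IDs quoted in the text. The table text is the sample from this page; the log lines are constructed for the example with the placeholders filled in using hypothetical values.

```python
# Added example (not from the original page): parse 'show mac-address-table'
# output and classify transparent-firewall syslog messages.  The table text is
# the page's sample; the log lines are constructed with hypothetical values,
# using the message IDs quoted on the page (321001, 321002, 411001, 411002).
import re
from collections import namedtuple

MacEntry = namedtuple("MacEntry", "interface mac kind time_left")

# Sample 'show mac-address-table' output as printed on the page.
SAMPLE_TABLE = """\
interface mac address type Time Left
-----------------------------------------------------------------------
outside 0009.7cbe.2100 static -
inside 0010.7cbe.6101 static -
inside 0009.7cbe.5101 dynamic 10
"""

_ROW = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})"
    r"\s+(?P<kind>static|dynamic)\s+(?P<tl>\d+|-)\s*$", re.I)


def parse_mac_table(text):
    """Parse the table body into MacEntry tuples.  Static entries have no
    ageing timer ('-'); dynamic entries carry the seconds left before ageing out."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:          # header, separator line or the PIX# prompt
            continue
        tl = None if m.group("tl") == "-" else int(m.group("tl"))
        entries.append(MacEntry(m.group("iface"), m.group("mac").lower(),
                                m.group("kind").lower(), tl))
    return entries


def check_observation(entries, iface, mac):
    """Apply the rules the text describes to a MAC seen on an interface:
    a conflicting static entry is a spoof (321001); a dynamic entry on another
    interface is host movement (411001); otherwise the MAC is known or new."""
    mac = mac.lower()
    for e in entries:
        if e.mac != mac:
            continue
        if e.interface == iface:
            return "known"
        return "spoof" if e.kind == "static" else "moved"
    return "new"


# Event names keyed on the message IDs quoted on the page.
EVENTS = {"321001": "mac_spoof", "321002": "arp_inspection_drop",
          "411001": "host_moved", "411002": "bridge_table_full"}
_SYSLOG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<msg>.*)")


def classify(line):
    """Return (severity, event, message) for a PIX syslog line, or None."""
    m = _SYSLOG.search(line)
    if not m:
        return None
    return int(m.group("sev")), EVENTS.get(m.group("id"), "other"), m.group("msg")


def summarize(lines, logging_level=4):
    """Count events per type, keeping only lines the firewall would actually
    emit at the given logging level (severity <= level); this is why the text
    asks for level 4, since 411001/411002 are severity 4."""
    counts = {}
    for line in lines:
        hit = classify(line)
        if hit is None or hit[0] > logging_level:
            continue
        counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


# Constructed sample log lines (hypothetical interfaces and MAC addresses).
SAMPLE_LOGS = [
    "%PIX-3-321001: Deny MAC address 0010.7cbe.6101, possible spoof attempt on interface outside",
    "%PIX-4-411001: MAC 0009.7cbe.5101 moved from inside to outside",
    "%PIX-4-411001: MAC 0009.7cbe.5101 moved from outside to inside",
]

if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_TABLE)
    for iface, mac in [("outside", "0010.7cbe.6101"), ("outside", "0009.7cbe.5101")]:
        print(iface, mac, check_observation(table, iface, mac))
    print(summarize(SAMPLE_LOGS))          # all four IDs visible at level 4
    print(summarize(SAMPLE_LOGS, 3))       # level 3 hides the host-movement messages
```

Running summarize with logging_level=3 shows only the severity-3 spoof message, which is the practical reason for the level-4 requirement above: a host flapping between interfaces or a bridge table filling up is invisible at the default error level.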