Troubleshooting Steps

If you follow the configuration steps carefully, you usually will not run into any problem with connections across the FWSM. If you run into connection problems, work through the following steps to correct the problems:



Step 1.
Be sure you can ping the directly connected interface of the FWSM.

If you cannot pass traffic across the FWSM, first ensure that you can ping the FWSM interface from a host in the same VLAN. For example, if you mapped the inside interface to VLAN 10, a host (10.1.1.10) on VLAN 10 must be able to ping the FWSM inside interface (10.1.1.1). If the ping fails, work through the following sub-steps to correct the problem; otherwise proceed to the next step:

(a). Make sure ICMP to the FWSM interface is permitted by the icmp command. The icmp command controls only ICMP packets terminated by the FWSM itself, not ICMP passing through it; execute show icmp to verify what is currently permitted. To permit ICMP to the inside interface from any source, use the following command (this is convenient while troubleshooting; afterwards, restrict it to the management hosts and ICMP types you actually need):

FWSM(config)# icmp permit 0 0 inside

(b). If the ping is still unsuccessful, run the debug icmp trace command and watch for output while the host pings. If the FWSM shows no ICMP debug messages at all, the echo requests are not reaching the module, so the problem lies between the host and the FWSM; go to the next step.

(c). Ping to other devices in the same VLAN and subnet. If you are not successful, check the port that is connected to the device. If the ping is successful, move to the next step.

(d). Execute the show interface command and ensure that the interfaces are shown as up/up. If they are in any other state, verify that the nameif command used the proper VLAN number, as follows:

FWSM# show nameif
nameif vlan10 inside security100
nameif vlan30 outside security0
FWSM#

(e). If you still have problems with the interface, execute the show vlan command and be sure the correct VLANs have been assigned to the FWSM by the switch supervisor (in native IOS mode, with the firewall vlan-group and firewall module ... vlan-group commands). A VLAN that is named with nameif but not listed here has not been downloaded to the module, and its interface will never come up.

FWSM# show vlan
10, 30
FWSM#

(f). If the FWSM is set up in Hybrid mode, be sure to configure the VLANs on the switch (CatOS) before defining the SVI on the MSFC. If you configured the SVI on the MSFC before creating the VLAN on the switch, you must remove the SVI from the MSFC and the VLANs from the switch, then reconfigure the VLANs on the switch first and the SVI on the MSFC second.

(g). If the packets still do not flow, change the EtherChannel load-balancing algorithm on the switch (port-channel load-balance). The FWSM attaches to the switch backplane over an internal EtherChannel, so a flow that hashes onto a faulty member link is dropped while other flows pass; changing the hash moves the flow to a different link and confirms the diagnosis.

Step 2.
If you can successfully ping the inside and outside interfaces from their corresponding VLANs, the next step is to make sure that you can ping across the FWSM. If you cannot, continue with Step 3.

Step 3.
By default, the FWSM denies all packets in both directions, from higher to lower security and from lower to higher security interfaces (unlike the PIX, it does not permit higher-to-lower traffic implicitly), so you must configure an ACL to permit the traffic in each direction. Execute show access-list together with show access-group to verify that the ACL is configured and applied to the correct interface. You must also permit the return packet from the opposite direction, because ICMP is not tracked statefully unless you enable it. For example, to ping the outside from the inside, you must permit ICMP echo on the inside interface and ICMP echo-reply on the outside interface. If you do not want to open the outside interface ACL to ICMP, configure fixup protocol icmp instead; the FWSM then keeps state for each echo request and admits only the matching reply. Packets dropped by an ACL are recorded in syslog (message 106023) if you enable logging at level 4 (warnings) or higher. If the hit counters shown by show access-list are incrementing, the ACL is permitting the packets, and the likely cause is NAT that is missing or misconfigured; go to the next step.



Step 4.
Check whether the translation is being built.

If the hit counters are incrementing on the ACL, make sure you are not running into a translation issue. Because NAT is handled by the NP3 network processor, you can execute show np3 nat, show np3 global, show np3 static, or show np3 alias to verify the NAT configuration as the processor has programmed it. Execute the show xlate detail command to see whether the translation is being built, as follows (the r flag marks a PAT, or portmap, translation):

FWSM(config)# show xlate detail
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
o - outside, r - portmap, s - static
1 in use, 2 most used
ICMP PAT from inside:10.1.1.10/45 to outside:30.1.1.1/1036 flags r
FWSM(config)#

Step 5.
Verify that the route exists in the routing table for the destination network.

If the ACL and translation are fine, execute the show route command to verify that a route to the destination network exists in the routing table of the firewall module; without one, the FWSM drops the packet even though the ACL and NAT have already accepted it. Example 4-14 shows a sample routing table.
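The following reference configuration is an added example, not an excerpt from this chapter or from Cisco documentation. It ties the five steps together for the topology the examples use (VLAN 10 as inside, 10.1.1.1/24; VLAN 30 as outside, 30.1.1.1/24; test host 10.1.1.10) in the FWSM 2.x single-context syntax that the show output above uses, with ':' as the comment character. The ACL names inside_in and outside_in, the syslog host 10.1.1.50 and the outside next hop 30.1.1.2 are assumptions; substitute your own. Passwords, management access and the switch-side VLAN assignment are left out. After each section, the show command you would run at that step is listed as a comment.

```cisco
: --- Step 1: interfaces and ICMP to the FWSM itself ---
nameif vlan10 inside security100
nameif vlan30 outside security0
ip address inside 10.1.1.1 255.255.255.0
ip address outside 30.1.1.1 255.255.255.0
: Permit echo only, and only from the local subnets, instead of "icmp permit any".
: Tighten this to your management hosts once troubleshooting is finished.
icmp permit 10.1.1.0 255.255.255.0 echo inside
icmp permit 30.1.1.0 255.255.255.0 echo outside
: verify: show icmp / show interface / show nameif / show vlan

: --- Step 3: ACLs in both directions (the FWSM denies everything by default) ---
: Option A, stateless: permit the request on inside and the reply on outside.
: The reply is addressed to the PAT address, so match the outside interface IP.
access-list inside_in permit icmp 10.1.1.0 255.255.255.0 any echo
access-list outside_in permit icmp any host 30.1.1.1 echo-reply
access-group inside_in in interface inside
access-group outside_in in interface outside
:
: Option B, stateful: enable ICMP inspection so the outside ACL needs no
: echo-reply entry; the FWSM then admits only replies that match a request.
: If you choose this option, remove the echo-reply line from outside_in.
fixup protocol icmp
:
: Log ACL denies; message 106023 is emitted at level 4 (warnings).
logging on
logging buffered warnings
logging trap warnings
logging host inside 10.1.1.50
: verify: show access-list (hit counters) / show access-group / show logging

: --- Step 4: translation ---
: Produces "ICMP PAT from inside:10.1.1.10/... to outside:30.1.1.1/... flags r"
: in show xlate detail, because the global uses the outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
: verify: show xlate detail / show np3 nat / show np3 global

: --- Step 5: route to the destination network ---
route outside 0.0.0.0 0.0.0.0 30.1.1.2 1
: verify: show route
```

Use Option A when you need to see exactly which direction is being dropped (each ACL has its own hit counter, and a deny on either side shows up as a 106023 message naming that access-group); switch to Option B once the path works, since it leaves no standing permit for unsolicited echo-reply packets arriving on the outside interface.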