It is important for the troubleshooter to understand the issue and picture the logical design where the FWSM is a part.
Follow these steps to identify and understand the problem:
Step 1 Define the problem: It is very important to get the definition from the technical side and user impact.
(a) Define the problem.
(b) Identify one stream with source and destination.
(c) Verify whether all the packets are flowing through the FWSM, whether any one particular flow is impacted, or whether a few applications are impacted.
(d) Understand the security segregation for the flow (note whether the direction of the flow is from a lower to a higher security zone or from a higher to a lower security zone).
(e) Verify whether the FWSM has Network Address Translation (NAT) configured for the flow. Check the mode of the FWSM (routed or transparent mode/single or multiple context).
Step 2 Draw the logical design: It is important to trace the flow of IP packets having issues with the logical design available.
(a) Plot the source and destination of the stream identified in the diagram (this will depend on steps 1b and 1c).
(b) Verify whether all or a particular traffic is impacted.
(c) Check whether FWSM and the switch are communicating to each other before taking a deep dive into troubleshooting.
— Verify whether the ping from the inside next hop interface to the FWSM inside interface is successful.
— Verify whether the ping from the inside next hop interface to the outside next hop interface is successful. Repeat the same steps from the outside next hop interface or any of the demilitarized zone (DMZ) interfaces.
(d) Capture all your command outputs and configurations.
(e) Make sure you are able to ping the source and destination from the FWSM.
Step 3 Do a quick review of the configuration: It is important to review the configuration based on standards for configuring the sample design.
(a) Using the capture in Step 2d, review the configuration based on standards.
Topics to review are based on the flow of traffic from different security zones.
— NAT is configured (if applicable).
— Static translation is configured (if applicable).
— Access list is configured and the traffic hit is seen in the access list.
— The routing in the FWSM points to the correct interface (this can be verified in Step 2c).
— Verify whether other standard configurations, such as interface configuration, NAT, access-list configuration, routing statements, and other configurations, such as auth-proxy and authentication, authorization, and accounting (AAA), are configured properly.
(b) Based on capture details, if the root cause is identified:
— Work on the solution plan.
— If the solution plan is not available, work on the mitigation plan and possible options.
Step 4 Apply the planned change and verify whether the problem is fixed. After verification, it is important to conduct other standard tests to confirm the solution or workaround, and also verify whether it has problems on other traffic patterns passing through the firewall.
Troubleshooting in general is an art gained from experience. You need a good technical understanding and problem-solving skills. The following section gives a logical view to resolving problems with the FWSM and its flow.
Was this article helpful?