
Service-manage is not working correctly

Publication Date: 2017-10-06
Issue Description

The customer has the following topology. He opened a ticket because, although he enabled service-manage https on Vlanif202 on both firewalls, he was able to connect via the WebUI only to Firewall B.

Active device configuration:

interface Vlanif202
 ip address
 vrrp vrid 1 virtual-ip active
 service-manage https permit
 service-manage ping permit

interface GigabitEthernet0/0/1
 ip address
 vrrp vrid 2 virtual-ip active
 service-manage ping permit



Handling Process

We enabled traffic statistics on Firewall A and saw that Firewall A drops the packets because the service-manage policy is missing.

Root Cause

The service-manage policy requires that, if the inbound interface is not the managed interface, service-manage must also be added on the inbound interface of the service packets.


Although we fixed the problem, the customer still wanted an explanation of why Firewall A needs service-manage on both Gi 0/0/1 and Vlanif202, while on Firewall B it is enough to configure it only on Vlanif202.

1. The customer wants to access FW_A.

a)    Packet flow:

-       The packet arrives at the router. The router looks at the IP routing table. Next hop is

-       Since the next hop is, the packet arrives at FW_A (it controls the virtual IP of the group)

-       The destination is, which is the physical address of Vlanif202 of FW_A

-       The inbound interface of the packets is Gi 0/0/1

-       Destination is => you need to put service-manage on both

2. The customer wants to access FW_B.

b)    Packet flow:

-       The packet arrives at the router. The router looks at the IP routing table. Next hop is (same as in the first case)

-       The packets arrive again at FW_A, but this time the destination of the packets is the physical IP address of Vlanif202 on FW_B

-       FW_A looks in the routing table and sees that the destination is not itself, but a host in the same VLAN202

-       It forwards the packets in VLAN202, because it knows the is in the same VLAN

Conclusion: FW_B receives the packets from Fusion_A

-       Inbound interface: Vlanif202

-       Destination: Vlanif IP address => you need to put service-manage only on the Vlanif, since it is both the inbound and the destination interface


The customer needs to add service-manage https permit on the Gi 0/0/1 interfaces of both firewalls. Even though it is not needed on Firewall B, without it he will be unable to connect to Firewall B if Firewall A goes out of service.
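
The rule from the root cause, applied to both packet flows and to the failover case, as an added example (a simplified model written for this page, not vendor code). The interface IP addresses are constructed placeholders from documentation ranges, and the class and function names are hypothetical.

```python
# Simplified model of the service-manage rule as this page states it.
# Not vendor code; all IP addresses below are constructed placeholders.
from dataclasses import dataclass, field

@dataclass
class Firewall:
    name: str
    ips: dict                                    # interface -> local IP address
    permits: dict = field(default_factory=dict)  # interface -> permitted services

    def allows(self, ifname, service):
        return service in self.permits.get(ifname, set())

    def check(self, inbound_if, dst_ip, service):
        """Return (verdict, reason) for one management packet."""
        owner = next((i for i, ip in self.ips.items() if ip == dst_ip), None)
        if owner is None:
            return "forward", "destination is not local; service-manage does not apply"
        needed = {owner, inbound_if}  # managed interface plus inbound interface
        missing = sorted(i for i in needed if not self.allows(i, service))
        if missing:
            return "drop", "service-manage %s missing on %s" % (service, ", ".join(missing))
        return "permit", "service-manage %s present on %s" % (service, ", ".join(sorted(needed)))

def build(name, vlanif_ip, gi_ip, https_on_gi=False):
    # Mirrors the page's configuration: https+ping on Vlanif202, ping only on Gi0/0/1.
    permits = {"Vlanif202": {"https", "ping"}, "GigabitEthernet0/0/1": {"ping"}}
    if https_on_gi:
        permits["GigabitEthernet0/0/1"].add("https")
    return Firewall(name, {"Vlanif202": vlanif_ip, "GigabitEthernet0/0/1": gi_ip}, permits)

def scenarios(https_on_gi):
    fw_a = build("FW_A", "192.0.2.2", "198.51.100.2", https_on_gi)
    fw_b = build("FW_B", "192.0.2.3", "198.51.100.3", https_on_gi)
    gi, vlanif = "GigabitEthernet0/0/1", "Vlanif202"
    return {
        # Case 1: packet enters FW_A on Gi0/0/1, destination is FW_A's Vlanif202
        "to_fw_a": fw_a.check(gi, "192.0.2.2", "https")[0],
        # Case 2, first hop: FW_A only forwards the packet into VLAN 202
        "to_fw_b_via_a": fw_a.check(gi, "192.0.2.3", "https")[0],
        # Case 2, second hop: FW_B receives it on Vlanif202, also the destination
        "to_fw_b": fw_b.check(vlanif, "192.0.2.3", "https")[0],
        # FW_A out of service: FW_B now receives the packet on its own Gi0/0/1
        "to_fw_b_failover": fw_b.check(gi, "192.0.2.3", "https")[0],
    }

if __name__ == "__main__":
    for fixed in (False, True):
        print("https permitted on Gi0/0/1:", fixed, scenarios(fixed))
```

With the original configuration the model drops the FW_A case and the failover case. With https permitted on Gi 0/0/1 of both firewalls, every local delivery is permitted.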