FWSM inter-chassis failover issue

Unanswered Question
Mar 3rd, 2007

Hi friends,

I am unable to make FWSM failover work in an inter-chassis configuration:

6509 switch - 12.2(18)

FWSM - 3.1

Here's the brief-up of the configs that i have done:

1. There are two 6509s where the FWSMs are inserted in the same slot, and both FWSMs have identical configurations.

2. The FWSMs have been tried in the same chassis and failover is working between them (I tried "no failover active" and the other FWSM was able to pick up). So, intra-chassis failover works fine, and this means that the failover config is right.

3. The LAN-based failover and stateful failover VLANs have been created on the core switches, added to the vlan-group statement, and they are shown with up/up status in the FWSM interface status.

4. I am able to ping the failover IPs of the other FWSM from one FWSM.

5. ICMP is permitted on the inside interface (MSFC to FWSM interface).

6. The FWSM in Core-1 (1st 6509 switch) is standby (though Core-1 is the HSRP primary L3 switch and all VLANs are active on it) and the FWSM in Core-2 (HSRP secondary switch) is the active one.

7. ICMP is allowed to the hosts connected to the protected segment / VLAN behind the FWSM.

What's not working?

1. I cannot ping the FWSM (inside interface) on Core switch 1 from a PC connected to Core switch 2. But I can ping the FWSM on Core-2 from the PC connected to Core-2. Also, I can ping the FWSM on Core-1 from the Core-2 switch directly. There are no persistent routes on the PC causing this issue. Not sure why this is happening.

2. Saying "no failover active" on the active FWSM (in Core-2) does a failover, but it still does not work, as I am unable to ping any VLAN IPs protected by the FWSMs.

Possible causes?

I think that the trunk carrying the VLANs may be blocked by spanning tree? I need to check that tomorrow. But I was able to ping the standby FWSM from the switch having the active FWSM. So, I think that the trunks are carrying the firewall VLANs?

That's the reason that I am able to ping from Core-2 to the remote FWSM (FWSM in Core-1).

Not really sure what else could be the cause.

Any pointers to this will be highly appreciated.

Thanks a lot

Gautam

Jon Marshall Mon, 03/05/2007 - 00:13

Hi Gautam

What does the "sh failover" command from the active FWSM show?

If it works within the same chassis but not between 2 chassis, check:

1) As you say, spanning-tree. A dedicated trunk for the FWSM would help here.

2) The vlans allowed on the trunk.

3) Check the switch config for both switches, where you allocate vlans to the FWSM, i.e.

firewall vlan-group x "vlan nos".

Make sure these are exactly the same on both switches.

HTH

Jon
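An added worked check for Jon's points 2 and 3 (this script is not part of the thread and is not a Cisco tool): it parses two constructed "show running-config" excerpts, one per 6509, and reports where the `firewall vlan-group` / `firewall module ... vlan-group` lines differ and where a trunk's allowed-VLAN list drops one of the failover VLANs. The slot number, VLAN IDs, interface names and both config excerpts are assumptions invented for the example; point 1 (spanning tree) is not covered, since blocking state only shows in "show spanning-tree", not in the config.

```python
import re

# Constructed sample config excerpts (assumed values, not from the thread).
# Core-2 is deliberately missing VLAN 301 in vlan-group 20 and on the trunk.
CORE1_CONFIG = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 10,20
firewall vlan-group 10 100,200
firewall vlan-group 20 300,301
interface GigabitEthernet1/1
 description trunk to Core-2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200,300,301
 switchport mode trunk
"""

CORE2_CONFIG = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 10,20
firewall vlan-group 10 100,200
firewall vlan-group 20 300
interface GigabitEthernet1/1
 description trunk to Core-1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200,300
 switchport mode trunk
"""

VLAN_GROUP_RE = re.compile(r"^firewall vlan-group (\d+) (\S+)", re.M)
MODULE_RE = re.compile(r"^firewall module (\d+) vlan-group (\S+)", re.M)
INTERFACE_RE = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.M)
ALLOWED_RE = re.compile(r"^ switchport trunk allowed vlan (?:add )?(\S+)", re.M)


def expand_vlan_list(text):
    """Expand an IOS list such as '100,200,300-302' into a set of VLAN IDs."""
    if text == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in text.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_vlan_groups(config):
    """Map vlan-group number -> set of VLANs it carries."""
    return {int(g): expand_vlan_list(v) for g, v in VLAN_GROUP_RE.findall(config)}


def parse_module_groups(config):
    """Map FWSM slot -> set of vlan-group numbers assigned to it."""
    return {int(s): expand_vlan_list(g) for s, g in MODULE_RE.findall(config)}


def parse_trunk_allowed(config):
    """Map trunk interface name -> set of VLANs allowed on it."""
    allowed = {}
    for name, body in INTERFACE_RE.findall(config):
        if " switchport mode trunk" not in body:
            continue
        vlans = set()
        for item in ALLOWED_RE.findall(body):
            vlans |= expand_vlan_list(item)
        allowed[name] = vlans
    return allowed


def check_failover_path(core1, core2, failover_vlans, slot):
    """Return a list of findings; an empty list means both switches agree."""
    findings = []
    g1, g2 = parse_vlan_groups(core1), parse_vlan_groups(core2)
    for group in sorted(set(g1) | set(g2)):
        if g1.get(group) != g2.get(group):
            findings.append(f"vlan-group {group} differs: Core-1={sorted(g1.get(group, ()))} "
                            f"Core-2={sorted(g2.get(group, ()))}")
    m1, m2 = parse_module_groups(core1), parse_module_groups(core2)
    if m1.get(slot) != m2.get(slot):
        findings.append(f"module {slot} vlan-group assignment differs")
    for label, cfg, groups, modules in (("Core-1", core1, g1, m1), ("Core-2", core2, g2, m2)):
        # VLANs the FWSM in this slot actually sees on this switch
        fwsm_vlans = set().union(*(groups.get(g, set()) for g in modules.get(slot, set())))
        missing = failover_vlans - fwsm_vlans
        if missing:
            findings.append(f"{label}: failover VLANs {sorted(missing)} not assigned to module {slot}")
        for iface, allowed in parse_trunk_allowed(cfg).items():
            missing = failover_vlans - allowed
            if missing:
                findings.append(f"{label}: {iface} trunk does not allow failover VLANs {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for finding in check_failover_path(CORE1_CONFIG, CORE2_CONFIG, {300, 301}, slot=3):
        print(finding)
```

Run against real output, replace the two constants with the text of "show running-config | include firewall|interface|switchport" from each supervisor and pass the failover and state VLAN IDs plus the FWSM slot; any finding is a config mismatch of the kind Jon describes, and an empty result means the remaining suspects are spanning tree and the FWSM's own routing.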

gautamzone Mon, 03/05/2007 - 07:11

Hi Jon,

Thanks a lot for your response. The issue was finally resolved after I changed the routing of the FWSM to point to the core switch's actual IP instead of the HSRP IP.

For some reason, putting the HSRP IP of core on the route in FWSM did not seem to work.

When I changed to the real IP of the switch, it worked!!! Strange but that was the solution!!

Thanks a lot anyways

Gautam
