FWSM: Active/Standby Failover not functioning properly

Unanswered Question
Apr 23rd, 2007


We've noticed that Active/Standby Failover does not function anymore.

(Lucky for us the FWSM is running very solid)

After restarting either one of the two units in the failover configuration, the already active unit becomes totally unavailable.

In this state the unit cannot be reached (neither directly by SSH nor from within the chassis via the 'session slot...' and 'telnet 127.0.0.X' commands) and is carrying no traffic.

(We've noticed this problem before when configuring Multicast on the FWSM. After removal of the MC configuration all seemed to work fine, but now we have the same problem back again.)


- two FWSM modules in active/standby failover

- two Cat6500 chassis, each containing one FWSM, and two Supervisor Engine 720 in RPR+

- software version FWSMs: version 3.1.3 of 3.1.1

- software version Supervisor Engine 720s: s72033-advipservicesk9_wan-mz.122-18.SXF4.bin

- Chassis interconnected by two times 10Gb/s trunks, both carrying statelink and failover over separate VLANs

Show version:

f01/sec/act# sh ver

FWSM Firewall Version 3.1(3)

Detected an old ASDM version.

You will need to upgrade it before using ASDM.

Compiled on Thu 06-Jul-06 12:44 by dalecki

f01 up 2 days 20 hours

Hardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz

Flash SanDisk SDCFB-128 @ 0xc321, 20MB

0: Int: Not licensed : irq 5

1: Int: Not licensed : irq 7

2: Int: Not licensed : irq 11

The Running Activation Key is not valid, using default settings:

Licensed features for this platform:

Maximum Interfaces : 256

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : Unlimited

Serial Number: SAD0637022V

Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000

Configuration last modified by enable_1 at 14:46:39.980 MET Fri Apr 20 2007

Could it be we lost the activation key along the upgradin' way?

In that case, isn't it strange that we cannot reach the failed unit, even with 'session slot' command?

Please see attachment.


Frederick Reimer Mon, 04/23/2007 - 08:57

The FWSM does not have an activation key; it is normal for it to be all 0's. It would help if we had a show fail output...

Erik Molenaar Mon, 04/23/2007 - 23:19

Thanks for your reply.

The output of the 'sh fail' command is already included in the attachment.

According to Cisco for certain options it does need an activation key:

"Managing Licenses

When you install the software, the existing activation key is extracted from the original image and stored in a file in the FWSM file system. This section includes the following topics:

- Obtaining an Activation Key

- Entering a New Activation Key

Obtaining an Activation Key

To obtain an activation key, you will need a Product Authorization Key, which you can purchase from your Cisco account representative. After obtaining the Product Authorization Key, register it on the Web to obtain an activation key by performing the following steps:


Step 1 Obtain the serial number for your FWSM by entering the following command:

hostname> show version | include Number

Enter the pipe character (|) as part of the command.

Step 2 Connect a web browser to one of the following websites (the URLs are case-sensitive):

Use the following website if you are a registered user of Cisco.com:


Use the following website if you are not a registered user of Cisco.com:


Step 3 Enter the following information, when prompted:

- Your Product Authorization Key

- The serial number of your FWSM.

- Your e-mail address.

The activation key will be automatically generated and sent to the e-mail address that you provide.


Entering a New Activation Key

To enter the activation key, enter the following command:

hostname(config)# activation-key key

The key is a four-element hexadecimal string with one space between each element. For example, a key in the correct form might look like the following key:

0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e

The leading 0x specifier is optional; all values are assumed to be hexadecimal.

If you are already in multiple context mode, enter this command in the system execution space. "


Jon Marshall Tue, 04/24/2007 - 00:04

Hi Erik

It's probably a long shot as the symptoms are not exactly the same as the ones I have seen, but whenever I get issues with failover it's because a VLAN has been allocated to one switch that hasn't been added to the other.

Could you check the 6500 config and ensure that you have allocated the same VLANs to the FWSMs on both chassis?
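
Added example (not part of the original thread and not Cisco code): one way to carry out the VLAN comparison suggested above is to diff the `firewall vlan-group` / `firewall module` assignments taken from both chassis' running configs. The config excerpts, slot numbers and VLAN IDs below are constructed for illustration.

```python
import re

# Constructed sample excerpts of two Cat6500 running configs (not from the thread).
CHASSIS_A = """\
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1,2
firewall vlan-group 1  100-103,200
firewall vlan-group 2  900,901
"""
CHASSIS_B = """\
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1,2
firewall vlan-group 1  100-102,200
firewall vlan-group 2  900,901
"""

GROUP_RE = re.compile(r"^[ \t]*firewall vlan-group (\d+)\s+(\S+)", re.M)
MODULE_RE = re.compile(r"^[ \t]*firewall module (\d+) vlan-group (\S+)", re.M)

def expand(spec):
    """Expand an IOS number list such as '10,20-22' into a set of ints."""
    out = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def fwsm_vlans(config):
    """Return {slot: set of VLANs} assigned to each firewall module slot."""
    groups = {}
    for gid, spec in GROUP_RE.findall(config):
        # A long VLAN list may be split over several lines for the same group.
        groups.setdefault(int(gid), set()).update(expand(spec))
    slots = {}
    for slot, gids in MODULE_RE.findall(config):
        for gid in expand(gids):
            slots.setdefault(int(slot), set()).update(groups.get(gid, set()))
    return slots

def compare(config_a, slot_a, config_b, slot_b):
    """Return (VLANs only on A's module, VLANs only on B's module), sorted."""
    a = fwsm_vlans(config_a).get(slot_a, set())
    b = fwsm_vlans(config_b).get(slot_b, set())
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    only_a, only_b = compare(CHASSIS_A, 1, CHASSIS_B, 1)
    print("only on chassis A:", only_a, "| only on chassis B:", only_b)
```

Any VLAN reported on one side only, in particular the failover or state-link VLAN, is a candidate cause for the mismatch described above.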



Erik Molenaar Tue, 04/24/2007 - 00:18

Hi Jon,

Checked that out and all seems ok.

Strange thing is that the failing unit is not even reachable from within the switch (session slot1 proc 1 command).

jorg.ramakers Tue, 11/25/2008 - 05:46

Most likely it was a bug.

You should see the mac-addresses of the fwsm blade on the portchannel on the 6500.

sh mac-ad int po270.

Port-channel270 is the interface where the blade is connected to the 6500. If you don't see the mac-addresses on this portchannel you should upgrade. Be aware, it could be another portchannel beginning with po27x.



