SSO SWITCHOVER / FWSM on SUP 720

Unanswered Question
Jul 23rd, 2008

I have a major issue that affects all services (telnet, internet, etc.) on my network. I have a 6509 SUP720 core switch running the 2033-pk9sv-mz.122-18.SXD4.bin image and a firewall running the ver 3.2(4) image inserted into a module on the switch. An IP of 206.100.10.4/30 exists between the switch and the firewall. The firewall is used to protect the internal servers, which are connected to a 6509 switch having an IP address of 206.100.10.0/30 between it and the core switch.


Distribution routers for remote sites connect to the core switch on a routed port and the remote sites connect to applications residing on the internal servers. This implies that the firewall protects the internal servers.


Recently, I observed SSO failover between the active and standby supervisor engines on the core switch, leading to the inability of the remote sites to connect to applications on the internal servers. A reset of the firewall module resolves this problem, and this issue still happens periodically.


I upgraded the image on the core switch to s72033-adventerprisek9_wan-mz.122-33.SXH.bin and ever since, the problem still persists. The SSO has stopped failing over, and a reset of the firewall module no longer resolves the problem until the core switch is power cycled before the issue is resolved.


The problem started about 2 months after activating the firewall module. I do not intend to remove the firewall module to address this problem because I believe such a setup should work.


Any ideas on how to resolve this issue?



lgijssel Wed, 07/23/2008 - 03:01

That your system has stopped failing over gives me the idea that the upgrade might not have been entirely successful on both supervisors. You might know this link, but it does contain usable information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/nsfsso.html#wp1097378


The primary focus should be on finding out why the failover is no longer operational.

After that is fixed you can find out the effects of the upgrade on the firewall module.


regards,

Leo

chuks Wed, 07/23/2008 - 03:26

Thanks for the reply


What I meant was that the failover between the active and standby SUP happened abruptly before the upgrade, and after the upgrade the abrupt failover has stopped. This implies that the active and standby failover process is normal, but I still observe that the firewall stops passing traffic when this problem happens, and resetting the firewall module no longer resolves the problem as it used to before the upgrade, until the core switch is power cycled.


Any ideas please?



chuks Thu, 07/24/2008 - 02:05

Currently, the FWSM suddenly stops passing traffic and the problem is resolved by power-cycling the core switch. What is the likely impact of issuing the 'firewall autostate' command on the switch? Does it have any likely service impact? Why does the FWSM suddenly stop passing traffic, thereby causing serious service failure?
