
SSO SWITCHOVER / FWSM on SUP 720

chuks
Level 1

I have a major issue that affects all services (telnet, internet etc) on my network. I have a 6509 SUP720 core switch running 2033-pk9sv-mz.122-18.SXD4.bin image and a firewall running ver 3.2(4) image inserted into a module on the switch. An IP of 206.100.10.4/30 exists between the switch and the firewall. The firewall is used to protect the internal servers which are connected to a 6509 switch having an IP address of 206.100.10.0/30 between it and the core switch.

Distribution routers for remote sites connect to the core switch on a routed port and the remote sites connect to applications residing on the internal servers. This implies that the firewall protects the internal servers.

Recently, I observed SSO failover between the active and standby supervisor engines on the core switch, leading to the inability of the remote sites to connect to applications on the internal servers. A reset of the firewall module resolves this problem and this issue still happens periodically.

I upgraded the image on the core switch to s72033-adventerprisek9_wan-mz.122-33.SXH.bin and ever since the problem still persists. The SSO has stopped failing over, and a reset of the firewall module no longer resolves the problem until the core switch is power cycled before the issue is resolved.

The problem started about 2 months after activating the firewall module. I do not intend to remove the firewall module to address this problem because I believe such a setup should work.

Any ideas on how to resolve this issue?

4 Replies

lgijssel
Level 9

That your system has stopped failing over gives me the idea that the upgrade might not have been entirely successful on both supervisors. You might know this link but it does contain usable information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/nsfsso.html#wp1097378

The primary focus should be on finding out why the failover is no longer operational.

After that is fixed you can find out the effects of the upgrade on the firewall module.

regards,

Leo

Thanks for the reply

What I meant was that the failover between the active and standby SUP happened abruptly before the upgrade, and after the upgrade the abrupt failover has stopped. This implies that the active and standby failover process is normal, but I still observe that the firewall stops passing traffic when this problem happens, and resetting the firewall module no longer resolves the problem as it used to before the upgrade until the core switch is power cycled.

Any ideas please?

You may also have a look at this:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/switch_f.html#wp1198611

There is a paragraph about autostate messaging that might be relevant for you. When not having this configured, it states that failover might take up to 45s.

regards,

Leo

Currently, the FWSM suddenly stops passing traffic and the problem is resolved by power-cycling the core switch. What is the likely impact of issuing the 'firewall autostate' command on the switch? Does it have any likely service impact? Why does the FWSM suddenly stop passing traffic, thereby causing serious service failure?
