Vlan not going UP/UP on FWSM

Unanswered Question
Sep 3rd, 2008

Hi all

Today I created a new transparent context on my FWSM (3.2(6)), which is in slot 9 of a 6509 running IOS.

Here is my configuration:

firewall multiple-vlan-interfaces
firewall module 9 vlan-group 1,
firewall vlan-group 1 30,[others-removed]1030
!
vlan 1030
 name mse_outside
!
!
interface Vlan1030
 description ** mse_outside **
 ip address 10.10.30.6 255.255.255.0
 ip helper-address 10.10.20.10
 ip helper-address 10.10.21.10
 ip helper-address 10.10.21.14
 no ip redirects
 ip pim sparse-dense-mode
 standby ip 10.10.30.1
 standby timers 1 3
 standby preempt
 standby authentication xxxxxxxx
!

S6509R-1250#sh vlan
...
30   mse                              active
1030 mse_outside                      active
...

And on the FWSM Context System:

FWSM# show run
!
interface Vlan30
 description mse
!
!
interface Vlan1030
 description mse_outside
!
context mse
  description ** mse **
  allocate-interface Vlan1030
  allocate-interface Vlan30
  config-url disk:/mse.cfg
!

And the Context:

FWSM/mse# sh run
: Saved
:
FWSM Version 3.2(6) <context>
!
firewall transparent
hostname mse
domain-name xxxxxx
enable password xxxxxx encrypted
names
!
interface Vlan30
 nameif inside
 bridge-group 1
 security-level 100
!
interface Vlan1030
 nameif outside
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 10.10.30.4 255.255.255.0 standby 10.10.30.5
!
passwd xxxxxxxxx encrypted
access-list CSM_TFW_ACL_INBOUND_1 ethertype permit bpdu
access-list CSM_FW_ACL_inside extended permit ip any any
access-list OUTSIDE extended permit ip any any
pager lines 24
logging enable
logging buffered informational
logging trap informational
logging device-id hostname
logging host outside 10.10.20.56
mtu inside 1500
mtu outside 1500
monitor-interface inside
monitor-interface outside
icmp permit any outside
no asdm history enable
arp timeout 14400
access-group CSM_TFW_ACL_INBOUND_1 in interface inside
access-group CSM_FW_ACL_inside in interface inside
access-group CSM_TFW_ACL_INBOUND_1 in interface outside
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa proxy-limit disable
http 10.10.20.12 255.255.255.255 outside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!
class-map CSM_CLASS_MAP_1
 match default-inspection-traffic
!
!
policy-map CSM_POLICY_MAP_global_1
 class CSM_CLASS_MAP_1
  inspect dns maximum-length 4096
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy CSM_POLICY_MAP_global_1 global
arp-inspection inside enable flood
arp-inspection outside enable flood
Cryptochecksum:xxxxxxx
: end
FWSM/mse#

And now to the problem:

FWSM# sh vlan
28-29 , 60 , 1030

[Note: Vlan 30 is missing here]

FWSM# sh int vlan30
Interface Vlan30 "", is down, line protocol is down
  Hardware is EtherSVI
  Description: mse
  Allocated to a context
  MAC address 0008.7ceb.1200, MTU not set
  IP address unassigned
FWSM# sh int vlan1030
Interface Vlan1030 "", is up, line protocol is up
  Hardware is EtherSVI
  Description: mse_outside
  Allocated to a context
  MAC address 0008.7ceb.1200, MTU not set
  IP address unassigned
FWSM#

Also note that interface Vlan30 is down/down here.

Any ideas why I don't see the vlan30 on the FWSM, or why this interface is down?

I'm really out of ideas :(

Thanks,

Patrick

PS: this is a repost from the network forum, which was the wrong place for it.

g.meerkoetter Thu, 09/04/2008 - 00:34

Do you have anything else in vlan 30?

I think without having at least one port connected to vlan 30, the line protocol will not come up.

Marwan ALshawi Thu, 09/04/2008 - 00:51

Make sure you have vlan30 created on the MSFC with the vlan 30 command, and assign this vlan to one of the switch interfaces with the commands:

interface [interfacetype/number]
 switchport
 switchport mode access
 switchport access vlan 30
 no shut

Good luck.

If helpful, rate.

patoberli Thu, 09/04/2008 - 01:35

I've got one port with a connected PC in the vlan30. I also retested the vlan30 command (it's IOS 12.2(33)SXH2a), renamed the vlan and saved. But the FWSM still doesn't see the vlan.

Marwan ALshawi Thu, 09/04/2008 - 02:19

Try to remove the vlans assigned to the firewall module and reassign them again.

Also remove the FWSM config and reconfigure it again if you don't have much config, as is shown here.

Good luck.

patoberli Thu, 09/04/2008 - 03:17

Did both.

First I did a

no firewall vlan-group 1 30,1030

and after that again a

firewall vlan-group 1 1030,30

but no change. I also deleted the whole context including the interfaces and recreated it.

Still no change.

And a show fail:

FWSM# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: failover-lan Vlan 865 (up)
Unit Poll frequency 5 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds
Interface Policy 100%
Monitored Interfaces 36 of 250 maximum
Config sync: active
Version: Ours 3.2(6), Mate 3.2(6)
Last Failover at: 14:39:35 gmt Jul 25 2008
        This host: Primary - Active
                Active time: 3531090 (sec)
                mse Interface inside (10.10.30.4): No Link (Waiting)
                mse Interface outside (10.10.30.4): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                mse Interface inside (10.10.30.5): Normal (Waiting)
                mse Interface outside (10.10.30.5): Normal

Stateful Failover Logical Update Statistics
        Link : failover-link Vlan 866 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         313450062  0          580613     0
        sys cmd         462036     0          462035     0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        137591177  0          109369     0
        UDP conn        149763755  0          6221       0
        ARP tbl         24809447   0          2380       0
        L2BRIDGE Tbl    822096     0          604        0
        Xlate_Timeout   0          0          0          0
        AAA tbl         1551       0          4          0
        DACL            0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       21      941920
        Xmit Q:         0       0       26096456
FWSM#

Marwan ALshawi Thu, 09/04/2008 - 04:08

Hi patrick

As long as you can remove the config and reconfigure it, remove all the config and, if you can, use different vlan numbers.

But before you start to configure it again, have a look at the following link, click on each step link and see the details, then configure it again and let me know.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/quick.html#wp1013477

good luck

patoberli Thu, 09/04/2008 - 05:13

Removed the config and even the whole vlan and re-created it.

But now it gets weird...

Here on the primary/active:

FWSM# sh vlan
14-18, 20-21 , 23, 28-29 , 60, 140, 144-145 , 200, 229, 232, 865-866 , 900, 1020-1021 , 1023, 1028-1030 , 1060, 1140, 1144-1145 , 1200, 1229, 1232, 2014-2018

(now without omitting anything)

and here on the secondary:

FWSM# sh vlan
14-18, 20-21 , 23, 28-30 , 60, 140, 144-145 , 200, 229, 232, 865-866 , 900, 1020-1021 , 1023, 1028-1030 , 1060, 1140, 1144-1145 , 1200, 1229, 1232, 2014-2018
FWSM#

As you can see, on the standby the vlan is there!!

It's just missing on the primary one...

I've also compared the configs of our two 6509 catalysts; the configs are identical (besides IP addresses and standby stuff).

I also received this some minutes ago (while being logged into the primary):

FWSM#
Vlan configuration mismatch between peers.
Please correct the condition as soon as possible
in order to avoid a possible disabling of failover.
FWSM#
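As an added example that is not part of this thread and not Cisco tooling: a small Python script that does mechanically what the posts above do by eye. It parses the supervisor's firewall vlan-group / firewall module lines and the FWSM sh vlan output of both failover units, then reports which assigned VLANs a unit does not list (the original symptom, VLAN 30 absent from the primary) and which VLANs differ between the peers (the "Vlan configuration mismatch between peers" warning). The sample inputs are constructed, abbreviated from the outputs quoted in the thread; the function names are my own.

```python
import re

# Constructed sample inputs, abbreviated from the outputs quoted in the thread.
SWITCH_CONFIG = """\
firewall module 9 vlan-group 1,
firewall vlan-group 1 30,1030
"""
PRIMARY_SH_VLAN = "14-18, 20-21 , 23, 28-29 , 60, 865-866 , 1028-1030 , 2014-2018"
SECONDARY_SH_VLAN = "14-18, 20-21 , 23, 28-30 , 60, 865-866 , 1028-1030 , 2014-2018"


def parse_vlan_list(text, lo_bound=1, hi_bound=4094):
    """Expand an IOS/FWSM list such as '28-30 , 60, 1030' into a set of ints.

    Tolerates the stray spaces the FWSM prints around commas and a trailing
    comma (as in 'vlan-group 1,'); rejects anything that is not a number or a
    low-high range inside the allowed bounds.
    """
    values = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not m:
            raise ValueError(f"unparseable token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or lo < lo_bound or hi > hi_bound:
            raise ValueError(f"invalid range: {token!r}")
        values.update(range(lo, hi + 1))
    return values


def parse_switch_config(config):
    """Return (groups, module_groups) from the supervisor's firewall lines.

    groups        : {group_id: set(vlans)}     from 'firewall vlan-group N <list>'
    module_groups : {slot: set(group_ids)}     from 'firewall module N vlan-group <list>'
    """
    groups, module_groups = {}, {}
    for line in config.splitlines():
        m = re.match(r"\s*firewall vlan-group (\d+)\s+(.+)$", line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(parse_vlan_list(m.group(2)))
            continue
        m = re.match(r"\s*firewall module (\d+) vlan-group\s+(.+)$", line)
        if m:
            module_groups.setdefault(int(m.group(1)), set()).update(parse_vlan_list(m.group(2)))
    return groups, module_groups


def expected_vlans_for_module(groups, module_groups, slot):
    """VLANs the supervisor should hand to the module in the given slot."""
    expected = set()
    for gid in module_groups.get(slot, set()):
        expected |= groups.get(gid, set())
    return expected


def missing_on_unit(expected, sh_vlan_text):
    """VLANs assigned on the switch that this unit's 'sh vlan' does not list."""
    return sorted(expected - parse_vlan_list(sh_vlan_text))


def peer_mismatch(primary_text, secondary_text):
    """VLANs present on only one failover peer; the FWSM warns on any difference."""
    p, s = parse_vlan_list(primary_text), parse_vlan_list(secondary_text)
    return {"only_primary": sorted(p - s), "only_secondary": sorted(s - p)}


def report(config=SWITCH_CONFIG, slot=9, primary=PRIMARY_SH_VLAN, secondary=SECONDARY_SH_VLAN):
    """Combine the checks into one dictionary a practitioner can eyeball or assert on."""
    groups, module_groups = parse_switch_config(config)
    expected = expected_vlans_for_module(groups, module_groups, slot)
    return {
        "expected": sorted(expected),
        "missing_on_primary": missing_on_unit(expected, primary),
        "missing_on_secondary": missing_on_unit(expected, secondary),
        "peer_mismatch": peer_mismatch(primary, secondary),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed inputs the report shows VLAN 30 missing on the primary only and a peer mismatch of VLAN 30 present only on the secondary, which is exactly the condition the warning message complains about. Feed it the full sh vlan lines from both units and the real switch config to get the same answer for a production pair.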

Marwan ALshawi Thu, 09/04/2008 - 05:19

Make the standby active with the command

failover active

and see if it is working OK on the standby FWSM!!

patoberli Thu, 09/04/2008 - 05:22

OK, will try this, but I can't do it at the moment as it's main business time here and I don't want to risk an outage now.

Will post an update probably tomorrow.

mcvhintex Thu, 09/04/2008 - 13:23

Since I don't know the whole configuration, here are the standard VLAN/FWSM rules as refresher.

VLAN Guidelines:

You can use private VLANs with the FWSM. Assign the primary VLAN to the FWSM; the FWSM automatically handles secondary VLAN traffic.

You cannot use reserved VLANs.

You cannot use VLAN 1.

If you use FWSM failover within the same switch chassis, do not assign the VLAN(s) you reserved for failover and stateful communications to a switch port. But, if you use failover between chassis, you must include the VLANs in the trunk port between the chassis.

If you do not add the VLANs to the switch before you assign them to the FWSM, the VLANs are stored in the supervisor engine database and are sent to the FWSM as soon as they are added to the switch.

Assign VLANs to the FWSM before you assign them to the MSFC.

VLANs that do not satisfy this condition are discarded from the range of VLANs that you attempt to assign on the FWSM.

patoberli Thu, 09/04/2008 - 21:54

Hi,

Let's assume I didn't do this:

If you do not add the VLANs to the switch before you assign them to the FWSM, the VLANs are stored in the supervisor engine database and are sent to the FWSM as soon as they are added to the switch.

Assign VLANs to the FWSM before you assign them to the MSFC.

Then you write:

VLANs that do not satisfy this condition are discarded from the range of VLANs that you attempt to assign on the FWSM.

Let's say I first created it and assigned it to the MSFC, and afterwards assigned it to the FWSM.

What could I do now?
