09-03-2008 11:50 PM - edited 03-11-2019 06:39 AM
Hi all
Today I created a new transparent context on my FWSM (3.2(6)), which sits in a 6509 with IOS, in slot 9.
Here is my configuration:
firewall multiple-vlan-interfaces
firewall module 9 vlan-group 1,
firewall vlan-group 1 30,[others-removed]1030
!
vlan 1030
name mse_outside
!
!
interface Vlan1030
description ** mse_outside **
ip address 10.10.30.6 255.255.255.0
ip helper-address 10.10.20.10
ip helper-address 10.10.21.10
ip helper-address 10.10.21.14
no ip redirects
ip pim sparse-dense-mode
standby ip 10.10.30.1
standby timers 1 3
standby preempt
standby authentication xxxxxxxx
!
S6509R-1250#sh vlan
.
.
.
30 mse active
1030 mse_outside active
.
.
.
And on the FWSM Context System:
FWSM# show run
!
interface Vlan30
description mse
!
!
interface Vlan1030
description mse_outside
!
context mse
description ** mse **
allocate-interface Vlan1030
allocate-interface Vlan30
config-url disk:/mse.cfg
!
And the Context:
FWSM/mse# sh run
: Saved
:
FWSM Version 3.2(6) <context>
!
firewall transparent
hostname mse
domain-name xxxxxx
enable password xxxxxx encrypted
names
!
interface Vlan30
nameif inside
bridge-group 1
security-level 100
!
interface Vlan1030
nameif outside
bridge-group 1
security-level 0
!
interface BVI1
ip address 10.10.30.4 255.255.255.0 standby 10.10.30.5
!
passwd xxxxxxxxx encrypted
access-list CSM_TFW_ACL_INBOUND_1 ethertype permit bpdu
access-list CSM_FW_ACL_inside extended permit ip any any
access-list OUTSIDE extended permit ip any any
pager lines 24
logging enable
logging buffered informational
logging trap informational
logging device-id hostname
logging host outside 10.10.20.56
mtu inside 1500
mtu outside 1500
monitor-interface inside
monitor-interface outside
icmp permit any outside
no asdm history enable
arp timeout 14400
access-group CSM_TFW_ACL_INBOUND_1 in interface inside
access-group CSM_FW_ACL_inside in interface inside
access-group CSM_TFW_ACL_INBOUND_1 in interface outside
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa proxy-limit disable
http 10.10.20.12 255.255.255.255 outside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!
class-map CSM_CLASS_MAP_1
match default-inspection-traffic
!
!
policy-map CSM_POLICY_MAP_global_1
class CSM_CLASS_MAP_1
inspect dns maximum-length 4096
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy CSM_POLICY_MAP_global_1 global
arp-inspection inside enable flood
arp-inspection outside enable flood
Cryptochecksum:xxxxxxx
: end
FWSM/mse#
And now to the problem:
FWSM# sh vlan
28-29 , 60 , 1030
[Note: VLAN 30 is missing here]
FWSM# sh int vlan30
Interface Vlan30 "", is down, line protocol is down
Hardware is EtherSVI
Description: mse
Allocated to a context
MAC address 0008.7ceb.1200, MTU not set
IP address unassigned
FWSM# sh int vlan1030
Interface Vlan1030 "", is up, line protocol is up
Hardware is EtherSVI
Description: mse_outside
Allocated to a context
MAC address 0008.7ceb.1200, MTU not set
IP address unassigned
FWSM#
Also note that interface Vlan30 is down/down here.
Any ideas why I don't see VLAN 30 on the FWSM, or why this interface is down?
I'm really out of ideas :(
Thanks,
Patrick
PS: this is a repost from the network forum, which was the wrong place for it.
09-04-2008 12:34 AM
Do you have anything else in VLAN 30?
I think without having at least one port connected to vlan 30, the line protocol will not come up.
09-04-2008 12:51 AM
Make sure you have VLAN 30 created on the MSFC with the 'vlan 30' command,
and assign this VLAN to one of the switch interfaces with these commands:
interface [interfacetype/number]
switchport
switchport mode access
switchport access vlan 30
no shut
Good luck.
Rate if helpful.
09-04-2008 01:35 AM
I've got one port with a connected PC in VLAN 30. I also retested the 'vlan 30' command (it's IOS 12.2(33)SXH2a), renamed the VLAN and saved. But the FWSM still doesn't see the VLAN.
09-04-2008 02:19 AM
Have you placed that VLAN in the vlan-group config?
09-04-2008 02:19 AM
Try to remove the VLANs assigned to the firewall module and reassign them again.
Also remove the FWSM config and reconfigure it again, if you don't have much config, as shown here.
Good luck.
09-04-2008 03:17 AM
Did both.
First I did a
no firewall vlan-group 1 30,1030
and after that again a
firewall vlan-group 1 1030,30
but no change. I also deleted the whole context including the interfaces and recreated it.
Still no change.
And a show fail:
FWSM# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: failover-lan Vlan 865 (up)
Unit Poll frequency 5 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds
Interface Policy 100%
Monitored Interfaces 36 of 250 maximum
Config sync: active
Version: Ours 3.2(6), Mate 3.2(6)
Last Failover at: 14:39:35 gmt Jul 25 2008
This host: Primary - Active
Active time: 3531090 (sec)
mse Interface inside (10.10.30.4): No Link (Waiting)
mse Interface outside (10.10.30.4): Normal
Other host: Secondary - Standby Ready
Active time: 0 (sec)
mse Interface inside (10.10.30.5): Normal (Waiting)
mse Interface outside (10.10.30.5): Normal
Stateful Failover Logical Update Statistics
Link : failover-link Vlan 866 (up)
Stateful Obj xmit xerr rcv rerr
General 313450062 0 580613 0
sys cmd 462036 0 462035 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 137591177 0 109369 0
UDP conn 149763755 0 6221 0
ARP tbl 24809447 0 2380 0
L2BRIDGE Tbl 822096 0 604 0
Xlate_Timeout 0 0 0 0
AAA tbl 1551 0 4 0
DACL 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 21 941920
Xmit Q: 0 0 26096456
FWSM#
09-04-2008 04:08 AM
Hi Patrick,
As long as you can remove the config and reconfigure it,
remove all the config and, if you can, use different VLAN numbers.
But before you start to configure it again, have a look at the following link, click on each step link and see the details, then configure it again
and let me know.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/quick.html#wp1013477
Good luck.
09-04-2008 05:13 AM
Removed the config and even the whole vlan and re-created it.
But now it gets weird...
Here on the primary/active:
FWSM# sh vlan
14-18, 20-21 , 23, 28-29 , 60, 140, 144-145 , 200, 229, 232, 865-866 , 900, 1020-1021 , 1023, 1028-1030 , 1060, 1140, 1144-1145 , 1200, 1229, 1232, 2014-2018 (now without omitting anything)
and here on the secondary:
FWSM# sh vlan
14-18, 20-21 , 23, 28-30 , 60, 140, 144-145 , 200, 229, 232, 865-866 , 900, 1020-1021 , 1023, 1028-1030 , 1060, 1140, 1144-1145 , 1200, 1229, 1232, 2014-2018
FWSM#
As you can see, on the standby the VLAN is there!!
It's just missing on the primary one...
I've also compared the configs of our two 6509 Catalysts; the configs are identical (besides IP addresses and standby stuff).
I also received this a few minutes ago (while being logged into the primary):
FWSM#
Vlan configuration mismatch between peers.
Please correct the condition as soon as possible
in order to avoid a possible disabling of failover.
FWSM#
09-04-2008 05:19 AM
Make the standby active with the command
failover active
and see if it is working OK on the standby FWSM!!
09-04-2008 05:22 AM
Ok will try this, but can't do it at the moment as it's main business time here and I don't want to risk an outage now.
Will post an update probably tomorrow.
09-04-2008 01:23 PM
Since I don't know the whole configuration, here are the standard VLAN/FWSM rules as a refresher.
VLAN Guidelines:
You can use private VLANs with the FWSM. Assign the primary VLAN to the FWSM; the FWSM automatically handles secondary VLAN traffic.
You cannot use reserved VLANs.
You cannot use VLAN 1.
If you use FWSM failover within the same switch chassis, do not assign the VLAN(s) you reserved for failover and stateful communications to a switch port. But, if you use failover between chassis, you must include the VLANs in the trunk port between the chassis.
If you do not add the VLANs to the switch before you assign them to the FWSM, the VLANs are stored in the supervisor engine database and are sent to the FWSM as soon as they are added to the switch.
Assign VLANs to the FWSM before you assign them to the MSFC.
VLANs that do not satisfy this condition are discarded from the range of VLANs that you attempt to assign on the FWSM.
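The two 'show vlan' outputs posted above differ only in VLAN 30, and the guidelines just listed say which VLAN IDs the FWSM will silently drop. The following script is an added example for this thread (not Cisco's code and not the poster's): it expands the range notation the FWSM prints (e.g. "14-18, 20-21 , 23"), reads the 6509 'firewall module' and 'firewall vlan-group' lines, and reports which VLANs the switch assigns to the module that a given FWSM does not list, which VLANs the two failover peers disagree on, and whether any assigned VLAN is VLAN 1 or a reserved VLAN. The sample inputs are constructed from the outputs in this thread; the reserved set 1002-1005 is an assumption about the default Catalyst reserved VLANs, since the guidelines name them without listing IDs.

```python
import re

# Assumption: VLAN 1 and the Catalyst default reserved VLANs 1002-1005 may not
# be assigned to the FWSM (the guidelines above name them without listing IDs).
UNUSABLE_VLANS = {1, 1002, 1003, 1004, 1005}

# Constructed sample inputs, taken from the outputs posted in this thread.
SWITCH_CONFIG = """\
firewall multiple-vlan-interfaces
firewall module 9 vlan-group 1,
firewall vlan-group 1 30,1030
"""
PRIMARY_SHOW_VLAN = ("14-18, 20-21 , 23, 28-29 , 60, 140, 144-145 , 200, 229, 232, "
                     "865-866 , 900, 1020-1021 , 1023, 1028-1030 , 1060, 1140, "
                     "1144-1145 , 1200, 1229, 1232, 2014-2018")
SECONDARY_SHOW_VLAN = ("14-18, 20-21 , 23, 28-30 , 60, 140, 144-145 , 200, 229, 232, "
                       "865-866 , 900, 1020-1021 , 1023, 1028-1030 , 1060, 1140, "
                       "1144-1145 , 1200, 1229, 1232, 2014-2018")


def parse_vlan_list(text):
    """Expand FWSM/IOS range notation such as '14-18, 20-21 , 23' into a set of ints.

    A trailing parenthesised remark (as in the post above) is ignored, and so is
    a trailing comma, which the IOS line 'firewall module 9 vlan-group 1,' shows.
    """
    text = re.sub(r"\(.*?\)", "", text)
    vlans = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        m = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", token)
        if not m:
            raise ValueError(f"unrecognised VLAN token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_switch_config(config):
    """Return (module -> set of group ids, group id -> set of VLANs) from IOS lines."""
    modules, groups = {}, {}
    for line in config.splitlines():
        m = re.match(r"\s*firewall module (\d+) vlan-group (.+)$", line)
        if m:
            modules.setdefault(int(m.group(1)), set()).update(parse_vlan_list(m.group(2)))
            continue
        m = re.match(r"\s*firewall vlan-group (\d+) (.+)$", line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(parse_vlan_list(m.group(2)))
    return modules, groups


def expected_vlans(config, module):
    """VLANs the switch config hands to the FWSM in the given slot."""
    modules, groups = parse_switch_config(config)
    expected = set()
    for group in modules.get(module, set()):
        expected |= groups.get(group, set())
    return expected


def check_fwsm(config, module, show_vlan_output):
    """Compare what the switch assigns to the module with what the FWSM reports."""
    expected = expected_vlans(config, module)
    seen = parse_vlan_list(show_vlan_output)
    return {
        "missing_on_fwsm": sorted(expected - seen),
        "unusable_assigned": sorted(expected & UNUSABLE_VLANS),
    }


def peer_mismatch(primary_output, secondary_output):
    """VLANs present on only one failover peer (the 'configuration mismatch' case)."""
    primary = parse_vlan_list(primary_output)
    secondary = parse_vlan_list(secondary_output)
    return {
        "only_on_primary": sorted(primary - secondary),
        "only_on_secondary": sorted(secondary - primary),
    }


if __name__ == "__main__":
    print("primary:  ", check_fwsm(SWITCH_CONFIG, 9, PRIMARY_SHOW_VLAN))
    print("secondary:", check_fwsm(SWITCH_CONFIG, 9, SECONDARY_SHOW_VLAN))
    print("peers:    ", peer_mismatch(PRIMARY_SHOW_VLAN, SECONDARY_SHOW_VLAN))
```

Run against the outputs in this thread, the script reports VLAN 30 as missing on the primary and present only on the secondary, which is the same condition the FWSM announces as "Vlan configuration mismatch between peers". Pasting each unit's 'show vlan' line into the script after every vlan-group change is a quick way to confirm both peers received the same allocation before failover is disabled for you.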
09-04-2008 09:54 PM
Hi,
Let's assume I didn't do this:
If you do not add the VLANs to the switch before you assign them to the FWSM, the VLANs are stored in the supervisor engine database and are sent to the FWSM as soon as they are added to the switch.
Assign VLANs to the FWSM before you assign them to the MSFC.
Then you write:
VLANs that do not satisfy this condition are discarded from the range of VLANs that you attempt to assign on the FWSM.
Let's say I did first create it and assigned it to the MSFC and afterwards assigned it to the FWSM.
What could I do now?