FWSM sync failure

Unanswered Question
Nov 15th, 2008

Hello,

I am currently trying to set up a pair of FWSMs on 2 peered 6509s as a failover (active/standby) pair.

The 2 chassis have a ten gig link trunked between them with 3 VLANs on the trunk - outside (which routes to the MSFC on the 6509), state, and failover. I got the failover commands on the primary and enabled failover. I put the skeleton config on my failover unit and it saw the active unit and started the config download. Unfortunately, it failed on that 2 times with this message:

Config Sync Error: Following command could not be executed on standby
access-list Inside_acl commit-status committed line 25 extended permit tcp any object-group SFC_NTP_Servers eq 123
Context: single_vf
******REPLICATION OF CONFIGURATION FROM ACTIVE TO STANDBY UNIT IS INCOMPLETE,
TO PREVENT THE STANDBY UNIT TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION,
THE STANDBY UNIT WILL NOW REBOOT*******

If the sync fails, is that something in the configuration that causes sync failures or is that a physical connectivity issue? I don't have that much experience with the FWSM failover yet (I've only done this with the PIX 500 series previously).

Any help or suggestions would be appreciated.

Thanks.

kmaher Sat, 11/15/2008 - 12:50

Well, looks like something rather simple. A coworker reviewed the troubleshooting doc. It turns out that our inside interfaces (which are all layer 2 ports on the 6509) must be set up on the trunk between the 2 6509s. It cannot rely on the layer 2 connection to the common switch which the FWSMs are providing routing for.

Once we applied that change, the configuration on each unit replicated without issue.
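For readers hitting the same sync error, here is an added configuration sketch (not from the original post, and not Cisco's own example) that shows the fix described in the reply: the inter-chassis trunk carrying only the outside, failover and state VLANs beside the corrected version that also carries the inside VLAN. All VLAN numbers, addresses, the module slot and the interface names are assumed placeholders.

```cisco
! Added illustration, not from the post. VLAN numbers, module slot, addresses
! and interface names are assumed placeholders.
!
! --- Catalyst 6509 (both chassis), inter-chassis trunk ---
! Weak: only the outside (100), failover (500) and state (501) VLANs are
! allowed, so the FWSM inside VLAN (200) has no path between the chassis and
! the peer cannot be reached on that interface during replication.
interface TenGigabitEthernet1/1
 description inter-chassis trunk (incomplete)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,500,501
 switchport mode trunk
!
! Corrected: every VLAN the FWSM pair uses, inside included, rides the trunk,
! so each unit reaches its peer on all monitored interfaces.
interface TenGigabitEthernet1/1
 description inter-chassis trunk
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200,500,501
 switchport mode trunk
!
! Hand the same VLAN set to the FWSM module (slot 3 assumed) on both chassis.
firewall vlan-group 1 100,200,500,501
firewall module 3 vlan-group 1
!
! --- FWSM primary unit (the secondary uses "failover lan unit secondary") ---
interface vlan 100
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
interface vlan 200
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
failover lan unit primary
failover lan interface folink vlan 500
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link statelink vlan 501
failover interface ip statelink 10.255.0.5 255.255.255.252 standby 10.255.0.6
failover
```

Once the trunk change is in, `show failover` on the active unit should list the peer as Standby Ready and every monitored interface as Normal on both sides; a standby that keeps rebooting with the replication message above is the FWSM refusing to become active with a partial configuration, which is the safe behaviour, so the fix belongs in the VLAN plumbing rather than in the access-list it happened to stop on.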
