
FWSM sync failure

kmaher
Level 1

Hello,

I am currently trying to set up a pair of FWSMs on 2 peered 6509s as a failover (active/standby) pair.

The 2 chassis have a ten gig link trunked between them with 3 VLANs on the trunk - outside (which routes to the MSFC on the 6509), state, and failover. I got the failover commands on the primary and enabled failover. I put the skeleton config on my failover unit and it saw the active unit and started the config download. Unfortunately, it failed on that 2 times with this message:

Config Sync Error: Following command could not be executed on standby

access-list Inside_acl commit-status committed line 25 extended permit tcp any object-group SFC_NTP_Servers eq 123

Context: single_vf

******REPLICATION OF CONFIGURATION FROM ACTIVE TO STANDBY UNIT IS INCOMPLETE, TO PREVENT THE STANDBY UNIT TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION, THE STANDBY UNIT WILL NOW REBOOT*******

If the sync fails, is that something in the configuration that causes sync failures or is that a physical connectivity issue? I don't have that much experience with the FWSM failover yet (I've only done this with the PIX 500 series previously).

Any help or suggestions would be appreciated.

Thanks.

1 Reply 1

kmaher
Level 1

Well, looks like something rather simple. A coworker reviewed the troubleshooting doc. It turns out that our inside interfaces (which are all layer 2 ports on the 6509) must be set up on the trunk between the 2 6509s. It cannot rely on the layer 2 connection to the common switch which the FWSMs are providing routing for.

Once we applied that change, the configuration on each unit replicated without issue.
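
An added example, not part of the original thread: a pre-failover check that compares the VLANs assigned to the FWSM with the VLANs allowed on the inter-chassis trunk, generalizing the fix above from the inside VLANs to every FWSM VLAN. It assumes the VLANs are assigned with `firewall vlan-group`; the sample config, VLAN IDs, module slot and interface name are constructed.

```python
import re

# Constructed sample running-config; VLAN IDs, slot and interface are made up.
SAMPLE_CONFIG = """\
firewall vlan-group 1 10,20-22,30
firewall module 3 vlan-group 1
!
interface TenGigabitEthernet1/1
 description inter-chassis trunk
 switchport mode trunk
 switchport trunk allowed vlan 10,30,31
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def fwsm_vlans(config):
    """VLANs handed to the FWSM through 'firewall vlan-group' lines."""
    vlans = set()
    for m in re.finditer(r"^firewall vlan-group \d+\s+([\d,-]+)", config, re.M):
        vlans |= expand_vlans(m.group(1))
    return vlans

def trunk_allowed_vlans(config, interface):
    """VLANs allowed on one trunk; a trunk with no allowed list carries all."""
    allowed, restricted, in_block = set(), False, False
    for line in config.splitlines():
        if line.startswith("interface "):
            in_block = line.split(None, 1)[1].strip() == interface
        elif in_block:
            m = re.match(r"\s*switchport trunk allowed vlan (?:add )?([\d,-]+)", line)
            if m:
                restricted = True
                allowed |= expand_vlans(m.group(1))
    return allowed if restricted else set(range(1, 4095))

def missing_on_trunk(config, interface):
    """FWSM VLANs that the inter-chassis trunk does not carry."""
    return sorted(fwsm_vlans(config) - trunk_allowed_vlans(config, interface))

if __name__ == "__main__":
    print(missing_on_trunk(SAMPLE_CONFIG, "TenGigabitEthernet1/1"))
```

Run it against the saved running-config of each chassis; any VLAN it reports should be added to the trunk before failover is enabled.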