ACE with FWSM failover

Dec 16th, 2008


We have 2x6509, each with an ACE and an FWSM. The ACE is acting as a bridge between the FWSM and the servers. The FWSM is the gateway for all servers.

The FWSM has 2 contexts (FWSM A and FWSM B), with FWSM context A active on 6509A and FWSM context B on 6509B. Similarly, the ACE has 2 contexts: ACE context A is active on 6509A and context B is active on 6509B. We had an issue where FWSM context A on 6509A failed over, so FWSM context A became active on 6509B, but ACE context A on 6509A didn't detect it. All traffic stopped. I had to manually fail over FWSM context A from 6509B to 6509A to make it work.

There is an object track feature in the ACE; I'm not sure how it will work here. Can this be used, and if so, how? Is there anything else that can be done to avoid doing anything manually? How can we make the failover work, so that when the FWSM fails over the ACE can detect it, and if the ACE fails the FWSM should detect it?


Syed Iftekhar Ahmed Tue, 12/16/2008 - 16:41

Why did the traffic stop?

Each interface on FWSM-A needs to have direct layer 2 connectivity to each corresponding interface on FWSM-B. The same also holds for the ACE.

Additionally, the interfaces on FWSM 1 and FWSM 2 that are facing the ACE both need to have direct layer 2 connectivity to the corresponding interfaces of both ACE 1 and ACE 2.

In other words, the trunk between the two switches should carry all VLANs utilized by FWSM & ACE.

With L2 trunk available, STP will put vlan X (vlan b/w ACE & FWSM) in blocking state once FWSM-A goes down.

So if CONTEXT-A on FWSM-A goes down then incoming traffic should hit CONTEXT-A on FWSM-B first & then from there it should cross the Trunk between the switches and should hit corresponding ACE context on ACE-A.

A few questions:

1. Are you trunking all data VLANs (FWSM & ACE) between the two switches?

2. Are you allowing BPDUs to pass through ACE?

3. Have you disabled BPDU guard & Loop guard globally on the Cat65Ks?

4. If you run "show spanning-tree vlan X" & "show spanning-tree vlan Y" (where X & Y are the VLANs bridged by ACE), do you see the same Root for both VLANs?

Syed Iftekhar Ahmed
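
The comparison asked for in question 4 can be scripted. This is an added example, not part of the thread or of any Cisco tooling: it parses the Root ID stanza from two captured "show spanning-tree vlan" outputs and compares them. The sample outputs, VLAN IDs 10 and 20, and the choice to treat "same Root" as identical priority plus address are assumptions.

```python
import re

# Constructed sample outputs in the usual IOS layout; all values are made up.
SAMPLE_VLAN_X = """\
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     0011.2233.4400
             Cost        3
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0011.2233.5500
"""
# VLAN 20 seeing the same root as VLAN 10.
SAMPLE_VLAN_Y_SAME = SAMPLE_VLAN_X.replace("VLAN0010", "VLAN0020").replace(
    "32778  (priority 32768 sys-id-ext 10)", "32788  (priority 32768 sys-id-ext 20)")
# VLAN 20 electing its own root: the Root ID differs from VLAN 10.
SAMPLE_VLAN_Y_DIFF = SAMPLE_VLAN_Y_SAME.replace(
    "Root ID    Priority    24586", "Root ID    Priority    24596")

ROOT_RE = re.compile(
    r"Root ID\s+Priority\s+(\d+)\s+Address\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})",
    re.IGNORECASE,
)

def parse_root_id(output):
    """Return (priority, mac) from the Root ID stanza, or None if absent."""
    m = ROOT_RE.search(output)
    return (int(m.group(1)), m.group(2).lower()) if m else None

def same_root(out_x, out_y):
    """True only when both outputs parse and report an identical Root ID."""
    root_x, root_y = parse_root_id(out_x), parse_root_id(out_y)
    if root_x is None or root_y is None:
        # Empty capture, wrong VLAN ID, or spanning tree not running there.
        raise ValueError("no Root ID stanza found in one of the outputs")
    # Assumption: compare priority and address together, since one switch
    # can be root of two separate VLANs under the same MAC address.
    return root_x == root_y

if __name__ == "__main__":
    for label, out_y in (("same", SAMPLE_VLAN_Y_SAME), ("diff", SAMPLE_VLAN_Y_DIFF)):
        print(label, parse_root_id(SAMPLE_VLAN_X), parse_root_id(out_y),
              "MATCH" if same_root(SAMPLE_VLAN_X, out_y) else "MISMATCH")
```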


