FWSM intra-chassis failover #urgent#

Jun 14th, 2009

Hi,

What configuration is needed to perform an intra-chassis active/active failover between 2 FWSMs? I have defined the failover and state VLANs on the switch and also defined them in the firewall vlan group.

trevora Mon, 06/15/2009 - 01:51

There is no difference between intra- and inter-chassis failover. It is the same as failover on ASAs. You just need to make sure that the interface VLANs are seen across both 6500s.

manmeetshergill Mon, 06/15/2009 - 04:18

Hi trevora,

Thanks for the reply. I have done the config on both the FWSMs fitted in the same switch, as on ASAs.

My doubt is about the VLAN config that has to be done on the switch.

Both modules are not seeing each other; when I assign the firewall vlan group to the secondary module the whole network goes down.



Kureli Sankar Mon, 06/15/2009 - 04:52

What do you mean by "whole network goes down"? Through traffic breaks?

This may happen if both the FWSMs go active. That could happen if the FWSMs cannot see each other via the failover VLANs.

Pls. copy and paste the

sh run | i firewall

lines from the switch, and

sh run fail

from both the FWSMs.

If it is very critical I'd suggest opening a case with TAC.



manmeetshergill Mon, 06/15/2009 - 06:16

The config on the switch is as follows:

firewall autostate
firewall multiple-vlan-interfaces
firewall module 2 vlan-group 1
firewall vlan-group 1 5-7,11,12,15,54,61,62,105-107,111,112,115,121,211

// if I assign this firewall vlan group to the other module the network goes down

The failover config on the primary FWSM is as follows:

FWSM-PRIMARY-UNIT# sh run failover
failover
failover lan unit primary
failover lan interface failover Vlan61
failover polltime unit msec 500 holdtime 3
failover polltime interface 3
failover key *****
failover replication http
failover link state Vlan62
failover interface ip failover 192.168.50.1 255.255.255.0 standby 192.168.50.2
failover interface ip state 192.168.51.1 255.255.255.0 standby 192.168.51.2
failover group 1
  preempt
  replication http
failover group 2
  secondary
  preempt 5
  replication http

The config on the secondary FWSM is as follows:

failover
failover lan unit secondary
failover lan interface failover Vlan61
failover polltime unit msec 500 holdtime 3
failover polltime interface 3
failover key ****
failover replication http
failover interface ip failover 192.168.50.1 255.255.255.0 standby 192.168.50.2
failover group 1
  preempt
  replication http
failover group 2
  secondary
  preempt 5
  replication http



trevora Mon, 06/15/2009 - 07:22

It is critical that the VLANs (via vlan-group on the 6500) are assigned to both FWSM modules even if they are in the same chassis, otherwise it is impossible to do failover. If you were doing inter-chassis then the best is a trunk between the 6500s to carry the VLANs.

I see that you are using a 2nd VLAN for stateful info; that is ok, but you can use the same VLAN as the failover link without any performance problems. I noticed that you did not config the state interface on the secondary FW.

What I suggest is:

1) Write erase the config on the secondary FW. Then issue the command NO FAILOVER on the primary to switch off failover.

2) Change the 6500 config by adding: firewall module 1 vlan-group 1
This will make the VLANs available to both FWSMs.

3) Then enter the failover config on the secondary. You don't need the failover groups on the secondary. Go back to the primary and issue the cmd FAILOVER from config mode, then do the same on the secondary.

In a few seconds failover should be up and running. If you have problems try removing: failover replication http and use the default.


manmeetshergill Mon, 06/15/2009 - 21:44

What configs have to be done on the switch regarding the failover VLANs?

Do I have to assign an IP address to them?


manmeetshergill Tue, 06/16/2009 - 23:44

Hi,

I tried the above steps; this time the network didn't go down.

The output I am getting is as follows:

For the primary FWSM:

Failover unit Primary
Failover LAN Interface: failover Vlan 61 (up)
Unit Poll frequency 500 milliseconds, holdtime 3 seconds
Interface Poll frequency 3 seconds
Interface Policy 50%
Monitored Interfaces 14 of 250 maximum
failover replication http
Config sync: active
Version: Ours 3.1(3), Mate Unknown
Group 1 last failover at: 21:23:56 GMT Jun 16 2009
Group 2 last failover at: 21:23:59 GMT Jun 16 2009

  This host: Primary
  Group 1 State: Active
    Active time: 329035 (sec)
  Group 2 State: Active
    Active time: 329031 (sec)

    admin Interface inside (10.88.4.2): Normal (Waiting)
    admin Interface outside (10.88.4.2): Normal (Waiting)
    primary Interface x.x.x.x: Normal (Waiting)
    primary Interface x.x.x.x: Normal (Waiting)
    primary Interface x.x.x.x: Normal (Waiting)
    primary Interface x.x.x.x: Normal (Waiting)
    primary Interface x.x.x.x: Normal (Waiting)
    primary Interface x.x.x.x: Normal (Waiting)
    secondary Interface x.x.x.x: Normal (Waiting)
    secondary Interface x.x.x.x: Normal (Waiting)
    secondary Interface x.x.x.x: Normal (Waiting)
    secondary Interface x.x.x.x: Normal (Waiting)
    secondary Interface x.x.x.x: No Link (Waiting)
    secondary Interface x.x.x.x: Normal (Waiting)

  Other host: Secondary
  Group 1 State: Failed
    Active time: 0 (sec)
  Group 2 State: Failed
    Active time: 0 (sec)

    admin Interface x.x.x.x: Unknown (Waiting)
    admin Interface x.x.x.x: Unknown (Waiting)
    primary Interface x.x.x.x: Unknown (Waiting)
    primary Interface x.x.x.x: Unknown (Waiting)
    primary Interface x.x.x.x: Unknown (Waiting)
    primary Interface x.x.x.x: Unknown (Waiting)
    primary Interface x.x.x.x: Unknown (Waiting)
    primary Interface x.x.x.x: Unknown (Waiting)
    secondary Interface x.x.x.x: Unknown (Waiting)
    secondary Interface x.x.x.x: Unknown (Waiting)
    secondary Interface x.x.x.x: Unknown (Waiting)
    secondary Interface x.x.x.x: Unknown (Waiting)
    secondary Interface x.x.x.x: Unknown (Waiting)
    secondary Interface x.x.x.x: Unknown (Waiting)

Stateful Failover Logical Update Statistics
  Link : state Vlan 62 (up)
  Stateful Obj    xmit       xerr       rcv        rerr
  General         0          0          0          0
  sys cmd         0          0          0          0
  up time         0          0          0          0
  RPC services    0          0          0          0
  TCP conn        0          0          0          0
  UDP conn        0          0          0          0
  ARP tbl         0          0          0          0
  L2BRIDGE Tbl    0          0          0          0
  Xlate_Timeout   0          0          0          0

  Logical Update Queue Information
                  Cur     Max     Total
  Recv Q:         0       0       0
  Xmit Q:         0       0       0


manmeetshergill Tue, 06/16/2009 - 23:44

For the secondary FWSM:

Failover On
Failover unit Secondary
Failover LAN Interface: failover Vlan 61 (up)
Unit Poll frequency 500 milliseconds, holdtime 3 seconds
Interface Poll frequency 3 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
failover replication http
Config sync: active
Version: Ours 3.1(3), Mate Unknown
Group 1 last failover at: 21:12:48 GMT Jun 16 2009
Group 2 last failover at: 21:12:48 GMT Jun 16 2009

  This host: Secondary
  Group 1 State: Active
    Active time: 56976 (sec)
  Group 2 State: Active
    Active time: 56976 (sec)

  Other host: Secondary
  Group 1 State: Not Detected
    Active time: 0 (sec)
  Group 2 State: Not Detected
    Active time: 0 (sec)

Stateful Failover Logical Update Statistics
  Link : state Vlan 62 (up)
  Stateful Obj    xmit       xerr       rcv        rerr
  General         0          0          0          0
  sys cmd         0          0          0          0
  up time         0          0          0          0
  RPC services    0          0          0          0
  TCP conn        0          0          0          0
  UDP conn        0          0          0          0
  ARP tbl         0          0          0          0
  Xlate_Timeout   0          0          0          0

  Logical Update Queue Information
                  Cur     Max     Total
  Recv Q:         0       0       0
  Xmit Q:         0       0       0

If I give the "no failover active" command on the primary FWSM the network takes around 20-30 seconds to come back up (in active/active failover the failover won't take that long).

Any suggestions?

Thanks

Kureli Sankar Thu, 06/18/2009 - 03:28

sh vlan on both FWSMs should show the exact same VLANs.

What syslogs do you see? Failover messages are logged at level 1.

Is the failover key correct on both units? Doesn't look like it. According to the output that you pasted it appears that one unit has one extra character.

You do not have IP addresses configured for the interfaces? You need to configure a standby IP address for all the interfaces as well.

Like I mentioned earlier, pls. open a TAC case and we will look at it. This seems a little complex to solve via the forum.

I would try to do the following:

* Make sure all the interfaces are configured with a standby IP address.

1. Remove the VLANs from the secondary module.

2. From the primary/active unit, remove the failover key line.

3. Session into the secondary and issue a write erase and reload without saving.

4. When it comes back up, just copy the failover lines (without the failover key line) that it had before.

5. Then push the VLANs down from the switch to this module.

6. It should detect the active module and do a bulk sync at this point.

Make sure the license (sh ver output) matches between the two units exactly and that the secondary module is also running 3.1.3.

On a side note, there are quite a few defects addressed since 3.1.3 code; I'd suggest upgrading the code.

http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm

The latest in the 3.1.x train is c6svc-fwm-k9.3-1-14.bin
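Two of the replies above spot the same class of problem from the pasted configs: the secondary unit lacks the state link lines that the primary has, and the failover key may not match. As an added example (not from this thread or from Cisco), here is a small Python check that parses the `show run failover` output of both units and reports the differences; the sample configs at the bottom are constructed to mirror the thread's pastes. Since the key is shown masked, only its presence can be compared, not its value.

```python
"""Compare 'show run failover' from two FWSM units and report mismatches.
Added example; sample inputs below are constructed, modelled on the thread."""
import re

PER_UNIT = re.compile(r"^failover lan unit (primary|secondary)$")
KEY = re.compile(r"^failover key \S+$")


def parse_failover(text):
    """Return (unit role, key configured?, set of lines that should match)."""
    role, has_key, shared = None, False, set()
    for raw in text.splitlines():
        line = " ".join(raw.split())          # squeeze whitespace
        if not line.startswith("failover"):   # skip prompt and group sub-lines
            continue
        m = PER_UNIT.match(line)
        if m:
            role = m.group(1)
        elif KEY.match(line):
            has_key = True                    # key is masked, so only presence
        else:
            shared.add(line)
    return role, has_key, shared


def check_pair(primary_text, secondary_text):
    """Return findings for the two units; an empty list means they agree."""
    a_role, a_key, a_lines = parse_failover(primary_text)
    b_role, b_key, b_lines = parse_failover(secondary_text)
    findings = []
    if {a_role, b_role} != {"primary", "secondary"}:
        findings.append(f"unit roles are {a_role!r}/{b_role!r}, expected primary/secondary")
    if not (a_key and b_key):
        findings.append("failover key missing on at least one unit")
    findings += [f"missing on secondary: {ln}" for ln in sorted(a_lines - b_lines)]
    findings += [f"missing on primary: {ln}" for ln in sorted(b_lines - a_lines)]
    return findings


# Constructed sample input modelled on the thread's two 'sh run failover' pastes.
PRIMARY = """FWSM-PRIMARY-UNIT# sh run failover
failover
failover lan unit primary
failover lan interface failover Vlan61
failover key *****
failover link state Vlan62
failover interface ip failover 192.168.50.1 255.255.255.0 standby 192.168.50.2
failover interface ip state 192.168.51.1 255.255.255.0 standby 192.168.51.2
"""
SECONDARY = PRIMARY.replace("unit primary", "unit secondary")
SECONDARY = "\n".join(ln for ln in SECONDARY.splitlines() if " state " not in ln)
```

Running `check_pair(PRIMARY, SECONDARY)` lists the two state-link lines the secondary is missing, which is exactly the gap trevora pointed out.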


manmeetshergill Mon, 06/22/2009 - 22:07

Hi Sankar,

Thanks a lot for your reply.

I tried the same as you stated above, but I am coming up with the same results.

Failover group 1 interfaces show Normal (Waiting) while the interfaces in failover group 2 show Unknown (Waiting).

I think both modules are unable to contact each other.

When I turn on failover on the secondary module the network goes down.

One more thing is that the log shows "access denied, possible spoof attack" when I gave the no failover command on the secondary module.

Everything is getting really confusing.

How should I go about it?


Kureli Sankar Tue, 06/23/2009 - 02:55

Could you just try active/standby failover instead of active/active? Try to remove the failover groups as well and keep it simple.

It is extremely hard to troubleshoot something like this just via the forum.

Is there a way you can open a TAC case? Let me know the case number once you do.

What code is the switch running? Does the switch show the MAC address of the blades in the appropriate VLANs pushed down to the FWSMs?

sh mac-address-table vlan blah



manmeetshergill Fri, 06/26/2009 - 04:58

I have an active/active license so I can't try active/standby (or can I?).

I am trying to get a case opened with TAC but I have to go through procedures (need some time for that).

The switch is running 12.2(18).

Yes, the switch shows the MAC addresses of the blades in the appropriate VLANs.

Kureli Sankar Sun, 06/28/2009 - 04:54

With an active/active license you can most certainly configure an active/standby configuration.

manmeetshergill Wed, 07/01/2009 - 23:26

I tried configuring an active/standby config,

but the problem I am facing is the same.

When I enable failover on the secondary module, failover goes off on the primary module.

What would be the reason?

Kureli Sankar Thu, 07/02/2009 - 05:01

Failover goes off on the primary module for what reason?

What do the logs show on both blades at this time? Could you copy and paste them here along with sh run fail from each blade?
