06-14-2009 06:30 AM - edited 03-11-2019 08:43 AM
Hi,
What will be the configurations needed to perform an intra-chassis active-active failover between 2 FWSMs? I have defined the failover and state VLANs on the switch and also defined them in the firewall VLAN group.
06-15-2009 01:51 AM
There is no difference between intra- and inter-chassis failover. It is the same as failover on ASAs. You just need to make sure that the interface VLANs are seen across both 6500s.
06-15-2009 04:18 AM
Hi trevora,
Thanks for the reply. I have done the config on both the FWSMs fitted in the same switch, the same way as for ASAs.
The doubt is about the VLAN config that has to be done on the switch.
Both modules are not seeing each other; when I assign the firewall VLAN group to the secondary module the whole network goes down.
06-15-2009 04:52 AM
What do you mean by "whole network goes down"? Through traffic breaks?
This may happen if both the FWSMs go active.
The above could happen if the FWSMs cannot see each other via the failover vlans.
Pls. copy and paste the
sh run | i firewall
lines from the switch
and
sh run fail
from both the FWSMs.
If it is very critical I'd suggest to open a case with TAC.
06-15-2009 06:16 AM
The config on the sw is as follows:
firewall autostate
firewall multiple-vlan-interfaces
firewall module 2 vlan-group 1
firewall vlan-group 1 5-7,11,12,15,54,61,62,105-107,111,112,115,121,211
// If I assign this firewall vlan-group to the other module the network goes down
The failover config on Primary FWSM is as follows:
FWSM-PRIMARY-UNIT# sh run failover
failover
failover lan unit primary
failover lan interface failover Vlan61
failover polltime unit msec 500 holdtime 3
failover polltime interface 3
failover key *****
failover replication http
failover link state Vlan62
failover interface ip failover 192.168.50.1 255.255.255.0 standby 192.168.50.2
failover interface ip state 192.168.51.1 255.255.255.0 standby 192.168.51.2
failover group 1
preempt
replication http
failover group 2
secondary
preempt 5
replication http
The config on secondary FWSM is as follows:
failover
failover lan unit secondary
failover lan interface failover Vlan61
failover polltime unit msec 500 holdtime 3
failover polltime interface 3
failover key ****
failover replication http
failover interface ip failover 192.168.50.1 255.255.255.0 standby 192.168.50.2
failover group 1
preempt
replication http
failover group 2
secondary
preempt 5
replication http
06-15-2009 07:22 AM
It is critical that the VLANs (via vlan-group on the 6500) are assigned to both FWSM modules even if they are in the same chassis; otherwise it is impossible to do failover. If you were doing inter-chassis then the best is a trunk between the 6500s to carry the VLANs.
I see that you are using a 2nd VLAN for stateful info. That is OK, but you can use the same VLAN as the failover link without any performance problems. I noticed that you did not config the state interface on the secondary FW.
What I suggest is:
1) Write erase the config on the secondary FW. Then issue the command NO FAILOVER on the primary to switch off failover.
2) Change the 6500 config by adding: firewall module 1 vlan-group 1
This will make the VLANs available to both FWSMs.
3) Then enter the failover config on the secondary. You don't need the failover groups on the secondary. Go back to the primary and issue the cmd FAILOVER from config mode, then do the same on the secondary.
In a few seconds failover should be up and running. If you have problems, try removing "failover replication http" and use the default.
06-15-2009 09:44 PM
What configs have to be done on the switch regarding the failover VLANs?
Do I have to assign an IP address to them?
06-16-2009 11:44 PM
Hi,
I tried the above steps; this time the network didn't go down.
The output I am getting is as follows:
For the primary FWSM:
Failover unit Primary
Failover LAN Interface: failover Vlan 61 (up)
Unit Poll frequency 500 milliseconds, holdtime 3 seconds
Interface Poll frequency 3 seconds
Interface Policy 50%
Monitored Interfaces 14 of 250 maximum
failover replication http
Config sync: active
Version: Ours 3.1(3), Mate Unknown
Group 1 last failover at: 21:23:56 GMT Jun 16 2009
Group 2 last failover at: 21:23:59 GMT Jun 16 2009
This host: Primary
Group 1 State: Active
Active time: 329035 (sec)
Group 2 State: Active
Active time: 329031 (sec)
admin Interface inside (10.88.4.2): Normal (Waiting)
admin Interface outside (10.88.4.2): Normal (Waiting)
primary Interface x.x.x.x : Normal (Waiting)
primary Interface x.x.x.x : Normal (Waiting)
primary Interface x.x.x.x : Normal (Waiting)
primary Interface x.x.x.x : Normal (Waiting)
primary Interface x.x.x.x : Normal (Waiting)
primary Interface x.x.x.x: Normal (Waiting)
secondary Interface x.x.x.x : Normal (Waiting)
secondary Interface x.x.x.x : Normal (Waiting)
secondary Interface x.x.x.x : Normal (Waiting)
secondary Interface x.x.x.x : Normal (Waiting)
secondary Interface x.x.x.x : No Link (Waiting)
secondary Interface x.x.x.x : Normal (Waiting)
Other host: Secondary
Group 1 State: Failed
Active time: 0 (sec)
Group 2 State: Failed
Active time: 0 (sec)
admin Interface x.x.x.x: Unknown (Waiting)
admin Interface x.x.x.x: Unknown (Waiting)
primary Interface x.x.x.x: Unknown (Waiting)
primary Interface x.x.x.x: Unknown (Waiting)
primary Interface x.x.x.x: Unknown (Waiting)
primary Interface x.x.x.x: Unknown (Waiting)
primary Interface x.x.x.x: Unknown (Waiting)
primary Interface x.x.x.x: Unknown (Waiting)
secondary Interface x.x.x.x: Unknown (Waiting)
secondary Interface x.x.x.x : Unknown (Waiting)
secondary Interface x.x.x.x: Unknown (Waiting)
secondary Interface x.x.x.x: Unknown (Waiting)
secondary Interface x.x.x.x: Unknown (Waiting)
secondary Interface x.x.x.x: Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : state Vlan 62 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
L2BRIDGE Tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
06-16-2009 11:44 PM
For the secondary FWSM:
Failover On
Failover unit Secondary
Failover LAN Interface: failover Vlan 61 (up)
Unit Poll frequency 500 milliseconds, holdtime 3 seconds
Interface Poll frequency 3 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
failover replication http
Config sync: active
Version: Ours 3.1(3), Mate Unknown
Group 1 last failover at: 21:12:48 GMT Jun 16 2009
Group 2 last failover at: 21:12:48 GMT Jun 16 2009
This host: Secondary
Group 1 State: Active
Active time: 56976 (sec)
Group 2 State: Active
Active time: 56976 (sec)
Other host: Secondary
Group 1 State: Not Detected
Active time: 0 (sec)
Group 2 State: Not Detected
Active time: 0 (sec)
Stateful Failover Logical Update Statistics
Link : state Vlan 62 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
If I give the "no failover active" command on the primary FWSM, the network takes around 20-30 seconds to come back up (in active/active failover the failover shouldn't take that long).
Any suggestions?
Thanks
06-18-2009 03:28 AM
sh vlan in both FWSMs should show the exact same VLANs.
What syslogs do you see? failover messages are logged in level 1.
Is the failover key correct on both units? It doesn't look like it. According to the output that you pasted, it appears that one unit has one extra character.
You do not have IP addresses configured for the interfaces? You need to configure a standby IP address for all the interfaces as well.
Like I mentioned earlier, pls. open a TAC case and we will look at it. This seems like a little complex to solve via the forum.
I would try to do the following:
* Make sure all the interfaces are configured with standby IP address.
1. remove the vlans from the secondary module.
2. from the primary/active unit - remove the failover key line
3. session into the secondary and issue a write erase and reload without saving.
4. when it comes back up just copy the failover lines (without the failover key line) that it had before.
5. Then push the vlans down from the switch to this module.
6. It should detect the active module and do a bulk sync at this point.
Make sure the license (sh ver output) matches between the two units exactly and that the secondary module is also running 3.1.3.
On a side note, there are quite a few defects addressed since the 3.1.3 code; I'd suggest upgrading the code.
http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm
The latest in the 3.1.x train is c6svc-fwm-k9.3-1-14.bin
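The two replies above keep returning to the same three checks: both modules must receive the failover and state VLANs from the switch, the two units' failover configs must match apart from the unit-role line (the missing state link and the odd-length failover key on the secondary are exactly what a line-by-line comparison would catch), and monitored interfaces in "show failover" should be Normal rather than Unknown or No Link. The script below automates those checks over pasted config text. It is an added example, not part of this thread and not a Cisco tool; it assumes the line formats seen in this thread, and the sample inputs are constructed to reproduce the mismatches discussed here (VLAN group only on module 2, no state link on the secondary, keys of different length).

```python
"""Consistency checks for an FWSM failover pair from pasted config text (added example)."""
import re

# Constructed sample input, modelled on the configs pasted in this thread.
SWITCH_CFG = """\
firewall autostate
firewall multiple-vlan-interfaces
firewall module 2 vlan-group 1
firewall vlan-group 1 5-7,11,12,15,54,61,62,105-107,111,112,115,121,211
"""
PRIMARY_FAILOVER = """\
failover
failover lan unit primary
failover lan interface failover Vlan61
failover key *****
failover replication http
failover link state Vlan62
failover interface ip failover 192.168.50.1 255.255.255.0 standby 192.168.50.2
failover interface ip state 192.168.51.1 255.255.255.0 standby 192.168.51.2
"""
SECONDARY_FAILOVER = """\
failover
failover lan unit secondary
failover lan interface failover Vlan61
failover key ****
failover replication http
failover interface ip failover 192.168.50.1 255.255.255.0 standby 192.168.50.2
"""
# Constructed excerpt of 'show failover' on the primary unit.
SHOW_FAILOVER = """\
This host: Primary
admin Interface inside (10.88.4.2): Normal (Waiting)
secondary Interface x.x.x.x : No Link (Waiting)
Other host: Secondary
admin Interface x.x.x.x: Unknown (Waiting)
"""


def expand_vlan_list(spec):
    """Expand a Cisco list such as '5-7,11,12' into {5, 6, 7, 11, 12}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def module_vlans(switch_cfg):
    """Map FWSM slot number -> set of VLANs the switch pushes to it via vlan-groups."""
    groups, modules = {}, {}
    for line in switch_cfg.splitlines():
        m = re.match(r"firewall vlan-group (\d+) (\S+)", line)
        if m:
            groups[int(m.group(1))] = expand_vlan_list(m.group(2))
        m = re.match(r"firewall module (\d+) vlan-group (\S+)", line)
        if m:
            modules.setdefault(int(m.group(1)), set()).update(expand_vlan_list(m.group(2)))
    return {slot: set().union(*(groups.get(g, set()) for g in gids))
            for slot, gids in modules.items()}


def failover_vlans(fo_cfg):
    """VLAN ids used for the failover and state links in 'sh run failover' output."""
    return {int(v) for v in re.findall(r"^failover (?:lan interface|link) \S+ Vlan(\d+)", fo_cfg, re.M)}


def config_differences(primary, secondary):
    """Lines present on only one unit, ignoring the unit-role line, which must differ."""
    def lines(cfg):
        return {l.strip() for l in cfg.splitlines()
                if l.strip() and not l.startswith("failover lan unit")}
    p, s = lines(primary), lines(secondary)
    return sorted(p - s), sorted(s - p)


def unhealthy_interfaces(show_failover):
    """(host, context, interface, state) for monitored interfaces whose state is not Normal."""
    host, out = None, []
    for line in show_failover.splitlines():
        m = re.match(r"(This|Other) host: (\S+)", line)
        if m:
            host = m.group(2)
            continue
        m = re.match(r"\s*(\S+) Interface (.+?)\s*:\s*(Normal|Unknown|No Link|Failed)", line)
        if m and m.group(3) != "Normal":
            out.append((host, m.group(1), m.group(2), m.group(3)))
    return out


def check_pair(switch_cfg, primary, secondary, slots=(1, 2)):
    """Return human-readable findings; an empty list means the prerequisites look consistent."""
    findings = []
    needed = failover_vlans(primary) | failover_vlans(secondary)
    pushed = module_vlans(switch_cfg)
    for slot in slots:
        missing = sorted(needed - pushed.get(slot, set()))
        if missing:
            findings.append(f"module {slot}: failover VLANs {missing} not assigned on the switch")
    only_p, only_s = config_differences(primary, secondary)
    findings += [f"only on primary: {l}" for l in only_p]
    findings += [f"only on secondary: {l}" for l in only_s]
    return findings


if __name__ == "__main__":
    for finding in check_pair(SWITCH_CFG, PRIMARY_FAILOVER, SECONDARY_FAILOVER):
        print(finding)
    for host, ctx, ifc, state in unhealthy_interfaces(SHOW_FAILOVER):
        print(f"{host}: {ctx} interface {ifc} is {state}")
```

On the constructed input the report lists module 1 as missing VLANs 61 and 62, the state link and state IP as present only on the primary, a key line on each side (the masked keys differ in length, as noticed above), and the No Link and Unknown interfaces. Replace the sample strings with the real "sh run | i firewall", "sh run failover" and "show failover" text to run it against a live pair; the masked "failover key *****" lines will always show as different unless the unmasked configs are compared.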
06-22-2009 10:07 PM
Hi sankar,
Thanks a lot for your reply.
I tried the same as you stated above, but I am coming up with the same results.
The failover group 1 interfaces show Normal (Waiting) while the interfaces in failover group 2 show Unknown (Waiting).
I think both the modules are unable to contact each other.
When I turn on failover on the secondary module the network goes down.
One more thing is that the log shows "access denied possible spoof attack" when I gave the no failover command on the secondary module.
Everything is getting really confusing.
How should I go about it?
06-23-2009 02:55 AM
Could you just try active/standby failover instead of active active? Try to remove the failover groups as well and keep it simple.
It is extremely hard to troubleshoot something like this just via the forum.
Is there a way you can open a TAC case? Let me know the case number once you do.
What code is the switch running? Does the switch show the mac address of the blades in the appropriate vlans pushed down to the FWSMs?
sh mac-address-table vlan blah
06-26-2009 04:58 AM
I have an active/active license so I can't try active/standby (or can I?).
I am trying to get a case opened with TAC but I have to go through procedures (need some time for that).
The switch is running 12.2(18).
Yes, the switch shows the MAC addresses of the blades in the appropriate VLANs.
06-28-2009 04:54 AM
With an active/active license you can most certainly configure an active/standby configuration.
07-01-2009 11:26 PM
I tried configuring an active/standby config, but the problem I am facing is the same:
when I enable failover on the secondary module, failover gets turned off on the primary module.
What would be the reason?