FWSM Failover Help

Unanswered Question
Oct 27th, 2009

First time configuring the FWSM. I come from the days where firewalls were actually appliances. I know, so 2007!

I am having trouble following the nice 700 page guide on the FWSM. I am going through the chapter on Configuring Failover.

I ran into an error when configuring the faolover lan interface.

Here is what I want to do and hopefully you can walk me through this.

I have a server that will be plugged into VLAN 100 on port 6/1 on my CoreA 6513 and CoreB 6513. He will be bonded active/passive. I want him to use a default gateway of 10.10.10.1.

I need the FWSM to present the 10.10.10.1 ip address to the server on both the FWSMs. In the olden days (prior to FWSM) I would put an IP of 10.10.10.2 and a standby of 10.10.10.1 on CoreA and an IP of 10.10.10.3 and a standby of 10.10.10.1 on CoreB to make this happen.

On both FWSM I have created interface VLAN 100 with name TrafficCtrlA. On FWSM A I put IP 10.10.10.2/24 standby 10.10.10.1 and on FWSM B I put IP 10.10.10.3/24 standby 10.10.10.1.

I can add the failover lan unit primary command but then when I add the failover lan interface (if_name) vlan (vlan) part, I get an error that says the interface already exists. Of course it does! I just added it!

Not sure what to do with that.

Help? Please!

James

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Yudong Wu Tue, 10/27/2009 - 14:09

On both FWSM A and B, you need configure the IP address of TrafficCtrlA as

ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2. Yes, both have the same config.

Therefore, whoever is active will use IP 10.10.10.1 and the other (standby) will use 10.10.10.2.

If TrafficCtr1A is used as server's gateway, it's a normal interface and could not be used as failover link. Here is what doc says "The failover link uses a special VLAN interface that you do not configure as a normal networking interface;"

Please follow the config guide for more detail info.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html#wp1051895

jfraasch Wed, 10/28/2009 - 05:23

Thanks. That actually is beginning to make sense. I will test later today.

Actions

This Discussion