Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
279
Views
0
Helpful
2
Replies

FWSM Failover Help

jfraasch
Level 3
Level 3

‎10-27-2009 12:51 PM - edited ‎03-11-2019 09:32 AM

First time configuring the FWSM. I come from the days where firewalls were actually appliances. I know, so 2007!

I am having trouble following the nice 700 page guide on the FWSM. I am going through the chapter on Configuring Failover.

I ran into an error when configuring the faolover lan interface.

Here is what I want to do and hopefully you can walk me through this.

I have a server that will be plugged into VLAN 100 on port 6/1 on my CoreA 6513 and CoreB 6513. He will be bonded active/passive. I want him to use a default gateway of 10.10.10.1.

I need the FWSM to present the 10.10.10.1 ip address to the server on both the FWSMs. In the olden days (prior to FWSM) I would put an IP of 10.10.10.2 and a standby of 10.10.10.1 on CoreA and an IP of 10.10.10.3 and a standby of 10.10.10.1 on CoreB to make this happen.

On both FWSM I have created interface VLAN 100 with name TrafficCtrlA. On FWSM A I put IP 10.10.10.2/24 standby 10.10.10.1 and on FWSM B I put IP 10.10.10.3/24 standby 10.10.10.1.

I can add the failover lan unit primary command but then when I add the failover lan interface (if_name) vlan (vlan) part, I get an error that says the interface already exists. Of course it does! I just added it!

Not sure what to do with that.

Help? Please!

James

Labels:
0 Helpful
2 Replies 2

Yudong Wu
Level 7
Level 7

‎10-27-2009 02:09 PM

On both FWSM A and B, you need configure the IP address of TrafficCtrlA as

ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2. Yes, both have the same config.

Therefore, whoever is active will use IP 10.10.10.1 and the other (standby) will use 10.10.10.2.

If TrafficCtr1A is used as server's gateway, it's a normal interface and could not be used as failover link. Here is what doc says "The failover link uses a special VLAN interface that you do not configure as a normal networking interface;"

Please follow the config guide for more detail info.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html#wp1051895

0 Helpful

jfraasch
Level 3
Level 3
In response to Yudong Wu

‎10-28-2009 05:23 AM

Thanks. That actually is beginning to make sense. I will test later today.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card