FWSM Failover configuration - One Context

Nov 24th, 2011

Hi,



Is it possible to configure only one context in H.A. on the FWSM? Yesterday I tried to configure this but I can't.

Please check my configuration and tell me your opinion, or whether it is not possible; maybe I have to configure all contexts in H.A.


These messages appear on the console when I activate the failover:

Nov 23 2011 19:20:04: %FWSM-1-105002: (Secondary) Enabling failover.
Nov 23 2011 19:20:08: %FWSM-1-105038: (Secondary) Interface count mismatch
Nov 23 2011 19:20:08: %FWSM-1-104002: (Secondary) Switching to STNDBY - Other unit has different set of vlans configured
Nov 23 2011 19:20:11: %FWSM-1-105001: (Secondary) Disabling failover.
Nov 23 2011 19:23:58: %FWSM-6-302010: 0 in use, 46069 most used


FWSM-Primario# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILLINK Vlan 1100 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 1 of 250 maximum
failover replication http
Config sync: active
Version: Ours 4.1(5), Mate 4.1(5)
Last Failover at: 19:18:35 UTC Nov 23 2011
        This host: Primary - Active
                Active time: 1125 (sec)
                admin Interface inside (10.1.1.1): Normal (Not-Monitored)
                admin Interface outside (20.1.1.1): No Link (Not-Monitored)
                FW-GoB-Fija Interface WASOB2N-SISOB2N-Fija (10.115.30.36): Normal (Waiting)
                GESTION-WAS Interface OUTSIDE (10.116.20.22): Normal (Not-Monitored)
                GESTION-WAS Interface U2000 (10.123.20.1): Normal (Not-Monitored)
        Other host: Secondary - Cold Standby
                Active time: 0 (sec)
                admin Interface inside (0.0.0.0): Unknown (Not-Monitored)
                admin Interface outside (0.0.0.0): Unknown (Not-Monitored)
                FW-GoB-Fija Interface WASOB2N-SISOB2N-Fija (10.115.30.37): Unknown (Waiting)
                GESTION-WAS Interface OUTSIDE (0.0.0.0): Unknown (Not-Monitored)
                GESTION-WAS Interface U2000 (0.0.0.0): Unknown (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : STATELINK Vlan 1101 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        AAA tbl         0          0          0          0
        DACL            0          0          0          0
        Acl optimization        0          0          0          0
        OSPF Area SeqNo         0          0          0          0
        Mamba stats msg         0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0
FWSM-Primario#



The configuration in the SW-6500


SW-PRIMARY#sh run | in fire
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1,2
firewall vlan-group 1  10,20,25,400,1709
firewall vlan-group 2  1100,1101,1111,1112

SW-SECUNDARY#sh run | in fire
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1,2
firewall vlan-group 1  900,1709
firewall vlan-group 2  1100,1101,1111,1112
ip subnet-zero
-----------------


FWSM-Primario(config)# sh run
: Saved
:
FWSM Version 4.1(5) <system>
!
resource acl-partition 12
hostname FWSM-Primario
hostname secondary FWSM-Secundario
domain-name cisco.com
enable password 8Ry2YjIyt7RRXU24 encrypted
!
interface Vlan10
!
interface Vlan29
 shutdown
!
interface Vlan400
!
interface Vlan1100
 description LAN Failover Interface
!
interface Vlan1101
 description STATE Failover Interface
!
interface Vlan1111
 description FWSW_7200_GoB_Fija
!
interface Vlan1112
 description FWSW_7200_GoB_BA
!
interface Vlan1709
!
passwd 2KFQnbNIdI.2KYOU encrypted
class default
  limit-resource IPSec 5
  limit-resource Mac-addresses 65535
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
  limit-resource All 0
!
ftp mode passive
pager lines 24
failover
failover lan unit primary
failover lan interface FAILLINK Vlan1100
failover replication http
failover link STATELINK Vlan1101
failover interface ip FAILLINK 10.115.30.17 255.255.255.252 standby 10.115.30.18
failover interface ip STATELINK 10.115.30.21 255.255.255.252 standby 10.115.30.22
failover group 1
  preempt
  replication http
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
  allocate-interface Vlan10
  allocate-interface Vlan29
  config-url disk:/admin.cfg
!
context GESTION-WAS
  allocate-interface Vlan1709
  allocate-interface Vlan400
  config-url disk:/GESTION-WAS
!
context FW-GoB-Fija
  allocate-interface Vlan1111
  allocate-interface Vlan1112
  config-url disk:/FW-GoB-Fija.cfg
  join-failover-group 1
!
prompt hostname context
Cryptochecksum:8b5fabc676745cfbafd6569c623a98b1
: end
------------------------------------------------------


SECONDARY FIREWALL.


FWSM# sh run
: Saved
:
FWSM Version 4.1(5) <system>
!
resource acl-partition 12
hostname FWSM
domain-name cisco.com
enable password S13FcA2URRiGrTIN encrypted
!
interface Vlan100
 shutdown
!
interface Vlan900
!
interface Vlan1100
 description LAN Failover Interface
!
interface Vlan1101
 description STATE Failover Interface
!
interface Vlan1111
!
interface Vlan1112
!
interface Vlan1709
!
passwd 2KFQnbNIdI.2KYOU encrypted
class default
  limit-resource IPSec 5
  limit-resource Mac-addresses 65535
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
  limit-resource All 0
!
ftp mode passive
pager lines 24
no failover
failover lan unit secondary
failover lan interface FAILLINK Vlan1100
failover replication http
failover link STATELINK Vlan1101
failover interface ip FAILLINK 10.115.30.17 255.255.255.252 standby 10.115.30.18
failover interface ip STATELINK 10.115.30.21 255.255.255.252 standby 10.115.30.22
failover group 1
  preempt
  replication http
no asdm history enable
arp timeout 14400
console timeout 0

admin-context PCBA-NAT
context PCBA-NAT
  allocate-interface Vlan1709
  allocate-interface Vlan900
  config-url disk:/PCBA-NAT
!
context FW-GoB-Fija
  allocate-interface Vlan1111
  allocate-interface Vlan1112
  config-url disk:/FW-GoB-Fija
  join-failover-group 1
!
prompt hostname context
Cryptochecksum:c7529707b6d10d02c296a57253a925b2
: end
FWSM#



I WILL APPRECIATE YOUR COMMENTS, BECAUSE IT'S IMPORTANT; THE FWSM SUPPORTS 3 CONTEXTS BY DEFAULT.



Regards,

Robert Soto.

mirober2 (Cisco Employee) Sat, 11/26/2011 - 05:12

Hi Robert,


Unfortunately no, this is not possible.


Since you enable failover at the system level, all contexts will participate in failover and there is no way to change this.


Additionally, both firewalls in the failover pair must have identical licenses, VLANs, and software versions in order for failover to work properly.


-Mike
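An added pre-check for the requirement Mike states (both units need the same VLANs and the same contexts before failover will sync). This is example code written for this thread, not Cisco's or the poster's: it parses the <system> "show run" of each FWSM, collects the VLAN interfaces and each context's allocate-interface lines, and reports what differs. The two sample configs are constructed from the VLAN and context names shown in the thread, not copied device dumps.

```python
import re

# The three <system>-level lines a failover pre-check needs from 'show run'.
VLAN_RE = re.compile(r"^interface (Vlan\d+)\s*$")
CTX_RE = re.compile(r"^context (\S+)")
ALLOC_RE = re.compile(r"^\s+allocate-interface (Vlan\d+)")

def parse_system_config(text):
    """Return (set of VLAN interfaces, {context: set of allocated VLANs})."""
    vlans, contexts, current = set(), {}, None
    for line in text.splitlines():
        if m := VLAN_RE.match(line):
            vlans.add(m.group(1))
        elif m := CTX_RE.match(line):
            current = m.group(1)
            contexts.setdefault(current, set())
        elif (m := ALLOC_RE.match(line)) and current:
            contexts[current].add(m.group(1))
    return vlans, contexts

def failover_mismatches(primary_text, secondary_text):
    """Differences that make the standby log 'different set of vlans configured'."""
    p_vlans, p_ctx = parse_system_config(primary_text)
    s_vlans, s_ctx = parse_system_config(secondary_text)
    by_id = lambda v: int(v[4:])  # sort Vlan names numerically, not as strings
    return {
        "vlans_only_on_primary": sorted(p_vlans - s_vlans, key=by_id),
        "vlans_only_on_secondary": sorted(s_vlans - p_vlans, key=by_id),
        "contexts_only_on_primary": sorted(p_ctx.keys() - s_ctx.keys()),
        "contexts_only_on_secondary": sorted(s_ctx.keys() - p_ctx.keys()),
        # same context name on both units but a different VLAN allocation
        "allocation_differs": sorted(c for c in p_ctx.keys() & s_ctx.keys() if p_ctx[c] != s_ctx[c]),
    }

def ready_for_failover(primary_text, secondary_text):
    return not any(failover_mismatches(primary_text, secondary_text).values())

def sample_config(vlans, contexts):
    """Constructed <system> config excerpt in 'show run' form (not a real device dump)."""
    lines = [f"interface Vlan{v}" for v in vlans]
    for name, allocated in contexts.items():
        lines.append(f"context {name}")
        lines += [f"  allocate-interface Vlan{v}" for v in allocated]
    return "\n".join(lines)

# Constructed from the VLANs and contexts each unit shows in the thread.
PRIMARY_SYSTEM = sample_config([10, 29, 400, 1100, 1101, 1111, 1112, 1709],
    {"admin": [10, 29], "GESTION-WAS": [1709, 400], "FW-GoB-Fija": [1111, 1112]})
SECONDARY_SYSTEM = sample_config([100, 900, 1100, 1101, 1111, 1112, 1709],
    {"PCBA-NAT": [1709, 900], "FW-GoB-Fija": [1111, 1112]})
```

Run against the two units above it flags Vlan10/29/400 and the admin and GESTION-WAS contexts as primary-only, and Vlan100/900 and PCBA-NAT as secondary-only, which is exactly the "Interface count mismatch" the secondary logged. Fixing the VLAN groups on SW-SECUNDARY and the secondary's context list until the report is empty is the precondition for enabling failover.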
