08-21-2013 04:22 AM - edited 03-11-2019 07:28 PM
Dear experts,
May I ask for your help in enabling failover between two FWSMs in a 6509 VSS setup? When I checked the output of the "show failover" command, I am seeing "Version: Ours 4.1(9), Mate Unknown" and the configuration from the primary unit is not being replicated to the secondary unit.
Thank you very much and appreciate your kind help.
##show version on primary fwsm##
dc-fwsm1 up 16 mins 33 secs
failover cluster up 16 mins 33 secs
Hardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash STI Flash 8.0.0 @ 0xc321, 20MB
0: Int: GigabitEthernet0 : address is 0023.336a.f180, irq 5
1: Int: GigabitEthernet1 : address is 0023.336a.f180, irq 7
2: Int: EOBC0 : address is 0000.1300.0000, irq 11
The Running Activation Key is not set, using default settings:
Licensed features for this platform:
Maximum Interfaces : 256
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
BGP Stub : Disabled
Service Acceleration : Disabled
VPN Peers : Unlimited
##failover config on primary fwsm##
dc-fwsm1# sh run | grep failover
failover
failover lan unit primary
failover lan interface fover Vlan255
failover replication http
failover link flink Vlan256
failover interface ip fover 10.60.28.5 255.255.255.252 standby 10.60.28.6
failover interface ip flink 10.60.28.9 255.255.255.252 standby 10.60.28.10
-------------------------------------------------------------------------------------------------------------------
##interface status on secondary fwsm##
dc-fwsm1# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0 unassigned YES unset up up
GigabitEthernet1 unassigned YES unset up up
Vlan251 10.30.2.1 YES CONFIG up up
Vlan252 10.60.21.1 YES CONFIG up up
Vlan253 10.60.3.1 YES CONFIG up up
Vlan255 10.60.28.4 YES CONFIG up up
Vlan256 10.60.28.9 YES CONFIG up up
Vlan350 192.168.100.2 YES CONFIG up up
EOBC0 127.0.0.31 YES CONFIG up up
=============================================================
##show version on secondary fwsm##
FWSM Firewall Version 4.1(9)
Compiled on Fri 04-May-12 11:38 by fwsmbld
dc-fwsm2 up 11 mins 58 secs
failover cluster up 11 mins 58 secs
Hardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash STI Flash 8.0.0 @ 0xc321, 20MB
0: Int: GigabitEthernet0 : address is 0023.336a.ec80, irq 5
1: Int: GigabitEthernet1 : address is 0023.336a.ec80, irq 7
2: Int: EOBC0 : address is 0000.1300.0000, irq 11
The Running Activation Key is not set, using default settings:
Licensed features for this platform:
Maximum Interfaces : 256
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
BGP Stub : Disabled
Service Acceleration : Disabled
VPN Peers : Unlimited
##failover config on secondary fwsm##
dc-fwsm2# sh run | grep failover
failover
failover lan unit secondary
failover lan interface fover Vlan255
failover replication http
failover link flink Vlan256
failover interface ip fover 10.60.28.5 255.255.255.252 standby 10.60.28.6
failover interface ip flink 10.60.28.9 255.255.255.252 standby 10.60.28.10
-------------------------------------------------------------------------------------------------------------------------------
##interface status on secondary fwsm##
dc-fwsm2# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0 unassigned YES unset up up
GigabitEthernet1 unassigned YES unset up up
Vlan255 10.60.28.5 YES CONFIG up up
Vlan256 10.60.28.10 YES CONFIG up up
EOBC0 127.0.0.31 YES CONFIG up up
08-21-2013 04:28 AM
Dear
There is one command that syncs the two FWSMs to each other for failover in VSS. I cannot recollect it, but you have to put:
firewall switch 1 XXXXX
firewall switch 2 XXXXX
Thanks
08-21-2013 04:37 AM
I already found the culprit. Now failover and config sync are working.
dc-fwsm1# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fover Vlan 255 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
failover replication http
Config sync: active
Version: Ours 4.1(9), Mate 4.1(9)
Last Failover at: 14:27:08 GMT Aug 21 2013
This host: Primary - Active
Active time: 2243 (sec)
Interface dmz-oss-srv (10.30.2.1): Normal (Not-Monitored)
Interface lan-oss-srv (10.60.21.1): Normal (Not-Monitored)
Interface dmz-hq-srv (10.60.3.1): Normal (Not-Monitored)
Interface fwsm-msfc (192.168.100.2): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 1392 (sec)
Interface dmz-oss-srv (0.0.0.0): Normal (Not-Monitored)
Interface lan-oss-srv (0.0.0.0): Normal (Not-Monitored)
Interface dmz-hq-srv (0.0.0.0): Normal (Not-Monitored)
Interface fwsm-msfc (0.0.0.0): Normal (Not-Monitored)
Stateful Failover Logical Update Statistics
Link : flink Vlan 256 (up)
Stateful Obj xmit xerr rcv rerr
General 61 0 60 0
sys cmd 60 0 60 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 1 0 0 0
Xlate_Timeout 0 0 0 0
AAA tbl 0 0 0 0
DACL 0 0 0 0
Acl optimization 0 0 0 0
OSPF Area SeqNo 0 0 0 0
Mamba stats msg 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 522
Xmit Q: 0 0 61
08-21-2013 04:46 AM
What was that, so others can find this post helpful?