I am unable to make FWSM failover work in an inter-chassis configuration:
6509 switch - 12.2(18)
FWSM - 3.1
Here's the brief-up of the configs that I have done:
1. There are two 6509s where the FWSMs are inserted in the same slot and both FWSMs have identical configurations.
2. The FWSMs have been tried in the same chassis and failover is working between them (I tried no failover active and the other FWSM was able to pick up). So, intra-chassis failover works fine. And this means that the failover config is right.
3. The LAN-based failover and stateful failover VLANs have been created on the core switches, added to the vlan-group statement and they are shown as up/up status on the FWSM interface status.
4. I am able to ping the failover IPs of the other FWSM from one FWSM.
5. ICMP is permitted on the inside interface (MSFC to FWSM interface).
6. The FWSM in Core-1 (1st 6509 switch) is standby (though Core-1 is the HSRP primary L3 switch and all VLANs are active on it) and the FWSM in Core-2 (HSRP secondary switch) is the active one.
7. ICMP is allowed to the hosts connected to the protected segment / VLAN behind the FWSM.
What's not working?
1. I cannot ping the FWSM (inside interface) on Core switch 1 from a PC connected to Core switch 2. But I can ping the FWSM on Core-2 from the PC connected to Core-2. Also, I can ping the FWSM on Core-1 from the Core-2 switch directly. There are no persistent routes on the PC causing this issue. Not sure why this is happening.
2. Issuing a no failover active on the active FWSM (in Core-2) does a failover but still does not work, as I am unable to ping any VLAN IPs protected by the FWSMs.
I think that the trunk carrying the VLANs may be blocked by spanning tree? I need to check that tomorrow. But I was able to ping the standby FWSM from the switch having the active FWSM. So, I think that the trunks are carrying the firewall VLANs?
That's the reason that I am able to ping from Core-2 to the remote FWSM (FWSM in Core-1).