Cisco Support Community


Very weird issue with our FWSM

Hi all

We have a redundant Cat6500-E with Sup720-3B and FWSM setup.

Software releases:

Sup: 12.2(33)SHX2

FWSM: 3.2(6)

The issue: if I add several new VLANs to the Catalyst and then give them to the FWSM with the command:

firewall vlan-group 1 14-18,20,21,23...

They usually appear on the FWSM of this Catalyst. Then I add them on the other Catalyst and there they also appear. But here the problem starts: they don't always do...

When they don't then this message appears on the FWSM:


Vlan configuration mismatch between peers.

Please correct the condition as soon as possible

in order to avoid a possible disabling of failover.


If I then log in to this FWSM and do a show vlan, the VLAN isn't shown on this FWSM, while on the other, identically configured Catalyst+FWSM it is.

The only solution to get the VLAN working on this FWSM is to reboot the whole Catalyst. A reload of only the FWSM isn't enough.

Any ideas what this could be or how I could debug this?



Cisco Employee

Re: Very weird issue with our FWSM


Seems like you have the FWSMs in active/standby failover setup.

Once you push the extra vlans to one module, it will see more vlans than the other; that will break failover and the blades will go into a pseudo standby condition.

Now, you need to push the vlans to the modules at the same time from both the chassis.

sh vlan - should show the exact same vlans on both the FWSM in order for failover to work properly.

Also, make sure these vlans exist in the switch's vlan database as well prior to pushing them down to the FWSM.


Re: Very weird issue with our FWSM

Hi Kusankar

Thanks for your reply.

Can you explain to me how I could manage to configure both chassis at the same second?

2-3 seconds delay didn't work last time.

The rest is done as you wrote.

Cisco Employee

Re: Very weird issue with our FWSM

In that case, failover will go into pseudo standby and once you see the same vlans in both the units you can always enable failover again.

Or you can try the following:

no failover --> in the standby unit

Wait for a few min.

Then push the extra vlans into the active unit and then to the standby unit that has no failover configured.

Make sure sh vlan shows the same vlans on both the units and then enable failover on the standby unit.

Let me know how that goes.
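As an added example (not part of the thread or of any Cisco tool), a small Python check for the verification step described above: it expands the Catalyst vlan-group range syntax, compares it with the VLAN list each FWSM reports in show vlan, and reports which VLANs are missing on which unit, so failover is only re-enabled once both sides match. All sample inputs are constructed.

```python
import re

# Constructed sample inputs (not taken from the thread): the vlan-group line
# configured on the Catalyst, and the VLAN list each FWSM reports in "show vlan".
VLAN_GROUP_LINE = "firewall vlan-group 1 14-18,20,21,23"
FWSM_A_SHOW_VLAN = "14-18, 20, 21, 23"   # constructed: all VLANs arrived
FWSM_B_SHOW_VLAN = "14-18, 20, 21"       # constructed: VLAN 23 never arrived on the peer


def expand_vlan_ranges(spec):
    """Expand range syntax such as '14-18,20,21,23' (commas or spaces) into a set of ids."""
    vlans = set()
    for part in re.split(r"[,\s]+", spec.strip()):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad VLAN range {part!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def vlans_from_group_line(line):
    """Return the VLAN set named in a 'firewall vlan-group <n> <ranges>' line."""
    m = re.match(r"\s*firewall vlan-group\s+\d+\s+(\S+)", line)
    if not m:
        raise ValueError(f"not a vlan-group line: {line!r}")
    return expand_vlan_ranges(m.group(1))


def compare_peers(group_line, show_vlan_a, show_vlan_b):
    """Compare what the Catalyst hands down with what each FWSM actually shows."""
    # Every list must be empty before failover is enabled again on the standby.
    expected = vlans_from_group_line(group_line)
    a, b = expand_vlan_ranges(show_vlan_a), expand_vlan_ranges(show_vlan_b)
    return {
        "missing_on_a": sorted(expected - a),
        "missing_on_b": sorted(expected - b),
        "only_on_a": sorted(a - b),   # the "mismatch between peers" the FWSM warns about
        "only_on_b": sorted(b - a),
    }


def peers_consistent(report):
    """True when both FWSMs show exactly the vlan-group VLANs."""
    return not any(report.values())


if __name__ == "__main__":
    report = compare_peers(VLAN_GROUP_LINE, FWSM_A_SHOW_VLAN, FWSM_B_SHOW_VLAN)
    print("ok to enable failover" if peers_consistent(report) else f"vlan mismatch: {report}")
```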


Re: Very weird issue with our FWSM

Thanks for your answer.

I'll try that, but it will probably take 1-4 months until I have the chance to. It's our core network and I can reboot only twice a year and the next one is in 4 weeks. After that, all VLANs should work (until I add new ones).

I'll try to keep this thread in mind when I add new ones next time.