02-20-2006 12:46 AM - edited 03-09-2019 01:59 PM
The customer's demand: The core is two 6500s with FWSM. The IDF has about ten 3560s; every 3560 has two links to each 6500. VLAN 2 is used for network devices, including interconnecting to the WAN router; VLAN 5 is for users; VLAN 6 is for production. The FWSM (transparent) is used for protecting the production subnet, with failover. The configuration is as follows:
1) primary6500:
firewall multiple-vlan-interfaces
firewall vlan-group 1 6,10,16
firewall vlan-module 1 1
inter vlan 2
ip add 10.209.33.3 255.255.252.0
standby 16 10.209.33.2
standby 16 pri 105
standby 16 pre
inter vlan 16
ip add 10.209.40.2 255.255.252.0
standby 16 10.209.40.1
standby 16 pri 105
standby 16 pre
inter vlan 6
inter vlan 10
inter range gig 2/21-24
switch trunk en dot1q
channel-group 1 mode active
ip route 0 0 10.209.32.1
2) secondary6500:
firewall multiple-vlan-interfaces
firewall vlan-group 1 6,10,16
firewall vlan-module 1 1
inter vlan 2
ip add 10.209.33.4 255.255.252.0
standby 16 10.209.33.2
standby 16 pri 85
standby 16 pre
inter vlan 16
ip add 10.209.40.3 255.255.252.0
standby 16 10.209.40.1
standby 16 pri 85
standby 16 pre
inter vlan 6
inter vlan 10
inter range gig 2/21-24
switch trunk en dot1q
channel-group 1 mode active
ip route 0 0 10.209.32.1
3) primary FWSM
transparent
nameif vlan16 outside security0
nameif vlan6 inside security100
ip add 10.209.40.4 255.255.252.0 second 10.209.40.5
monitor-inter inside
monitor-inter outside
router outside 0 0 10.209.40.1 1
access-list BPDU ethertype permit bpdu
access-group BPDU in interface inside
access-group BPDU in interface outside
failover lan interface faillink vlan 10
failover link statelink vlan 11
failover lan unit primary
failover interface ip faillink 10.209.40.33 255.255.255.252 standby 10.209.40.34
failover interface ip statelink 10.209.40.49 255.255.255.252 standby 10.209.40.50
failover interface-policy 1
failover replication http
failover
4) primary FWSM
transparent
failover lan unit secondary
failover lan interface faillink vlan 10
failover interface ip faillink 10.209.40.33 255.255.255.252 standby 10.209.40.34
failover
My question: The log of the FWSM shows the failover is OK. But the channel-port1 and gig 2/21-24 go down automatically. The interfaces gig 2/21-24 of one 6500 show err-disable; the other 6500 shows notconnect. The log of the 6500 shows channel-misconfig and duplicate IP address 10.209.40.2 in VLAN 16 on one 6500, and duplicate IP address 10.209.40.3 in VLAN 16 on the other 6500. When I shut down port-channel1 and then no shutdown it, port-channel1 and gig 2/21-24 come up. But after a few minutes, port-channel1 and gig 2/21-24 go down automatically again. The trunk and port-channel are used for carrying failover and other VLAN information. If the trunk and port-channel are down, failover should not work, so why is my failover OK? And if I delete VLANs 10 and 11 from the firewall vlan-group, the port-channel and gig interfaces are OK, but the failover does not work. So I think it's the failover configuration that results in it. But I don't know how to resolve it. Please help me. Thanks
02-23-2006 12:50 PM
I have a document which explains about failover configuration. I hope this document will help you,
There are also several documents in the above mentioned URL on the right hand corner. Those documents will also give you some information.