Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2147
Views
5
Helpful
11
Replies

Failover failed - FWSM

marvinio
Level 1
Level 1

‎10-11-2006 08:18 AM - edited ‎03-09-2019 04:29 PM

Running 3.1(3)

Inter-chasis failover

Active/Standby multi context mode on FWSM.

Trying to add a secondary FWSM into a inter-chasis switch config to active as standby unit. Setup primary FWSM and fail over lan link no issues. However on Secondary FW after entering the 'failover' command I get the following out:

FWSM(config)# failover

FWSM(config)# sh fai

Failover On

Failover unit Secondary

Failover LAN Interface: faillink Vlan 698 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 15 seconds

Interface Policy 50%

Monitored Interfaces 0 of 250 maximum

Config sync: active

Version: Ours 3.1(3), Mate 3.1(3)

Last Failover at: 16:49:07 GMT Oct 11 2006

This host: Secondary - Disabled

Active time: 0 (sec)

Other host: Primary - Not Detected

Active time: 6288 (sec)

Stateful Failover Logical Update Statistics

Link : Unconfigured.

Then, within a few seconds the output reflect:

FWSM(config)# sh failover

Failover Off (pseudo-Standby)

Failover unit Secondary

Failover LAN Interface: faillink Vlan 698 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 15 seconds

Interface Policy 50%

Monitored Interfaces 0 of 250 maximum

And the Failover is disabled. The OS is the same as you can see from the first output and the fail over link is up and working and I can ping between the firewalls using the link.

Output of config on secondar:

failover lan unit secondary

failover lan interface faillink Vlan698

failover interface ip faillink 10.129.254.125 255.255.255.252 standby 10.129.254.126

failover

The show failover history command states:

FWSM# sh failover history

==========================================================================

From State To State Reason

==========================================================================

Not Detected Disabled No Error

Disabled Negotiation Set by the CI config cmd

Negotiation Cold Standby Detected an Active mate

Cold Standby Disabled HA state progression failed

Any help much appreciated..

Labels:
0 Helpful
11 Replies 11

beth-martin
Level 5
Level 5

‎10-17-2006 05:47 AM

Did you try power cycling the device ?

0 Helpful

alfredo.rodriguez
Level 1
Level 1
In response to beth-martin

‎12-19-2006 08:59 AM

I have he himself problem. How is solved, reset the FWSM module, or restart all the Catalyst equipment?

0 Helpful

jgervia_2
Level 1
Level 1

‎12-19-2006 07:03 PM

Hello,

Couple of questions here. I can't find much documentation on 'pseudo-standby'. You can ping across the vlan (698) for failover - but have you actually configured any vlans with secondary addresses and put them in for monitoring? ie:

interface inside

ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2

interface outside

ip address 2.2.2.2 255.255.255.0 standby 2.2.2.3

monitor-interface inside

monitor-interface outside

Pseudo-failover is probably because you have failover configured yet no interfaces configured to actually failover (or monitored to see if they failover).

--Jason

Please rate this message if it solves some/all of your issue.

0 Helpful

alfredo.rodriguez
Level 1
Level 1
In response to jgervia_2

‎12-20-2006 02:29 AM

Hi,

Yes, I ping to the IP of the LAN interface failover and to the interface of standby can be made.

Yes, I have configured any vlans with secundary address and put them in for monitoring.

What I must do? Do disabled the characteristic monitor-interface?

Regards!

0 Helpful

jgervia_2
Level 1
Level 1
In response to alfredo.rodriguez

‎12-20-2006 03:11 PM

Hello,

At this point, I have to think something is wrong with one of the following

1) your failover configuration on the primary

2) your failover configuration on the secondary

3) the trunk between the to switches

4) the vlans being passed up to the firewall module.

If you're willing to post your configurations showing those pieces, we'll be able to help more.

--Jason

0 Helpful

jbanker
Level 1
Level 1

‎12-20-2006 11:44 PM

I just signed on to post this same exact question. I have just upgraded to version 3.1(3) from 2.x (failover was working) and failover will not work. After this upgrade my IPS will also not talk to the firewall. It seems that the hello messages are getting blocked. For the life of me I cannot figure out this issue.

I am using transparent mode, I use a etherchannel between my 6509's and the ports are forwarding. If I give the failover command on the standby I receive Failover off (Pseudo). If I do a failover active on the standby link both units become active and routing issues occur (obviously)...HSRP goes crazy, EIGRP loses its mine and spanning tree goes wild. Attached are my system configs.

Preview file
118 KB
0 Helpful

varakantam
Level 1
Level 1
In response to jbanker

‎12-22-2006 01:48 AM

You are missing state link configuration on the secondary firewall. That could be an issue, I will keep looking for any other config issues in the meanwhile.

Can you try enabling state link on secondary ? Also 3.1.4 was posted early last week.

Also, could restrict your etherchannel trunk to pass only required vlans ?

Secondary FWSM

=================

no failover

failover lan unit secondary

failover lan interface faillink Vlan10

failover interface-policy 1

failover replication http

failover interface ip faillink 192.168.253.1 255.255.255.252 standby 192.168.253.2

Primary FWSM

======================

failover

failover lan unit primary

failover lan interface faillink Vlan10

failover interface-policy 1

failover replication http

failover link statelink Vlan11

failover interface ip faillink 192.168.253.1 255.255.255.252 standby 192.168.253.2

failover interface ip statelink 192.168.253.6 255.255.255.252 standby 192.168.253.5

0 Helpful

jbanker
Level 1
Level 1
In response to varakantam

‎12-22-2006 08:25 AM

I have used the statelink on the second firewall and still no luck. You should be able to only have the fail link then the configs should sync, statelink will be added and the only difference would be which one is secondary and which one is primary. I will try to pass only required vlans between my cores.

0 Helpful

jbanker
Level 1
Level 1
In response to varakantam

‎12-22-2006 08:58 AM

Quick question....on my Core's I am using IOS Version 12.2(18)SXF6 and my SUP is a 720. When reading documentation I see this:

Required

Cisco IOS - 12.2(18)SXF2 and higher for SUP 2, 720, 32

Ciso IOS modularity - 12.2(18)SXF4 for SUP 720, 32

What is the difference bettween IOS software and IOS modulairty software?

0 Helpful

varakantam
Level 1
Level 1
In response to jbanker

‎12-22-2006 11:51 AM

IOS Modularity is a new breed of IOS softtware with dynamic reconfiguration capabilities (addition of pathes to fix an issue or backout etc, process restarts)

jbanker
Level 1
Level 1

‎01-03-2007 12:49 PM

I was having the same issue with fail over and just figured out what the issue was. I had one vlan on my standby unit that wasn't pushed to the module like it was on my primary unit. This command has to be identical on both units. Once it was failover worked perfectly:

firewall vlan-group 1 2,10,11,13,14,16,17,19,26-30,110,120,130,140,150,160

firewall vlan-group 1 180,200,210,220,230,240,241,250,255,500,501,600,601,700

firewall vlan-group 1 701,710,711,910,911,966,985-991

0 Helpful
Customers Also Viewed These Support Documents