Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
486
Views
0
Helpful
2
Replies

FWSM 2.2(1) - failover & xlate issue

grim
Level 1
Level 1

‎11-15-2005 06:33 AM - edited ‎03-09-2019 01:03 PM

Config: 2 * Cat 6513 (hybrid OS) 7.6(10) / 12.1(22)E5 + 2 * FWM 2.2(1). 1 * FWM per 6513 chassis. FWM in multiple context and failover mode. The state and failover replication is performed over two seperate VLANs / Gb ether channel links between the 6513s.

Issue: On failover, the standby unit becomes active and some connections survive. However, some connections do not survive for which there is an xlate entry. Need to "clear xlate global a.b.c.d" to force the connection to be re-established and then the connection works again. Applies to more than one protocol ie ICMP, TCP etc.

"show failover" on the standby unit shows "Stateful Failover Logical Update Statistics" with receive errors for "Xlate_Timeout", "TCP NPs" and "UDP NPs" (other counters are clean) of about 90%, 0.5% and 26% respectively. The counters are increasing slowly. The TCP and UDP NPs error counts are identical and increment together. The Xlate_Timeout error counter increments independently.

Questions:

Why do I need to clear xlate? Surely I shouldn't need to do this? The fact I need to clear the xlate implies the xlate got to the standby unit... but maybe it is an old entry that shouldn't be there because the active / standby replication has failed in some way?

If the LU receive errors indicate that the xlates are not being replicated from active to standby unit, does the FWM sort this out by resending or is the update lost and does that explain my different xlate count on the active / standby units?

If I do a "show xlate" on the active and standby units they have a different number of xlates in their tables. Shouldn't these get replicated between the firewalls? Why are the numbers different?

If these are bugs that you have seen before, do you know the Cisco bugID?

Thanks, Dave.

Labels:
0 Helpful
2 Replies 2

smahbub
Level 6
Level 6

‎11-21-2005 08:38 AM

Failover should be automatic and there is no need to issue the "Clear xlate" everytime a failover occurs. In fact, this will clear all the existing translations as well.

If you do not see the exact number (or close in case the new xlate is just now made on the primary) of xlates on both active and standby units, then that is a clear indication that replication from active to standby is not happening. I would suggest you to verify your failover configurations.

0 Helpful

a.kiprawih
Level 7
Level 7

‎11-22-2005 06:50 PM

I agree that FWSM failover does not require 'cle xla' in order to enable the new active blade to resume firewalling function.

Typical failover test is to use ping@icmp where you should see only a few timeout during switchover processes.

Maybe you could post your fwsm config here to allow us to see the config.

So far, I do not have any issues with my FWSMs (2.2(1)) running on redundant Cat6513.

Rgds,

AK

0 Helpful
Customers Also Viewed These Support Documents