I encountered problem when trying to perform a failover test on the CSM module on two CAT6513s. Below illustrates the setup of the network:
FTP client ==> FWSM ==> CSM ==> FTP servers
Two CAT6513 with FWSM and CSM are in the setup.
Test secenario and observations:
The client started a FTP connection to the VIP of the FTP service on the CSM. The FTP connection was successful and a download was initiated. In the middle of downloading, a reset command was issued on the primary CSM to force a failover to the standby CSM. The standby CSM was verified to have taken over as the primary CSM. The download session halted and subsequent attempts to initiate a FTP connection to the VIP was not successful. However, the client is able to ping to the VIP.
It was only after about half an hour or so that the problem resolve on its own.
However, no such problem occur when the FWSM is removed from the network setup. The FTP download session was not torn down even when the CSM failover took place.
Is there any configuration that I need to do on the FWSM policy or on the CSM configuration for this FTP service?
I am not too familiar with CSM, but what's the configuration for the FWSM? What I can assumed is that it was running in Active/Standby mode, but do not know whether stateful failover was also enabled. With stateful failover, the FTP session should be able to continue without any issue.
Since you mentioned standby CSM was successfully taking over the FTP process, my early assumption has something to do with stateful failover.
Can you share the failover configuration part and static NAT of the virtual IP@VIP?
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :