Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
781
Views
0
Helpful
3
Replies

FWSM failover time!

fly
Level 2
Level 2

‎04-26-2006 11:07 PM - edited ‎03-09-2019 02:44 PM

Dear Sir/Madam,

I configed two FWSM unit on two 6509 boxes. using failover.

i made a test, ping pass the FWSM, I found it lost 8-12 packets when i reload active FWSM module in one 6509 box.

i configed rapid PVST on two 6509. when configed normal PVST, I found spanning tree on FWSM internal interface (po270) vlan got through blocked listening learning forwarding state.

it needed 30 seconds to get another standby FWSM working, lost about 20-30 packets.

after i config rapid PVST, spanning tree time can be ignored. it was very fast.

how can i speed up failover time for two FWSM, i found poll time is 1 seconds by default.

how long does the FWSM failover take in normal condition. Does cisco has some documents to give some proof?

I thought It wouldn't lost packets when failover was switching. i configed stateful failover, and i configed rapid PVST, it also lost 8-12 packets. is this normal?

thank you!

Jun Li

Labels:
0 Helpful
3 Replies 3

aghaznavi
Level 5
Level 5

‎05-03-2006 09:11 AM

This document describes how to configure and upgrade a replacement Firewall Services Module (FWSM) for one that has failed. This document also describes how to configure the Catalyst 6500 Series Switch in order to minimize downtime. This applies to a FWSM as part of a failover pair, and a FWSM that is already physically swapped (refer to the hardware installation guide for details).

http://www.cisco.com/warp/public/707/fwsm-replace-hw-failure.html

0 Helpful

Erik Molenaar
Level 1
Level 1
In response to aghaznavi

‎05-03-2006 11:54 PM

Hi,

One other question abou this.

In the document you refer to it says:

"In order to run failover, the two FWSMs must run the same version of code."

In a document about upgrading to version 3.1.1 however i found that:

"The two units in a failover configuration should have the same major (first number), minor (second

number), and maintenance (third number) software version. However, you do not need to maintain

version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support."

What's the true story ??

Erik

0 Helpful

fly
Level 2
Level 2
In response to aghaznavi

‎05-07-2006 06:04 PM

thank you!

but I saw other document, when configured pix failover, you can config portfast, But for FWSM, I can't config port fast function, So there is a spanning tree progress, need 30 seconds to resume.

I config Rapid PVST to resolve this issue, now it works well, But i worry about loop problem when connect to normal PVST switch.

except spanning tree issue, i found when failover happened, such as i reload active FWSM module. It lost 8-9 packets. if i don't config rapid PVST, using PVST it will lost 20-26 packets.

I see the document you kindly provided, But don't say anything about this.

I ask a cisco guy. He said there are packets to be lost, it is normal. the switch should relearn the MAC address, need some time.

Thank you!

Jun Li

0 Helpful
Customers Also Viewed These Support Documents