The problem started with connections flapping to all VLAN resources in the FWSM. Both FWSM modules are running in active-standby mode, and it will swing to the standby unit should the active node fail.
I do "show failover" when the problem occurs on the active unit and it shows all VLAN interfaces in "Waiting" status. I did this a few times - rebooting both units - and every time I tried to reinitialise the failover from the standby unit it prompted the error message below:
"Detect Active Mate
VLAN configuration mismatch
Failover will be disabled."
Currently, I have switched off the standby unit in order to stabilize the situation.
Hi .. the config seems OK .. the only thing I suggest is to make sure VLAN 700 and VLAN 800 are not being used for any other purpose apart from the failover link and the stateful failover link.
"The failover link uses a special VLAN interface that you do not configure as a normal networking interface; rather, it exists only for failover communications. This VLAN should only be used for the failover link (and optionally for the state link). Sharing the failover link VLAN with any other VLANs can cause intermittent traffic problems and ping and ARP failures."
I hope it helps .... please rate it if it does !!!
Since the configs look OK, have you checked to see if you have the same firewall vlan-group applied to both modules?
Your VLAN mismatch isn't normal.
Just my 5c.
I have noticed that your VTP mode on both Cats is set to transparent mode. This setting could explain the VLAN mismatch issues. Perhaps the FWSMs are not fully aware of each other's VLANs. I suggest you review this and also have a look at the attached document.
I hope it helps ... please rate it if it does !!!
But doesn't transparent mean that one can create VLANs in each switch? If this is right, then the VLANs have been configured on both switches manually. So why do we need to make one CAT 6500 switch the VTP server and the other a VTP client?
Yes, it is correct, but because you have one FWSM on each CAT6500 you need to have firewall vlan-group 1 configured the same on both switches .. which from what I could see is not the case .. for example, if you look at firewall vlan-group 1 in one of your switches, VLAN 202 is missing ..
Anyway .. that was a suggestion for you to look at ...
Now we have firewall vlan-group 1 exactly the same on both CAT 6500 units and I still have the same symptom as before.
Can you please post the output of the following commands:
debug fover cable
debug fover fail
debug fover switch
show vlan on ACTIVE
show vlan on STDBY
Also, can you please check your STP status for each of the VLANs and see which of your switches is in forwarding state for each of the VLANs attached to the FWSM.
Can you also verify if you
After a few copy+pastes:
Primary_Galactip -> 10-14,16-18,128,129,131,132,134,136-138,200-204,210,211
You missed configuring VLAN 202 in the secondary firewall vlan-group.
This could be the issue that is causing the failover situation.
Your 6500 trunk is OK, so the traffic should flow naturally, but you have missed that VLAN in the firewall group, and it is created in the secondary switch.
Add it and let us know how it is going!!
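A quick way to catch the kind of mismatch found in this thread (VLAN 202 present in one chassis's firewall vlan-group 1 but not the other's) is to diff the two switches' `firewall vlan-group` lines rather than eyeball them. The script below is an added example, not code posted by anyone in the thread or shipped by Cisco. It expands Cisco's compact VLAN-list notation, maps each group to its VLAN set, and reports what is missing on either side. The primary list is the one posted above; the secondary config is constructed here with VLAN 202 left out so the output reproduces the reported mismatch. The `firewall module ... vlan-group` / `firewall vlan-group ...` lines are assumed to appear in the running config in the form shown.

```python
"""Cross-check 'firewall vlan-group' between two Catalyst 6500 chassis.

Added example (not from the thread). Each FWSM only sees the VLANs its own
chassis hands to it with 'firewall vlan-group <n> <vlan-list>', so a VLAN in
one chassis's group and absent from the other's is exactly the kind of
mismatch that breaks failover. Expands Cisco's compact VLAN-list notation
(e.g. "10-14,16-18,128") and diffs the two sides.
"""

import re

# One 'firewall vlan-group <group> <vlan-list>' line from the running config.
VLAN_GROUP_RE = re.compile(r"^\s*firewall vlan-group\s+(\d+)\s+(\S+)", re.MULTILINE)
RANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?$")

# Primary list as posted in the thread (config lines around it are assumed).
PRIMARY_CONFIG = """\
firewall module 1 vlan-group 1
firewall vlan-group 1  10-14,16-18,128,129,131,132,134,136-138,200-204,210,211
"""

# Constructed: identical, except 200-204 was typed as 200,201,203,204.
SECONDARY_CONFIG = """\
firewall module 1 vlan-group 1
firewall vlan-group 1  10-14,16-18,128,129,131,132,134,136-138,200,201,203,204,210,211
"""


def expand_vlan_list(spec: str) -> set[int]:
    """Expand '10-14,16,18-20' into {10, 11, 12, 13, 14, 16, 18, 19, 20}."""
    vlans: set[int] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        m = RANGE_RE.match(token)
        if not m:
            raise ValueError(f"bad VLAN token {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or lo < 1 or hi > 4094:
            raise ValueError(f"VLAN range out of bounds: {token!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def vlan_groups(config: str) -> dict[int, set[int]]:
    """Map each firewall vlan-group number found in a config to its VLAN set."""
    groups: dict[int, set[int]] = {}
    for group, spec in VLAN_GROUP_RE.findall(config):
        groups.setdefault(int(group), set()).update(expand_vlan_list(spec))
    return groups


def compress_vlans(vlans: set[int]) -> str:
    """Inverse of expand_vlan_list, for readable reports: {1,2,3,5} -> '1-3,5'."""
    out: list[str] = []
    ordered = sorted(vlans)
    i = 0
    while i < len(ordered):
        start = end = ordered[i]
        while i + 1 < len(ordered) and ordered[i + 1] == end + 1:
            i += 1
            end = ordered[i]
        out.append(str(start) if start == end else f"{start}-{end}")
        i += 1
    return ",".join(out)


def diff_vlan_group(primary_cfg: str, secondary_cfg: str, group: int) -> dict[str, list[int]]:
    """Report VLANs assigned to the group on one chassis but not on the other."""
    prim = vlan_groups(primary_cfg).get(group, set())
    sec = vlan_groups(secondary_cfg).get(group, set())
    return {
        "missing_on_secondary": sorted(prim - sec),
        "missing_on_primary": sorted(sec - prim),
    }


if __name__ == "__main__":
    result = diff_vlan_group(PRIMARY_CONFIG, SECONDARY_CONFIG, 1)
    for side, vlans in result.items():
        print(f"{side}: {compress_vlans(set(vlans)) or '(none)'}")
```

Paste the real `show running-config | include firewall` output from each chassis into the two config strings; any VLAN reported on either side has to be added (or removed) so both groups agree before failover is re-enabled.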