Cisco Support Community
New Member

FWSM Interfaces in Normal (waiting) and Unknown (waiting)

The problem started with connections flapping to all VLAN resources in FWSM. Both FWSM modules are running in active-standby mode, and it will swing to the standby unit should the active node fail.

I do "show failover" when the problem occurs on the active unit and it shows all VLAN interface status in "Waiting" mode. I rebooted both units a few times, and every time I tried to reinitialise the failover from the standby unit it prompted the error message below:

"

Detect Active Mate

VLAN configuration mismatch

Failover will be disabled."

Currently, I have switched off the standby unit in order to stabilize the situation.

11 REPLIES

Re: FWSM Interfaces in Normal (waiting) and Unknown (waiting)

Hi .. the config seems OK .. the only thing I suggest is to make sure VLAN 700 and VLAN 800 are not being used for any other purpose apart from link and stateful failover.

"The failover link uses a special VLAN interface that you do not configure as a normal networking interface; rather, it exists only for failover communications. This VLAN should only be used for the failover link (and optionally for the state link). Sharing the failover link VLAN with any other VLANs can cause intermittent traffic problems and ping and ARP failures."

I hope it helps .... please rate it if it does !!!

New Member

Re: FWSM Interfaces in Normal (waiting) and Unknown (waiting)

If I get the config of the Cat 6500, would that help?

Re: FWSM Interfaces in Normal (waiting) and Unknown (waiting)

yes .. and make sure to also send the VLAN information too

New Member

Re: FWSM Interfaces in Normal (waiting) and Unknown (waiting)

Hi there,

Since the configs look ok, have you checked to see if you have the same firewall-group applied to both modules??..

Your VLAN mismatch isn't normal.

just my 5c .

Regards

New Member

Re: FWSM Interfaces in Normal (waiting) and Unknown (waiting)

CAT 6500 configs for both CAT 6500 each housing one FWSM module.

Re: FWSM Interfaces in Normal (waiting) and Unknown (waiting)

I have noticed that your VTP mode on both cats is set to transparent mode. This setting could explain the VLAN mismatch issues. Perhaps the FWSMs are not fully aware of each other's VLANs. I suggest you review this and also have a look at the attached document.

I hope it helps ... please rate it if it does !!!

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080602f98.html#wp1142744

New Member

Re: FWSM Interfaces in Normal (waiting) and Unknown (waiting)

But doesn't transparent mean that one can create VLANs in each switch? If this is right, then the VLANs have been configured on both switches manually. So why do we need to make one CAT 6500 switch VTP server and the other VTP client?

Re: FWSM Interfaces in Normal (waiting) and Unknown (waiting)

Yes it is correct but because you have one FWSM on each CAT6500 then you need to have the firewall vlan-group 1 configured the same on both switches .. which from what I could see is not the case.. for example if you look at the firewall vlan-group 1 in one of your switches VLAN 202 is missing. ..

anyway .. that was a suggestion for you look at ...

New Member

Re: FWSM Interfaces in Normal (waiting) and Unknown (waiting)

Now we have the firewall vlan-group 1 exactly the same on both CAT 6500 units and I still have the same symptom as what I had before.

New Member

Re: FWSM Interfaces in Normal (waiting) and Unknown (waiting)

Can you please post the output of the following commands

debug fover cable

debug fover fail

debug fover switch

show vlan on ACTIVE

show vlan on STDBY

Also can you please check your STP status for each of the VLANs and see which of your switches is in forwarding state for each of the VLANs attached to FWSM

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_ref/df.htm#wp1025316

Can you also verify if you

New Member

Re: FWSM Interfaces in Normal (waiting) and Unknown (waiting)

Hello,

After a few copy + paste:

Primary_Galactip -> 10-14,16-18,128,129,131,132,134,136-138,200-204,210,211,252,255,700,777,800,888,2530-2532

Secondary_galactis -> 10-14,16-18,128,129,131,132,134,136-138,200,201,203,204,210,211,252,255,700,777,800,888,2530-2532

You missed configuring VLAN 202 in the secondary firewall vlan-group.

This can be the issue that is causing that failover situation.

Your 6500 trunk is OK, so the traffic should flow naturally, but you have missed that VLAN in the firewall group, and it is created in the secondary switch.

Add it and let us know how is it going!!

Regards
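
Added example, not part of any post in this thread: a small Python check that expands the `firewall vlan-group` ranges from two switch configs and reports VLANs present on one side only, which is the comparison done by hand above. The config excerpts are constructed from the VLAN lists quoted in the thread, and the function names are hypothetical; the repeated `firewall vlan-group 1` lines are an assumption about how the list is wrapped in the config.

```python
import re

# Constructed excerpts: VLAN lists quoted in the thread, wrapped (assumption)
# in "firewall vlan-group 1" lines, one per wrapped line of the list.
PRIMARY = """\
firewall vlan-group 1 10-14,16-18,128,129,131,132,134,136-138,200-204,210,211
firewall vlan-group 1 252,255,700,777,800,888,2530-2532
"""
SECONDARY = """\
firewall vlan-group 1 10-14,16-18,128,129,131,132,134,136-138,200,201,203,204
firewall vlan-group 1 210,211,252,255,700,777,800,888,2530-2532
"""
GROUP_RE = re.compile(r"^\s*firewall vlan-group (\d+)\s+([\d,\-\s]+)$")

def expand(ranges):
    """Expand '10-14,16' into {10, 11, 12, 13, 14, 16}, validating VLAN IDs."""
    vlans = set()
    for part in filter(None, ranges.replace(" ", "").split(",")):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans

def vlan_groups(config):
    """Map group number -> set of VLANs, merging lines that repeat a group."""
    groups = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(expand(m.group(2)))
    return groups

def diff_groups(cfg_a, cfg_b):
    """Return {group: (only_in_a, only_in_b)} for groups whose VLAN sets differ."""
    a, b = vlan_groups(cfg_a), vlan_groups(cfg_b)
    out = {}
    for g in sorted(a.keys() | b.keys()):
        only_a = a.get(g, set()) - b.get(g, set())
        only_b = b.get(g, set()) - a.get(g, set())
        if only_a or only_b:
            out[g] = (sorted(only_a), sorted(only_b))
    return out

if __name__ == "__main__":
    for group, (only_a, only_b) in diff_groups(PRIMARY, SECONDARY).items():
        print(f"vlan-group {group}: only on primary {only_a}, only on secondary {only_b}")
```

An empty result means the two vlan-groups match, so a remaining "VLAN configuration mismatch" has to be looked for elsewhere.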
