FWSM sync failure

Hello,

I am currently trying to set up a pair of FWSMs on 2 peered 6509s as a failover (active/standby) pair.

The 2 chassis have a ten gig link trunked between them with 3 VLANs on the trunk - outside (which routes to the MSFC on the 6509), state, and failover. I got the failover commands on the primary and enabled failover. I put the skeleton config on my failover unit and it saw the active unit and started the config download. Unfortunately, it failed on that 2 times with this message:

Config Sync Error: Following command could not be executed on standby
access-list Inside_acl commit-status committed line 25 extended permit tcp any object-group SFC_NTP_Servers eq 123
Context: single_vf
******REPLICATION OF CONFIGURATION FROM ACTIVE TO STANDBY UNIT IS INCOMPLETE,
TO PREVENT THE STANDBY UNIT TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION,
THE STANDBY UNIT WILL NOW REBOOT*******

If the sync fails, is that something in the configuration that causes sync failures or is that a physical connectivity issue? I don't have that much experience with the FWSM failover yet (I've only done this with the PIX 500 series previously).

Any help or suggestions would be appreciated.

Thanks.


Re: FWSM sync failure

Well, looks like something rather simple. A coworker reviewed the troubleshooting doc. It turns out that our inside interfaces (which are all layer 2 ports on the 6509) must be set up on the trunk between the 2 6509s. It cannot rely on the layer 2 connection to the common switch which the FWSMs are providing routing for.

Once we applied that change, the configuration on each unit replicated without issue.

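Editor's added example, not part of the original thread: a pre-failover check for the condition the reply describes, confirming that every VLAN assigned to the FWSM is carried on the trunk between the two chassis. The config excerpt, VLAN IDs, module slot and interface name are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed Catalyst 6500 config excerpt; VLAN IDs, slot and port are made up.
# 10 = outside, 20 = failover, 21 = state, 100-101 = inside.
SAMPLE = """\
firewall module 3 vlan-group 1
firewall vlan-group 1 10,20-21,100-101
!
interface TenGigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,21
 switchport mode trunk
!
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def firewall_vlans(config):
    """VLANs handed to the FWSM by 'firewall vlan-group <n> <list>' lines."""
    vlans = set()
    for m in re.finditer(r"^firewall vlan-group \d+ (\S+)", config, re.M):
        vlans |= expand_vlans(m.group(1))
    return vlans

def trunk_allowed(config, interface):
    """VLANs carried by one trunk port. Handles plain lists and 'add' lines only."""
    block = re.search(rf"^interface {re.escape(interface)}\n((?: .*\n?)*)", config, re.M)
    if block is None:
        raise ValueError(f"interface {interface} not found")
    lists = re.findall(r"switchport trunk allowed vlan (?:add )?(\S+)", block.group(1))
    if not lists:
        return set(range(1, 4095))  # no allowed-vlan line: the trunk carries every VLAN
    return set().union(*(expand_vlans(s) for s in lists))

def missing_on_trunk(config, interface):
    """Firewall VLANs that the inter-chassis trunk does not carry."""
    return sorted(firewall_vlans(config) - trunk_allowed(config, interface))

if __name__ == "__main__":
    print(missing_on_trunk(SAMPLE, "TenGigabitEthernet1/1"))
```

An empty result on both chassis means the inside VLANs reach the peer FWSM over the trunk, which is the state in which the reply reports replication completing.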