I am currently trying to set up a pair of FWSMs on 2 peered 6509s as a failover (active/standby) pair.
The 2 chassis have a ten gig link trunked between them with 3 VLANs on the trunk - outside (which routes to the MSFC on the 6509), state, and failover. I got the failover commands on the primary and enabled failover. I put the skeleton config on my failover unit and it saw the active unit and started the config download. Unfortunately, it failed on that 2 times with this message:
Config Sync Error: Following command could not be executed on
access-list Inside_acl commit-status committed line 25 extended permit
tcp any object-group SFC_NTP_Servers eq 123
******REPLICATION OF CONFIGURATION FROM ACTIVE TO STANDBY UNIT IS INCOMPLETE,
TO PREVENT THE STANDBY UNIT TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION,
THE STANDBY UNIT WILL NOW REBOOT*******
If the sync fails, is that something in the configuration that causes sync failures or is that a physical connectivity issue? I don't have that much experience with the FWSM failover yet (I've only done this with the PIX 500 series previously).
Well, looks like something rather simple. A coworker reviewed the troubleshooting doc. It turns out that our inside interfaces (which are all layer 2 ports on the 6509) must be set up on the trunk between the 2 6509s. It cannot rely on the layer 2 connection to the common switch which the FWSMs are providing routing for.
Once we applied that change, the configuration on each unit replicated without issue.
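A pre-failover check for the condition described above, added here as an example and not part of the original thread: it compares the VLANs handed to the FWSM in the chassis configuration with the allowed list on the inter-chassis trunk. The interface name, module number and VLAN numbers in the sample are constructed, and only numeric allowed lists are handled (not `all`, `none` or `except`).

```python
import re

def expand_vlans(spec):
    """Expand an IOS list such as '100,210-212' into a set of ints."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def fwsm_vlans(config):
    """VLANs in every 'firewall vlan-group' that is bound to a firewall module."""
    groups = {}
    for gid, spec in re.findall(r"^firewall vlan-group (\d+)\s+(\S+)", config, re.M):
        groups.setdefault(int(gid), set()).update(expand_vlans(spec))
    vlans = set()
    for spec in re.findall(r"^firewall module \d+ vlan-group (\S+)", config, re.M):
        for gid in expand_vlans(spec):
            vlans |= groups.get(gid, set())
    return vlans

def trunk_allowed(config, interface):
    """Allowed VLANs on one trunk; None means no allowed list is configured."""
    block = re.search(rf"^interface {re.escape(interface)}\n((?:[ \t]+.*\n?)*)", config, re.M)
    if block is None:
        raise ValueError(f"interface {interface} not found")
    allowed = None
    for m in re.finditer(r"switchport trunk allowed vlan (?:add )?(\S+)", block.group(1)):
        allowed = (allowed or set()) | expand_vlans(m.group(1))
    return allowed

def missing_on_trunk(config, interface):
    """FWSM VLANs (outside, inside, failover, state) not carried between chassis."""
    allowed = trunk_allowed(config, interface)
    return [] if allowed is None else sorted(fwsm_vlans(config) - allowed)

# Constructed sample: 100 = outside, 900/901 = failover/state, 210-212 = inside.
SAMPLE = """\
firewall module 3 vlan-group 1,2
firewall vlan-group 1 100,900,901
firewall vlan-group 2 210-212
!
interface TenGigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,900,901
 switchport mode trunk
!
"""

if __name__ == "__main__":
    print("FWSM VLANs missing from trunk:", missing_on_trunk(SAMPLE, "TenGigabitEthernet1/1"))
```

An empty result means every VLAN assigned to the FWSM is carried on the trunk between the two chassis.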