Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8617
Views
10
Helpful
13
Replies

FWSM : Failover Off (pseudo-Standby)

Go to solution
yogesh.suryawanshi
Level 1
Level 1

‎11-04-2008 02:19 AM

Hello !!!!,

We are running FWSM Firewall Version 3.2(1). In multi context mode with Interchassie (2 boxes of 6509 ) failover

I have FWSM Failover problem.

Primary Box sh failover output

****

This context: Active

Peer context: Failed

Secondary Box shows

*******

Failover Off (pseudo-Standby)

Failover unit Secondary

Failover LAN Interface: faillink Vlan x (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 15 seconds

Interface Policy 4

Monitored Interfaces 46 of 250 maximum

failover replication http

Can some one please guide with the

1. reason behind Failover got off on secondary box

2. What can be done to recover from this state.

3 What are the impact of this if not recovered.

Thanks in Advance

Regards

Yogesh

India

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to yogesh.suryawanshi

‎11-05-2008 05:54 AM

Yes do a 'write mem'. It seems you are missing an IP on the nattest interface and also you are missing vlans Safeco and Bizco on the secondary core switch.

Do a show vlan on the secondary switch and see if these vlans exists and are ACTIVE!

Regards

Farrukh

View solution in original post

13 Replies 13

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎11-04-2008 03:02 AM

Mostly you have a VLAN mismatch between thet two FWSMs, have a look at this:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080965dec.shtml#vlan

Regards

Farrukh

0 Helpful

Go to solution
yogesh.suryawanshi
Level 1
Level 1
In response to Farrukh Haroon

‎11-04-2008 03:09 AM

Thanks Farrukh for reply,

Have checked & gone through the config & firewall group on core switch.

Vlan config is not mismatch...

Have tried "write standby" on primary box but no use...

please advice

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to yogesh.suryawanshi

‎11-04-2008 04:00 AM

Please check the trunk between the two switches to make sure all these vlans are allowed.

Can you post 'show failover' from both ends?

Regards

Farrukh

0 Helpful

Go to solution
yogesh.suryawanshi
Level 1
Level 1
In response to Farrukh Haroon

‎11-04-2008 04:59 AM

Hi,

Etherchannel between both boxes has indentical vlan.

Please find the attached sh fail for both FWSM

Thanks

Yogesh

Preview file
8 KB
0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to yogesh.suryawanshi

‎11-04-2008 05:24 AM

Your failover is disabled on the secondary unit. It seems you have done some misconfiguration for these two vlans:

project Interface Safeco (10.33.56.15): No Link (Waiting)

project Interface Bizzapps (10.33.60.15): Unknown (Waiting)

They should be 'Normal' if you VLANS are ocnfigured properly.

Also put 'failover' command on secondar box if its not already there.

Regards

Farrukh

0 Helpful

Go to solution
yogesh.suryawanshi
Level 1
Level 1
In response to Farrukh Haroon

‎11-05-2008 02:25 AM

Thanks for your valuable inputs.

Now it is sure where the problem is , with above 2 interfaces...

I have gone through configuration of the above mention interfaces & Vlan. Vlan configuration is perfectly right....

Noticed one thing : On Primary FWSM (Admin context)interfaces of the above 2 interface are exist....but if i look in the admin context of Secondary FWSM i do not see those interfaces.....it may be because of why it has status of no link & Unknown...

but wondering how it has like this...vlan's assigned on to both box ,Vlan groups are identical...above interfaces host are accessing resources using FWSM...means interface in Primary providing service & it is working...

Appreciate if you will help me to dig out this issue...

Thanks

Yogesh

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to yogesh.suryawanshi

‎11-05-2008 03:39 AM

Is it possible to post the configuration for the secondary box? and also the

"show run | inc firewall" from both switches. Also make sure the VLANs are created on both switches and the relevant SVIs exist on the firewall.

Regards

Farrukh

0 Helpful

Go to solution
yogesh.suryawanshi
Level 1
Level 1
In response to Farrukh Haroon

‎11-05-2008 04:35 AM

Hi,

Yes same have checked about vlan's and SVI ..it looks ok.

Today also i have created new interface on Primary..but it is not replicated to secondary...

Pl find attached output requested.

Regards

Yogesh

Preview file
5 KB
0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to yogesh.suryawanshi

‎11-05-2008 05:39 AM

Please go to the secondary unit and enter the following commands:

no failover

failover

Regards

Farrukh

0 Helpful

Go to solution
yogesh.suryawanshi
Level 1
Level 1
In response to Farrukh Haroon

‎11-05-2008 05:51 AM

Hi Farrukh,

This option looks fine.

Does these commands are service affecting?

Do i have run write standby command after executing above mention commands.

Thanks

Yogesh

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to yogesh.suryawanshi

‎11-05-2008 05:54 AM

Yes do a 'write mem'. It seems you are missing an IP on the nattest interface and also you are missing vlans Safeco and Bizco on the secondary core switch.

Do a show vlan on the secondary switch and see if these vlans exists and are ACTIVE!

Regards

Farrukh

Go to solution
yogesh.suryawanshi
Level 1
Level 1
In response to Farrukh Haroon

‎11-21-2008 02:20 AM

Hello Farrukh ,

Soluation provided by you is worked & failover started sucessfully without any cause to network.......

Manay Many thanks for advice...

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to yogesh.suryawanshi

‎11-21-2008 03:36 AM

No problem at all. I'm glad its working now :)

Regards

Farrukh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents