04-23-2007 12:18 AM - edited 03-11-2019 03:02 AM
Hi,
We've noticed that Active/Standby Failover does not function anymore.
(Lucky for us the FWSM is running very solid)
After restarting either one of the two units in the failover configuration, the already active unit becomes totally unavailable.
In this state the unit cannot be reached (neither directly by SSH nor from within the chassis via the 'session slot...' and 'telnet 127.0.0.X' commands) and is carrying no traffic.
(We've noticed this problem before when configuring Multicast on the FWSM. After removal of the MC configuration all seemed to work fine, but now we have the same problem back again.)
Configuration
- two FWSM modules in active/standby failover
- two Cat6500 chassis, each containing one FWSM, and two Supervisor Engine 720 in RPR+
- software version FWSMs: version 3.1.3 or 3.1.1
- software version Supervisor Engine 720s: s72033-advipservicesk9_wan-mz.122-18.SXF4.bin
- Chassis interconnected by two times 10Gb/s trunks, both carrying statelink and failover over separate VLANs
Show version:
f01/sec/act# sh ver
FWSM Firewall Version 3.1(3)
Detected an old ASDM version.
You will need to upgrade it before using ASDM.
Compiled on Thu 06-Jul-06 12:44 by dalecki
f01 up 2 days 20 hours
Hardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash SanDisk SDCFB-128 @ 0xc321, 20MB
0: Int: Not licensed : irq 5
1: Int: Not licensed : irq 7
2: Int: Not licensed : irq 11
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Maximum Interfaces : 256
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
Serial Number: SAD0637022V
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
Configuration last modified by enable_1 at 14:46:39.980 MET Fri Apr 20 2007
Could it be we lost the activation key along the upgradin' way?
In that case, isn't it strange that we cannot reach the failed unit, even with 'session slot' command?
Please see attachment.
Erik
04-23-2007 08:57 AM
The FWSM does not have an activation key; it is normal for it to be all 0's. It would help if we had a show fail output...
04-23-2007 11:19 PM
Thanks for your reply.
The output of the 'sh fail' command is already included in the attachment.
According to Cisco for certain options it does need an activation key:
"Managing Licenses
When you install the software, the existing activation key is extracted from the original image and stored in a file in the FWSM file system. This section includes the following topics:
- Obtaining an Activation Key
- Entering a New Activation Key
Obtaining an Activation Key
To obtain an activation key, you will need a Product Authorization Key, which you can purchase from your Cisco account representative. After obtaining the Product Authorization Key, register it on the Web to obtain an activation key by performing the following steps:
--------------------------------------------------------------------------------
Step 1 Obtain the serial number for your FWSM by entering the following command:
hostname> show version | include Number
Enter the pipe character (|) as part of the command.
Step 2 Connect a web browser to one of the following websites (the URLs are case-sensitive):
Use the following website if you are a registered user of Cisco.com:
http://www.cisco.com/go/license
Use the following website if you are not a registered user of Cisco.com:
http://www.cisco.com/go/license/public
Step 3 Enter the following information, when prompted:
- Your Product Authorization Key
- The serial number of your FWSM.
- Your e-mail address.
The activation key will be automatically generated and sent to the e-mail address that you provide.
--------------------------------------------------------------------------------
Entering a New Activation Key
To enter the activation key, enter the following command:
hostname(config)# activation-key key
The key is a four-element hexadecimal string with one space between each element. For example, a key in the correct form might look like the following key:
0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e
The leading 0x specifier is optional; all values are assumed to be hexadecimal.
If you are already in multiple context mode, enter this command in the system execution space. "
Etc.....
04-24-2007 12:04 AM
Hi Erik
It's probably a long shot as the symptoms are not exactly the same as the ones I have seen, but whenever I get issues with failover it's because a vlan has been allocated to one switch that hasn't been added to the other.
Could you check the 6500 config and ensure that you have allocated the same vlans to the FWSMs on both chassis?
HTH
Jon
04-24-2007 12:18 AM
Hi Jon,
Checked that out and all seems ok.
Strange thing is that the failing unit is not even reachable from within the switch (session slot1 proc 1 command)
11-25-2008 02:06 AM
Hi Jon
I was just looking at your issue as I am just having the same issue with the FWSM running 3.1(4) code. Was your issue a configuration issue or software?
Many thanks MJ
11-25-2008 02:21 AM
Hi MJ
Problem was resolved after upgrade to 3.1(5).
Best regards,
Erik
11-25-2008 03:26 AM
Hi Erik
Many thanks for the response,
Regards MJ
11-25-2008 05:46 AM
Most likely it was a bug.
You should see the mac-addresses of the fwsm blade on the portchannel on the 6500.
sh mac-ad int po270.
Port-channel270 is the interface where the blade is connected to the 6500. If you don't see the mac-addresses on this portchannel you should upgrade. Be aware, it could be another portchannel beginning with po27x
Cheers
Jorg