cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1346
Views
0
Helpful
2
Replies

FWSM maintenance mode - vlan 1

Mel Popple
Level 1
Level 1

Hi,

A client has had their FWSM fail, when you try to start the module the switch eventually disables the power to that slot (%C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Module  Failed SCP dnld)). I have turned off diagnostics with 'no diagnostic boot level' and then use 'boot device module 4 cf:1' to bring the FWSM up into maintenance mode. I can then session up from the switch and log in to the FWSM as root.

After inputting all the necessary IP info I can't ping anything on vlan 1 as I would expect, I have set the FWSM as 192.168.1.2 and a FTP/TFTP server as 192.168.1.1

I have removed the firewall vlan groups and tried to put them back with just vlan 1 but this isn't accepted (the reasons are covered in other posts on the forum). What am I doing wrong as the instruction say that vlan 1 is the only vlan that is accessable whilst the FWSM is in maintenance mode.

I can create an int vlan 1 in the switch and ping my ftp server so know that the switchport is set up correctly, I can also see that Po308 is formed and when the module boots I can see the Gi4/xx interfaces come up (FWSM is in slot 4).

Any ideas of what to try next?

............and they aren't covered by maintenance agreements

FWSM

Maintenance image version: 2.1(4)

root@fwsm.localdomain#show images
Device name             Partition#              Image name
-----------             ----------               ----------
Compact flash(cf)       4                       c6svc-fwm-k9.3-1-4-0.bin

Switch

SWITCH# sh ver
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Mon 18-Jul-11 05:49 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)SX7, RELEASE SOFTWARE (fc1)

Regards

Mel

2 Replies 2

dynamicv
Level 1
Level 1

I'd also appreciate an answer to this.  Our host 6509-E switch is running 12.2(33)SXJ3.  FWSM is bootable into maintenance mode and all IP settings are taken, but it cannot ping out.

Results of "show firewall module 1 state" command (as shown below) show that VLAN 1 is extended up to the module, also proven by turning up a temporary SVI for VLAN1 which goes offline when the FWSM module is powered off (we don't use that VLAN elsewhere).  Yet SVI cannot ping FWSM nor vice versa.

Firewall module 1:

Switchport: Enabled

Administrative Mode: trunk

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: Off

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Trunking VLANs Enabled: 1

Pruning VLANs Enabled: 2-1001

Vlans allowed on trunk: 1

Vlans allowed and active in management domain: 1

Vlans in spanning tree forwarding state and not pruned:

   1

So, Cisco, why doesn't this work?  Is the FWSM broken or is this a software bug in maintenance software 2.1(4)? 

Recently i met the same problem.
When installing FWSM board on the Catalyst 6509 there is not communication access via vlan1 in the maintenance partition.
Moreover, the FWSM works properly in the aplication partition(cf:4).


Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXH8, RELEASE SOFTWARE (fc1)
System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)

Mod Ports Card Type                              Model             
--- ----- -------------------------------------- ------------------
  1   48  48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX   
  4    6  Firewall Module                        WS-SVC-FWM-1      
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL    
  8    5  Communication Media Module             WS-SVC-CMM        

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  001b.d41a.8360 to 001b.d41a.838f   1.5   8.4(1)       8.7(0.22)BUB Ok
  4  0003.fead.962e to 0003.fead.9635   3.0   7.2(1)       4.1(14)      Ok
  5  0017.9444.c3ec to 0017.9444.c3ef   5.4   8.5(2)       12.2(33)SXH8 Ok
  8  0017.0ee2.13cc to 0017.0ee2.13d5   2.8   12.4(25c),   12.4(25c),   Ok

FWSM versions
FWSM Firewall Version 3.2(20)
Device Manager Version 5.0(3)F


Not possible to verify the switch is in the service.
I guess the reason is likely next.
FWSM supports only untagged packets on the vlan1. By default catalyst 6500 not tagged native vlan1.
In my case globally enabled tagging  in the native vlan.
#sh vlan dot1q tag native
dot1q native vlan tagging is enabled globally

sh vlan dot1q tag native
dot1q native vlan tagging is enabled globally

Per Port Native Vlan Tagging State:
-------------------------------------------

Port    Operational          Native VLAN
           Mode               Tagging State
-------------------------------------------
Gi1/2   trunk                 enabled
Gi1/8   trunk                 enabled
Gi1/13  trunk                 enabled
Gi1/14  trunk                 enabled
Gi1/17  trunk                 enabled
Gi1/18  trunk                 enabled
Gi1/21  trunk                 enabled
Gi1/27  trunk                 enabled
Gi1/30  trunk                 enabled
Gi1/32  trunk                 enabled
Gi1/38  trunk                 enabled
Gi1/42  trunk                 enabled
Gi1/43  trunk                 enabled
Gi1/44  trunk                 enabled
Gi1/46  trunk                 enabled
Gi5/2   trunk                 enabled
Po2     trunk                 enabled
Po308   trunk                 enabled

Review Cisco Networking for a $25 gift card