04-11-2012 06:55 AM - edited 03-11-2019 03:52 PM
Hi,
A client has had their FWSM fail; when you try to start the module, the switch eventually disables the power to that slot (%C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Module Failed SCP dnld)). I have turned off diagnostics with 'no diagnostic boot level' and then used 'boot device module 4 cf:1' to bring the FWSM up into maintenance mode. I can then session up from the switch and log in to the FWSM as root.
After inputting all the necessary IP info, I can't ping anything on vlan 1 as I would expect. I have set the FWSM as 192.168.1.2 and an FTP/TFTP server as 192.168.1.1.
I have removed the firewall vlan groups and tried to put them back with just vlan 1, but this isn't accepted (the reasons are covered in other posts on the forum). What am I doing wrong, as the instructions say that vlan 1 is the only vlan that is accessible whilst the FWSM is in maintenance mode?
I can create an int vlan 1 in the switch and ping my FTP server, so I know that the switchport is set up correctly. I can also see that Po308 is formed, and when the module boots I can see the Gi4/xx interfaces come up (FWSM is in slot 4).
Any ideas of what to try next?
............and they aren't covered by maintenance agreements
FWSM
Maintenance image version: 2.1(4)
root@fwsm.localdomain#show images
Device name Partition# Image name
----------- ---------- ----------
Compact flash(cf) 4 c6svc-fwm-k9.3-1-4-0.bin
Switch
SWITCH# sh ver
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Mon 18-Jul-11 05:49 by prod_rel_team
ROM: System Bootstrap, Version 12.2(17r)SX7, RELEASE SOFTWARE (fc1)
Regards
Mel
09-25-2013 08:39 AM
I'd also appreciate an answer to this. Our host 6509-E switch is running 12.2(33)SXJ3. FWSM is bootable into maintenance mode and all IP settings are taken, but it cannot ping out.
Results of "show firewall module 1 state" command (as shown below) show that VLAN 1 is extended up to the module, also proven by turning up a temporary SVI for VLAN1 which goes offline when the FWSM module is powered off (we don't use that VLAN elsewhere). Yet SVI cannot ping FWSM nor vice versa.
Firewall module 1:
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 1
Pruning VLANs Enabled: 2-1001
Vlans allowed on trunk: 1
Vlans allowed and active in management domain: 1
Vlans in spanning tree forwarding state and not pruned:
1
So, Cisco, why doesn't this work? Is the FWSM broken or is this a software bug in maintenance software 2.1(4)?
12-10-2013 11:49 PM
Recently I met the same problem.
When installing an FWSM board in the Catalyst 6509, there is no communication access via vlan1 in the maintenance partition.
Moreover, the FWSM works properly in the application partition (cf:4).
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXH8, RELEASE SOFTWARE (fc1)
System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
Mod Ports Card Type Model
--- ----- -------------------------------------- ------------------
1 48 48-port 10/100/1000 RJ45 EtherModule WS-X6148A-GE-TX
4 6 Firewall Module WS-SVC-FWM-1
5 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL
8 5 Communication Media Module WS-SVC-CMM
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
1 001b.d41a.8360 to 001b.d41a.838f 1.5 8.4(1) 8.7(0.22)BUB Ok
4 0003.fead.962e to 0003.fead.9635 3.0 7.2(1) 4.1(14) Ok
5 0017.9444.c3ec to 0017.9444.c3ef 5.4 8.5(2) 12.2(33)SXH8 Ok
8 0017.0ee2.13cc to 0017.0ee2.13d5 2.8 12.4(25c), 12.4(25c), Ok
FWSM versions
FWSM Firewall Version 3.2(20)
Device Manager Version 5.0(3)F
It is not possible to verify, because the switch is in service.
I guess the likely reason is the following.
FWSM supports only untagged packets on vlan1. By default, the Catalyst 6500 does not tag native vlan1.
In my case, tagging on the native vlan is enabled globally.
#sh vlan dot1q tag native
dot1q native vlan tagging is enabled globally
Per Port Native Vlan Tagging State:
-------------------------------------------
Port Operational Native VLAN
Mode Tagging State
-------------------------------------------
Gi1/2 trunk enabled
Gi1/8 trunk enabled
Gi1/13 trunk enabled
Gi1/14 trunk enabled
Gi1/17 trunk enabled
Gi1/18 trunk enabled
Gi1/21 trunk enabled
Gi1/27 trunk enabled
Gi1/30 trunk enabled
Gi1/32 trunk enabled
Gi1/38 trunk enabled
Gi1/42 trunk enabled
Gi1/43 trunk enabled
Gi1/44 trunk enabled
Gi1/46 trunk enabled
Gi5/2 trunk enabled
Po2 trunk enabled
Po308 trunk enabled
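
A small check for the condition the last post suspects, added here as an example (not code from any poster or from Cisco): it parses `show vlan dot1q tag native` output and reports whether native-VLAN tagging is enabled on the port-channel facing the FWSM. Treating Po308 as that port-channel is an assumption taken from the thread, the "disabled" wording is assumed, and the function names are hypothetical.

```python
import re

# Output as posted in the thread, abridged to a few of the listed ports.
SAMPLE = """\
#sh vlan dot1q tag native
dot1q native vlan tagging is enabled globally
Per Port Native Vlan Tagging State:
-------------------------------------------
Port Operational Native VLAN
Mode Tagging State
-------------------------------------------
Gi1/2 trunk enabled
Gi5/2 trunk enabled
Po2 trunk enabled
Po308 trunk enabled
"""

# "disabled" is an assumed counterpart of the wording shown in the thread.
GLOBAL_RE = re.compile(r"dot1q native vlan tagging is (enabled|disabled)", re.I)
# A port row: interface name containing a digit, operational mode, tagging state.
PORT_RE = re.compile(
    r"^(?P<port>[A-Za-z]+\d[\d/]*)\s+(?P<mode>\S+)\s+(?P<state>enabled|disabled)$",
    re.I,
)

def parse_native_tagging(text):
    """Return (global_tagging, {port: (mode, tagging_enabled)})."""
    global_state, ports = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.search(line)
        if m:
            global_state = m.group(1).lower() == "enabled"
            continue
        m = PORT_RE.match(line)
        if m:
            ports[m["port"]] = (m["mode"].lower(), m["state"].lower() == "enabled")
    return global_state, ports

def check_fwsm_port(text, fwsm_port="Po308"):
    """Report whether VLAN 1 frames toward the FWSM port-channel would be tagged."""
    global_state, ports = parse_native_tagging(text)
    report = {"port": fwsm_port, "global_tagging": global_state,
              "found": fwsm_port in ports, "vlan1_tagged": None}
    if report["found"]:
        mode, tagged = ports[fwsm_port]
        report["vlan1_tagged"] = mode == "trunk" and tagged
    return report
```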