482 Views, 0 Helpful, 1 Replies

FWSM not working please help

NAVIN PARWAL
Level 2

Folks,

I am configuring inter-chassis failover, which I have gotten to work many times, but today for some reason I am unable to get it to work. Please help me. VLAN 30 is the failover VLAN, which is passing between the 2 switches, but for some reason the FWSM disables failover whenever I enable it, very strange?????

Switch
------
!
!
no aaa new-model
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1
firewall vlan-group 1 30,40,211,311,411
ip subnet-zero
!
!

FWSM#
-----

FWSM# show run
: Saved
:
FWSM Version 3.2(2)
!
hostname FWSM
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan30
 description LAN Failover Interface
!
interface Vlan211
 nameif inside
 security-level 100
 ip address 172.16.11.2 255.255.255.0 standby 172.16.11.222
!
interface Vlan411
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.111
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu inside 1500

FWSM# show failover
Failover Off
Failover unit Primary
Failover LAN Interface: failover Vlan 30 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum

FWSM# conf t
FWSM(config)# fail
FWSM(config)# failover
FWSM(config)# end

FWSM# show fail
FWSM# show failover
Failover Off
Failover unit Primary
Failover LAN Interface: failover Vlan 30 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum

FWSM#

1 Reply

hadbou
Level 5

The problem might be a mismatched VLAN assignment across the firewalls (FWSMs and supervisors). For example, in the firewall vlan-group 1 statement, the number of VLANs assigned to the firewall on each switch can vary. This might cause the issue. If you assign the same number of VLANs in the firewall, then failover will work.

In order to avoid getting a VLAN configuration mismatch error, the show vlan command output must be identical on both FWSMs. This error message only occurs when you modify or load the failover configuration on the FWSM. For example, when an FWSM boots, it loads the startup-config from flash and attempts to initialize failover. At this time, it checks to make sure both modules are receiving the correct VLANs. If the VLANs do not match, the error message is displayed and failover remains disabled.

Note: For failover to work, the FWSM requires identical configurations and port assignments. It is possible to do inter-chassis failover, but each VLAN assigned to the firewall must be in the trunk between the two chassis.

FWSM does not include any external physical interfaces. Instead, it uses VLAN interfaces. Assigning VLANs to the FWSM is similar to assigning a VLAN to a switch port. The FWSM includes an internal interface to the Switch Fabric Module (if present) or the shared bus.

Be aware that the VLAN mapping can get modified during a working FWSM setup and will fail during the next boot.
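To make the reply's check concrete, here is an added Python script (not from the thread and not Cisco's own tooling) that parses the "firewall vlan-group" and "firewall module ... vlan-group" lines from both chassis configs plus the "switchport trunk allowed vlan" list on the inter-chassis trunk, then reports VLANs delivered to one FWSM but not the other and firewall VLANs the trunk does not carry. Chassis A mirrors the switch config posted above (module 3, VLANs 30,40,211,311,411); the chassis B config, the trunk interface name GigabitEthernet1/1 and the deliberately shortened VLAN lists are constructed to show a mismatch.

```python
import re
from typing import Dict, List, Set

# Constructed sample configs. Chassis A copies the poster's firewall lines;
# the trunk interface and everything on chassis B are invented for the demo.
CHASSIS_A = """
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1
firewall vlan-group 1 30,40,211,311,411
!
interface GigabitEthernet1/1
 description constructed: trunk to chassis B
 switchport
 switchport trunk allowed vlan 30,40,211,311,411
 switchport mode trunk
!
"""

CHASSIS_B = """
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1
firewall vlan-group 1 30,40,211,411
!
interface GigabitEthernet1/1
 description constructed: trunk to chassis A
 switchport
 switchport trunk allowed vlan 40,211,311,411
 switchport mode trunk
!
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '30,40,211-213' into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def firewall_vlans(config: str, module: int) -> Set[int]:
    """VLANs delivered to the FWSM in the given slot: the union of every
    'firewall vlan-group' referenced by 'firewall module <slot> vlan-group'."""
    groups: Dict[int, Set[int]] = {}
    module_groups: Set[int] = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"firewall vlan-group (\d+)\s+(\S+)", line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(expand_vlan_list(m.group(2)))
            continue
        m = re.match(r"firewall module (\d+) vlan-group (\S+)", line)
        if m and int(m.group(1)) == module:
            module_groups.update(expand_vlan_list(m.group(2)))
    result: Set[int] = set()
    for g in module_groups:
        result.update(groups.get(g, set()))
    return result


def trunk_allowed_vlans(config: str, interface: str) -> Set[int]:
    """Allowed VLANs under one interface stanza. Assumes a single plain
    'switchport trunk allowed vlan <list>' line; with no such line IOS
    allows every VLAN (1-4094)."""
    in_iface = False
    for raw in config.splitlines():
        if raw.startswith("interface "):
            in_iface = raw.split(None, 1)[1].strip() == interface
            continue
        if in_iface:
            line = raw.strip()
            m = re.match(r"switchport trunk allowed vlan (\S+)", line)
            if m:
                return expand_vlan_list(m.group(1))
            if line == "!":
                in_iface = False
    return set(range(1, 4095))


def check_failover_vlans(config_a: str, config_b: str, module: int,
                         trunk_a: str, trunk_b: str, failover_vlan: int) -> Dict[str, object]:
    """Compare the firewall VLAN sets of both chassis and verify each is
    carried on that chassis' inter-chassis trunk, as the reply requires."""
    fw_a = firewall_vlans(config_a, module)
    fw_b = firewall_vlans(config_b, module)
    allowed_a = trunk_allowed_vlans(config_a, trunk_a)
    allowed_b = trunk_allowed_vlans(config_b, trunk_b)
    report: Dict[str, object] = {
        "only_on_a": sorted(fw_a - fw_b),            # delivered to FWSM A only
        "only_on_b": sorted(fw_b - fw_a),            # delivered to FWSM B only
        "not_trunked_from_a": sorted(fw_a - allowed_a),
        "not_trunked_from_b": sorted(fw_b - allowed_b),
        "failover_vlan_ok": all(failover_vlan in s for s in (fw_a, fw_b, allowed_a, allowed_b)),
    }
    return report


if __name__ == "__main__":
    for key, value in check_failover_vlans(CHASSIS_A, CHASSIS_B, 3,
                                           "GigabitEthernet1/1", "GigabitEthernet1/1", 30).items():
        print(f"{key}: {value}")
```

Run against the constructed configs it reports VLAN 311 missing from chassis B's vlan-group and the failover VLAN 30 absent from chassis B's trunk, which is exactly the kind of mismatch that leaves failover disabled after "failover" is entered; feed it the real running configs of both supervisors to confirm the "show vlan" outputs on the two FWSMs will agree before enabling failover.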
