fwsm on both 6513 switches problem??

Ru Song Fu
Level 1

In the 6513 switch the FWSM module has five virtual contexts, and the virtual contexts work in transparent mode. After the synchronization of the two contexts ends (show failover is Normal), "Duplicate address" messages appear in the switch console logging and the switch CPU is at full utilization. The 6513 has high CPU, and at that time I can't telnet to the FWSM. If I shut down the FWSM, the CPU immediately drops.

When I use a single FWSM module, it only runs for a few minutes (5-6 minutes) after I reset the FWSM; then the console gives no prompt and I can't telnet to the FWSM, but show module is OK. FWSM_A and FWSM_B behave the same.

Below is the 6513 config:

clock timezone PDT -7
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1
firewall vlan-group 1 2-9,11,12,20,30,40,50,60,70,80,90
analysis module 2 management-port access-vlan 8
ip subnet-zero
!
spanning-tree mode rapid-pvst
!
interface Port-channel1 #port-channel To SwitchB
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
!
interface GigabitEthernet10/46
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 channel-group 1 mode desirable non-silent

Below is the trade context config:

ZJRCU-FWSM/trade# sh run
: Saved
:
FWSM Version 3.1(3) <context>
!
firewall transparent
hostname trade
enable password xxx
names
!
interface Vlan2
 nameif outside
 bridge-group 2
 security-level 0
!
interface Vlan20
 nameif inside
 bridge-group 2
 security-level 100
!
interface BVI2
 ip address 10.233.2.250 255.255.255.0 standby 10.233.2.251
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list test extended permit ip any any
access-list eth ethertype permit bpdu
pager lines 24
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group eth in interface outside
access-group test in interface outside
access-group eth in interface inside
access-group test in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
!

ZJRCU-FWSM/trade# sh fa
Failover On
Last Failover at: 13:49:27 UTC Nov 24 2006
    This context: Standby Ready
        Active time: 0 (sec)
        Interface outside (10.233.2.251): Normal
        Interface inside (10.233.2.251): Normal
    Peer context: Active
        Active time: 469 (sec)
        Interface outside (10.233.2.250): Normal
        Interface inside (10.233.2.250): Normal

Stateful Failover Logical Update Statistics
    Status: Configured.
    Stateful Obj    xmit  xerr  rcv  rerr
    RPC services       0     0    0     0
    TCP conn           0     0    0     0
    UDP conn           0     0    0     0
    ARP tbl            0     0    2     0
    L2BRIDGE Tbl       0     0   15     0
    Xlate_Timeout      0     0    0     0
ZJRCU-FWSM/trade#


Ru Song Fu
Level 1

I am sure this is a loop occurring. When I deny any any on the inside and outside interfaces, the 6513 switch system is normal and CPU is 0%. Why, when I permit EtherType BPDU to avoid the loop, does it still happen? How can I avoid it???
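As an added check that is not from the post or from Cisco: a small Python lint over a transparent-mode FWSM context config that flags any bridge-group interface without an inbound EtherType ACL permitting BPDUs. The config excerpt below is constructed from the trade context above; the second call removes the inside binding to show what a gap looks like.

```python
import re

# Constructed excerpt of the transparent "trade" context config from the post.
TRADE_CTX = """
firewall transparent
interface Vlan2
 nameif outside
 bridge-group 2
!
interface Vlan20
 nameif inside
 bridge-group 2
!
access-list test extended permit ip any any
access-list eth ethertype permit bpdu
access-group eth in interface outside
access-group test in interface outside
access-group eth in interface inside
access-group test in interface inside
"""

def parse_context(cfg):
    """Collect bridge-group interfaces, BPDU-permitting EtherType ACLs, and inbound ACL bindings."""
    bridged, bpdu_acls, inbound, nameif = set(), set(), {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface ") or line == "!":
            nameif = None                       # start or end of an interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("bridge-group ") and nameif:
            bridged.add(nameif)
        elif m := re.match(r"access-list (\S+) ethertype permit bpdu\b", line):
            bpdu_acls.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            inbound.setdefault(m.group(2), []).append(m.group(1))
    return bridged, bpdu_acls, inbound

def bpdu_gaps(cfg):
    """Bridge-group interfaces with no inbound EtherType ACL that permits BPDUs.
    A transparent firewall that drops BPDUs hides the bridged path from spanning
    tree, so a loop through it is not blocked and surfaces as duplicate-address
    logging and high switch CPU, which is the symptom described in the post."""
    bridged, bpdu_acls, inbound = parse_context(cfg)
    return sorted(i for i in bridged
                  if not any(a in bpdu_acls for a in inbound.get(i, [])))

if __name__ == "__main__":
    print(bpdu_gaps(TRADE_CTX))   # [] : both sides of bridge-group 2 permit BPDUs
    print(bpdu_gaps(TRADE_CTX.replace("access-group eth in interface inside\n", "")))  # ['inside']
```

An empty result only says BPDUs are allowed through the context; a loop can still exist outside the firewall (for example via the trunked port-channel), so the lint complements, rather than replaces, checking the switch's spanning-tree state.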
