
Ru Song Fu

fwsm on both 6513 switches problem??

In the 6513 switch there is an FWSM module with five virtual contexts, and the virtual contexts work in transparent mode. After the synchronization of the two contexts ends (show failover is Normal), "Duplicate address" messages appear in the switch console logging, and the switch CPU is full. The 6513 has high CPU, and at that time I can't telnet to the FWSM. If I shut down the FWSM, the CPU immediately goes lower.

When I use a single FWSM module, it only runs for a few minutes (5-6 minutes) after resetting the FWSM; the console gives no prompt at all and I can't telnet to the FWSM. But show module is OK. FWSM_A and FWSM_B behave the same.

Below is the 6513 config:

clock timezone PDT -7
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1
firewall vlan-group 1 2-9,11,12,20,30,40,50,60,70,80,90
analysis module 2 management-port access-vlan 8
ip subnet-zero

spanning-tree mode rapid-pvst

interface Port-channel1   #port-channel to SwitchB
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address

interface GigabitEthernet10/46
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 channel-group 1 mode desirable non-silent

Below is the trade context config:

ZJRCU-FWSM/trade# sh run
: Saved

FWSM Version 3.1(3) <context>

firewall transparent
hostname trade
enable password xxx

interface Vlan2
 nameif outside
 bridge-group 2
 security-level 0

interface Vlan20
 nameif inside
 bridge-group 2
 security-level 100

interface BVI2
 ip address standby

passwd 2KFQnbNIdI.2KYOU encrypted
access-list test extended permit ip any any
access-list eth ethertype permit bpdu
pager lines 24
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group eth in interface outside
access-group test in interface outside
access-group eth in interface inside
access-group test in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5

ZJRCU-FWSM/trade# sh fa
Failover On
Last Failover at: 13:49:27 UTC Nov 24 2006
        This context: Standby Ready
                Active time: 0 (sec)
                Interface outside ( Normal
                Interface inside ( Normal
        Peer context: Active
                Active time: 469 (sec)
                Interface outside ( Normal
                Interface inside ( Normal

Stateful Failover Logical Update Statistics
        Status: Configured.
        Stateful Obj    xmit   xerr   rcv    rerr
        RPC services    0      0      0      0
        TCP conn        0      0      0      0
        UDP conn        0      0      0      0
        ARP tbl         0      0      2      0
        L2BRIDGE Tbl    0      0      15     0
        Xlate_Timeout   0      0      0      0


Ru Song Fu

I am sure this is a loop occurring. When I deny any any on the inside and outside interfaces, the 6513 switch system is normal and the CPU is 0%. I permit ethertype BPDU to avoid it, so why does it still occur???
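The two things worth checking from the thread above are whether each bridged interface of the transparent context actually lets BPDUs through (so spanning tree on the 6513 can detect the redundant path through the FWSM pair) and what the failover pair is reporting. The script below is an added example, not the poster's code or a Cisco tool: it parses a constructed context configuration and a constructed `show failover` output in the same shape as the ones in the post, evaluates the bound EtherType ACL per interface with first-match semantics and the ACL's implicit deny, and reports interfaces where BPDUs are not permitted plus any non-Normal failover state. It does not assume a platform default for the case where no EtherType ACL is bound; it just flags that case. The interface addresses in the sample output are placeholders (0.0.0.0), and `loop_risk_report` is a hypothetical helper name.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input, in the same shape as the transparent-context
# configuration shown in the post (trimmed to the lines that matter here).
SAMPLE_CONTEXT_CONFIG = """\
firewall transparent
hostname trade
interface Vlan2
 nameif outside
 bridge-group 2
 security-level 0
interface Vlan20
 nameif inside
 bridge-group 2
 security-level 100
access-list test extended permit ip any any
access-list eth ethertype permit bpdu
access-group eth in interface outside
access-group test in interface outside
access-group eth in interface inside
access-group test in interface inside
"""

# Constructed sample in the shape of the 'show failover' output in the post.
# The interface addresses are placeholders (0.0.0.0), not values from the post.
SAMPLE_FAILOVER = """\
Failover On
Last Failover at: 13:49:27 UTC Nov 24 2006
This context: Standby Ready
        Active time: 0 (sec)
        Interface outside (0.0.0.0): Normal
        Interface inside (0.0.0.0): Normal
Peer context: Active
        Active time: 469 (sec)
        Interface outside (0.0.0.0): Normal
        Interface inside (0.0.0.0): Normal
"""


def parse_nameifs(config: str) -> List[str]:
    """Interface names (nameif) defined in the context, in order of appearance."""
    return re.findall(r"^\s*nameif\s+(\S+)", config, re.M)


def parse_ethertype_acls(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """ACL name -> ordered (action, ethertype) entries, e.g. ('permit', 'bpdu')."""
    acls: Dict[str, List[Tuple[str, str]]] = {}
    pat = r"^access-list\s+(\S+)\s+ethertype\s+(permit|deny)\s+(\S+)"
    for m in re.finditer(pat, config, re.M):
        acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).lower()))
    return acls


def parse_access_groups(config: str) -> Dict[str, List[str]]:
    """nameif -> ACL names applied inbound on that interface, in config order."""
    groups: Dict[str, List[str]] = {}
    pat = r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)"
    for m in re.finditer(pat, config, re.M):
        groups.setdefault(m.group(2), []).append(m.group(1))
    return groups


def bpdu_policy(config: str) -> Dict[str, str]:
    """Per interface of a transparent context, the fate of inbound BPDUs.

    'permit' or 'deny' comes from first-match evaluation of the bound EtherType
    ACL, with the ACL's implicit deny at the end. 'no-ethertype-acl' means no
    EtherType ACL is bound, so the platform default applies (not asserted here).
    A routed context returns {} because it does not bridge BPDUs at all.
    """
    if not re.search(r"^firewall transparent\s*$", config, re.M):
        return {}
    acls = parse_ethertype_acls(config)
    groups = parse_access_groups(config)
    policy: Dict[str, str] = {}
    for ifname in parse_nameifs(config):
        bound = [a for a in groups.get(ifname, []) if a in acls]
        if not bound:
            policy[ifname] = "no-ethertype-acl"
            continue
        verdict = "deny"  # implicit deny when no entry matches
        for action, ethertype in acls[bound[0]]:
            if ethertype in ("bpdu", "any"):
                verdict = action
                break
        policy[ifname] = verdict
    return policy


def failover_summary(output: str) -> Dict[str, object]:
    """Unit roles and per-interface health pulled out of 'show failover'."""
    summary: Dict[str, object] = {"this": None, "peer": None,
                                  "interfaces": {"this": {}, "peer": {}}}
    side = None
    for line in output.splitlines():
        m = re.match(r"^(This|Peer) context:\s+(.+?)\s*$", line)
        if m:
            side = "this" if m.group(1) == "This" else "peer"
            summary[side] = m.group(2)
            continue
        m = re.match(r"^\s*Interface\s+(\S+)\s+\(.*?\):\s+(\S+)", line)
        if m and side:
            summary["interfaces"][side][m.group(1)] = m.group(2)
    return summary


def loop_risk_report(config: str, failover_output: str) -> List[str]:
    """Findings a defender would want: blocked BPDUs and unhealthy failover state."""
    findings: List[str] = []
    for ifname, verdict in bpdu_policy(config).items():
        if verdict != "permit":
            findings.append(f"{ifname}: BPDUs {verdict}; STP cannot see the far side, loop risk")
    fo = failover_summary(failover_output)
    if fo["this"] == "Active" and fo["peer"] == "Active":
        findings.append("both units report Active: failover pair is split")
    for side, ifaces in fo["interfaces"].items():
        for ifname, state in ifaces.items():
            if state != "Normal":
                findings.append(f"{side} {ifname}: {state}")
    return findings


if __name__ == "__main__":
    print(bpdu_policy(SAMPLE_CONTEXT_CONFIG))
    print(loop_risk_report(SAMPLE_CONTEXT_CONFIG, SAMPLE_FAILOVER) or "no findings")
```

Run it against a `show running-config` and a `show failover` capture from each context of the pair; a context whose report is empty has BPDUs permitted on every bridged interface and a healthy failover state, so a loop seen on the switch then has to come from somewhere else, such as the VLAN set in the `firewall vlan-group` being bridged twice or the second module still forwarding.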