Is it possible to factory restore FWSM

Hi,

Is it possible in FWSM to delete the image that has been loaded in the application partition, e.g. cf:5, so that the FWSM looks like how it came from the store?


Kureli Sankar
Cisco Employee

NO. You just do a "write erase" and reload without saving to wipe the config.

As far as the code, you just have to upload the code that you need via TFTP.

-KS

Thank you for the swift reply. I had a doubt regarding the same. I have installed the 4.0.4 image on cf:4 and cf:5; is there any way to delete what I installed on cf:5?

Hi.

You can't delete the software on a partition. You can only install another one in place of the current one.

Regards,

Fadi.

One more doubt. I have implemented VSS with 12.2sxi4a and FWSM 4-1-3. The doubt regarding this is whether the configuration on the active FWSM will be replicated to the standby FWSM on the standby chassis. I have not deployed failover between the FWSMs, and I have done a VSS FWSM integration with standalone FWSMs.

Yes. It sure will. That is what failover is all about.

Any command that you add to the active unit's configuration will get replicated over to the standby unit via the failover VLAN.

You can see sample configs here: http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/exampl_f.html#wp1049436

If this answers your question pls. mark this thread answered.

Thanks,

Kureli

Thanks Poonguzhali for the reply, but my doubt is this: I am deploying FWSM in VSS with the prescribed IOS and FWSM software, according to the link: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/white_paper_c11_513360.html

If I am deploying FWSMs in standalone mode in VSS and publishing the VLAN groups for both chassis as below

firewall switch 1 module 5 vlan-group 5

firewall switch 2 module 5 vlan-group 5

can I achieve FWSM failover without giving the commands mentioned below on the FWSM? Please note this is an FWSM VSS integration scenario.

failover lan interface faillink vlan 10

failover link statelink vlan 11

failover lan unit primary

failover preempt 5

failover interface ip faillink 192.168.253.1 255.255.255.252 standby 192.168.253.2

failover interface ip statelink 192.168.253.5 255.255.255.252 standby 192.168.253.6

failover interface-policy 50%

failover replication http

failover

I am thinking of it this way: in VSS, if I am putting an FWSM on the primary 6509 and an FWSM on the secondary 6509 (using IOS: 12.2(33)SXI and 4.1.3), the FWSMs will act just like putting 2 FWSMs on a single 6509 chassis. Please correct me if I am wrong.

...

Sreekanth,

You do need to configure failover between the two FWSMs if you want to achieve failover.

Otherwise there is no mechanism to sync config between the two FWSMs when config changes on one unit.

-KS

Thanks Poonguzhali. It was my confusion which led to these doubts on VSS-FWSM integration.

Hi Poonguzhali,

I have one doubt regarding FWSM 4.1. We used to copy the access lists and other configuration to the FWSM using a Telnet console to the FWSM via the session slot command from the 6500 switch. I have seen that when copying more than 5 access-lists at a time to any context, the Telnet session as well as the connectivity is lost for more than 5 minutes, and the switch port on which I connected my laptop is not able to ping the switch SVI. Also, the commands I copied are not reflected in the context configuration. I found this in both 4.0 and 4.1. What might be wrong?

Thanks
Sreekanth V.S

Sreekanth,

Next time it would be nice if you would spin up a new thread for each new issue. This one started off with "restore to factory default", then touched on VSS standalone and failover; now you are talking about access-list copy paste and losing connectivity.

Also, pls. consider rating/marking the post answered when your initial query is answered.

Well I believe the ACL optimization is taking some time to complete.


Could you try to take all the acl and put them on a text file and then upload the file via tftp to the disk: and then "copy disk:/acess-list.txt run"?

Do you have access-list optimization enabled? If so, disable that and try it again.

Look for the command "ACCESS-LIST OPTIMIZATION ENABLED".

Here is the command ref: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/a1.html#wp1622153

-KS

Sorry for that. I will make a new thread for it. Thanks Poonguzhali for the help.
