12-03-2010 03:48 AM - edited 03-11-2019 12:17 PM
Hello
I have a pair of 6509's with an fwsm in each.
FWSM in Switch 1 was active
FWSM in Switch 2 was standby
The FWSM in switch 1 failed, so the FWSM in switch 2 became the active firewall; however, no traffic was being passed.
The status was as follows in the secondary (which is now active) fwsm
sh failover
Failover On
Last Failover at: 07:12:33 UTC Dec 3 2010
This context: Active
Active time: 5647 (sec)
Interface inside (10.0.150.245): Normal (Waiting)
Interface outside (10.0.150.245): Normal (Waiting)
Peer context: Failed
Active time: 106955607 (sec)
Interface inside (10.0.150.246): Normal
Interface outside (10.0.150.246): Normal
When I looked at the ASDM for the firewall pair, the latest syslog messages constantly showed a MAC address being moved from outside to inside, or inside to outside.
If the device was working I should have seen source and destination IP addresses being denied.
Does anyone know what this might be, or what might have happened?
It looks to me that when the active firewall failed the secondary went into an active role but did not fully assume the role. It was resolved by rebooting the failed firewall.
Thanks
Anthony
12-03-2010 05:37 AM
Anthony
Can we see the firewall configs and also the relevant 6500 switch config, i.e. the "firewall vlan-group ..." commands.
Jon
01-20-2011 11:55 AM
I have a concern: I have two FWSMs that I am configuring to function as active/standby failover units. My concern is: has anybody set this up and had the standby FWSM bring down the active FWSM?
I am using router mode, so I do not anticipate any loops.
Will my active FWSM change configuration information when the standby unit is faulty or not configured right?
Thanks for your understanding.
01-20-2011 08:48 PM
Hmm, this is strange. If the VLANs didn't get pushed down properly from the switch, failover will not work and will go into pseudo-standby mode.
The secondary unit shows Normal (Waiting). So, it is able to send failover hellos to the primary unit, and the primary unit is receiving them and also sending, so that shows normal. What does "sh fail" show on the primary unit?
Need the following:
1. sh fail history (from both units)
2. syslogs from the syslog server 15 min before the problem. (specifically FWSM-1 messages)
3. sh fail output from the primary.
Oh wait, this is a transparent firewall. BPDUs: are they allowed, or do you have an EtherType ACL applied on the interfaces?
-KS
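As an added illustration that is not part of the thread, the following script parses the "sh failover" output quoted in the original question (embedded here as a constructed sample) and flags the two things discussed so far: interfaces on the active unit still in Normal (Waiting), and a single address shared by inside and outside. The parser and the finding strings are assumptions of this example, not FWSM or Cisco tooling.

```python
import re

# Constructed sample: the "sh failover" output from the original question.
SAMPLE = """Failover On
Last Failover at: 07:12:33 UTC Dec 3 2010
This context: Active
Active time: 5647 (sec)
Interface inside (10.0.150.245): Normal (Waiting)
Interface outside (10.0.150.245): Normal (Waiting)
Peer context: Failed
Active time: 106955607 (sec)
Interface inside (10.0.150.246): Normal
Interface outside (10.0.150.246): Normal
"""

CONTEXT_RE = re.compile(r"^(This|Peer) context: (\w+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (\w+)(?: \((\w+)\))?$")


def parse_failover(text):
    """Return {'this': {...}, 'peer': {...}}; each has a state and its interface list."""
    units, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONTEXT_RE.match(line)
        if m:  # "This context: Active" / "Peer context: Failed" start a new unit section
            current = "this" if m.group(1) == "This" else "peer"
            units[current] = {"state": m.group(2), "interfaces": []}
            continue
        m = IFACE_RE.match(line)
        if m and current:  # "Interface inside (10.0.150.245): Normal (Waiting)"
            units[current]["interfaces"].append(
                {"name": m.group(1), "ip": m.group(2), "status": m.group(3), "sub": m.group(4)})
    return units


def failover_findings(units):
    """Return human-readable findings for the states this thread is troubleshooting."""
    findings = []
    this = units.get("this", {"state": None, "interfaces": []})
    if this["state"] == "Active":
        # Normal (Waiting): interface is up but no hello has arrived from the peer on it.
        waiting = [i["name"] for i in this["interfaces"] if i["sub"] == "Waiting"]
        if waiting:
            findings.append("active unit has no peer hello yet on: " + ", ".join(waiting))
    if len(this["interfaces"]) > 1 and len({i["ip"] for i in this["interfaces"]}) == 1:
        findings.append("inside/outside share one IP: transparent-mode management address")
    if units.get("peer", {}).get("state") == "Failed":
        findings.append("peer is Failed: collect 'show failover history' from both units")
    return findings
```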
01-21-2011 08:13 AM
I have not deployed the active/standby FWSMs yet; I was just wondering if there have been cases where a standby FWSM brought down an active FWSM because of faulty configuration.
You mentioned a transparent firewall, but the mode that shows up on both of mine is "Router" mode?
01-21-2011 08:57 AM
This is active/active multiple-mode transparent output that you have posted. Inside and outside have the same IP address; that comes from the management address that you configure within the context.
There could be many reasons why misconfiguration could cause issues. If there is a problem with your setup, please post the outputs requested.
Regarding what could cause issues, you can read here:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/failover.html#wp1109123
-KS