Unsuccessful failover of FWSM pair (two chassis)

anthonykahwati
Level 1

Hello

I have a pair of 6509s with an FWSM in each.

FWSM in Switch 1 was active

FWSM in Switch 2 was standby

The FWSM in switch 1 failed, so the FWSM in switch 2 became the active firewall; however, no traffic was being passed.

The status was as follows on the secondary (now active) FWSM:

sh failover
Failover On
Last Failover at: 07:12:33 UTC Dec 3 2010
        This context: Active
                Active time: 5647 (sec)
                Interface inside (10.0.150.245): Normal (Waiting)
                Interface outside (10.0.150.245): Normal (Waiting)
        Peer context: Failed
                Active time: 106955607 (sec)
                Interface inside (10.0.150.246): Normal
                Interface outside (10.0.150.246): Normal

When I looked at the ASDM for the firewall pair, the latest syslog messages constantly showed a MAC address being moved from outside to inside, or inside to outside.

If the device had been working, I should have seen source and destination IP addresses being denied.

Does anyone know what this might be, or what might have happened?

It looks to me that when the active firewall failed, the secondary went into an active role but did not fully assume it. It was resolved by rebooting the failed firewall.

Thanks

Anthony

5 Replies

Jon Marshall
Hall of Fame

Anthony

Can we see the firewall configs and also the relevant 6500 switch config, i.e. the "firewall vlan-group ..." commands?

Jon

I have a concern: I have two FWSMs that I am configuring to function as active/standby failover units. My concern is: has anybody set this up and had the standby FWSM bring down the active FWSM?

I am using router mode, so I do not anticipate any loops.

Will my active FWSM change configuration information when the standby unit is faulty or not configured right?

Thanks for your understanding.

Hmm, this is strange. If the VLANs didn't get pushed down properly from the switch, failover will not work and will go into pseudo-standby mode.

The secondary unit shows Normal (Waiting). So it is able to send failover hellos to the primary unit, and the primary unit is receiving them and also sending, so that shows Normal. What does "sh fail" show on the primary unit?

Need the following:

1. sh fail history (from both units)

2. Syslogs from the syslog server from 15 minutes before the problem (specifically FWSM-1 messages).

3. sh fail output from the primary.

Oh wait. This is a transparent firewall. BPDUs: are they allowed, or do you have an EtherType ACL applied on the interfaces?

-KS

I have not deployed the active/standby FWSMs yet; I was just wondering if there have been cases where a standby FWSM brought down an active FWSM because of faulty configuration.

You mentioned a transparent firewall, but the mode that shows up on both of mine is "Router" mode?

This is active/active multiple-mode transparent output that you have posted. Inside and outside have the same IP address; that comes from the management address that you configure within the context.

There could be many reasons why misconfiguration could cause issues. If there is a problem with your setup, please post the outputs requested.

Regarding what could cause issues, you can read here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/failover.html#wp1109123

-KS
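The two replies from KS above read the posted "sh failover" output by hand: an Active context whose interfaces still show Normal (Waiting), a Peer context marked Failed, and inside/outside sharing one IP (the transparent-mode management address). The following is an added example, not code from the thread or from Cisco, that automates those same checks over captured output so a monitoring job can flag them; the sample text is constructed from the output posted by Anthony, and the finding wording is my own.

```python
import re

# Constructed sample, modelled on the "sh failover" output posted in the thread.
SAMPLE_OUTPUT = """\
Failover On
Last Failover at: 07:12:33 UTC Dec 3 2010
        This context: Active
                Active time: 5647 (sec)
                Interface inside (10.0.150.245): Normal (Waiting)
                Interface outside (10.0.150.245): Normal (Waiting)
        Peer context: Failed
                Active time: 106955607 (sec)
                Interface inside (10.0.150.246): Normal
                Interface outside (10.0.150.246): Normal
"""

CONTEXT_RE = re.compile(r"^\s*(This|Peer) context:\s*(\S+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s*(.+?)\s*$")


def parse_failover(text):
    """Return {'This'|'Peer': {'state': str, 'interfaces': {name: (ip, status)}}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = CONTEXT_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"state": m.group(2), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, status = m.groups()
            result[current]["interfaces"][name] = (ip, status)
    return result


def check_failover(parsed):
    """Flag the three conditions KS pointed out in the posted output."""
    findings = []
    this = parsed.get("This", {"state": None, "interfaces": {}})
    waiting = [n for n, (_, s) in this["interfaces"].items() if "Waiting" in s]
    if this["state"] == "Active" and waiting:
        findings.append("active context still Normal (Waiting) on: " + ", ".join(waiting))
    if parsed.get("Peer", {}).get("state") == "Failed":
        findings.append("peer context Failed: collect 'sh failover history' from both units")
    for side, ctx in parsed.items():
        ips = {ip for ip, _ in ctx["interfaces"].values()}
        if len(ctx["interfaces"]) > 1 and len(ips) == 1:
            findings.append(f"{side} context: interfaces share {ips.pop()} (transparent-mode management address)")
    return findings
```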
