Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
782
Views
0
Helpful
4
Replies

Very weird issue with our FWSM

patoberli
VIP Alumni
VIP Alumni

‎06-22-2009 07:50 AM - edited ‎03-11-2019 08:46 AM

Hi all

We have a redundant Cat6500-E with Sup720-3B and FWSM setup.

Software releases:

Sup: 12.2(33)SHX2

FWSM: 3.2(6)

The issue, if I add several new VLANs to the Catalyst and then give them to the FWSM with the command:

firewall vlan-group 1 14-18,20,21,23...

The usualy appear on the FWSM of this Catalyst. Then I add them on the other Catalyst and there they also apear. But here starts the problem, they don't always do...

When they don't then this message appears on the FWSM:

FWSM#

Vlan configuration mismatch between peers.

Please correct the condition as soon as possible

in order to avoid a possible disabling of failover.

FWSM#

If I login then to this FWSM and make a show vlan, the vlan isn't shown on this FWSM, while on the other, idential configured Catalyst+FWSM it is.

The only solution to get the Vlan working on this FWSM, is to reboot the whole Catalyst. A reload of only the FWSM isn't enough.

Any ideas what this could be or how I could debug this?

Thanks,

Patrick

Labels:
0 Helpful
4 Replies 4

Kureli Sankar
Cisco Employee
Cisco Employee

‎06-22-2009 12:00 PM

Patrick

Seems like you have the FWSMs in active/standby failover setup.

Once you push the extra vlans to one module it will see more vlans than the other and that will break failover and the blades will go into a pseudo standby condition.

Now, you need to push the vlans to the modules at the same time from both the chassis.

sh vlan - should show the exact same vlans on both the FWSM in order for failover to work properly.

Also, make sure these vlans exist in the switch's vlan database as well prior to pushing them down to the FWSM.

0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to Kureli Sankar

‎06-22-2009 10:13 PM

Hi Kusankar

Thanks for your reply.

Can you explain me how I could acomplish to configure both chassis at the same second?

2-3 seconds delay didn't work last time.

The rest is done as you wrote.

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to patoberli

‎06-23-2009 03:07 AM

In that case, failover will go into pseudo standby and once you see the same vlans in both the units you can always enable failover again.

Or you can try the following:

no failover --> in the standby unit

Wait for a few min.

Then push the extra vlans into the active unit and then to the standby unit that has no failover configured.

Make sure sh vlan shows the same vlans on both the units and then enable failover on the standby unit.

Let me know how that goes.

0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to Kureli Sankar

‎06-23-2009 03:54 AM

Thanks for your answer.

I'll try that, but it will probably take 1-4 months until I have the chance to. It's our core network and I can reboot only twice a year and the next one is in 4 weeks. After that, all VLANs should work (until I add new ones).

I'll try to keep this thread in mind when I add new ones next time.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card