VLAN not coming up on passive FWSM

Beat.Traber (Level 1)

I use an active/passive configuration which consists of two WS-C6509-E and FWSM. It's licensed for 50 contexts but only 31 are in use. So far everything works fine!
When I try to add another context, I run into problems. As soon as I add the VLAN on the 6509 (before configuring anything on the FWSM), I get the following message in the FWSM:

        Vlan configuration mismatch between peers.
        Please correct the condition as soon as possible
        in order to avoid a possible disabling of failover.

The VLANs for the new context are 923 (inside) and 3923 (outside).
On both 6509 the VLAN is active and I see an active spanning-tree instance which is in forwarding status on the interface Po308 (which is the FWSM).
I've compared the configuration to other contexts and their VLANs; they look the same (no wonder since I use templates whenever I create a new context).

On the active FWSM I see the following VLANs:
10-12, 433, 451, 758, 811-812, 815, 825, 845, 849, 900-904, 906-907, 909-910, 913-916, 918-919, 921-923, 925, 998, 1695-1698, 2495, 2498, 2505, 2508, 2512, 2517, 3815, 3825, 3838, 3845, 3849, 3900-3910, 3912-3919, 3921-3923, 3925, 3998

whereas on the passive FWSM I see:
10-12, 433, 451, 758, 811-812, 815, 825, 845, 849, 900-904, 906-907, 909-910, 913-916, 918-919, 921-922, 925, 998, 1695-1698, 2495, 2498, 2505, 2508, 2512, 2517, 3815, 3825, 3838, 3845, 3849, 3900-3910, 3912-3919, 3921-3922, 3925, 3998

The difference lies in VLAN 923 and 3923. This is unlike any of the other contexts.

When I configure the system context and allocate the interfaces, these two VLANs are still not available on the passive FWSM. As a result, the interfaces vlan 923 and 3923 remain in status DOWN on the passive side whereas they become UP on the active side. I can't go on from here since this jeopardizes failover!

The funny thing is: I've configured the same context in our second datacenter and it works just fine. (Same Cat6509, same FWSM, same versions).
The only difference I see at the moment is that in our second datacenter fewer contexts are configured (28 instead of 31). Do I run into some sort of allocation bottleneck? There are only 67 VLANs.

I've searched this forum but have found nothing...

Configuration of system:
interface Vlan923
interface Vlan3923
context 923-SSZ-P-DA-DirectoryServ
  allocate-interface Vlan3923
  allocate-interface Vlan923
  allocate-acl-partition 1
  config-url disk:/923-SSZ-P-DA-DirectoryServ.cfg
exit

Configuration of 6509:
firewall multiple-vlan-interfaces
firewall vlan-group 1  10,433,451,758,811,815,825,845,849,900-904,906,907
firewall vlan-group 1  909-911,913-916,918-923,925,998
firewall vlan-group 2  812,1695-1698,3815,3825,3838,3845,3849,3900-3923,3925,3998

Any suggestions would be appreciated

Beat

1 Accepted Solution (mirober2's second reply, below)

4 Replies

mirober2 (Cisco Employee)

Hi Beat,

There are a couple of things you'll want to check:

1. The L2 VLANs for 923 and 3923 are created on the 6500 where the Standby FWSM resides (check 'show vlan' on the switch).

2. If you added the VLANs to the 'firewall vlan-group' before they were actually created on the switch, they will show as down on the FWSM. To fix this, simply remove the VLANs from the 'firewall vlan-group' and then re-add them:

no firewall vlan-group 1 923
firewall vlan-group 1 923
no firewall vlan-group 2 3923
firewall vlan-group 2 3923

Hope that helps.

-Mike
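The comparison Beat did by eye in the opening post (active versus standby VLAN lists) and the remove/re-add step Mike describes above are easy to get wrong on a pair carrying 60-odd VLANs in range notation. The script below is an added example and is not part of this thread or of any Cisco tool: it parses Cisco-style VLAN range strings, reports which VLANs one peer shows and the other does not, lists VLANs present in the 'firewall vlan-group' lines that neither FWSM shows (the case Mike's second check is about), and emits the remove/re-add command pairs for the missing VLANs. The sample input is copied from Beat's post; the function and variable names are my own.

```python
"""Diff the VLAN sets of an FWSM failover pair against the 6500 vlan-group config.

Added illustration, not code from the thread. Input strings are pasted
'show vlan' output from the FWSM and 'firewall vlan-group' lines from the switch.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

VLAN_TOKEN = re.compile(r"(\d+)(?:\s*-\s*(\d+))?")


def parse_vlan_ranges(text: str) -> Set[int]:
    """Turn '10-12, 433, 811-812 , 3998' into {10, 11, 12, 433, 811, 812, 3998}.

    Tolerates stray spaces around commas and hyphens, which pasted output often has.
    Rejects anything outside 1..4094 or a reversed range, to catch copy errors early.
    """
    vlans: Set[int] = set()
    for token in re.split(r"\s*,\s*", text.strip()):
        if not token:
            continue
        m = VLAN_TOKEN.fullmatch(token)
        if not m:
            raise ValueError(f"unparseable VLAN token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"bad VLAN range: {token!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_vlan_groups(config: Iterable[str]) -> Dict[int, Set[int]]:
    """Collect 'firewall vlan-group <n> <list>' lines into {group: vlans}.

    Repeated lines for the same group accumulate, matching how IOS merges them.
    """
    groups: Dict[int, Set[int]] = {}
    for line in config:
        m = re.match(r"\s*firewall vlan-group\s+(\d+)\s+(.+?)\s*$", line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(parse_vlan_ranges(m.group(2)))
    return groups


def peer_mismatch(active: Set[int], standby: Set[int]) -> Tuple[Set[int], Set[int]]:
    """Return (VLANs only on the active peer, VLANs only on the standby peer)."""
    return active - standby, standby - active


def unassigned_on_peer(groups: Dict[int, Set[int]], peer: Set[int]) -> Set[int]:
    """VLANs the switch hands to the firewall that this FWSM does not show at all."""
    assigned: Set[int] = set().union(*groups.values()) if groups else set()
    return assigned - peer


def reassign_commands(groups: Dict[int, Set[int]], missing: Iterable[int]) -> List[str]:
    """Emit the 'no firewall vlan-group' / 'firewall vlan-group' pair per missing VLAN."""
    cmds: List[str] = []
    for vlan in sorted(missing):
        owners = sorted(g for g, vs in groups.items() if vlan in vs)
        if not owners:
            cmds.append(f"! VLAN {vlan} is in no firewall vlan-group; add it first")
        for g in owners:
            cmds.append(f"no firewall vlan-group {g} {vlan}")
            cmds.append(f"firewall vlan-group {g} {vlan}")
    return cmds


# Sample input, copied from the opening post of the thread.
ACTIVE = parse_vlan_ranges(
    "10-12, 433, 451, 758, 811-812 , 815, 825, 845, 849, 900-904 , 906-907 , 909-910 , "
    "913-916 , 918-919 , 921-923 , 925, 998, 1695-1698 , 2495, 2498, 2505, 2508, 2512, 2517, "
    "3815, 3825, 3838, 3845, 3849, 3900-3910 , 3912-3919 , 3921-3923 , 3925, 3998"
)
STANDBY = parse_vlan_ranges(
    "10-12, 433, 451, 758, 811-812 , 815, 825, 845, 849, 900-904 , 906-907 , 909-910 , "
    "913-916 , 918-919 , 921-922 , 925, 998, 1695-1698 , 2495, 2498, 2505, 2508, 2512, 2517, "
    "3815, 3825, 3838, 3845, 3849, 3900-3910 , 3912-3919 , 3921-3922 , 3925, 3998 "
)
GROUPS = parse_vlan_groups([
    "firewall multiple-vlan-interfaces",
    "firewall vlan-group 1  10,433,451,758,811,815,825,845,849,900-904,906,907",
    "firewall vlan-group 1  909-911,913-916,918-923,925,998",
    "firewall vlan-group 2  812,1695-1698,3815,3825,3838,3845,3849,3900-3923,3925,3998",
])

if __name__ == "__main__":
    only_active, only_standby = peer_mismatch(ACTIVE, STANDBY)
    print("only on active :", sorted(only_active))
    print("only on standby:", sorted(only_standby))
    print("in vlan-group but on neither FWSM:", sorted(unassigned_on_peer(GROUPS, ACTIVE) & unassigned_on_peer(GROUPS, STANDBY)))
    print("\n".join(reassign_commands(GROUPS, only_active | only_standby)))
```

On Beat's lists this reports 923 and 3923 as present only on the active peer, which is exactly the pair behind the "Vlan configuration mismatch between peers" message. It also flags 911, 920, 3911 and 3920 as present in the vlan-groups but shown by neither FWSM; the thread does not say why, so treat that as a prompt to run 'show vlan' on both switches rather than as a diagnosis.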

Hello Mike

Thanks for your suggestions.

1. Yes, I've created the VLANs 923 and 3923 on both my 6500s before I started configuration on the FWSM. They're active (otherwise there wouldn't be an active spanning-tree instance).

2. I've removed and added the VLANs to the firewall vlan-group several times already. Makes no difference to the state on the passive FWSM. Even worse: on the passive FWSM they do not appear when using the show vlan command, whereas on the active FWSM they appear immediately, which leads to the vlan configuration mismatch message, which in turn endangers failover. Looks to me as if these VLANs never actually reach the passive FWSM, although they're configured.

I even removed all of the configuration for my new context on the FWSM, which didn't change anything.

So at the moment I'm stuck with both VLANs removed from the firewall vlan-group. Next desperate step will be to remove all of the configuration in connection with the VLANs 923 and 3923 and start all over again.

Beat

Hi Beat,

What version of code is running on the 6500s? This might be caused by this bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsm89104
CSCsm89104 - New VLANs are not being passed/seen by the FWSM

The workaround for that bug is to reload the entire chassis, though this might not be viable in your environment.

-Mike

Hello Mike

Looks like you saved my day! The description matches my problem exactly.

We still run Version 12.2(33)SXH2; looks like we're in for an upgrade or at least a chassis reload.

Thanks very much

Beat
