Problem between fwsm and hsrp standby ip

pd.politiet.no
Level 1

Hi,

I'm having a problem with the HSRP standby VIP address configured on Vlan699 between a 6509 switch and FWSM (in slot 8 in the same 6509).

If I connect a pc in Vlan699, I can ping 6509 Vlan699 SVI ip address, and also the HSRP standby VIP address.  The pc can also ping the FWSM.

PC, 6509 SVI Vlan699 and FWSM are all in the same subnet.

From the FWSM I can ping the 6509 SVI Vlan699 IP address, but not the HSRP standby VIP address. Ping from FWSM to HSRP standby VIP only shows ????? (5 question marks).

Config for vlan 699 on the 6509 switch:

interface Vlan699
description vlan til FWSM admin
ip address 10.10.97.157 255.255.255.248
standby 101 ip 10.10.97.155

"sh standby brief" gives the following output:

Vl699       101  110 P Active  local           unknown         10.10.97.155

But this is ok, since the other 6509 is not connected.

  6509#sh ip arp vrf admin
  Protocol  Address        Age (min)  Hardware Addr   Type   Interface
  Internet  10.10.97.156          0   0012.7956.eef8  ARPA   Vlan699
  Internet  10.10.97.157          -   0008.e3ff.fc04  ARPA   Vlan699
  Internet  10.10.97.153         38   0013.c42a.1b00  ARPA   Vlan699
  Internet  10.10.97.155          -   0000.0c07.ac65  ARPA   Vlan699

153 is the FWSM

156 is the pc

157 is the IP address for Vlan 699

155 is the standby IP address for Vlan 699

  FWSM/datacenter# sh arp
  admin 10.10.97.156 0012.7956.eef8
  admin 10.10.97.157 0008.e3ff.fc04

No ARP for the 156 address...

Any ideas what to look for?

Br

Geir
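A cross-check of the two ARP tables quoted above, added here as an example and not part of the original post: it parses the 6509 `sh ip arp` and FWSM `sh arp` output, flags HSRPv1 virtual MACs (0000.0c07.acXX, where the last byte is the group number) and lists the addresses the FWSM has not resolved. The sample text is copied from the post; the function names and the `self_ips` parameter are my own.

```python
import re

# Sample output constructed from the tables quoted in the post above.
SWITCH_ARP = """\
Protocol  Address        Age (min)  Hardware Addr   Type   Interface
Internet  10.10.97.156          0   0012.7956.eef8  ARPA   Vlan699
Internet  10.10.97.157          -   0008.e3ff.fc04  ARPA   Vlan699
Internet  10.10.97.153         38   0013.c42a.1b00  ARPA   Vlan699
Internet  10.10.97.155          -   0000.0c07.ac65  ARPA   Vlan699
"""
FWSM_ARP = """\
admin 10.10.97.156 0012.7956.eef8
admin 10.10.97.157 0008.e3ff.fc04
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
IOS_ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+" + MAC + r"\s+ARPA\s+(\S+)", re.M | re.I)
FWSM_ARP_RE = re.compile(r"^(\S+)\s+(\S+)\s+" + MAC, re.M | re.I)
HSRP_V1_MAC_PREFIX = "0000.0c07.ac"  # HSRPv1 well-known virtual MAC prefix


def parse_ios_arp(text):
    """Map IP -> MAC from IOS 'show ip arp' output."""
    return {ip: mac.lower() for ip, _age, mac, _intf in IOS_ARP_RE.findall(text)}


def parse_fwsm_arp(text):
    """Map IP -> MAC from FWSM 'show arp' output (context, ip, mac)."""
    return {ip: mac.lower() for _ctx, ip, mac in FWSM_ARP_RE.findall(text)}


def hsrp_group(mac):
    """Return the HSRPv1 group encoded in a virtual MAC, or None if not HSRP."""
    if mac.lower().startswith(HSRP_V1_MAC_PREFIX):
        return int(mac[-2:], 16)
    return None


def compare(switch_text, fwsm_text, self_ips=()):
    """Report HSRP VIPs seen by the switch and entries the FWSM lacks or disagrees on.
    self_ips: the FWSM's own addresses, which never appear in its own ARP cache."""
    sw, fw = parse_ios_arp(switch_text), parse_fwsm_arp(fwsm_text)
    report = {"vips": {}, "missing_on_fwsm": [], "mac_mismatch": []}
    for ip, mac in sw.items():
        group = hsrp_group(mac)
        if group is not None:
            report["vips"][ip] = group
        if ip in self_ips:
            continue
        if ip not in fw:
            report["missing_on_fwsm"].append(ip)
        elif fw[ip] != mac:
            report["mac_mismatch"].append(ip)
    return report
```

Running `compare(SWITCH_ARP, FWSM_ARP, self_ips=("10.10.97.153",))` shows group 101 behind 10.10.97.155 and that this VIP is the only entry the FWSM never resolved.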

5 Replies

pd.politiet.no
Level 1

Did a fast drawing of the problem.

Geir

pd.politiet.no
Level 1

Could this be an IOS issue between FWSM and 6509?

6509 is running Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXJ, RELEASE SOFTWARE (fc3)
FWSM is running FWSM Firewall Version 4.0(8) (Device Manager Version 6.1(5)F)

Br

Geir

Did an upgrade to 4.1.5 for the FWSM, and also tried 12.2(33)SXI4 for the 6509. No changes.

The strange thing is that this works fine in the production environment. The only difference is the two 6509s running HSRP for Vlan699, showing one active and one standby. In test I only have one 6509.

This makes me think that a failure of one of the 6509s in production will cause problems between the remaining 6509 and the FWSM.

Br

Geir

OK, an update: it seems that the FWSM is logging ARP requests for standby VIP 10.10.97.155, but "show interface" does not show any increase in output packets.

Doing a ping to SVI Vlan699 10.10.97.157, with replies, shows an increase in output packets.

FWSM: Unable to send ARP request

This looks like an earlier FWSM bug (CSCsc33624), but that was fixed way back in time.

We keep digging into the problem...

Do I need to enter "Running activation key" for the FWSM?

Geir

OK, I found the problem. I run the FWSM in multiple contexts: System, Admin and one security context. I've been working with the security context, not figuring out why it didn't work. The Admin context works, since I've been using it for upgrading the software. But the System context I hadn't looked much into. Then I took a closer look. The system context is configured for failover, using 2 VLANs (680 and 681). These VLANs were not created on the switch. After creating those VLANs, it all works. I still don't understand the function of the system context for this, but it works, and I guess the system context is important for the whole FWSM to work properly. So case closed.

Br

Geir
