FWSM failover

Guys,
I have a doubt about failover with FWSM.
I have 2 Cisco 6500 with FWSM board. They work with Active (Primary) / Standby (Standby).
These days, I had a problem with the Active, then the Standby was changed to Active, ok.
When the Primary returned, I checked that the Secondary FWSM configuration had a line: "no failover"
I didn't understand why the Secondary changed this line, because before the problem this line was "failover".
So, I had to change this line, putting: failover, and then it normalized.
Does someone know why the Secondary FWSM changed the line failover to no failover? Is it normal? Could I configure it not to change?
Thank you!
Anderson.

Hi Anderson,
The most common cause of this is if you have a different set of VLANs passed to the FWSMs. Check the output of 'show run | i firewall' on both 6500s and make sure the output matches exactly on both sides.
-Mike

Similar Messages

  • Ask the Expert:Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

    With Prashanth Goutham R.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham. 
    Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA is a key component of the Cisco SecureX Framework and protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
    Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
    Remember to use the rating system to let Prashanth know if you have received an adequate response. 
    Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hello John,
    This session is on Failover Functionality on all Cisco Firewalls. I'm not a geek on QOS, however I have the answer for what you need. The way to limit traffic would be to enable QOS Policing on your Firewalls. The requirement that you have is about limiting 4 different tunnels to be utilizing the set limits and drop any further packets. This is called Traffic Policing. I tried out the following in my lab and it looks good.
    access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0
    access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0
    access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0
    access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0
    class-map Tunnel_Policy1
     match access-list tunnel_one
    class-map Tunnel_Policy2
     match access-list tunnel_two
    class-map Tunnel_Policy3
     match access-list tunnel_three
    class-map Tunnel_Policy4
     match access-list tunnel_four
    policy-map tunnel_traffic_limit
     class Tunnel_Policy1
      police output 4096000
    policy-map tunnel_traffic_limit
     class Tunnel_Policy2
      police output 5734400
    policy-map tunnel_traffic_limit
     class Tunnel_Policy3
      police output 2457600
    policy-map tunnel_traffic_limit
     class Tunnel_Policy4
      police output 4915200
    service-policy tunnel_traffic_limit interface outside
    You might want to watch out for the following changes in values:
    HTTS-SEC-R2-7-ASA5510-02(config-cmap)# policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy1
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 4096000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy2
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 5734400
    WARNING: police rate 5734400 not supported. Rate is changed to 5734000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config)# policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy3
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 2457600
    WARNING: police rate 2457600 not supported. Rate is changed to 2457500
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy4
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 4915200
    WARNING: police rate 4915200 not supported. Rate is changed to 4915000
    I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might get finally. I used this website to calculate your Kilobyte values to Bits: http://www.matisse.net/bitcalc/
    The Final outputs of the configured values were :
    Class-map: Tunnel_Policy1
      Output police Interface outside:
        cir 4096000 bps, bc 128000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy2
      Output police Interface outside:
        cir 5734000 bps, bc 179187 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy3
      Output police Interface outside:
        cir 2457500 bps, bc 76796 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy4
      Output police Interface outside:
        cir 4915000 bps, bc 153593 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html
    Hope that helps..

  • Fwsm failover times in real crash

    Hi,
    I have got two cat6k VSS and two service modules FWSM.
    How fast will the FWSM switch over to the backup firewall after an active-fw crash/power down?

    Hi,
    The initial 15 seconds detection time can be reduced to 3 seconds, by tuning failover polltime and holdtime to the following:
    "failover polltime unit 1 holdtime 3"
    Also keep in mind that after switchover the new active will establish a nbr relation with the nbr router. At any point of time the standby does not participate in the OSPF process, so in short the new active has to re-establish adjacencies.
    Hope that helps.
    Thanks,
    Varun

  • FWSM Failover - Possible with different hardware versions?

    Hi, I need to replace a FWSM module currently running as the primary unit in a failover configuration installed in two 6509s. The replacement FWSM module is a newer hardware version than the current module it is to replace. Obviously I will ensure the same IOS and licenses are installed on the new module but will having a difference in the hardware versions affect the failover configuration?
    The faulty module being replaced has the following hardware config:
    HW 3.0
    FW 7.2(1)
    The replacement module has the following config:
    HW 4.2
    FW 7.2(1)
    Thanks in advance for any help..

    Daniel, this is a good question for TAC. I do not see any documentation on FWSM requiring the same hardware version; the failover requires the same code and you are correct on that one. I don't think hardware version differences may affect failover. I would suggest having it cleared by TAC.
    Jorge

  • SW-6509-FWSM failover Troubleshooting First aid

    Fault Description:
    (1)
    Between the active FWSM and standby FWSM inside interfaces, ping fails.
    on side FWSM---active: ping 172.17.1.50 -------OK, ping 172.17.1.49------ping fails;
    on side FWSM---standby: ping 172.17.1.49--------OK, ping 172.17.1.50-------ping fails;
    but between the active FWSM and standby FWSM outside interfaces, ping is OK.
    on side FWSM---active: ping 172.17.1.36, ping 172.17.1.37, ping 172.17.1.35/33/34/, ping www.baidu.com -----------All OK;
    on side FWSM---standby: ping 172.17.1.36, ping 172.17.1.37, ping 172.17.1.35/33/34/, ping www.baidu.com-----------All OK;
    (2)
    Another problem:
    active FWSM and standby FWSM inside interface, ping 7706-------All fails.
    Summary: May be caused by FWSM.
    Topology: Attachment
    FWSM:
    FWSM# show failover state
    ====My State===
    Primary | Active |
    ====Other State===
    Secondary | Standby |
    ====Configuration State===
        Interface config Syncing - STANDBY
        Sync Done
    ====Communication State===
        Mac set
    =========Failed Reason==============
    My Fail Reason:
        Ifc Failure
    Other Fail Reason:
        Comm Failure
    FWSM# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: lan Vlan 997 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 15 seconds
    Interface Policy 50%
    Monitored Interfaces 42 of 250 maximum
    Config sync: active
    Version: Ours 4.0(13), Mate 4.0(13)
    Last Failover at: 19:08:24 Beijing Dec 2 2013
        This host: Primary - Active
            Active time: 358944 (sec)
        Interface outside (172.17.1.36): Normal
        Interface inside (172.17.1.49): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready
            Active time: 0 (sec)
        Interface outside (172.17.1.37): Normal
        Interface inside (172.17.1.50): Normal (Not-Monitored)
    (Not-Monitored) -----------------??????

    That's what I thought, but then again, from the 6500 config prompt I actually get echo replies(!) from the FWCTX, with capture enabled as:
         access-list CAP permit ip any any
         capture mgmt access-list CAP interface MGMT packet-length 1500 circular-buffer
    But it shows blank and no hit counts. The same happens using RTMonitor in ASDM (6.2.(2f)): some packets that are permitted and routed correctly aren't actually noticed. I don't get any logging for the missing/dropped/denied echo replies from the FWCTX to the 6500 MSFC nor for the successful replies from the 6500 to the FWCTX with ASDM Debugging logging on.

  • FWSM Failover configuration - One Context

    Hi,
    Is it possible to configure only one context in H.A. in FWSM? Yesterday I tried to configure this but I can't.
    Please check my configuration and tell me your opinion, or if it is not possible, maybe I have to configure all contexts in H.A.
    This message appears in the console when I activate the FAILOVER
    Nov 23 2011 19:20:04: %FWSM-1-105002: (Secondary) Enabling failover.
    Nov 23 2011 19:20:08: %FWSM-1-105038: (Secondary) Interface count mismatch
    Nov 23 2011 19:20:08: %FWSM-1-104002: (Secondary) Switching to STNDBY - Other unit has different set of vlans configured
    Nov 23 2011 19:20:11: %FWSM-1-105001: (Secondary) Disabling failover.
    Nov 23 2011 19:23:58: %FWSM-6-302010: 0 in use, 46069 most used
    FWSM-Primario# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILLINK Vlan 1100 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 15 seconds
    Interface Policy 50%
    Monitored Interfaces 1 of 250 maximum
    failover replication http
    Config sync: active
    Version: Ours 4.1(5), Mate 4.1(5)
    Last Failover at: 19:18:35 UTC Nov 23 2011
            This host: Primary - Active
                    Active time: 1125 (sec)
                    admin Interface inside (10.1.1.1): Normal (Not-Monitored)
                    admin Interface outside (20.1.1.1): No Link (Not-Monitored)
                    FW-GoB-Fija Interface WASOB2N-SISOB2N-Fija (10.115.30.36): Normal (Waiting)
                    GESTION-WAS Interface OUTSIDE (10.116.20.22): Normal (Not-Monitored)
                    GESTION-WAS Interface U2000 (10.123.20.1): Normal (Not-Monitored)
            Other host: Secondary - Cold Standby
                    Active time: 0 (sec)
                    admin Interface inside (0.0.0.0): Unknown (Not-Monitored)
                    admin Interface outside (0.0.0.0): Unknown (Not-Monitored)
                    FW-GoB-Fija Interface WASOB2N-SISOB2N-Fija (10.115.30.37): Unknown (Waiting)
                    GESTION-WAS Interface OUTSIDE (0.0.0.0): Unknown (Not-Monitored)
                    GESTION-WAS Interface U2000 (0.0.0.0): Unknown (Not-Monitored)
    Stateful Failover Logical Update Statistics
            Link : STATELINK Vlan 1101 (up)
            Stateful Obj    xmit       xerr       rcv        rerr     
            General         0          0          0          0       
            sys cmd         0          0          0          0       
            up time         0          0          0          0       
            RPC services    0          0          0          0       
            TCP conn        0          0          0          0       
            UDP conn        0          0          0          0       
            ARP tbl         0          0          0          0       
            Xlate_Timeout   0          0          0          0       
            AAA tbl         0          0          0          0       
            DACL            0          0          0          0       
            Acl optimization        0          0          0          0       
            OSPF Area SeqNo         0          0          0          0       
            Mamba stats msg         0          0          0          0       
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       0       0
            Xmit Q:         0       0       0
    FWSM-Primario# 
    FWSM-Primario#
    The configuration in the SW-6500
    SW-PRIMARY#sh run | in fire
    firewall multiple-vlan-interfaces
    firewall module 3 vlan-group 1,2
    firewall vlan-group 1  10,20,25,400,1709
    firewall vlan-group 2  1100,1101,1111,1112
    SW-SECUNDARY#sh run | in fire
    firewall multiple-vlan-interfaces
    firewall module 3 vlan-group 1,2
    firewall vlan-group 1  900,1709
    firewall vlan-group 2  1100,1101,1111,1112
    ip subnet-zero
    FWSM-Primario(config)# sh run
    : Saved
    FWSM Version 4.1(5) <system>
    resource acl-partition 12
    hostname FWSM-Primario
    hostname secondary FWSM-Secundario
    domain-name cisco.com
    enable password 8Ry2YjIyt7RRXU24 encrypted
    interface Vlan10
    interface Vlan29
    shutdown
    interface Vlan400
    interface Vlan1100
    description LAN Failover Interface
    interface Vlan1101
    description STATE Failover Interface
    interface Vlan1111
    description FWSW_7200_GoB_Fija
    interface Vlan1112
    description FWSW_7200_GoB_BA
    interface Vlan1709
    passwd 2KFQnbNIdI.2KYOU encrypted
    class default
      limit-resource IPSec 5
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
      limit-resource All 0
    ftp mode passive
    pager lines 24
    failover
    failover lan unit primary
    failover lan interface FAILLINK Vlan1100
    failover replication http
    failover link STATELINK Vlan1101
    failover interface ip FAILLINK 10.115.30.17 255.255.255.252 standby 10.115.30.18
    failover interface ip STATELINK 10.115.30.21 255.255.255.252 standby 10.115.30.22
    failover group 1
      preempt
      replication http
    no asdm history enable
    arp timeout 14400
    console timeout 0
    admin-context admin
    context admin
      allocate-interface Vlan10
      allocate-interface Vlan29
      config-url disk:/admin.cfg
    context GESTION-WAS
      allocate-interface Vlan1709
      allocate-interface Vlan400
      config-url disk:/GESTION-WAS
    context FW-GoB-Fija
      allocate-interface Vlan1111
      allocate-interface Vlan1112
      config-url disk:/FW-GoB-Fija.cfg
      join-failover-group 1
    prompt hostname context
    Cryptochecksum:8b5fabc676745cfbafd6569c623a98b1
    : end
    SECONDARY FIREWALL.
    FWSM# sh run
    : Saved
    FWSM Version 4.1(5) <system>
    resource acl-partition 12
    hostname FWSM
    domain-name cisco.com
    enable password S13FcA2URRiGrTIN encrypted
    interface Vlan100
    shutdown
    interface Vlan900
    interface Vlan1100
    description LAN Failover Interface
    interface Vlan1101
    description STATE Failover Interface
    interface Vlan1111
    interface Vlan1112
    interface Vlan1709
    passwd 2KFQnbNIdI.2KYOU encrypted
    class default
      limit-resource IPSec 5
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
      limit-resource All 0
    ftp mode passive
    pager lines 24
    no failover
    failover lan unit secondary
    failover lan interface FAILLINK Vlan1100
    failover replication http
    failover link STATELINK Vlan1101
    failover interface ip FAILLINK 10.115.30.17 255.255.255.252 standby 10.115.30.18
    failover interface ip STATELINK 10.115.30.21 255.255.255.252 standby 10.115.30.22
    failover group 1
      preempt
      replication http
    no asdm history enable
    arp timeout 14400
    console timeout 0
    admin-context PCBA-NAT
    context PCBA-NAT
      allocate-interface Vlan1709
      allocate-interface Vlan900
      config-url disk:/PCBA-NAT
    context FW-GoB-Fija
      allocate-interface Vlan1111
      allocate-interface Vlan1112
      config-url disk:/FW-GoB-Fija
      join-failover-group 1
    prompt hostname context
    Cryptochecksum:c7529707b6d10d02c296a57253a925b2
    : end
    FWSM#
    I WILL APPRECIATE YOUR COMMENTS, BECAUSE IT'S IMPORTANT; THE FWSM SUPPORTS 3 CONTEXTS BY DEFAULT.
    Regards,
    Robert Soto.

    Hi Robert,
    Unfortunately no, this is not possible.
    Since you enable failover at the system level, all contexts will participate in failover and there is no way to change this.
    Additionally, both firewalls in the failover pair must have identical licenses, VLANs, and software versions in order for failover to work properly.
    -Mike
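
Added example (not part of the original posts and not Cisco tooling): the check Mike describes in both threads above, comparing the VLANs each 6500 passes to its FWSM, run over the `sh run | in fire` output posted in this thread. The function names and the support for VLAN ranges such as `20-22` are assumptions of this example.

```python
import re

# Output of 'sh run | in fire' exactly as posted above for the two 6500s.
PRIMARY = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1,2
firewall vlan-group 1  10,20,25,400,1709
firewall vlan-group 2  1100,1101,1111,1112
"""
SECONDARY = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1,2
firewall vlan-group 1  900,1709
firewall vlan-group 2  1100,1101,1111,1112
"""

GROUP_RE = re.compile(r"^firewall vlan-group\s+(\d+)\s+(.+)$")
MODULE_RE = re.compile(r"^firewall module\s+(\d+)\s+vlan-group\s+(.+)$")


def expand(spec):
    """Expand a list such as '10,20-22,400' into a set of integers."""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def module_vlans(text):
    """Return {module slot: set of VLANs passed to that module}."""
    groups, modules = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = GROUP_RE.match(line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(expand(m.group(2)))
            continue
        m = MODULE_RE.match(line)
        if m:
            modules.setdefault(int(m.group(1)), set()).update(expand(m.group(2)))
    # Resolve each module's vlan-group numbers to the VLANs in those groups.
    return {
        slot: set().union(*(groups.get(g, set()) for g in gids))
        for slot, gids in modules.items()
    }


def compare(primary_text, secondary_text, pri_slot, sec_slot):
    """Diff the VLAN sets handed to the FWSM in each chassis."""
    pri_all = module_vlans(primary_text)
    sec_all = module_vlans(secondary_text)
    if pri_slot not in pri_all or sec_slot not in sec_all:
        # An absent 'firewall module' line must not look like a match.
        raise ValueError("no 'firewall module' line for the given slot")
    pri, sec = pri_all[pri_slot], sec_all[sec_slot]
    return {
        "only_primary": sorted(pri - sec),
        "only_secondary": sorted(sec - pri),
        "match": pri == sec,
    }


if __name__ == "__main__":
    result = compare(PRIMARY, SECONDARY, 3, 3)
    print("VLANs only on primary 6500:  ", result["only_primary"])
    print("VLANs only on secondary 6500:", result["only_secondary"])
    print("Failover prerequisite met:   ", result["match"])
```

Any VLAN reported on only one side corresponds to the `Other unit has different set of vlans configured` message in the log above, after which the secondary disables failover.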

  • FWSM Failover times

    Hi Folks
    I have 2 6509's with FWSM in them. They are configured in active standby failover.... default values
    The 6500's are OSPF routers also. Everything is redundant: HSRP, FWSM etc.
    When we reboot one of the 6500's it takes approximately 45 seconds for the standby FWSM to become active.
    Is this normal? Can the time be shortened?
    Any comments appreciated.

    Hi,
    The initial 15 seconds detection time can be reduced to 3 seconds, by tuning failover polltime and holdtime to the following:
    "failover polltime unit 1 holdtime 3"
    Also keep in mind that after switchover the new active will establish a nbr relation with the nbr router. At any point of time the standby does not participate in the OSPF process, so in short the new active has to re-establish adjacencies.
    Hope that helps.
    Thanks,
    Varun

  • FWSM failover 6500

    Hi Folks,
    Firstly, is this the right forum to post threads about FWSM's? We have 2 FWSM's in two separate 6500 switches. There are a number of contexts on each FWSM.
    I want to fail a context from one FWSM over to the other 6500 and FWSM. Can you tell me how I can do that? Do I need to do it in the admin context and do I need to do it on the admin context of each 6500?
    Thanks,
    Netter

    Hi Jennifer,
    Great, yes we have a group 1 and a group 2 and some contexts live on each 6500. I cannot failover the whole group as it's operational and I just want to failover the test context I am working on.
    So I will have to move the context from one failover group to the next as you suggested. What is the best way to do this? Which admin context do I change it on first or does it matter? Should I change it on the context where it is currently live and then hop on the other 6500 and change it there?
    Do I need to do a no command first like this?
    no join-failover-group 2
    then
    join-failover-group 1
    on both admin contexts.

  • FWSM Failover configuration

    Dear,
    I have two FWSMs and we want to set up failover on the two FWSMs. My FWSM has 20 monitored interfaces, but we want to put a standby IP address on only nine VLAN interfaces, not on the others. I checked the configuration guide and see that all VLAN interfaces have a standby IP. Can I set up my FWSM with a standby IP on only nine interfaces, or must I configure all interfaces with a standby IP?
    I will appreciate your answer.
    Thanks,
    Robert Soto

    Hi Robert,
    better would be this message to be posted in the Security section https://supportforums.cisco.com/community/netpro/security/firewall.
    As to your question you can have the FWSM with some interfaces configured with the standby IP address and some other without. However in the process of detecting if the mate is really down only the interfaces with the standby IP address will be used.
    Moreover I expect the interfaces with no standby IP address not to swap the MAC addresses after the failover.
    HTH
    Alessandro
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • FWSM Failover Pair Upgrade

    I was told that it was necessary to completely disable a failover configuration before separately reloading the pair to boot into the new software.
    However, I'm not seeing that in any of the documentation...which simply says to install the software, make the secondary active, reload the primary, etc.
    Is this correct that the failover has to be disabled?
    Thanks.

    My experience is that the Cisco documentation is correct (i.e., it is NOT necessary to disable failover).
    I (carefully) followed the procedure described here successfully.

  • Upgrading FWSMs in Failover Pair

    Due to a bug, we are upgrading our Dual Chassis FWSM Failover pair from 1.1.2 to 1.1.4. I want to minimize downtime; can anyone point me to some documentation or briefly explain the best process? From 2.2 documentation it appears I can upgrade between maintenance releases while maintaining failover capabilities; was this the case with 1.1? Or is the "Replacement of Failover Unit after Hardware Failure" the best process to failover even though one unit has not failed?

    The doc in FWSM 2.2 for the faulty module replacement can serve as guideline.
    http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_tech_note09186a0080531753.shtml
    But as stated in FWSM FAQ -failover for ver 1.1 (http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_qanda_item0900aecd800fa578.shtml), this might be your case. FWSM running ver 2.2 provides more flexibility and minimizes downtime with the 'online upgrade' features. This feature is not available in code 1.1.x.
    Therefore, when performing the upgrade, rebooting both FWSM modules is inevitable, but at least with a very minimum downtime (time taken for the module to get online and working).
    What you can do is to 'break' the standby FWSM from the failover process, and perform the upgrade. Repeat the same process for both blades. See attachment for detailed instructions.
    HTH
    AK

  • FWSM interface monitoring and best practices documentation.

    Hello everyone
     I have a couple of questions regarding vlan interface monitoring and best practices specifically for this service module.
     I couldn’t find a suggestion or guideline as for how to define a VLAN interface on a management station. The FWSM total throughput is 5.5gbs and the interfaces are mapped to vlans carried on trunks over 10gb etherchannels. Is there a common practice, or past experience, to set some physical parameters to logical interfaces? "show interface" command states BW as unknown.
     Additionally, do any of you have a document addressing best practices for FWSM? I have this for other platforms and general recommendations based on newer ASA versions but nothing related to FWSM.
    Thanks a lot!
    Regards
    Guido

    Hi,
    If you are looking for some more commands to check for the throughput through the module:
    show firewall module <number> traffic
    Also , I think as this is End of life , you might have to check for some old documentation from Cisco on the best practices.
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/prod_white_paper0900aecd805457cc.html
    https://supportforums.cisco.com/discussion/11540181/ask-expertconfiguring-troubleshooting-best-practices-asa-fwsm-failover
    Thanks and Regards,
    Vibhor Amrodia

  • FWSM system space does not replicate part of configuration

    Hi
    I have FWSM failover pair, Active/Active configuration, admin and another 4 contexts, a few contexts active on the first FWSM, others on the second FWSM.
    I needed to add VLANs 51 and 52 to FWSM
    I created VLANs on both Cat6500, created firewall vlan-group 3 and put "firewall module1 vlan-group 3" on both cat6500
    Then I logged in to the system space on the primary FWSM and created interface VLAN.
    The created VLANs automatically occurred in the system space on the Secondary FWSM.
    Then I wanted to allocate VLAN 51 and 52 to context XY, so I went to the part of the configuration for context XY and did "allocate-interface Vlan51" and "allocate-interface Vlan52".
    But this part did not replicate to the system space on the Secondary FWSM, I do not know why.
    I tried for example shutdown interface101 in system space on Primary FWSM. This action was replicated.
    pnfkepolsa17# sh failover state
    ====My State===
    Primary | Active |
    ====Other State===
    Secondary | Standby |
    ====Configuration State===
           Interface config Syncing - STANDBY
           Sync Done - STANDBY
    ====Communication State===
           Mac set
    =========Failed Reason==============
    My Fail Reason:
    Other Fail Reason:
    pnfkepolsa17#
    pnfkepolsa17# sh failover state
    ====My State===
    Secondary | Standby |
    ====Other State===
    Primary | Active |
    ====Configuration State===
           Interface config Syncing - STANDBY
           Sync Done
           Sync Done - STANDBY
    ====Communication State===
           Mac set
    =========Failed Reason==============
    My Fail Reason:
    Other Fail Reason:
           Comm Failure
    pnfkepolsa17#
    I found this message in the log of Cat6500
    000160: Jun 11 20:34:22.405: %SVCLC-5-SVCLCMULTI: Group 3 being tied to more than one module
    Why is this problem?
    Peter

    I found an explanation:
    Error Message    %SVCLC-5-SVCLCMULTI: Group [dec] being tied to more than one module
    Explanation    The specified group is tied to multiple service modules. A group should not be associated with more than one service module unless a failover configuration is being used.
    Recommended Action    If a failover configuration is in use, no action is required. Otherwise enter the show svclc module command to find out which group is being tied to more than one module. Then remove multiple associations by entering the no svclc module mod vlan-group group command.
    I want to use vlan-group 3 for FWSM and for ACE module too.
    Which kind of failover was mentioned?
    Peter

  • Security context

    In our project we have 2 WL6.0 sp1 servers. One server as webserver which has all
    presentation logic. Another is EJB server. On the EJB server custom RDBMS realm
    is installed.
    In order to have the same users and groups on the webserver I need some kind of
    proxy realm which delegates all calls to the EJB server. My question: is it possible
    to do that in some easiest way? Like clustering ..

    Hello,
    The procedure can be found here:
    For a single FWSM:
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/swcnfg_f.html#wp1048072
    For a FWSM failover pair:
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/swcnfg_f.html#wp1073518
    Hope that helps.
    -Mike

  • How do I use Cisco MARS to monitor two FWSMs in two Cat6500 in failover ?

    Hello,
    I understand that I can add both Catalysts to MARS and that I can add the primary FWSM as a module to the primary catalyst as well. But how can I add the secondary FWSM?
    Any ideas appreciated
    Thanks

    If you have already configured the primary, you don't have to configure the secondary. No need to configure the secondary as it is not recommended to do so. In case of a failover the secondary firewall will automatically take over the active configuration (e.g. IP address) of the primary, so the source of the syslogs will remain the same.
