FWSM failover
Guys,
I have a doubt about failover with FWSM.
I have 2 Cisco 6500 with FWSM board. They work with Active (Primary) /Standby (Standby).
These days, I had a problem with the Active, then the Standby was changed to Active, ok.
When the Primary returned, I checked that the Secondary FWSM configuration had a line: "no failover"
I didn't understand why the Secondary changed this line, because before the problem this line was "failover".
So, I had to change this line, putting: failover, and then it normalized.
Does someone know why the Secondary FWSM changed the line failover to no failover? Is it normal? Could I configure it not to change?
Thank you!
Anderson.
Hi Anderson,
The most common cause of this is if you have a different set of VLANs passed to the FWSMs. Check the output of 'show run | i firewall' on both 6500s and make sure the output matches exactly on both sides.
-Mike
Similar Messages
-
Ask the Expert:Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover
With Prashanth Goutham R.
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham.
Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA is a key component of the Cisco SecureX Framework, protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
Remember to use the rating system to let Prashanth know if you have received an adequate response.
Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
Hello John,
This session is on Failover Functionality on all Cisco Firewalls. I'm not a geek on QOS, however I have the answer for what you need. The way to limit traffic would be to enable QOS Policing on your Firewalls. The requirement that you have is about limiting 4 different tunnels to be utilizing the set limits and drop any further packets. This is called Traffic Policing. I tried out the following in my lab and it looks good.
access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0
access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0
access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0
access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0
class-map Tunnel_Policy1
 match access-list tunnel_one
class-map Tunnel_Policy2
 match access-list tunnel_two
class-map Tunnel_Policy3
 match access-list tunnel_three
class-map Tunnel_Policy4
 match access-list tunnel_four
policy-map tunnel_traffic_limit
 class Tunnel_Policy1
  police output 4096000
policy-map tunnel_traffic_limit
 class Tunnel_Policy2
  police output 5734400
policy-map tunnel_traffic_limit
 class Tunnel_Policy3
  police output 2457600
policy-map tunnel_traffic_limit
 class Tunnel_Policy4
  police output 4915200
service-policy tunnel_traffic_limit interface outside
You might want to watch out for the following changes in values:
HTTS-SEC-R2-7-ASA5510-02(config-cmap)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy1
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 4096000
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy2
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 5734400
WARNING: police rate 5734400 not supported. Rate is changed to 5734000
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy3
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 2457600
WARNING: police rate 2457600 not supported. Rate is changed to 2457500
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy4
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 4915200
WARNING: police rate 4915200 not supported. Rate is changed to 4915000
I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might get finally. I used this website to calculate your Kilobyte values to Bits: http://www.matisse.net/bitcalc/
The Final outputs of the configured values were :
Class-map: Tunnel_Policy1
 Output police Interface outside:
  cir 4096000 bps, bc 128000 bytes
  conformed 0 packets, 0 bytes; actions: transmit
  exceeded 0 packets, 0 bytes; actions: drop
  conformed 0 bps, exceed 0 bps
Class-map: Tunnel_Policy2
 Output police Interface outside:
  cir 5734000 bps, bc 179187 bytes
  conformed 0 packets, 0 bytes; actions: transmit
  exceeded 0 packets, 0 bytes; actions: drop
  conformed 0 bps, exceed 0 bps
Class-map: Tunnel_Policy3
 Output police Interface outside:
  cir 2457500 bps, bc 76796 bytes
  conformed 0 packets, 0 bytes; actions: transmit
  exceeded 0 packets, 0 bytes; actions: drop
  conformed 0 bps, exceed 0 bps
Class-map: Tunnel_Policy4
 Output police Interface outside:
  cir 4915000 bps, bc 153593 bytes
  conformed 0 packets, 0 bytes; actions: transmit
  exceeded 0 packets, 0 bytes; actions: drop
  conformed 0 bps, exceed 0 bps
Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html
Hope that helps.. -
Fwsm failover times in real crash
Hi,
I have got two cat6k VSS and two FWSM service modules.
How fast will the FWSM switch over to the backup firewall after an active-fw crash/power down?
Sent from Cisco Technical Support iPad App
Hi,
The initial 15 seconds detection time can be reduced to 3 seconds, by tuning failover polltime and holdtime to the following:
"failover polltime unit 1 holdtime 3"
Also keep in mind that after switchover the new active will establish nbr relation with nbr router. At any point of time the standby does not participate in the OSPF process, so in short the new active has to re-establish adjacencies.
Hope that helps.
Thanks,
Varun -
FWSM Failover - Possible with different hardware versions?
Hi, I need to replace a FWSM module currently running as the primary unit in a failover configuration installed in two 6509s. The replacement FWSM module is a newer hardware version than the current module it is to replace. Obviously I will ensure the same IOS and licenses are installed on the new module but will having a difference in the hardware versions affect the failover configuration?
The faulty module being replaced has the following hardware config:
HW 3.0
FW 7.2(1)
The replacement module has the following config:
HW 4.2
FW 7.2(1)
Thanks in advance for any help..
Daniel, this is a good question for TAC. I do not see any documentation on FWSM requiring the same hardware version; the failover requires the same code and you are correct on that one. I don't think hardware version differences may affect failover; I would suggest having it cleared by TAC.
Jorge -
SW-6509-FWSM failover Troubleshooting First aid
Fault Description:
(1)
Between the active FWSM and standby FWSM inside interfaces, ping fails.
On the FWSM---active side: ping 172.17.1.50 ------- OK, ping 172.17.1.49 ------ ping fails;
On the FWSM---standby side: ping 172.17.1.49 -------- OK, ping 172.17.1.50 ------- ping fails;
But between the active FWSM and standby FWSM outside interfaces, ping is OK.
On the FWSM---active side: ping 172.17.1.36, ping 172.17.1.37, ping 172.17.1.35/33/34/, ping www.baidu.com ----------- All OK;
On the FWSM---standby side: ping 172.17.1.36, ping 172.17.1.37, ping 172.17.1.35/33/34/, ping www.baidu.com ----------- All OK;
(2)
Another problem:
From the active FWSM and standby FWSM inside interfaces, ping 7706 ------- All fail.
Summary: May be caused by the FWSM.
Topology: Attachment
FWSM :
FWSM# show failover state
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
Interface config Syncing - STANDBY
Sync Done
====Communication State===
Mac set
=========Failed Reason==============
My Fail Reason:
Ifc Failure
Other Fail Reason:
Comm Failure
FWSM# show failover
Failover On
Failover unit Primary
Failover LAN Interface: lan Vlan 997 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 42 of 250 maximum
Config sync: active
Version: Ours 4.0(13), Mate 4.0(13)
Last Failover at: 19:08:24 Beijing Dec 2 2013
This host: Primary - Active
Active time: 358944 (sec)
Interface outside (172.17.1.36): Normal
Interface inside (172.17.1.49): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (172.17.1.37): Normal
Interface inside (172.17.1.50): Normal (Not-Monitored)
(Not-Monitored) -----------------??????
That's what I thought, but then again, from the 6500 config prompt I actually get echo replies (!) from the FWCTX, with capture enabled as:
access-list CAP permit ip any any
capture mgmt access-list CAP interface MGMT packet-length 1500 circular-buffer
But it shows blank and no hit counts. The same happens using RTMonitor in ASDM (6.2.(2f)): some packets that are permitted and routed correctly aren't actually noticed. I don't get any logging for the missing/dropped/denied echo replies from the FWCTX to the 6500 MSFC nor for the successful replies from the 6500 to the FWCTX with ASDM Debugging logging on. -
FWSM Failover configuration - One Context
Hi,
Is it possible to configure only one context in H.A. in FWSM? Yesterday I tried to configure this but I can't.
Please check my configuration and tell me your opinion, or whether it is not possible; maybe I have to configure all contexts in H.A.
This message appears in the console when I activate the FAILOVER
Nov 23 2011 19:20:04: %FWSM-1-105002: (Secondary) Enabling failover.
Nov 23 2011 19:20:08: %FWSM-1-105038: (Secondary) Interface count mismatch
Nov 23 2011 19:20:08: %FWSM-1-104002: (Secondary) Switching to STNDBY - Other unit has different set of vlans configured
Nov 23 2011 19:20:11: %FWSM-1-105001: (Secondary) Disabling failover.
Nov 23 2011 19:23:58: %FWSM-6-302010: 0 in use, 46069 most used
FWSM-Primario# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILLINK Vlan 1100 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 1 of 250 maximum
failover replication http
Config sync: active
Version: Ours 4.1(5), Mate 4.1(5)
Last Failover at: 19:18:35 UTC Nov 23 2011
This host: Primary - Active
Active time: 1125 (sec)
admin Interface inside (10.1.1.1): Normal (Not-Monitored)
admin Interface outside (20.1.1.1): No Link (Not-Monitored)
FW-GoB-Fija Interface WASOB2N-SISOB2N-Fija (10.115.30.36): Normal (Waiting)
GESTION-WAS Interface OUTSIDE (10.116.20.22): Normal (Not-Monitored)
GESTION-WAS Interface U2000 (10.123.20.1): Normal (Not-Monitored)
Other host: Secondary - Cold Standby
Active time: 0 (sec)
admin Interface inside (0.0.0.0): Unknown (Not-Monitored)
admin Interface outside (0.0.0.0): Unknown (Not-Monitored)
FW-GoB-Fija Interface WASOB2N-SISOB2N-Fija (10.115.30.37): Unknown (Waiting)
GESTION-WAS Interface OUTSIDE (0.0.0.0): Unknown (Not-Monitored)
GESTION-WAS Interface U2000 (0.0.0.0): Unknown (Not-Monitored)
Stateful Failover Logical Update Statistics
Link : STATELINK Vlan 1101 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
AAA tbl 0 0 0 0
DACL 0 0 0 0
Acl optimization 0 0 0 0
OSPF Area SeqNo 0 0 0 0
Mamba stats msg 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
FWSM-Primario#
FWSM-Primario#
The configuration in the SW-6500
SW-PRIMARY#sh run | in fire
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1,2
firewall vlan-group 1 10,20,25,400,1709
firewall vlan-group 2 1100,1101,1111,1112
SW-SECUNDARY#sh run | in fire
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1,2
firewall vlan-group 1 900,1709
firewall vlan-group 2 1100,1101,1111,1112
ip subnet-zero
FWSM-Primario(config)# sh run
: Saved
FWSM Version 4.1(5) <system>
resource acl-partition 12
hostname FWSM-Primario
hostname secondary FWSM-Secundario
domain-name cisco.com
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Vlan10
interface Vlan29
shutdown
interface Vlan400
interface Vlan1100
description LAN Failover Interface
interface Vlan1101
description STATE Failover Interface
interface Vlan1111
description FWSW_7200_GoB_Fija
interface Vlan1112
description FWSW_7200_GoB_BA
interface Vlan1709
passwd 2KFQnbNIdI.2KYOU encrypted
class default
limit-resource IPSec 5
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
limit-resource All 0
ftp mode passive
pager lines 24
failover
failover lan unit primary
failover lan interface FAILLINK Vlan1100
failover replication http
failover link STATELINK Vlan1101
failover interface ip FAILLINK 10.115.30.17 255.255.255.252 standby 10.115.30.18
failover interface ip STATELINK 10.115.30.21 255.255.255.252 standby 10.115.30.22
failover group 1
preempt
replication http
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
allocate-interface Vlan10
allocate-interface Vlan29
config-url disk:/admin.cfg
context GESTION-WAS
allocate-interface Vlan1709
allocate-interface Vlan400
config-url disk:/GESTION-WAS
context FW-GoB-Fija
allocate-interface Vlan1111
allocate-interface Vlan1112
config-url disk:/FW-GoB-Fija.cfg
join-failover-group 1
prompt hostname context
Cryptochecksum:8b5fabc676745cfbafd6569c623a98b1
: end
SECUNDARY FIREWALL.
FWSM# sh run
: Saved
FWSM Version 4.1(5) <system>
resource acl-partition 12
hostname FWSM
domain-name cisco.com
enable password S13FcA2URRiGrTIN encrypted
interface Vlan100
shutdown
interface Vlan900
interface Vlan1100
description LAN Failover Interface
interface Vlan1101
description STATE Failover Interface
interface Vlan1111
interface Vlan1112
interface Vlan1709
passwd 2KFQnbNIdI.2KYOU encrypted
class default
limit-resource IPSec 5
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
limit-resource All 0
ftp mode passive
pager lines 24
no failover
failover lan unit secondary
failover lan interface FAILLINK Vlan1100
failover replication http
failover link STATELINK Vlan1101
failover interface ip FAILLINK 10.115.30.17 255.255.255.252 standby 10.115.30.18
failover interface ip STATELINK 10.115.30.21 255.255.255.252 standby 10.115.30.22
failover group 1
preempt
replication http
no asdm history enable
arp timeout 14400
console timeout 0
admin-context PCBA-NAT
context PCBA-NAT
allocate-interface Vlan1709
allocate-interface Vlan900
config-url disk:/PCBA-NAT
context FW-GoB-Fija
allocate-interface Vlan1111
allocate-interface Vlan1112
config-url disk:/FW-GoB-Fija
join-failover-group 1
prompt hostname context
Cryptochecksum:c7529707b6d10d02c296a57253a925b2
: end
FWSM#
I WILL APPRECIATE YOUR COMMENTS, BECAUSE IT'S IMPORTANT, THE FWSM SUPPORT FOR DEFAULT 3 CONTEXT.
Regards,
Robert Soto.
Hi Robert,
Unfortunately no, this is not possible.
Since you enable failover at the system level, all contexts will participate in failover and there is no way to change this.
Additionally, both firewalls in the failover pair must have identical licenses, VLANs, and software versions in order for failover to work properly.
-Mike -
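The check Mike describes in both answers, applied to the two `sh run | in fire` outputs Robert posted, as an added example (not code from the thread or from Cisco). It resolves each `firewall module ... vlan-group` line to the VLANs actually passed to the FWSM and reports the difference; the function names are made up for this example, and range syntax such as `20-22` is accepted although the posted configs use only comma lists.

```python
"""Compare the VLANs two Catalyst 6500s pass to their FWSMs (added example)."""
import re

# 'sh run | in fire' output copied from the post above.
SW_PRIMARY = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1,2
firewall vlan-group 1 10,20,25,400,1709
firewall vlan-group 2 1100,1101,1111,1112
"""
SW_SECONDARY = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1,2
firewall vlan-group 1 900,1709
firewall vlan-group 2 1100,1101,1111,1112
"""


def expand(spec):
    """Expand a list such as '10,20-22,400' into {10, 20, 21, 22, 400}."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def module_vlans(config):
    """Return {module number: set of VLANs passed to that module}."""
    groups = {}   # vlan-group id -> VLANs in the group
    modules = {}  # module number -> vlan-group ids assigned to it
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"firewall vlan-group (\d+)\s+(.+)$", line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(expand(m.group(2)))
            continue
        m = re.match(r"firewall module (\d+) vlan-group\s+(.+)$", line)
        if m:
            modules.setdefault(int(m.group(1)), set()).update(expand(m.group(2)))
    return {
        mod: set().union(*(groups.get(g, set()) for g in gids))
        for mod, gids in modules.items()
    }


def compare(primary_cfg, secondary_cfg, pri_module, sec_module):
    """Diff the VLAN sets handed to the FWSM in each chassis."""
    a = module_vlans(primary_cfg).get(pri_module, set())
    b = module_vlans(secondary_cfg).get(sec_module, set())
    return {
        "match": a == b,
        "only_primary": sorted(a - b),
        "only_secondary": sorted(b - a),
    }


if __name__ == "__main__":
    result = compare(SW_PRIMARY, SW_SECONDARY, 3, 3)
    if result["match"]:
        print("VLAN sets match")
    else:
        print("VLAN mismatch between the two chassis")
        print("  only on primary switch:  ", result["only_primary"])
        print("  only on secondary switch:", result["only_secondary"])
```

For the posted configs this reports VLANs 10, 20, 25 and 400 only on the primary switch and VLAN 900 only on the secondary, which is the condition the `%FWSM-1-104002` message in the log above names before failover is disabled.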
Hi Folks
I have 2 6509's with fwsm in them. They are configured in active standby failover.... default values
the 6500's are OSPF routers also. Everything is redundant HSRP, FWSM etc.
when we reboot one of the 6500's it takes approximately 45 seconds for the standby FWSM to become active.
Is this normal? can the time be shortened?
any comments appreciated.
Hi,
The initial 15 seconds detection time can be reduced to 3 seconds, by tuning failover polltime and holdtime to the following:
"failover polltime unit 1 holdtime 3"
Also keep in mind that after switchover the new active will establish nbr relation with nbr router. At any point of time the standby does not participate in the OSPF process, so in short the new active has to re-establish adjacencies.
Hope that helps.
Thanks,
Varun -
Hi Folks,
Firstly, is this the right forum to post threads about FWSMs? We have 2 FWSMs in two separate 6500 switches. There are a number of contexts on each FWSM.
I want to fail a context from one FWSM over to the other 6500 and FWSM. Can you tell me how I can do that? Do I need to do it in the admin context and do I need to do it on the admin context of each 6500?
Thanks,
Netter
Hi Jennifer,
Great, yes we have a group 1 and a group 2 and some contexts live on each 6500. I cannot failover the whole group as its operational and I just want to failover the test context I am working on.
So I will have to move the context from one failover group to the next as you suggested. What is the best way to do this? Which admin context do I change it on first or does it matter? Should I change it on the context where it is currently live and then hop on the other 6500 and change it there?
do I need to do a no command first like this?
no join-failover-group 2
then
join-failover-group 1
on both admin contexts. -
Dear,
I have two FWSMs and we want to set up failover on the two FWSMs. My FWSM has 20 monitored interfaces, but we want to put a standby IP address on only nine VLAN interfaces and not on the others. I checked the configuration guide and I see that all VLAN interfaces have a standby IP. Can I set up my FWSM with a standby IP on only nine interfaces, or must I configure all interfaces with a standby IP?
I will appreciate your answer.
Thanks,
Robert Soto
Hi Robert,
better would be this message to be posted in the Security section https://supportforums.cisco.com/community/netpro/security/firewall.
As to your question you can have the FWSM with some interfaces configured with the standby IP address and some other without. However in the process of detecting if the mate is really down only the interfaces with the standby IP address will be used.
Moreover I expect the interfaces with no standby IP address not to swap the MAC addresses after the failover.
HTH
Alessandro
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
I was told that it was necessary to completely disable a failover configuration before separately reloading the pair to boot into the new software.
However, I'm not seeing that in any of the documentation...which simply says to install the software, make the secondary active, reload the primary, etc.
Is this correct that the failover has to be disabled?
Thanks.
My experience is that the Cisco documentation is correct (i.e., it is NOT necessary to disable failover).
I (carefully) followed the procedure described here successfully. -
Upgrading FWSMs in Failover Pair
Due to a bug, we are upgrading our Dual Chassis FWSM Failover pair from 1.1.2 to 1.1.4. I want to minimize downtime; can anyone point me to some documentation or briefly explain the best process? From the 2.2 documentation it appears I can upgrade between maintenance releases while maintaining failover capabilities; was this the case with 1.1? Or is the "Replacement of Failover Unit after Hardware Failure" the best process to fail over even though one unit has not failed?
The doc in FWSM 2.2 for the faulty module replacement can serve as guideline.
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_tech_note09186a0080531753.shtml
But as stated in FWSM FAQ -failover for ver 1.1 (http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_qanda_item0900aecd800fa578.shtml), this might be your case. FWSM running ver2.2 provide more flexibility and minimize downtime with the 'online upgrade' features. This feature is not available in code 1.1.x.
Therefore, when performing the upgrade, rebooting both FWSM modules is inevitable, but at least with a very minimum downtime (time taken for the module to get online and working).
What you can do is to 'break' the standby FWSM from the failover process, and perform the upgrade. Repeat the same process for both blades. See attachment for detailed instructions.
HTH
AK -
FWSM interface monitoring and best practices documentation.
Hello everyone
I have a couple of questions regarding vlan interface monitoring and best practices specifically for this service module.
I couldn’t find a suggestion or guideline as for how to define a VLAN interface on a management station. The FWSM total throughput is 5.5gbs and the interfaces are mapped to vlans carried on trunks over 10gb etherchannels. Is there a common practice, or past experience, to set some physical parameters to logical interfaces? "show interface" command states BW as unknown.
Additionally, do any of you have a document addressing best practices for FWSM? I have this for other platforms and general recommendations based on newer ASA versions but nothing related to FWSM.
Thanks a lot!
Regards
Guido
Hi,
If you are looking for some more commands to check the throughput through the module:-
show firewall module <number> traffic
Also , I think as this is End of life , you might have to check for some old documentation from Cisco on the best practices.
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/prod_white_paper0900aecd805457cc.html
https://supportforums.cisco.com/discussion/11540181/ask-expertconfiguring-troubleshooting-best-practices-asa-fwsm-failover
Thanks and Regards,
Vibhor Amrodia -
FWSM system space does not replicate part of configuration
Hi
I have FWSM failover pair, Active/Active configuration, admin and another 4 context, few context active on first FWSM, other on second FWSM.
I needed to add VLANs 51 and 52 to FWSM
I created VLANs on both Cat6500, created firewall vlan-group 3 a and put "firewall module1 vlan-group 3" on both cat6500
Then I log in in system space on primary FWSM and created interface VLAN.
The created VLANs automatically appeared in system space on the Secondary FWSM.
Then I wanted to allocate VLAN 51 and 52 to context XY, so I went to the part of the configuration for context XY and entered "allocate-interface Vlan51" and "allocate-interface Vlan52".
But this part did not replicate to system space on the Secondary FWSM, I do not know why.
I tried, for example, to shut down interface 101 in system space on the Primary FWSM. This action was replicated.
pnfkepolsa17# sh failover state
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
Interface config Syncing - STANDBY
Sync Done - STANDBY
====Communication State===
Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
pnfkepolsa17#
pnfkepolsa17# sh failover state
====My State===
Secondary | Standby |
====Other State===
Primary | Active |
====Configuration State===
Interface config Syncing - STANDBY
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
Comm Failure
pnfkepolsa17#
I found this message in the log of the Cat6500
000160: Jun 11 20:34:22.405: %SVCLC-5-SVCLCMULTI: Group 3 being tied to more than one module
Why is this problem?
Peter
I found explanation:
Error Message %SVCLC-5-SVCLCMULTI: Group [dec] being tied to more than one module
Explanation The specified group is tied to multiple service modules. A group should not be associated with more than one service module unless a failover configuration is being used.
Recommended Action If a failover configuration is in use, no action is required. Otherwise enter the show svclc module command to find out which group is being tied to more than one module. Then remove multiple associations by entering the no svclc module mod vlan-group group command.
I want to use vlan-group 3 for FWSM and for ACE module too.
which kind of failover was mentioned?
Peter -
In our project we have 2 WL6.0 sp1 servers. One server as webserver which has all
presentation logic. Another is EJB server. On the EJB server custom RDBMS realm
is installed.
In order to have the same users and groups on the webserver I need some kind of
proxy realm which delegates all calls to the EJB server. My question it possible
to do that in some easiest way? Like clustering ..
Hello,
The procedure can be found here:
For a single FWSM:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/swcnfg_f.html#wp1048072
For a FWSM failover pair:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/swcnfg_f.html#wp1073518
Hope that helps.
-Mike -
How do I use Cisco MARS to monitor two FWSMs in two Cat6500 in failover ?
Hello,
I understand that I can add both Catalysts to MARS and that I can add the primary FWSM as a module to the primary catalyst as well. But how can I add the secondary FWSM?
Any ideas appreciated
Thanks
If you have already configured the primary, you don't have to configure the secondary. No need to configure the secondary as it is not recommended to do so. In case of a failover the secondary firewall will automatically take over the active configuration (EX: IP address) of the primary, so the source of the syslogs will remain the same.