FWSM module flapping on 6509 backplane

I have a 6509 with an active FWSM in slot 3 and failover (standby) in slot 4.
I noticed today that a message appeared in my switch log that the module in slot 3 was seemingly flapping between the port-channels on the backplane. Po307 should be the active FWSM and as far as I know, Po308 should be the failover/standby.
The message was
%MAC_MOVE-SP-4-NOTIF: Host 0016.c782.eb80 in vlan 307 is flapping between port po308 and po307
And a bunch of vlans are listed in this error, which represent the firewalled vlans on the FWSM.
When I check to see if there was a failover event on the FWSM, it does not indicate that there was.
What might be going on here?

Hi,
The switch has its normal vibrations and over time those vibrations can cause a module to slightly come away from the backplane. When this happens, the supervisor's keepalive polling does not receive a response from the module within the allotted time and the supervisor reboots the module in order to try to gain a better connection to it. If the module still does not respond to the polls, the supervisor continuously reboots the module, and eventually puts it into error-disable and does not allow any power to reach the module.
A simple reseat of the module corrects this issue 90 percent of the time. If you reseat the module, it realigns the switch fabric and ensures a firm connection to the backplane.
Also refer to this post.
HTH
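Added example, not part of the original thread: a small parser for the %MAC_MOVE-SP-4-NOTIF lines quoted above that groups the notifications per host and VLAN and separates the case that matters here (a MAC moving only between the two FWSM backplane port-channels, i.e. both modules sourcing frames with the same MAC, which is what to check against "show failover" on both units and the failover/state VLAN) from an ordinary layer-2 flap. The slot-to-port-channel mapping (Po307/Po308) and the sample log lines are assumptions constructed for the example, not data from the thread.

```python
import re
from collections import Counter, defaultdict

# Pattern for the supervisor's MAC-move notification as quoted in the question.
MAC_MOVE_RE = re.compile(
    r"%MAC_MOVE-SP-4-NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and (?P<p2>\S+)",
    re.IGNORECASE,
)

# Assumption: the backplane port-channels of the active/standby FWSM pair, as in
# the question (slot 3 -> Po307, slot 4 -> Po308). Adjust to your chassis.
FWSM_PAIRS = {frozenset({"po307", "po308"})}


def parse_mac_move(line):
    """Return {mac, vlan, ports} for a MAC_MOVE line, or None for any other line."""
    m = MAC_MOVE_RE.search(line)
    if not m:
        return None
    return {
        "mac": m["mac"].lower(),
        "vlan": int(m["vlan"]),
        "ports": frozenset({m["p1"].lower(), m["p2"].lower()}),
    }


def summarize(lines):
    """Count notifications per (mac, vlan) and per unordered port pair."""
    per_host = defaultdict(Counter)
    for line in lines:
        ev = parse_mac_move(line)
        if ev:
            per_host[(ev["mac"], ev["vlan"])][ev["ports"]] += 1
    return per_host


def classify(summary, threshold=3):
    """Findings at or above threshold as (mac, vlan, ports, count, verdict).

    'fwsm-pair': the MAC moves only between the two FWSM port-channels, so both
    modules are sourcing frames with that MAC; verify failover state on both units
    and the failover/state VLAN rather than looking for a cabling loop.
    'other': an ordinary L2 flap (loop, dual-homed host, duplicate MAC).
    """
    findings = []
    for (mac, vlan), port_counts in summary.items():
        for ports, n in port_counts.items():
            if n < threshold:
                continue
            verdict = "fwsm-pair" if ports in FWSM_PAIRS else "other"
            findings.append((mac, vlan, tuple(sorted(ports)), n, verdict))
    return sorted(findings)


# Constructed sample: three flaps of the FWSM MAC in VLAN 307, one in VLAN 310,
# an unrelated flap between two access ports, and a line that is not a MAC move.
SAMPLE_LOG = """\
Jun 27 09:00:01.100 IST: %MAC_MOVE-SP-4-NOTIF: Host 0016.c782.eb80 in vlan 307 is flapping between port po308 and po307
Jun 27 09:00:01.150 IST: %MAC_MOVE-SP-4-NOTIF: Host 0016.c782.eb80 in vlan 310 is flapping between port po308 and po307
Jun 27 09:00:02.100 IST: %MAC_MOVE-SP-4-NOTIF: Host 0016.c782.eb80 in vlan 307 is flapping between port po307 and po308
Jun 27 09:00:03.100 IST: %MAC_MOVE-SP-4-NOTIF: Host 0016.c782.eb80 in vlan 307 is flapping between port po308 and po307
Jun 27 09:00:04.100 IST: %MAC_MOVE-SP-4-NOTIF: Host 0011.2233.4455 in vlan 20 is flapping between port Gi2/7 and Gi2/8
Jun 27 09:00:05.100 IST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet2/8, changed state to down
"""

if __name__ == "__main__":
    for mac, vlan, ports, n, verdict in classify(summarize(SAMPLE_LOG.splitlines())):
        print(f"{mac} vlan {vlan} {ports[0]}<->{ports[1]} x{n}: {verdict}")
```

Feed it the output of "show logging" (or the syslog collector's file) instead of SAMPLE_LOG; the threshold keeps a single move during a planned failover from raising a finding.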

Similar Messages

  • Replacing Faulty FWSM module in Cluster

    Hi,
    We have a faulty FWSM module in a Cisco 6509 switch in Active/Standby cluster mode.
    We have purchased a refurbished FWSM module to replace it. It has the same FWSM OS 4.0(4) and is in factory default configuration.
    What procedures should I follow to make this unit live and sync the config from the current active unit to this one?
    Can one of you please explain the steps to me? A link to an article which explains this would be great.
    Thanks,
    Chandru

    Hi Bro
    Firstly, insert the newly purchased refurbished Cisco FWSM module into the slot where the faulty Cisco FWSM module was originally located. Second, paste the configuration from the working unit into this newly purchased refurbished Cisco FWSM module. Note: please do ensure that under the failover commands, one side is primary and the other side is secondary. Lastly, issue the command show failover to ensure the failover status, i.e. NORMAL, is in good working condition.
    I’ve done this countless times, you should do just fine. This is easy.
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html
    Regards,
    Ram

  • Two FWSM module act as Single

    Hi ALL,
    We have two switches, and two FWSM modules are inserted into the two switches. Can I add the FWSM as a separate device instead of a module, because I can't telnet to the FWSM from the switch? The customer is not ready to configure the telnet option. The FWSM modules are working in active/active mode, so a single virtual IP is configured. How can I add the FWSM module in this network?

    You can use it as a separate device. For further description, the following URL for the configuration of the FWSM will help you:
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/context.html

  • IDS Links are flapping in 6509

    Hi...
    IDSM sensing interfaces are flapping in a 6509 switch, and log shipping also stops intermittently. Can anyone help?
    Jun 27 13:51:02.716 IST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet2/8, changed state to down
    Jun 27 13:51:03.484 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/8, changed state to up
    Jun 27 13:51:02.764 IST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet2/8, changed state to down
    Jun 27 13:51:03.268 IST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet2/7, changed state to up

    Hi Gangadhar,
    It is normal to see the promiscuous interfaces go up and down.
    Another scenario is during configuration changes. When signature updates are installed, configuration changes made, or when signature tunings are performed, it is expected to have the interface go down and then back up again.
    Apart from the above two cases, this issue is seen if the sensor is oversubscribed or extremely busy and moved to bypass mode.
    Hope this answers your query.
    Thulasi Shankar

  • Eq 8080 commands not being entered on FWSM module

    Hi There,
       I'm having an issue with some Firewalls in my network. I have several firewall modules (WS-SVC-FWM-1) in 6509s,
    FWSM Firewall Version 2.3(3) <system>
    FWSM Device Manager Version 4.1(3)
    I'm trying to enter the following rules
    access-list ACL-IN extended permit ip host X.X.X.0 X.X.X.0 255.255.255.0 eq 8080
    access-list ACL-IN extended permit ip host X.X.X.1 X.X.X.0 255.255.255.0 eq 8080
    access-list ACL-IN extended permit ip host X.X.X.2 X.X.X.0 255.255.255.0 eq 8080
    access-list ACL-OUT extended permit ip X.X.X.0 255.255.255.0 host X.X.X.0 eq 8080
    access-list ACL-OUT extended permit ip X.X.X.0 255.255.255.0 host X.X.X.1 eq 8080
    access-list ACL-OUT extended permit ip X.X.X.0 255.255.255.0 host X.X.X.2 eq 8080
    What happens is, these commands don't go into the configuration, and I don't get an error, but any rule after it also does not get copied into the config when I copy and paste a list of commands. All the commands before it go in no problem.
    Does it not like eq 8080? Can I not do 'permit ip' with an eq command? Do I have to use 'permit tcp' to enter the command?
    Thanks.

    If you are going to specify a port you need to use the TCP or UDP protocol.  You are specifying IP so you will get an error because of this.
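Added example, not from the thread: a linter for the extended ACE shape used in the question that flags a port operator (eq, neq, gt, lt, range) combined with a protocol that carries no ports, which is exactly the "permit ip ... eq 8080" case, and proposes the tcp form. The sample configuration is constructed in RFC 5737 documentation address space; the choice of tcp (rather than udp) for the suggested rewrite is an assumption the linter makes, not something the thread decides.

```python
import re

# Extended ACE shape used on the FWSM/ASA: access-list NAME extended ACTION PROTO ...
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.+)$",
    re.IGNORECASE,
)
PORT_OPERATORS = {"eq", "neq", "gt", "lt", "range"}
PORT_CAPABLE_PROTOCOLS = {"tcp", "udp"}


def lint_ace(line, assumed_proto="tcp"):
    """Return None if the ACE is acceptable, else (reason, suggested_line).

    A port operator only makes sense with tcp or udp; with 'ip' the line is not
    accepted, and when pasted in bulk the rejection is easy to miss. The rewrite
    substitutes assumed_proto (tcp here, an assumption); whether the service on
    8080 is tcp or udp in your environment is for the administrator to confirm.
    """
    m = ACE_RE.match(line.strip())
    if not m:
        return None  # not an extended ACE; outside the scope of this check
    proto = m["proto"].lower()
    ops = [t for t in m["rest"].split() if t.lower() in PORT_OPERATORS]
    if ops and proto not in PORT_CAPABLE_PROTOCOLS:
        fixed = f"access-list {m['name']} extended {m['action']} {assumed_proto} {m['rest']}"
        return (f"port operator '{ops[0]}' is not valid with protocol '{proto}'", fixed)
    return None


def lint_config(text):
    """Lint every line of a pasted config; return [(line_number, reason, suggested_line)]."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        result = lint_ace(line)
        if result:
            findings.append((n, *result))
    return findings


# Constructed sample mirroring the thread's ACL shape (RFC 5737 addresses).
SAMPLE_CONFIG = """\
access-list ACL-IN extended permit ip host 192.0.2.10 192.0.2.0 255.255.255.0
access-list ACL-IN extended permit ip host 192.0.2.11 192.0.2.0 255.255.255.0 eq 8080
access-list ACL-IN extended permit tcp host 192.0.2.12 192.0.2.0 255.255.255.0 eq 8080
access-list ACL-OUT extended permit udp 192.0.2.0 255.255.255.0 host 192.0.2.13 range 5000 5010
access-list ACL-OUT extended permit ip 192.0.2.0 255.255.255.0 host 192.0.2.14 eq www
access-group ACL-IN in interface inside
"""

if __name__ == "__main__":
    for n, reason, fixed in lint_config(SAMPLE_CONFIG):
        print(f"line {n}: {reason}\n  suggest: {fixed}")
```

Run it over the file you are about to paste; anything it reports would otherwise stop the paste at that line, as described in the question.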

  • 6500 has IDSM-2 and FWSM modules

    I got a task to configure a Catalyst 6509 with supervisor engine sup720-10g-3c, which has FWSM and IDSM-2 service modules.
    What considerations should I take, and is there any configuration example for both?
    thank you for your help

    There are many posts on this forum on this subject; did you try using the search function?
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml
    Regards
    Farrukh

  • Cisco 6516 FWSM Module problem

    Hi
    We have a 6513 Cisco FW with 2 FWSMs in Active/Standby failover. When the primary module is in the active state, the users' sessions are suddenly disconnected while ping is OK (no request timed out packets). Now we have to work with only one module; what should we do?
    Thankx
    Dalia

    Hello Dalia,
    Could you explain the issue a little further?
    Are you saying that when having both FWSM in active/standby and with the primary in active state all of the sessions are dropped except ICMP?
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • ACE10-6500-K9 module in catalyst 6509 gives this error

    Hello
    I have a module ACE10-6500-K9 inserted in slot 8 of a Catalyst 6509 that gave me this error yesterday.
    The workaround is to manually reset the slot, ok? I tried a reload and the problem persists. Is a hardware reset necessary to solve this problem?
    Is it due to a bug or a hardware problem?
    %C6KPWR-SP-4-DISABLED: power to module in slot 8 set off (Module not responding to Keep Alive polling)
    Thanks you very much

    Hi, a.serrano
    The meaning of the message is as it says. The Sup, to be specific the Switch Processor of the Sup, sent continual keepalives through the EOBC path and
    did not hear keepalives back from the ACE in slot 8. So the Sup reset the ACE blade in slot 8.
    From the message alone I can only say that it could be h/w related, s/w related, or due to a loosely inserted blade.
    If it is h/w related, whether it is the chassis slot, the chassis EOBC path or the ACE blade, the first thing you need to check for is
    failures in Generic Online Diagnostics (GOLD) from the Sup side.
    Let's see what diagnostics are running on the ACE blade.
    Router#show diagnostic content module 1
    Module 1: Application Control Engine Module
      Diagnostics test suite attributes:
         M/C/* - Minimal bootup level test / Complete bootup level test / NA
           B/* - Basic ondemand test / NA
         P/V/* - Per port test / Per device test / NA
         D/N/* - Disruptive test / Non-disruptive test / NA
           S/* - Only applicable to standby unit / NA
           X/* - Not a health monitoring test / NA
           F/* - Fixed monitoring interval test / NA
           E/* - Always enabled monitoring test / NA
           A/I - Monitoring is active / Monitoring is inactive
           R/* - Power-down line cards and need reload supervisor / NA
           K/* - Require resetting the line card after the test has completed  / NA
           T/* - Shut down all ports and need reload supervisor / NA
                                                              Test  Interval   Thre-
       ID   Test Name                          Attributes      day  hh:mm:ss.ms shold
       ==== ================================== ============     =============== =====
         1) TestEobcStressPing --------------> ***D*X**I***    not  configured  n/a
         2) TestFirmwareDiagStatus ----------> M**N****I***    000  00:00:15.00 10
         3) TestAsicSync --------------------> ***N****A***    000  00:00:15.00 10
    With the ACE blade, "3) TestAsicSync" has the "A" flag, which means "Monitoring is active".
    The SP of the Sup is sending polling packets at a certain interval to check the health of an ASIC on the ACE blade.
    Now let's see the failure count of that test.
    Router#show diagnostic result module 1 detail
        3) TestAsicSync --------------------> .
              Error code ------------------> 0 (DIAG_SUCCESS)
               Total run count -------------> 47297
               Last test execution time ----> Feb 17 2011 05:52:34
               First test failure time -----> n/a
               Last test failure time ------> n/a
               Last test pass time ---------> Feb 17 2011 05:52:34
               Total failure count ---------> 0
               Consecutive failure count ---> 0
    If you see failure counters incremented, check the same thing with the other blades inserted in the chassis to know
    if it is specific to slot 8 or seen with multiple slots (a different type of blade has different diagnostic contents).
    Also, check the SCP dropped and retry counters as below.
    Router#remote command switch show scp status
    Rx 22492903,  Tx 11717042,  scp_my_addr 0x5
    Id Sap      Channel name    current/peak/retry/dropped/total   time(queue/process/ack)
    0  20   SCP Unsolicited:20      0/    0/    0/      0/    0      0/    0/   0
    1  0    SCP Unsolicited:0       0/    3/    0/      0/8179027      0/    0/10036
    2  2    SCP Unsolicited:2       0/    2/    0/      0/8205700      0/    0/   0
    3  21   SCP Unsolicited:21      0/    0/    0/      0/    0      0/    0/   0
    4  1    SCP Unsolicited:1       0/    2/    0/      0/109393      0/    0/ 252
    5  18   SCP Unsolicited:18      0/    0/    0/      0/    0      0/    0/   0
    6  17   SCP Unsolicited:17      0/    0/    0/      0/    0      0/    0/   0
    7  16   SCP Unsolicited:16      0/    0/    0/      0/    0      0/    0/   0
    8  33   SCP async: LCP#6        0/   37/    0/      0/1779208    172/  240/  28
    9  32   SCP async: LCP#4        0/   24/    0/      0/2234291    296/  604/ 236
    10 37   SCP async: LCP#5        0/   61/    0/      0/1381933   1040/  716/ 236
    11 36   SCP async: LCP#1        0/ 1008/    0/      0/455925    1192/1184/ 236
    12 39   SCP async: LCP#2        0/  150/    0/      0/252763    696/  456/ 224
    Router#
    LCP# means "Line Card Processor of slot #".
    If you see the counters mentioned above incrementing continually for the ACE blade in slot 8,
    try removing / re-inserting the blade. If it persists, consider moving the ACE blade to another slot.
    If it persists even after that, consider a h/w replacement.
    If moving the slot or a h/w replacement does not fix the reset due to keepalive failure, or those counters keep incrementing,
    it might be a s/w related issue.
    I do not know what s/w version you use, however we always recommend taking the latest
    version to have bug fixes and enhancements.
    Actually we had a control plane issue with ACE that could cause it to not respond to keepalives
    some time ago.
    Let's isolate the possibility of a bad chassis and a loosely inserted blade, then try a s/w upgrade.
    If all those efforts fail, please consider a h/w replacement.
    If a s/w upgrade is not an easy option for you, try replacing the ACE blade instead of the s/w upgrade
    and keep the s/w upgrade as the last option, based on your environment.
    Regards,
    Kim
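Added example, not part of Kim's answer: a parser for the two outputs the answer walks through, "show diagnostic result module N detail" and "show scp status", that pulls out tests with non-zero failure counters and SCP channels showing retries or drops, and recovers the slot number from the "LCP#n" channel name. The two sample outputs are constructed for the example (a failing TestAsicSync on a hypothetical slot 8 and an SCP channel for that slot with retries), not output from the poster's chassis; they follow the layout shown in the answer.

```python
import re

# 'show diagnostic result module N detail' entries look like
#    3) TestAsicSync --------------------> .
#          Error code ------------------> 0 (DIAG_SUCCESS)
DIAG_TEST_RE = re.compile(r"^\s*\d+\)\s+(?P<name>\w+)\s+-+>")
DIAG_FIELD_RE = re.compile(r"^\s*(?P<field>[A-Za-z][A-Za-z ]*?)\s*-+>\s*(?P<value>.+?)\s*$")


def parse_diag_result(text):
    """Map each test name to its field/value pairs."""
    tests, current = {}, None
    for line in text.splitlines():
        m = DIAG_TEST_RE.match(line)
        if m:
            current = m["name"]
            tests[current] = {}
            continue
        m = DIAG_FIELD_RE.match(line)
        if m and current is not None:
            tests[current][m["field"].strip()] = m["value"]
    return tests


def failing_tests(tests):
    """Tests with non-zero failure counters: (name, total, consecutive, last_failure)."""
    out = []
    for name, fields in tests.items():
        total = int(fields.get("Total failure count", "0"))
        consecutive = int(fields.get("Consecutive failure count", "0"))
        if total or consecutive:
            out.append((name, total, consecutive, fields.get("Last test failure time", "n/a")))
    return out


# 'show scp status' rows: id sap name current/peak/retry/dropped/total time(queue/process/ack)
SCP_ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<sap>\d+)\s+(?P<name>SCP \S+(?: \S+)?)\s+"
    r"(?P<current>\d+)/\s*(?P<peak>\d+)/\s*(?P<retry>\d+)/\s*(?P<dropped>\d+)/\s*(?P<total>\d+)"
)


def scp_problem_channels(text):
    """Rows with retries or drops; slot recovered from 'LCP#n' where present."""
    rows = []
    for line in text.splitlines():
        m = SCP_ROW_RE.match(line)
        if not m:
            continue
        retry, dropped = int(m["retry"]), int(m["dropped"])
        if retry or dropped:
            slot = re.search(r"LCP#(\d+)", m["name"])
            rows.append({"channel": m["name"], "slot": int(slot.group(1)) if slot else None,
                         "retry": retry, "dropped": dropped, "total": int(m["total"])})
    return rows


# Constructed sample: hypothetical slot 8 with a failing TestAsicSync.
SAMPLE_DIAG = """\
Router#show diagnostic result module 8 detail
    1) TestEobcStressPing --------------> U
          Error code ------------------> 3 (DIAG_SKIPPED)
           Total run count -------------> 0
    3) TestAsicSync --------------------> F
          Error code ------------------> 1 (DIAG_FAILURE)
           Total run count -------------> 47297
           Last test execution time ----> Feb 17 2011 05:52:34
           First test failure time -----> Feb 17 2011 05:40:04
           Last test failure time ------> Feb 17 2011 05:52:34
           Last test pass time ---------> Feb 17 2011 05:39:49
           Total failure count ---------> 51
           Consecutive failure count ---> 51
"""

# Constructed sample: the channel for slot 8 shows retries and drops.
SAMPLE_SCP = """\
Router#remote command switch show scp status
Rx 22492903,  Tx 11717042,  scp_my_addr 0x5
Id Sap      Channel name    current/peak/retry/dropped/total   time(queue/process/ack)
1  0    SCP Unsolicited:0       0/    3/    0/      0/8179027      0/    0/10036
8  33   SCP async: LCP#6        0/   37/    0/      0/1779208    172/  240/  28
13 40   SCP async: LCP#8        2/  312/   41/     17/98011     2980/ 2100/ 236
"""

if __name__ == "__main__":
    for name, total, consec, last in failing_tests(parse_diag_result(SAMPLE_DIAG)):
        print(f"GOLD {name}: {total} failures, {consec} consecutive, last {last}")
    for row in scp_problem_channels(SAMPLE_SCP):
        print(f"SCP slot {row['slot']} ({row['channel']}): retry={row['retry']} dropped={row['dropped']}")
```

Capture both outputs before and after reseating or moving the blade; if the counters that were climbing stop climbing in the new slot, the answer's slot-versus-blade question is settled without guesswork.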

  • DNS Inspect on FWSM module

    We picked up a strange problem on the FWSM . DNS Queries sent to UDP 53 for the DNS services hosted on a Linux server failed to work .
    DNS INSPECT on the firewalls had to be turned off and the DNS tests fired again to get this working. Is this a known problem, or do we have a workaround instead of disabling the INSPECT feature?

    With the introduction of DNS security, large DNS requests would require authentication. This was first introduced in version 8.2 of the ASA firewall, when we changed from the fixed size of 512 bytes to Auto.
    The FWSM was left behind because it was either way going to be replaced by the ASA-SM.
    I remember this issue when the Windows Server 2008 came out.
    I would rather check exactly why the packet is being dropped with the logs rather than doing any suggestions.
    Mike

  • Updating two FWSM in active/passive state

    Hi,
    I have two FWSM modules on two 6509 switches. Last night I updated the active FWSM, but I don't know how to update the passive one! One solution that came up to my mind was to change the active one, to act in passive state, and then change the passive one, which doesn't have the update, and then update it. But I guess there should be some other ways to do so without using failover. Any help?
    Thanks

    Perfect Jouni.
    1) on the active unit's system context, execute "write mem all" (if multiple context otherwise just "wr mem")
    2) copy the new image to the standby unit
    3) reload the standby unit which will come back as standby and running
    the new code
    4) on the standby execute "failover active", it is now the active unit
    5) on the unit that is now standby, copy the new image to it
    6) reload the standby unit
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/swcnfg_f.html#wp1064232
    -Kureli

  • FWSM release 3.1(7)

    Hi,
    I am installing a FWSM module on a 6509 catalyst with a 720/MSFC3 supervisor, I am actually running 12.2(17d)SXB11a version in the supervisor and I would like to install the 3.1 software version on my FWSM (specifically the 3.1(7) release).
    According to the documentation I should upgrade the IOS of the supervisor to the 12.2(18)SXF release or higher. I did some tests with the 12.2(17d)SXB11a and the FWSM module running 3.1(5) release and it seems to work fine.
    Do I really need to upgrade the IOS in the supervisor?
    Regards

    I have successfully tested some basic features of FWSM 3.1(x) on a Cat 6509 running code earlier than 12.2(18)SXF. All the testing was in the lab and worked fine. But we upgraded the chassis to 12.2(18)SXF before deploying in production.
    The main reason we upgraded the chassis is to make sure that we don't run into any surprises in production or get any push back from TAC if something goes wrong.
    I hope it helps.
    Regards,
    Arul

  • FWSM configuration design in a 6509

    Hi All,
    I am a newbie with respect to firewalls, and we have a customer that purchased a 6509 with two FWSM modules.
    Now, from reading the manuals for configuration of the FWSM, it's very difficult to decide which one of the modes is better to use.
    The customer has an external firewall for their internet traffic and DMZ, so the FWSM will only be scanning internal traffic. Their intent is to segment and lock down traffic between the VLANs.
    I was thinking to have the MSFC do the routing and have the FWSM work in transparent mode, but do you think this is a good design? Any words of advice based on experience on whether routed mode would be better?

    Hi.
    Transparent mode would be the easiest to implement in an existing network as no re-addressing is needed, and since it acts like a bridge, you can also control non-IP based traffic (which routed mode can't).
    Routed mode however has some more features which don't exist in transparent (like multicast routing, routing protocols etc.), so if you don't need any routed-mode-only feature, stay with transparent.
    With transparent you have to be careful how you implement it so as not to cause layer 2 loops.
    However, since the cat6k routing features are a lot more advanced than the FWSM's, I'd say keep the routing on the MSFC and let the FWSM just do firewalling, so it is best to use the FWSM in transparent mode.
    The fwsm config guide section about the 2 modes, explains the difference between both, so i recommend you read it and based on your requirements implement what you want:
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/fwmode_f.html
    Regards,
    Fadi.

  • Missing FWSM in Catalyst 6509 switch

    I have a problem with a Catalyst 6509 switch. The problem I initially had was logging into the switch. I was always sent to the rommon> prompt any time I tried logging into the switch, until I was told to enter "boot bootflash:". I was able to enter the switch but could not find the FWSM module. The module was there until we tried upgrading the IOS of the MSFC.
    When I enter "show module" it does not show the FWSM module.
    Can anybody please show me what to do to access the Firewall module?

    Thanks for your post.
    Below is the result of a sh version and sho module of the switch as well as a report that comes up upon bootup using the "boot bootflash:"
    core02>en
    Password:
    core02#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(12c)E4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2002 by cisco Systems, Inc.
    Compiled Mon 14-Oct-02 12:37 by hqluong
    Image text-base: 0x40008980, data-base: 0x41598000
    ROM: System Bootstrap, Version 12.1(11r)E1, RELEASE SOFTWARE (fc1)
    BOOTLDR: c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(12c)E4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    core02 uptime is 4 minutes
    System returned to ROM by power-on (SP by power-on)
    System image file is "sup-bootflash:c6sup22-psv-mz.121-12c.E4.bin"
    cisco Catalyst 6000 (R7000) processor with 227328K/34816K bytes of memory.
    Processor board ID SAL08144260
    R7000 CPU at 300Mhz, Implementation 39, Rev 3.3, 256KB L2, 1024KB L3 Cache
    Last reset from power-on
    X.25 software, Version 3.0.0.
    Bridging software.
    8 Ethernet/IEEE 802.3 interface(s)
    6 Virtual Ethernet/IEEE 802.3 interface(s)
    26 Gigabit Ethernet/IEEE 802.3 interface(s)
    381K bytes of non-volatile configuration memory.
    32768K bytes of Flash internal SIMM (Sector size 512K).
    Configuration register is 0x2102
    core02#sh module
    Mod Ports Card Type                              Model              Serial No.
      1     2 Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAL08154S4S
      2     8 unknown FRU type (major = 0x6003, mino WS-XSVC-K+BB-2     SAD081203ZV
      3    16 16 port GE RJ45                        WS-X6316-GE-TX     SAD08140999
      4     8 8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC     SAL081555Q1
    Mod MAC addresses                       Hw    Fw        Sw         Status
      1 000f.8f9d.3510 to 000f.8f9d.3511   5.0   6.1(3)    7.2(0.90)  Ok
      2 000f.8f5b.bd62 to 000f.8f5b.bd69   2.0   Unknown   Unknown    PwrDown
      3 [start of range lost in paste] to 0003.feae.f137   1.3   5.4(2)    7.2(0.90)  Ok
      4 000f.f716.8dd0 to 000f.f716.8dd7   3.1   5.4(2)    7.2(0.90)  Ok
    Copyright (c) 1986-2002 by cisco Systems, Inc.
    Compiled Mon 14-Oct-02 13:00 by hqluong
    00:00:54: %SNMP-5-COLDSTART: SNMP agent on host core02 is undergoing a cold start
    00:00:56: %C6KPWR-SP-4-UNSUPPORTED: unsupported module in slot 2, power not allowed: Unknown Card Type.
    00:00:56: %C6KPWR-SP-4-ENABLED: power to module in slot 3 set on
    00:00:57: %C6KPWR-SP-4-ENABLED: power to module in slot 4 set on
    00:01:10: %DIAG-SP-6-RUN_MINIMUM: Module 1: Running Minimum Online Diagnostics..
    00:01:14: %DIAG-SP-6-DIAG_OK: Module 1: Passed Online Diagnostics
    00:01:14: %OIR-SP-6-INSCARD: Card inserted in slot 1, interfaces are now online
    00:01:25: %DIAG-SP-6-RUN_MINIMUM: Module 3: Running Minimum Online Diagnostics..
    00:01:28: %DIAG-SP-6-DIAG_OK: Module 3: Passed Online Diagnostics
    00:01:28: %OIR-SP-6-INSCARD: Card inserted in slot 3, interfaces are now online
    00:01:56: %DIAG-SP-6-RUN_MINIMUM: Module 4: Running Minimum Online Diagnostics..
    00:01:57: %DIAG-SP-6-DIAG_OK: Module 4: Passed Online Diagnostics
    00:01:57: %OIR-SP-6-INSCARD: Card inserted in slot 4, interfaces are now online
    Mod Sub-Module Model Serial

  • Migrating from FWSM to ASA Service Module (ASASM)

    I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.
    With that in mind, can anyone confirm whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.
    In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
    Thanks in advance.

    So long as the chassis has enough power to power these modules you are good.
    Up to 4 FWSMs can be installed in a chassis.
    Up to 4 ASA-SM modules can be installed in a chassis.
    FWSM:
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html
    • Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis
    ASA-SM
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
    Q. How many ASA Services Modules can I place in a Cisco Catalyst 6500 Series chassis?
    A. Up to four independent ASA Services Modules can simultaneously run in a Cisco Catalyst 6500-E Series chassis.
    -Kureli

  • FWSM and CSM (Load Balance) in the same chassi

    Folks,
    Is there any type of best practice (you ** must ** do it like this) when you are going to implement the FWSM and the CSM modules on the same 6509 chassis?
    PS: The CSM is not doing FW loadbalance, it is doing loadbalance to servers located in a DMZ
    PATH:
    (outside) FWSM (inside) -> MSFC -> (inside) PIX (dmz) -> CSM  , CSM -> (dmz) PIX (inside) -> MSFC -> (inside) FWSM
    My main doubts:
    1) FWSM using multi-context, Is there any integration problem with CSM ?
    2) FWSM and CSS in routed mode, Is there any integration problem with both modules ?
    3) Is it really necessary to operate the FWSM module in bus mode when using the CSM in the same chassis (fabric switching-mode force bus)?
    Cisco Says:
    "The CSM line card operates in bus mode. When using the CSM in conjunction with the FWSM line card,
    Cisco recommends forcing the FWSM to operate in bus mode using the
    fabric switching-mode force bus command. When service modules such as the CSM and the FWSM
    operate in bus mode, traffic from DFC-enabled line cards still use the fabric connection."
    In the past it was a workaround due to a bug, but I have found this recommendation and now I am a little confused.
    Tks !!!

    Luis-
    You will want to use routed mode on the CSM so that the firewall contexts don't see each other's MAC addresses for any traffic not destined to a VIP. On the CSM VLANs, you will want to create alias IPs to use as the next-hop destination between contexts for non-VIP traffic. Other than that, the CSM has no concept of contexts, so as long as the traffic is symmetric when it flows through the CSM VLANs, it will be happy.
    Regards,
    Chris
