FWSM module flapping on 6509 backplane
I have a 6509 with an active FWSM in slot 3 and failover (standby) in slot 4.
I noticed today that a message appeared in my switch log that the module in slot 3 was seemingly flapping between the port-channels on the backplane. Po307 should be the active FWSM and as far as I know, Po308 should be the failover/standby.
The message was
%MAC_MOVE-SP-4-NOTIF: Host 0016.c782.eb80 in vlan 307 is flapping between port po308 and po307
And a bunch of vlans are listed in this error, which represent the firewalled vlans on the FWSM.
When I check to see if there was a failover event on the FWSM, it does not indicate that there was.
What might be going on here?
Hi,
The switch has its normal vibrations and over time those vibrations can cause a module to slightly come away from the backplane. When this happens, the supervisor's keepalive polling does not receive a response from the module within the allotted time and the supervisor reboots the module in order to try to gain a better connection to it. If the module still does not respond to the polls, the supervisor continuously reboots the module, and eventually puts it into error disable and does not allow any power to reach this module.
A simple reseat of the module corrects this issue 90 percent of the time. If you reseat the module, it realigns the switch fabric and ensures a firm connection to the backplane.
Also refer this post
HTH
"Please rate helpful posts"
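As an added example (not from the thread and not Cisco code), a small Python script that pulls the MAC_MOVE and keepalive power-off messages out of switch syslog and separates a module-wide flap (one MAC moving between the same two backplane port-channels on many vlans at once, as in the question) from an ordinary single-vlan host flap. The log lines are constructed to match the two message formats quoted on this page; the extra port names, MACs, vlans and timestamps are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog, modelled on the MAC_MOVE message quoted in the
# question (which reads "between port po308 and po307") and on the keepalive
# power-off message quoted further down the page. MACs, vlans, the Gi5/x ports
# and the timestamps are invented.
SAMPLE_LOG = """\
Jun 27 13:51:02.716 IST: %MAC_MOVE-SP-4-NOTIF: Host 0016.c782.eb80 in vlan 307 is flapping between port Po308 and port Po307
Jun 27 13:51:02.901 IST: %MAC_MOVE-SP-4-NOTIF: Host 0016.c782.eb80 in vlan 310 is flapping between port Po308 and port Po307
Jun 27 13:51:03.114 IST: %MAC_MOVE-SP-4-NOTIF: Host 0016.c782.eb80 in vlan 311 is flapping between port po308 and po307
Jun 27 13:52:40.002 IST: %MAC_MOVE-SP-4-NOTIF: Host 0011.2233.4455 in vlan 20 is flapping between port Gi5/1 and port Gi5/2
Jun 27 13:53:10.550 IST: %C6KPWR-SP-4-DISABLED: power to module in slot 3 set off (Module not responding to Keep Alive polling)
"""

# The full message has "port" before both names; the copy on this page drops
# the second one, so it is optional here.
MAC_MOVE_RE = re.compile(
    r"%MAC_MOVE-SP-4-NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and (?:port )?(?P<p2>\S+)",
    re.IGNORECASE,
)
PWR_OFF_RE = re.compile(r"%C6KPWR-SP-4-DISABLED: power to module in slot (?P<slot>\d+) set off")


def parse_mac_moves(text):
    """Extract (mac, vlan, unordered port pair) from every MAC_MOVE line."""
    events = []
    for line in text.splitlines():
        m = MAC_MOVE_RE.search(line)
        if m:
            ports = frozenset(p.capitalize() for p in (m["p1"], m["p2"]))  # po308 -> Po308
            events.append({"mac": m["mac"].lower(), "vlan": int(m["vlan"]), "ports": ports})
    return events


def module_flaps(events, min_vlans=2):
    """Group moves by (mac, port pair) and keep those seen on several vlans.

    A host flap is normally confined to one vlan; one MAC moving between the
    same two ports on many vlans at once is what the question shows for the
    FWSM, whose address appears on every firewalled vlan.
    """
    vlans = defaultdict(set)
    for e in events:
        vlans[(e["mac"], e["ports"])].add(e["vlan"])
    return {k: sorted(v) for k, v in vlans.items() if len(v) >= min_vlans}


def slots_powered_off(text):
    """Slots the supervisor has powered off after keepalive failures."""
    return sorted({int(m["slot"]) for m in PWR_OFF_RE.finditer(text)})


if __name__ == "__main__":
    for (mac, ports), vlans in module_flaps(parse_mac_moves(SAMPLE_LOG)).items():
        print(f"{mac} moving between {'/'.join(sorted(ports))} on vlans {vlans}")
    print("slots powered off by keepalive failure:", slots_powered_off(SAMPLE_LOG))
```

Feed it the output of `show logging` (or the syslog server's file) and correlate a multi-vlan flap with a keepalive power-off for the same slot; that pairing points at the backplane seating issue described in the answer rather than at an end host.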
Similar Messages
-
Replacing Faulty FWSM module in Cluster
Hi,
We have a faulty FWSM module in Cisco 6509 switch in Active/Standby cluster mode
We have purchased a refurbished FWSM module to replace it. It has the same FWSM OS 4.0 (4) and is in factory default configuration
What procedures should I follow to make this unit live and sync the config between the current active unit to this one.
Can one of you please explain me the steps and if an link to an article which explains this will be great
Thanks,
Chandru
Hi Bro
Firstly, insert the newly purchased refurbished Cisco FWSM module into the slot where the faulty Cisco FWSM module was originally located. Second, paste the configuration from the working unit into this newly purchased refurbished Cisco FWSM module. Note: please do ensure that under the failover commands, one side is primary and the other side is secondary. Lastly, issue the command "show failover" to ensure the failover status, i.e. NORMAL, is in good working condition.
I’ve done this countless times, you should do just fine. This is easy.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html
Regards,
Ram -
Hi ALL,
We have two switches and two FWSM modules inserted into the two switches. Can I add the FWSM as a separate device instead of a module, because I can't telnet to the FWSM from the switch? The customer is not ready to configure the telnet option. The FWSM module is working in active/active mode, so a virtual single IP is configured. How can I add the FWSM module in this network?
You can use it as a separate device. For further description, the following URL for the configuration of the FWSM will help you:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/context.html -
IDS Links are flapping in 6509
Hi...
IDSM sensing interfaces are flapping in the 6509 switch, and log shipping also stops intermittently. Can anyone help?
Jun 27 13:51:02.716 IST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet2/8, changed state to down
Jun 27 13:51:03.484 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/8, changed state to up
Jun 27 13:51:02.764 IST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet2/8, changed state to down
Jun 27 13:51:03.268 IST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet2/7, changed state to up
Hi Gangadhar,
It is normal to see the promiscuous interfaces go up and down.
Another scenario is during configuration changes. When signature updates are installed, configuration changes made, or when signature tunings are performed, it is expected to have the interface go down and then back up again.
Apart from the above two cases, this issue is seen if the sensor is oversubscribed or extremely busy and moved to bypass mode.
Hope this answers your query.
Thulasi Shankar -
Eq 8080 commands not being entered on FWSM module
Hi There,
I'm having an issue with some Firewalls in my network. I have several firewall modules (WS-SVC-FWM-1) in 6509s,
FWSM Firewall Version 2.3(3) <system>
FWSM Device Manager Version 4.1(3)
I'm trying to enter the following rules
access-list ACL-IN extended permit ip host X.X.X.0 X.X.X.0 255.255.255.0 eq 8080
access-list ACL-IN extended permit ip host X.X.X.1 X.X.X.0 255.255.255.0 eq 8080
access-list ACL-IN extended permit ip host X.X.X.2 X.X.X.0 255.255.255.0 eq 8080
access-list ACL-OUT extended permit ip X.X.X.0 255.255.255.0 host X.X.X.0 eq 8080
access-list ACL-OUT extended permit ip X.X.X.0 255.255.255.0 host X.X.X.1 eq 8080
access-list ACL-OUT extended permit ip X.X.X.0 255.255.255.0 host X.X.X.2 eq 8080
What happens is, these commands don't go into the configuration, and I don't get an error, but any rule after it also does not get copied into the config when I copy and paste a list of commands. All the commands before it go in no problem.
Does it not like eq 8080? Can I not do 'permit ip' with an eq command? Do I have to use 'permit tcp' to enter the command?
Thanks.
If you are going to specify a port you need to use the TCP or UDP protocol. You are specifying IP so you will get an error because of this.
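As an added illustration (not from the thread), a small Python linter that catches the mistake described in this answer before a block of rules is pasted: a port operator (eq, neq, lt, gt, range) on an access-list entry whose protocol is ip rather than tcp or udp. The sample entries are constructed, with RFC 5737 documentation addresses standing in for the X.X.X.x placeholders; the rewrite to tcp assumes that the 8080 service is TCP.

```python
import re

# Port operators that are only meaningful with a transport protocol
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}
PORT_PROTOCOLS = {"tcp", "udp"}

# Constructed sample, modelled on the entries in the question: lines 1 and 2
# repeat the 'permit ip ... eq 8080' mistake, line 3 is the valid tcp form,
# line 4 is a valid ip entry with no port operator.
SAMPLE_ACL = """\
access-list ACL-IN extended permit ip host 192.0.2.10 198.51.100.0 255.255.255.0 eq 8080
access-list ACL-IN extended permit ip host 192.0.2.11 198.51.100.0 255.255.255.0 eq 8080
access-list ACL-OUT extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq 8080
access-list ACL-OUT extended permit ip 198.51.100.0 255.255.255.0 host 192.0.2.11
"""

ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.+?)\s*$"
)


def check_ace(line):
    """Return a list of problems for one extended ACE; empty if none found."""
    m = ACE_RE.match(line)
    if not m:
        return ["not an extended access-list entry"]
    proto = m["proto"].lower()
    ops = [t for t in m["rest"].split() if t.lower() in PORT_OPERATORS]
    if ops and proto not in PORT_PROTOCOLS:
        return [f"port operator '{ops[0]}' requires tcp or udp, not '{proto}'"]
    return []


def suggest_fix(line, proto="tcp"):
    """Swap the protocol keyword (assumes the port belongs to that protocol)."""
    m = ACE_RE.match(line)
    if not m:
        return line
    return line[:m.start("proto")] + proto + line[m.end("proto"):]


def lint_config(text):
    """Return [(line_number, line, problems)] for every offending access-list line."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.lstrip().startswith("access-list"):
            continue  # other commands are out of scope for this check
        problems = check_ace(line)
        if problems:
            findings.append((n, line, problems))
    return findings


def fix_config(text, proto="tcp"):
    """Rewrite every offending entry; everything else passes through unchanged."""
    out = []
    for line in text.splitlines():
        if line.lstrip().startswith("access-list") and check_ace(line):
            out.append(suggest_fix(line, proto))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, line, problems in lint_config(SAMPLE_ACL):
        print(f"line {n}: {problems[0]}")
        print(f"  suggested: {suggest_fix(line)}")
```

Run it over the text you are about to paste; since the thread reports that everything after the first rejected line also failed to apply, catching the first bad entry in advance saves re-pasting the whole block.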
-
6500 has IDSM-2 and FWSM modules
i got a task to configure Catalyst 6509 supervisor engin sup720-10g-3c and has FWSM and IDSM-2 service modules .
what consideration should i take and is there is any configuration example for both
thank you for your help
There are many posts on this forum on this subject, did you try using the search function?
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml
Regards
Farrukh -
Cisco 6516 FWSM Module problem
Hi
We have a 6513 Cisco FW with 2 FWSMs in Active/Standby failover. When the primary module is in active state the users' sessions are suddenly disconnected while the ping is OK (no request timed out packets). Now we have to work with only one module; what should we do?
Thanks
Dalia
Hello Dalia,
Could you explain the issue a little further?
Are you saying that when having both FWSM in active/standby and with the primary in active state all of the sessions are dropped except ICMP?
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
ACE10-6500-K9 module in catalyst 6509 gives this error
Hello
I have a module ACE10-6500-K9 inserted en module 8 of a catalyst 6509 that gave me this error yesterday.
The workaround is to manually reset the slot, ok? I tried a reload and the problem persists. Is a hardware reset necessary to solve this problem?
Is it due to a bug or a hardware problem?
%C6KPWR-SP-4-DISABLED: power to module in slot 8 set off (Module not responding to Keep Alive polling)
Thank you very much
Hi, a.serrano
The meaning of the message is as it says. Sup, to be specific, Switch Processor of Sup sent continual keepalives through EOBC path and
did not hear back for keepalives from ACE in slot 8. So the Sup reset the ACE blade in slot 8.
I can only say that it could be h/w related or s/w related or due to a loosely inserted blade, given just the message.
If it is h/w related, whichever it is (chassis slot, chassis EOBC path, ACE blade), the first thing you need to check out is
failures in generic on-line diagnostics (GOLD) from the Sup side.
Let's see what diagnostic is running on ACE blade.
Router#show diagnostic content module 1
Module 1: Application Control Engine Module
Diagnostics test suite attributes:
M/C/* - Minimal bootup level test / Complete bootup level test / NA
B/* - Basic ondemand test / NA
P/V/* - Per port test / Per device test / NA
D/N/* - Disruptive test / Non-disruptive test / NA
S/* - Only applicable to standby unit / NA
X/* - Not a health monitoring test / NA
F/* - Fixed monitoring interval test / NA
E/* - Always enabled monitoring test / NA
A/I - Monitoring is active / Monitoring is inactive
R/* - Power-down line cards and need reload supervisor / NA
K/* - Require resetting the line card after the test has completed / NA
T/* - Shut down all ports and need reload supervisor / NA
Test Interval Thre-
ID Test Name Attributes day hh:mm:ss.ms shold
==== ================================== ============ =============== =====
1) TestEobcStressPing --------------> ***D*X**I*** not configured n/a
2) TestFirmwareDiagStatus ----------> M**N****I*** 000 00:00:15.00 10
3) TestAsicSync --------------------> ***N****A*** 000 00:00:15.00 10
With ACE blade, "3) TestAsicSync" has "A" flag which means "Monitoring is active".
SP of Sup is sending polling packets at a certain interval to check health of an Asic on ACE blade.
Now let's see failure count of that.
Router#show diagnostic result module 1 detail
3) TestAsicSync --------------------> .
Error code ------------------> 0 (DIAG_SUCCESS)
Total run count -------------> 47297
Last test execution time ----> Feb 17 2011 05:52:34
First test failure time -----> n/a
Last test failure time ------> n/a
Last test pass time ---------> Feb 17 2011 05:52:34
Total failure count ---------> 0
Consecutive failure count ---> 0
If you see failure counters incremented, check the same thing with other blades inserted in the chassis to know
if it is specific to slot 8 or seen with multiple slots. (different type of blade has different type of diagnostic contents)
Also, check dropped and retry counters SCP as below.
Router#remote command switch show scp status
Rx 22492903, Tx 11717042, scp_my_addr 0x5
Id Sap Channel name current/peak/retry/dropped/total time(queue/process/ack)
0 20 SCP Unsolicited:20 0/ 0/ 0/ 0/ 0 0/ 0/ 0
1 0 SCP Unsolicited:0 0/ 3/ 0/ 0/8179027 0/ 0/10036
2 2 SCP Unsolicited:2 0/ 2/ 0/ 0/8205700 0/ 0/ 0
3 21 SCP Unsolicited:21 0/ 0/ 0/ 0/ 0 0/ 0/ 0
4 1 SCP Unsolicited:1 0/ 2/ 0/ 0/109393 0/ 0/ 252
5 18 SCP Unsolicited:18 0/ 0/ 0/ 0/ 0 0/ 0/ 0
6 17 SCP Unsolicited:17 0/ 0/ 0/ 0/ 0 0/ 0/ 0
7 16 SCP Unsolicited:16 0/ 0/ 0/ 0/ 0 0/ 0/ 0
8 33 SCP async: LCP#6 0/ 37/ 0/ 0/1779208 172/ 240/ 28
9 32 SCP async: LCP#4 0/ 24/ 0/ 0/2234291 296/ 604/ 236
10 37 SCP async: LCP#5 0/ 61/ 0/ 0/1381933 1040/ 716/ 236
11 36 SCP async: LCP#1 0/ 1008/ 0/ 0/455925 1192/1184/ 236
12 39 SCP async: LCP#2 0/ 150/ 0/ 0/252763 696/ 456/ 224
Router#
LCP# means that "Line Card Processor of slot #".
If you see the counters mentioned above incrementing continually with the ACE blade in slot 8,
try removing / re-inserting the blade. If it persists, consider moving the ACE blade to another slot.
If it persists even after that, consider an h/w replacement.
If moving slot or h/w replacement does not fix the reset due to keepalive failure, or those counters incrementing,
it might be an s/w related issue.
I do not know what s/w version you use, however we always recommend taking the latest
version to have bug fixes and enhancements.
Actually we had a control plane issue with ACE that could cause it not to respond to keepalives
some time ago.
Let's isolate the possibility of a bad chassis and a loosely inserted blade, then try s/w upgrading.
If all those efforts fail, please consider h/w replacement.
If an s/w upgrade is not an easy option for you, try replacing the ACE blade instead of the s/w upgrade
and keep the s/w upgrade as the last option based on your environment.
Regards,
Kim -
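To turn the checks in this answer into something repeatable, here is an added Python example (not Cisco's code and not from the thread) that parses `show diagnostic result module N detail` and `show scp status` output, reports tests whose failure counters are non-zero, and compares two `show scp status` snapshots to find line-card channels whose retry or dropped counters grew between them. The samples are constructed from the formats shown above; the LCP#8 rows, the failing TestAsicSync result and its `DIAG_FAILURE` string are invented for illustration, and the regexes assume the column layouts seen on this page.

```python
import re

# Constructed samples in the format of the output quoted in the thread.
# DIAG_RESULT_OK copies the healthy TestAsicSync block; DIAG_RESULT_BAD and
# the LCP#8 rows are invented to give the slot-8 case something to show.
DIAG_RESULT_OK = """\
  3) TestAsicSync --------------------> .
          Error code ------------------> 0 (DIAG_SUCCESS)
          Total run count -------------> 47297
          Last test execution time ----> Feb 17 2011 05:52:34
          First test failure time -----> n/a
          Last test failure time ------> n/a
          Last test pass time ---------> Feb 17 2011 05:52:34
          Total failure count ---------> 0
          Consecutive failure count ---> 0
"""
DIAG_RESULT_BAD = """\
  3) TestAsicSync --------------------> F
          Error code ------------------> 1 (DIAG_FAILURE)
          Total run count -------------> 47310
          Total failure count ---------> 13
          Consecutive failure count ---> 13
"""
SCP_BEFORE = """\
Id Sap Channel name current/peak/retry/dropped/total time(queue/process/ack)
 8  33 SCP async: LCP#6     0/  37/  0/  0/1779208   172/ 240/  28
13  40 SCP async: LCP#8     0/  12/  0/  0/  31020    60/  90/  22
"""
SCP_AFTER = """\
Id Sap Channel name current/peak/retry/dropped/total time(queue/process/ack)
 8  33 SCP async: LCP#6     0/  37/  0/  0/1779301   172/ 240/  28
13  40 SCP async: LCP#8     2/  40/ 57/ 19/  31233  1200/ 900/ 236
"""

TEST_HEADER_RE = re.compile(r"^\s*(?P<id>\d+)\)\s+(?P<name>\w+)\s*-+>\s*(?P<status>\S*)")
RESULT_FIELD_RE = re.compile(r"^\s*(?P<field>[A-Za-z ]+?)\s*-+>\s*(?P<value>.+?)\s*$")
SCP_ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<sap>\d+)\s+(?P<name>.+?)\s+(?P<current>\d+)/\s*(?P<peak>\d+)/"
    r"\s*(?P<retry>\d+)/\s*(?P<dropped>\d+)/\s*(?P<total>\d+)\s+(?P<queue>\d+)/"
    r"\s*(?P<process>\d+)/\s*(?P<ack>\d+)\s*$"
)


def parse_diag_result(text):
    """Return {test_name: {field: value}} from 'show diagnostic result ... detail'."""
    tests, current = {}, None
    for line in text.splitlines():
        h = TEST_HEADER_RE.match(line)
        if h:
            current = tests.setdefault(h["name"], {"status": h["status"]})
            continue
        f = RESULT_FIELD_RE.match(line)
        if f and current is not None:
            current[f["field"].strip()] = f["value"]
    return tests


def failing_tests(tests):
    """{test_name: (total_failures, consecutive_failures)} for non-zero counters."""
    out = {}
    for name, fields in tests.items():
        total = int(fields.get("Total failure count", "0"))
        consec = int(fields.get("Consecutive failure count", "0"))
        if total or consec:
            out[name] = (total, consec)
    return out


def parse_scp_status(text):
    """One dict per channel row; 'slot' is taken from the LCP#<n> name."""
    rows = []
    for line in text.splitlines():
        m = SCP_ROW_RE.match(line)
        if m:
            row = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
            slot = re.search(r"LCP#(\d+)", row["name"])
            row["slot"] = int(slot.group(1)) if slot else None
            rows.append(row)
    return rows


def counter_deltas(before_text, after_text):
    """{slot: {'retry': d, 'dropped': d}} for channels whose counters grew."""
    before = {r["id"]: r for r in parse_scp_status(before_text)}
    deltas = {}
    for r in parse_scp_status(after_text):
        b = before.get(r["id"])
        if b is None:
            continue
        d_retry, d_drop = r["retry"] - b["retry"], r["dropped"] - b["dropped"]
        if d_retry or d_drop:
            deltas[r["slot"]] = {"retry": d_retry, "dropped": d_drop}
    return deltas


if __name__ == "__main__":
    print("failing GOLD tests:", failing_tests(parse_diag_result(DIAG_RESULT_BAD)))
    print("SCP counters that grew per slot:", counter_deltas(SCP_BEFORE, SCP_AFTER))
```

Take the two `show scp status` snapshots a few minutes apart; a slot whose retry or dropped counters keep growing while the GOLD test shows consecutive failures is the one to reseat or move first, as the answer suggests.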
We picked up a strange problem on the FWSM . DNS Queries sent to UDP 53 for the DNS services hosted on a Linux server failed to work .
DNS INSPECT on the firewalls had to be turned off and DNS tests were fired again to get this working. Is this a known problem, or do we have a workaround instead of disabling the INSPECT feature?
With the introduction of DNS security, large DNS requests would require authentication. This was first introduced in version 8.2 of the ASA firewall when we changed from the fixed size of 512 Bytes to Auto.
The FWSM was left behind because it was either way going to be replaced by the ASA-SM.
I remember this issue when the Windows Server 2008 came out.
I would rather check exactly why the packet is being dropped with the logs rather than doing any suggestions.
Mike -
Updating two FWSM in active/passive state
Hi,
I have two FWSM modules on two 6509 switches. Last night I updated the active FWSM, but I don't know how to update the passive one! One solution that came up to my mind was to change the active one, to act in passive state, and then change the passive one, which doesn't have the update, and then update it. But I guess there should be some other ways to do so without using failover. Any help?
Thanks
Perfect Jouni.
1) on the active unit's system context, execute "write mem all" (if multiple context otherwise just "wr mem")
2) copy the new image to the standby unit
3) reload the standby unit which will come back as standby and running the new code
4) on the standby execute "failover active", it is now the active unit
5) on the unit that is now standby, copy the new image to it
6) reload the standby unit
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/swcnfg_f.html#wp1064232
-Kureli
Pls. take a few minutes to fill out this poll and help me tailor the content for the breakout session on ASA-CX, Cisco Live Orlando 2013.
https://supportforums.cisco.com/polls/1232 -
FWSM release 3.1(7)
Hi,
I am installing a FWSM module on a 6509 catalyst with a 720/MSFC3 supervisor, I am actually running 12.2(17d)SXB11a version in the supervisor and I would like to install the 3.1 software version on my FWSM (specifically the 3.1(7) release).
According to the documentation I should upgrade the IOS of the supervisor to the 12.2(18)SXF release or higher. I did some tests with the 12.2(17d)SXB11a and the FWSM module running 3.1(5) release and it seems to work fine.
Do I really need to upgrade the IOS in the supervisor?
Regards
I have successfully tested some basic features on FWSM 3.1(x) on Cat 6509 running codes earlier than 12.2(18)SXF. All the testing was in the lab and worked fine. But we upgraded the chassis to 12.2(18)SXF before deploying in production.
The main reason we upgraded the chassis is to make sure that we dont run into any surprises in production or get any push back from TAC if something goes wrong.
I hope it helps.
Regards,
Arul -
FWSM configuration design in a 6509
Hi All,
I am a newbie with respect to firewalls and we have a customer that purchased the a 6509 with two fwsm modules.
Now from reading the manuals for configuration of the fwsm its very difficult to decide which one of the modes is better to use.
The customer have external firewall for their internet traffic and dmz so the fwsm will only be scanning internal traffic. There intent is to segment and locked down traffic between the vlans.
I was thinking to have the MSFC do the routing and have the FWSM work in transparent mode, but do you think this is a good design? Any words of advice based on experience if the routed mode would be better?
Hi.
Transparent mode would be the easiest to implement in an existing network as no re-addressing is needed, and since it acts like a bridge. you can also control non-ip based traffic (which routed mode can't).
Routed mode however has some more features which don't exist in transparent (like multicast routing, routing protocols etc...). so if you don't need any routed-mode only specific feature, stay with transparent.
With transparent you have to be careful how to implement it so as not to cause layer 2 loops.
However since the cat6k routing features are a lot more advanced than the FWSM, I'd say keep the routing to the MSFC, and let the FWSM just do firewalling. So best to use FWSM in transparent mode.
The fwsm config guide section about the 2 modes, explains the difference between both, so i recommend you read it and based on your requirements implement what you want:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/fwmode_f.html
Regards,
Fadi. -
Missing FWSM in Catalyst 6509 switch
I have a problem with a Catalyst 6509 switch. The problem I initially had was logging into the switch. I was always sent to the rommon> prompt any time I tried logging into the switch until I was told to enter "boot bootflash:". I was able to enter the switch but could not find the FWSM module. The module was there until we tried upgrading the IOS of the MSFC.
When I enter "show module" it does not show the FWSM module.
Is there anything anybody can please show me to do to access the Firewall module?
Thanks for your post.
Below is the result of a sh version and sho module of the switch as well as a report that comes up upon bootup using the "boot bootflash:"
core02>en
Password:
core02#sh ver
Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(12c)E4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 14-Oct-02 12:37 by hqluong
Image text-base: 0x40008980, data-base: 0x41598000
ROM: System Bootstrap, Version 12.1(11r)E1, RELEASE SOFTWARE (fc1)
BOOTLDR: c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(12c)E4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
core02 uptime is 4 minutes
System returned to ROM by power-on (SP by power-on)
System image file is "sup-bootflash:c6sup22-psv-mz.121-12c.E4.bin"
cisco Catalyst 6000 (R7000) processor with 227328K/34816K bytes of memory.
Processor board ID SAL08144260
R7000 CPU at 300Mhz, Implementation 39, Rev 3.3, 256KB L2, 1024KB L3 Cache
Last reset from power-on
X.25 software, Version 3.0.0.
Bridging software.
8 Ethernet/IEEE 802.3 interface(s)
--More-- 6 Virtual Ethernet/IEEE 802.3 interface(s)
26 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of non-volatile configuration memory.
32768K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
core02#sh module
Mod Ports Card Type Model Serial No.
1 2 Catalyst 6000 supervisor 2 (Active) WS-X6K-SUP2-2GE SAL08154S4S
2 8 unknown FRU type (major = 0x6003, mino WS-XSVC-K+BB-2 SAD081203ZV
3 16 16 port GE RJ45 WS-X6316-GE-TX SAD08140999
4 8 8 port 1000mb GBIC Enhanced QoS WS-X6408A-GBIC SAL081555Q1
Mod MAC addresses Hw Fw Sw Status
1 000f.8f9d.3510 to 000f.8f9d.3511 5.0 6.1(3) 7.2(0.90) Ok
2 000f.8f5b.bd62 to 000f.8f5b.bd69 2.0 Unknown Unknown PwrDown
3 0003.feae.f137 1.3 5.4(2) 7.2(0.90) Ok
4 000f.f716.8dd0 to 000f.f716.8dd7 3.1 5.4(2) 7.2(0.90) Ok
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 14-Oct-02 13:00 by hqluong
00:00:54: %SNMP-5-COLDSTART: SNMP agent on host core02 is undergoing a cold start
00:00:56: %C6KPWR-SP-4-UNSUPPORTED: unsupported module in slot 2, power not allowed: Unknown Card Type.
00:00:56: %C6KPWR-SP-4-ENABLED: power to module in slot 3 set on
00:00:57: %C6KPWR-SP-4-ENABLED: power to module in slot 4 set on
00:00:56: %C6KPWR-SP-4-UNSUPPORTED: unsupported module in slot 2, power not allowed: Unknown Card Type.
00:00:56: %C6KPWR-SP-4-ENABLED: power to module in slot 3 set on
00:00:57: %C6KPWR-SP-4-ENABLED: power to module in slot 4 set on
00:01:10: %DIAG-SP-6-RUN_MINIMUM: Module 1: Running Minimum Online Diagnostics..
00:01:14: %DIAG-SP-6-DIAG_OK: Module 1: Passed Online Diagnostics
00:01:14: %OIR-SP-6-INSCARD: Card inserted in slot 1, interfaces are now online
00:01:25: %DIAG-SP-6-RUN_MINIMUM: Module 3: Running Minimum Online Diagnostics..
00:01:28: %DIAG-SP-6-DIAG_OK: Module 3: Passed Online Diagnostics
00:01:28: %OIR-SP-6-INSCARD: Card inserted in slot 3, interfaces are now online
00:01:56: %DIAG-SP-6-RUN_MINIMUM: Module 4: Running Minimum Online Diagnostics..
00:01:57: %DIAG-SP-6-DIAG_OK: Module 4: Passed Online Diagnostics
00:01:57: %OIR-SP-6-INSCARD: Card inserted in slot 4, interfaces are now online
Mod Sub-Module Model Serial -
Migrating from FWSM to ASA Service Module (ASASM)
I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.
With that in mind, can anyone confirm whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.
In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
Thanks in advance.
So long as the chassis has enough power to power these modules you are good.
Up to 4 FWSMs can be installed in a chassis.
Up to 4 ASA-SM modules can be installed in a chassis.
FWSM:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html
• Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis
ASA-SM
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
Q. How many ASA Services Modules can I place in a Cisco Catalyst 6500 Series chassis?
A. Up to four independent ASA Services Modules can simultaneously run in a Cisco Catalyst 6500-E Series chassis.
-Kureli
Checkout my breakout session at Cisco Live 2013, Orlando, Florida.
BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA
Room 314A Tuesday, June 25 3:00 PM - 4:30 PM -
FWSM and CSM (Load Balance) in the same chassis
Folks,
Is there any type of best practice (you ** must ** do it like this) when you are going to implement the FWSM and the CSM modules on the same 6509 chassis?
PS: The CSM is not doing FW loadbalance, it is doing loadbalance to servers located in a DMZ
PATH:
(outside) FWSM (inside) -> MSFC -> (inside) PIX (dmz) -> CSM , CSM -> (dmz) PIX (inside) -> MSFC -> (inside) FWSM
My main doubts:
1) FWSM using multi-context, Is there any integration problem with CSM ?
2) FWSM and CSS in routed mode, Is there any integration problem with both modules ?
3) Is it really necessary to operate the FWSM module in bus mode when using the CSM in the same chassis (fabric switching-mode force bus)?
Cisco Says:
"The CSM line card operates in bus mode. When using the CSM in conjunction with the FWSM line card,
Cisco recommends forcing the FWSM to operate in bus mode using the
fabric switching-mode force bus command. When service modules such as the CSM and the FWSM
operate in bus mode, traffic from DFC-enabled line cards still use the fabric connection."
In the past it was a workaround due to a bug, but I have found this recommendation and now I am a little confused.
Tks !!!
Luis-
You will want to use routed mode on the CSM so that the firewall contexts don't see each other's MAC addresses for any traffic not destined to a VIP. On the CSM VLANs, you will want to create alias IPs to use as the next hop destination between contexts for non-VIP traffic. Other than that, the CSM has no concept of contexts, so as long as the traffic is symmetric when it flows through the CSM VLANs, it will be happy.
Regards,
Chris