• Status: Solved
  • Priority: Medium
  • Security: Public

FWSM Failover Issue

I have 2 Cat 6509 with FWSM module.  Failover was configured and status is normal at the beginning.  Decided to test failover.

1. Power off Switch 1, failover works, standby takeover.
2. Power on Switch 1.
3. Power off Switch 2, and on, everything works.
4. Power off Switch 1 again, failover fails.
5. Power of Switch 1 again.

Until now, both are working in active status and cannot detect Mate. Here is "sh failover" output on the primary.


Failover On
Failover unit Primary
Failover LAN Interface: intfailover Vlan 999 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 6 of 250 maximum
Config sync: active
Version: Ours 3.2(2), Mate Unknown
Last Failover at: 04:13:02 UTC Feb 13 2009
        This host: Primary - Active
                Active time: 21528 (sec)
                FWIContext1 Interface outside ( Normal (Waiting)
                FWContext1 Interface inside ( Normal (Waiting)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                FWContext1 Interface outside ( Unknown (Waiting)
                FWContext1 Interface inside ( Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : intfailover Vlan 999 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        AAA tbl         0          0          0          0
        DACL            0          0          0          0

Executed "diagnostic start module 2 test complete" on the switch: Result:

19:15:01: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestPortASICLoopback{ID=1}
19:15:01: SP: komodo_plus_test_loopback [2]: On-Demand test is not allowed
19:15:01: %DIAG-SP-3-TEST_SKIPPED: Module 2: TestPortASICLoopback{ID=1} is skipp
19:15:01: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestPCLoopback{ID=2} ...
19:15:01: SP: komodo_plus_test_loopback [2]: On-Demand test is not allowed
19:15:01: %DIAG-SP-3-TEST_SKIPPED: Module 2: TestPCLoopback{ID=2} is skipped
19:15:01: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestNetflowInlineRewrite{ID=3} ...
19:15:01: %DIAG-SP-3-TEST_SKIPPED: Module 2: TestNetflowInlineRewrite{ID=3} is s
19:15:01: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestFirmwareDiagStatus{ID=6} ...
19:15:01: %DIAG-SP-6-TEST_OK: Module 2: TestFirmwareDiagStatus{ID=6} has completed successfully

Has anyone seen such an issue before?  Thanks in advance for any advice.
1 Solution
Did you wait long enough between powering on switch2 and powering off switch 1 again?  I would power off both switches and then power on switch1 and wait until the FWSM is fully up and running.  Then, power on switch2 and see if it comes up in standby state.  Could be a bug in the code you are running or the sequence in which you powered off/on things.
irmando (Author) commented:
Hi JFrederick29,

I can try as you suggested.  But wouldn't doing a "no failover" and then "failover" start the FWSM trying to detect its mate again?

Well, yeah that should work too.  Try that first and if it doesn't work, try what I first suggested.  You can ping the other FWSM's failover IP, right?
When you turn the primary back on, they should automatically sync up and do a failback. Post a running config.
irmando (Author) commented:
Sorry for not responding earlier. The cause of the earlier issue was not known but somehow this was resolved.  Thanks for the time taken for the suggestion.  As this was tested in the remote office, it was difficult for me to give more details on what was done during the actual test and the sequence it was done.
Please double-check that the firewall vlan-group commands are exactly the same on both 6509s and that all the VLANs are configured on both switches. If the VLAN config is not the same on both sides you'll get this situation; then the secondary will go into pseudo standby active when it fails over, and it will not be able to fail back.
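
The check suggested in the last comment can be scripted. This is an added example, not part of the original thread: it compares the `firewall vlan-group` lines of two saved switch configs and flags VLANs bound to an FWSM that are not defined on that switch. It assumes VLANs appear as `vlan <list>` lines in the saved config; the two sample configs are constructed, reusing failover VLAN 999 from the output above.

```python
import re

def expand(spec):
    """Expand an IOS VLAN list such as '10-12,999' into a set of ints."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):
    """Return (group -> VLANs, slot -> bound groups, VLANs defined on the switch)."""
    groups, modules, defined = {}, {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"firewall vlan-group (\d+)\s+([\d,\- ]+)", line):
            groups.setdefault(int(m[1]), set()).update(expand(m[2]))
        elif m := re.fullmatch(r"firewall module (\d+) vlan-group ([\d,\- ]+)", line):
            modules.setdefault(int(m[1]), set()).update(expand(m[2]))
        elif m := re.fullmatch(r"vlan ([\d,\-]+)", line):
            defined.update(expand(m[1]))
    return groups, modules, defined

def compare(cfg_a, cfg_b):
    """List vlan-group mismatches and FWSM VLANs missing from either switch."""
    (ga, ma, da), (gb, mb, db) = parse(cfg_a), parse(cfg_b)
    findings = []
    for g in sorted(ga.keys() | gb.keys()):
        if diff := ga.get(g, set()) ^ gb.get(g, set()):
            findings.append(("vlan-group", g, sorted(diff)))
    for name, groups, mods, defined in (("A", ga, ma, da), ("B", gb, mb, db)):
        bound = set().union(*mods.values())
        used = set().union(*(groups.get(g, set()) for g in bound))
        if missing := used - defined:
            findings.append(("undefined", name, sorted(missing)))
    return findings

# Constructed sample configs: switch B lacks VLAN 999 in group 1
# and never defines VLAN 11.
SWITCH_A = """vlan 10-11,20,999
firewall vlan-group 1 10,11,999
firewall vlan-group 2 20
firewall module 2 vlan-group 1,2"""
SWITCH_B = """vlan 10,20
vlan 999
firewall vlan-group 1 10,11
firewall vlan-group 2 20
firewall module 2 vlan-group 1,2"""

if __name__ == "__main__":
    for finding in compare(SWITCH_A, SWITCH_B):
        print(finding)
```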