FWSM Failover Issue

Medium Priority
Last Modified: 2012-05-06
I have 2 Cat 6509 with FWSM module.  Failover was configured and status was normal at the beginning.  I decided to test failover.

1. Power off Switch 1, failover works, standby takeover.
2. Power on Switch 1.
3. Power off Switch 2, and on, everything works.
4. Power off Switch 1 again, failover fails.
5. Power of Switch 1 again.

Until now, both are working in active status and cannot detect Mate. Here is "sh failover" output on the primary.


Failover On
Failover unit Primary
Failover LAN Interface: intfailover Vlan 999 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 6 of 250 maximum
Config sync: active
Version: Ours 3.2(2), Mate Unknown
Last Failover at: 04:13:02 UTC Feb 13 2009
        This host: Primary - Active
                Active time: 21528 (sec)
                FWIContext1 Interface outside ( Normal (Waiting)
                FWContext1 Interface inside ( Normal (Waiting)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                FWContext1 Interface outside ( Unknown (Waiting)
                FWContext1 Interface inside ( Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : intfailover Vlan 999 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        AAA tbl         0          0          0          0
        DACL            0          0          0          0

Executed "diagnostic start module 2 test complete" on the switch: Result:

19:15:01: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestPortASICLoopback{ID=1}
19:15:01: SP: komodo_plus_test_loopback [2]: On-Demand test is not allowed
19:15:01: %DIAG-SP-3-TEST_SKIPPED: Module 2: TestPortASICLoopback{ID=1} is skipp
19:15:01: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestPCLoopback{ID=2} ...
19:15:01: SP: komodo_plus_test_loopback [2]: On-Demand test is not allowed
19:15:01: %DIAG-SP-3-TEST_SKIPPED: Module 2: TestPCLoopback{ID=2} is skipped
19:15:01: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestNetflowInlineRewrite{ID=3} ...
19:15:01: %DIAG-SP-3-TEST_SKIPPED: Module 2: TestNetflowInlineRewrite{ID=3} is s
19:15:01: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestFirmwareDiagStatus{ID=6} ...
19:15:01: %DIAG-SP-6-TEST_OK: Module 2: TestFirmwareDiagStatus{ID=6} has completed successfully

Anyone seen such issue before?  Thanks in advance for any advice.

Top Expert 2009
Did you wait long enough between powering on switch2 and powering off switch 1 again?  I would power off both switches and then power on switch1 and wait until the FWSM is fully up and running.  Then, power on switch2 and see if it comes up in standby state.  Could be a bug in the code you are running or the sequence in which you powered off/on things.

Hi JFrederick29,

I can try as you suggested.  But wouldn't doing a "no failover" and then "failover" start the FWSM trying to detect its mate again?

Top Expert 2009

Well, yeah that should work too.  Try that first and if it doesn't work, try what I first suggested.  You can ping the other FWSM's failover IP, right?

When you turn the primary back on, they should automatically sync up and do a failback. Post a running config.


Sorry for not responding earlier. The cause of the earlier issue was not known but somehow this was resolved.  Thanks for the time taken for the suggestion.  As this was tested in the remote office, it was difficult for me to give more details on what was done during the actual test and the sequence it was done.

Please double-check that the firewall vlan-group commands are exactly the same on both 6509s and that all the VLANs are configured on both switches. If the VLAN config is not the same on both sides you'll get this situation: the secondary will go into pseudo standby active when it fails over, and it will not be able to fail back.
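
The check suggested in the last reply, as an added example that is not code from the thread: compare the `firewall vlan-group` and `firewall module ... vlan-group` lines and the VLAN definitions taken from both 6509s. The two config excerpts are constructed, the function names are hypothetical, and it assumes the VLANs show up as `vlan` lines in the config text (as in VTP transparent mode).

```python
import re

# Constructed sample excerpts (not from the thread): B lacks VLAN 30 in group 1 and never defines VLAN 20.
SWITCH_A = """\
vlan 10,20,30,999
firewall vlan-group 1 10,20,30
firewall vlan-group 2 999
firewall module 2 vlan-group 1,2
"""
SWITCH_B = """\
vlan 10,999
firewall vlan-group 1 10,20
firewall vlan-group 2 999
firewall module 2 vlan-group 1,2
"""

def expand(spec):  # IOS list such as '10,20-22' -> {10, 20, 21, 22}
    out = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(cfg):
    """Return (vlan-group -> VLANs, groups bound to FWSM modules, defined VLANs)."""
    groups, bound, defined = {}, set(), set()
    for line in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"firewall vlan-group (\d+) +([\d,-]+)", line):
            groups.setdefault(int(m[1]), set()).update(expand(m[2]))
        elif m := re.fullmatch(r"firewall module \d+ vlan-group ([\d,-]+)", line):
            bound |= expand(m[1])
        elif m := re.fullmatch(r"vlan ([\d,-]+)", line):
            defined |= expand(m[1])
    return groups, bound, defined

def failover_drift(cfg_a, cfg_b):
    """List mismatches that give the two FWSMs different views of their VLANs."""
    (ga, ba, da), (gb, bb, db) = parse(cfg_a), parse(cfg_b)
    found = []
    for gid in sorted(ga.keys() | gb.keys()):
        if diff := ga.get(gid, set()) ^ gb.get(gid, set()):
            found.append(f"vlan-group {gid}: VLANs not on both switches {sorted(diff)}")
    if ba != bb:
        found.append(f"groups bound to FWSM differ: A {sorted(ba)}, B {sorted(bb)}")
    for name, groups, bound, defined in (("A", ga, ba, da), ("B", gb, bb, db)):
        used = set().union(*(groups.get(g, set()) for g in bound))
        if used - defined:
            found.append(f"switch {name}: FWSM VLANs not defined: {sorted(used - defined)}")
    return found

print("\n".join(failover_drift(SWITCH_A, SWITCH_B)))
```

An empty result means the two switches hand the same VLANs to their FWSMs; the failover VLAN (999 in the sample) is checked like any other.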