Re: FWSM issue from Farrukh Haroon on 2010-03-19 (Ccielab archives 03/2010)

From: Farrukh Haroon <farrukhharoon_at_gmail.com>
Date: Fri, 19 Mar 2010 17:47:45 +0300

Charles this is a known bug, and was fixed in later FWSM versions (only
happens no reboot).

We faced it once too and learned it the same (hard) way :)

Fahad, please see 'show failover history' to know more about the reason for
the last failover (on both devices). It does not always help, but still...

On Fri, Mar 19, 2010 at 5:05 PM, <Charles.Henson_at_regions.com> wrote:

> I have also seen where the VLANs applied to the MSFC via the svclc group
> (or firewall vlan-group) do not get passed up to the FWSM. Say VLAN 11 is
> not active on chassis 2 but the other VLANs are. So the FWSM in chassis1
> and the FWSM in chassis2 have different VLANs. This can cause them to fail
> to sync and both go active. Learned this the hard way....
>
> Charles Henson
>
>
>
>
>
>
> From: Muhammad Anser Khan <manserkhan_at_gmail.com>
>
> To: Fahad Khan <fahad.khan_at_gmail.com>
>
> Cc: "Joseph L. Brunner" <joe_at_affirmedsystems.com>, "
> ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>
> Date: 03/19/2010 06:06 AM
>
> Subject: Re: FWSM issue
>
>
>
>
>
>
> Here are some troubleshooting steps:
>
> 1- Make sure both FWSM must have same software version, license and in
> the same routed or transparent mode.
>
> 2- Same Vlans should be allowed on both FWSM trunks.
>
> 3- Enable "monitor-interface" on all interfaces.
>
> Did you see any logs when both FWSM became Active/Active?
>
> Regards,
> Anser
>
> On Fri, Mar 19, 2010 at 1:31 PM, Fahad Khan <fahad.khan_at_gmail.com> wrote:
> > version is quite old its 3.1(14)
> >
> > regards
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fahad_at_pk.ibm.com
> > +92-321-2370510
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://www.linkedin.com/in/muhammadfahadkhan
> > http://fahad-internetworker.blogspot.com
> > http://www.visualcv.com/g46ptnd
> >
> >
> > On Fri, Mar 19, 2010 at 3:19 PM, Muhammad Anser Khan
> <manserkhan_at_gmail.com>
> > wrote:
> >>
> >> Can you post the failover configuration and the FWSM software version ?
> >>
> >> Regards,
> >> Anser
> >>
> >> On Fri, Mar 19, 2010 at 12:57 PM, swap m <ccie19804_at_gmail.com> wrote:
> >> > it'll happens if both FWSM dont see each other on enough monitored
> vlans
> >> > as
> >> > per the defined threshold, but both sides have their vlans UP....link
> >> > issues
> >> > on inter-chassis trunk, vlan missing on trunk, congestion etc. are the
> >> > major
> >> > reasons..
> >> >
> >> > secondly, it may happen if there is a configuration issue or
> congestion
> >> > on
> >> > the failover/stateful link...its recommended to use separate
> links/vlans
> >> > for
> >> > FO and stateful replication to avoid congestion.
> >> >
> >> > use firewall autostate messages to optimize failover timing.
> >> >
> >> > search the CCO for split brain situation, you should find few official
> >> > recommendations.
> >> >
> >> > Swap
> >> > #19804
> >> >
> >> > On Fri, Mar 19, 2010 at 11:28 AM, Joseph L. Brunner
> >> > <joe_at_affirmedsystems.com
> >> >> wrote:
> >> >
> >> >> Vlans not exist on trunk ???
> >> >>
> >> >> -----Original Message-----
> >> >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> Of
> >> >> Fahad Khan
> >> >> Sent: Friday, March 19, 2010 3:07 AM
> >> >> To: ccielab_at_groupstudy.com
> >> >> Subject: FWSM issue
> >> >>
> >> >> HI experts
> >> >>
> >> >> I have two 6500 switches having FWSM running Active/Passive. suddenly
> I
> >> >> found the network break down. I found that both the FWSM firewalls
> went
> >> >> into
> >> >> Active mode. I rebooted them, then the problem resolved.
> >> >>
> >> >> can some body identify it, what would be reason for this happening??
> >> >> has
> >> >> any
> >> >> one face it before??
> >> >>
> >> >> regards,
> >> >>
> >> >> Muhammad Fahad Khan
> >> >> JNCIP - M/T # 834
> >> >> IT Specialist
> >> >> Global Technology Services, IBM
> >> >> fahad_at_pk.ibm.com
> >> >> +92-321-2370510
> >> >> +92-301-8247638
> >> >> Skype: fahad-ibm
> >> >> http://www.linkedin.com/in/muhammadfahadkhan
> >> >> http://fahad-internetworker.blogspot.com
> >> >> http://www.visualcv.com/g46ptnd
> >> >>
> >> >>
> >> >> Blogs and organic groups at http://www.ccie.net
> >> >>
> >> >>
> _______________________________________________________________________
> >> >> Subscription information may be found at:
> >> >> http://www.groupstudy.com/list/CCIELab.html
> >> >>
> >> >>
> >> >> Blogs and organic groups at http://www.ccie.net
> >> >>
> >> >>
> _______________________________________________________________________
> >> >> Subscription information may be found at:
> >> >> http://www.groupstudy.com/list/CCIELab.html
> >> >
> >> >
> >> > Blogs and organic groups at http://www.ccie.net
> >> >
> >> >
> _______________________________________________________________________
> >> > Subscription information may be found at:
> >> > http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Fri Mar 19 2010 - 17:47:45 ART

This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:35 ART