Wednesday, November 5, 2008

Vlan configuration mismatch on FWSM and pseudo-Standby state

There are some conditions that can cause an FWSM failover pair to go into the pseudo-Standby state. This happens when there is a VLAN mismatch between the two FWSMs in failover mode.

On the pseudo-standby blade, when you try to activate the standby unit with the command:

failover

you get:

Detected an Active mate
Vlan configuration mismatch
Failover will be disabled

After checking the configuration in the system context and verifying the firewall vlan-group on both supervisors, all the configurations are exactly the same.

The problem can only be seen if you type "show vlan" in the system context. This command shows you exactly which VLAN interfaces are used by the FWSM. You will find any inconsistency by comparing the output of "show vlan" in both system contexts.

To fix the problem, remove the VLAN from the supervisor and add it again.
For example, if the inconsistency is with VLAN 10, do the following on both modules:

no firewall vlan-group 1 10
firewall vlan-group 1 10
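To take the guesswork out of comparing the two "show vlan" outputs, here is a small added script (not from the original post) that parses both outputs, reports the VLANs present on only one unit, and prints the remove/re-add commands for them. The sample outputs are constructed, the parser assumes the output lists VLAN ids and ranges (e.g. "30-32") separated by commas, and the vlan-group number (1, as above) is assumed to be the group that actually carries those VLANs.

```python
import re
from typing import Iterable, List, Set

# Constructed sample "show vlan" output from the system context of each FWSM.
# Format is an assumption: VLAN ids and ranges separated by commas/whitespace.
PRIMARY_SHOW_VLAN = "10, 20, 30-32, 100"
SECONDARY_SHOW_VLAN = "20, 30-32, 100, 200"


def parse_show_vlan(output: str) -> Set[int]:
    """Return the set of VLAN ids named in a 'show vlan' output.

    Accepts single ids (10) and ranges (30-32); any other tokens are ignored.
    """
    vlans: Set[int] = set()
    for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", output):
        start = int(lo)
        end = int(hi) if hi else start
        vlans.update(range(start, end + 1))
    return vlans


def vlan_mismatch(primary: str, secondary: str) -> Set[int]:
    """VLANs present on exactly one of the two units, i.e. the ones that
    trigger the 'Vlan configuration mismatch' failover error."""
    return parse_show_vlan(primary) ^ parse_show_vlan(secondary)


def remediation_commands(vlans: Iterable[int], group: int) -> List[str]:
    """Supervisor commands that remove and re-add each mismatched VLAN in the
    given firewall vlan-group; apply them on both supervisors."""
    cmds: List[str] = []
    for vlan in sorted(vlans):
        cmds.append(f"no firewall vlan-group {group} {vlan}")
        cmds.append(f"firewall vlan-group {group} {vlan}")
    return cmds


if __name__ == "__main__":
    bad = vlan_mismatch(PRIMARY_SHOW_VLAN, SECONDARY_SHOW_VLAN)
    print("mismatched VLANs:", sorted(bad))
    print("\n".join(remediation_commands(bad, group=1)))
```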

After this, compare the "show vlan" output again and verify that the inconsistency is gone.
Now, type the following command on the pseudo-standby unit:

failover

You will see it syncing the configuration.
The status shown by "show failover" will change in this sequence (this was observed on the primary unit):

This host: Primary - Cold Standby
..
This host: Primary - Sync Config
..
End configuration replication from mate.
..
This host: Primary - Bulk Sync
..
This host: Primary - Standby Ready

Good luck! :)

Saturday, November 1, 2008

ASA Virtualization context configuration

Whether you can use virtual (security) contexts depends on your ASA license.
In order to use them, you first have to change the mode of the firewall:

firewall(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm] yes

After the reboot, just create your admin context:

firewall(config)#
firewall(config)# admin-context admin
Creating context 'admin'... Done. (13)

Allocating interfaces:
firewall(config)# context admin
firewall(config-ctx)# allocate-interface GigabitEthernet0/0.101
firewall(config-ctx)# allocate-interface GigabitEthernet0/1.102
firewall(config-ctx)# allocate-interface Management0/0
firewall(config-ctx)# config-url disk0:/admin.cfg

On the FWSM you allocate Layer 3 VLAN interfaces instead:
fwsm(config)# context Internet
fwsm(config-ctx)# allocate-interface Vlan1000
fwsm(config-ctx)# allocate-interface Vlan1001
fwsm(config-ctx)# config-url disk0:/internet.cfg