Wednesday, November 5, 2008

Vlan configuration mismatch on FWSM and pseudo-Standby state

Some conditions can lead an FWSM failover pair into the pseudo-Standby state. This is caused by a VLAN mismatch between the two FWSMs in failover mode.

On the pseudo-standby blade, when you try to activate the standby unit with the command:
failover

you get:

Detected an Active mate
Vlan configuration mismatch
Failover will be disabled

Checking the configuration in the system context and verifying the firewall vlan-group on both supervisors does not reveal the problem: all the configurations are exactly the same.

The problem can only be seen if you type "show vlan" in the system context. This command shows exactly which VLAN interfaces are used by the FWSM. You will find any inconsistency by comparing the output of "show vlan" in both system contexts.

To fix the problem, remove the VLAN from the supervisor and add it again.
For example, if the inconsistency is with VLAN 10, do the following on both modules:

no firewall vlan-group 1 10
firewall vlan-group 1 10

After this, compare the "show vlan" output again and verify that the inconsistency is gone.
Now type the following command on the pseudo-standby unit:
failover

You will see it syncing the configuration.
In the "show failover" output, the status will change in this sequence (this happened on the primary unit):

This host: Primary - Cold Standby
..
This host: Primary - Sync Config
..
End configuration replication from mate.
..
This host: Primary - Bulk Sync
..
This host: Primary - Standby Ready
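
The "show vlan" comparison used above, before and after the fix, can be done with a small script instead of by eye. This is an added example, not part of the original post: it assumes the saved output lists VLAN IDs and ranges separated by commas, the function names are hypothetical, and the sample output is constructed.

```python
import re

# Lines made up only of digits, commas, hyphens and spaces are treated as VLAN lists.
VLAN_LINE = re.compile(r"^[\d\s,\-]+$")

def parse_vlans(show_vlan_text):
    """Expand saved "show vlan" text into a set of VLAN IDs.

    Assumption: VLANs are listed as IDs and ranges such as "10-12, 30".
    """
    vlans = set()
    for line in show_vlan_text.splitlines():
        line = line.strip()
        if not line or not VLAN_LINE.match(line):
            continue  # prompt, echoed command or other text
        for first, last in re.findall(r"(\d+)(?:\s*-\s*(\d+))?", line):
            lo, hi = int(first), int(last or first)
            if not 1 <= lo <= hi <= 4094:
                raise ValueError(f"bad VLAN entry in line: {line!r}")
            vlans.update(range(lo, hi + 1))
    return vlans

def compare(unit_a_text, unit_b_text):
    """Return (VLANs only on unit A, VLANs only on unit B), each sorted."""
    a, b = parse_vlans(unit_a_text), parse_vlans(unit_b_text)
    return sorted(a - b), sorted(b - a)

def readd_commands(vlans, group):
    """Build the remove/re-add pair from the post for each mismatched VLAN.

    The vlan-group number is supplied by the caller; the post's example uses 1.
    """
    cmds = []
    for vlan in vlans:
        cmds.append(f"no firewall vlan-group {group} {vlan}")
        cmds.append(f"firewall vlan-group {group} {vlan}")
    return cmds

# Constructed sample captures from the system context of each unit.
ACTIVE_UNIT = "FWSM# show vlan\n10-12, 30, 40\n"
PSEUDO_STANDBY = "FWSM# show vlan\n11-12, 30, 40\n"

if __name__ == "__main__":
    only_active, only_standby = compare(ACTIVE_UNIT, PSEUDO_STANDBY)
    print("only on active unit:", only_active)
    print("only on pseudo-standby unit:", only_standby)
    for cmd in readd_commands(only_active + only_standby, group=1):
        print(cmd)
```

An empty result on both sides after the re-add is the check to pass before typing "failover" on the pseudo-standby unit.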

Good luck! :)
