[c-nsp] FWSM failover question...

Randy randy_94108 at yahoo.com
Sat Oct 15 21:49:58 EDT 2011


Do you have the following in your FWSM config:
icmp permit any INSIDE

That is, assuming you have the *appropriate* ACL on the INSIDE int.
The default is deny all!

The same applies wrt *management*: identical to ASAs:
 
management-access INSIDE

and specify hosts:
ssh <a.b.c.c> 255.255.255.255 INSIDE
ssh <e.f.g.h> 255.255.255.255 INSIDE

HTH
./Randy
--- On Fri, 10/14/11, Jeff Kell <jeff-kell at utc.edu> wrote:

> From: Jeff Kell <jeff-kell at utc.edu>
> Subject: [c-nsp] FWSM failover question...
> To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Date: Friday, October 14, 2011, 4:44 PM
> Just finished configuration/installation of a secondary FWSM for
> failover (active/standby), but it is not behaving as expected (I have
> ASAs in similar configurations).  There are standby IPs configured on
> the vlans, and they respond to pings from the 6500 itself, but not
> otherwise.
>
> The ARPs show up properly, but on the "show mac address" lists the
> primary MAC on each of the firewall-group vlans, but the secondary MAC
> only appears for the failover vlan.
>
> Is this normal?  The ASAs answer on either address, and the MACs
> populate all their vlans.  But not the FWSM.
> 
> Jeff