Cisco Firewall :: FWSM For 6506 / 6509 Is Supported In VSS Environment?

May 29, 2012

Does the FWSM for a 6506/6509 is supported in a VSS environment?Also, does the FWSM work with the 2T supervisor module? 

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: FWSM (in 6509) Is Not Coming Up?

Oct 29, 2012

our FWSM (in 6509) is not coming up, when tried to sesssion up using "Session slot 1 proc 1" command,It is giving error , "Tyring 127.0.0.11 .....connection timed out remote host not responding".
 
In "show mod" command output at Switch in IOS console:  under Card Type Section:  it is showing Model & Serial Number correctly,  Under MAC address sectino: displaying some MAC address But in Online Diag Status, it showing "Unknown" for Module 1.
 
We tried re-seating in other slots, but of no use. Giving same error. Some of other forms are saying it is the issue with 128 Mb CF image problem, FWSM is no more reachable from 6509 IOS console. We even tried using FWSM console (using PC-Conse & LCP Console) but FWSM is not contactable. 

View 1 Replies View Related

Cisco Firewall :: 6509 - FWSM Log Messages

Jul 16, 2011

I think I got a strange behavior on a context of my WS-SVC-FWM-1 (on a Catalyst 6509 running IOS 12.2(18)SXF17a) that is running FWSM Firewall Version 4.1(3). This context sends these log messages every ten minutes:
 
Jul 17 2011 23:31:16: %FWSM-6-302010: 0 in use, 0 most used
Jul 17 2011 23:31:17: %FWSM-6-302010: 2245 in use, 107133 most used
[code]...
 
If I issue the "show conn" three seconds later the log message, the output I got is: FWSM#   sh conn 1041 in use, 107133 most used
 
In another context on the same FWSM the log message sent every ten minutes is just this one:
 
Jul 17 2011 23:31:17: %FWSM-6-302010: 1358 in use, 72503 most used
Jul 17 2011 23:41:22: %FWSM-6-302010: 1590 in use, 72503 most used
 
In this case there is no the log message where the "in use" field and "most used" field are 0 (zero). why does the context send the message with the "in use" field and "most used" field 0 (zero).

View 1 Replies View Related

Cisco Firewall :: 6509 / 2811 - NAT At FWSM

May 17, 2011

I have attached a drawing of our network.  We have two 6509's connected to two Cisco 2811 (onsite) that the ISP owns. I am trying to get one side up and running before I worry about redundancy and so forth.  For this reason I have set all the HSRP priorities to 110 on the left 6509.  I have HSRP running between the ISP routers and V LAN 101 of the 6509's.  This works as I can ping yahoo and Google just fine from the 6509 switch.  I can't get from my laptop connected to V LAN 23 to the internet. 

It doesn't even attempt to NAT as there are no translations.  I have public address assigned by my ISP configured between the ISP routers and my 6509 on V LAN 101.  I then have the public address assigned to V LAN 100.  I configured V LAN 100 on the switch and V LAN 100 on the FWSM with the IP address in the drawing.  I have my NAT statements and route in my FWSM according to the drawing as well.  On the switch, I have a default route to X.X.12.19 which is the VIP between the ISP routers.  I can reach anything on the inside of my network, including the old network addresses from V LAN 23.  
 
1. Is it best to do NAT at the FWSM or should I do it on the MSFC connected to the ISP routers?  
2. If I have to configure NAT at the FWSM, does this requires me to extend the public network down to the FWSM? 
3. I'll take any examples you may have as I am stuck.

View 2 Replies View Related

Cisco Firewall :: 6509 / High Connections On FWSM?

Oct 19, 2011

I am having issues trying to track down what is causing a high number of connection on our FWSM in our core 6509 switch. I recently upgraded my FWSM to 3.1(20) and I'm looking for a tool to be able to find the culprit. When I receive these messages I try to get onto the firewall in time to be able to get information regarding this issue but by the time I do the device recovers. Is there a way to tweat the threshold of the SNMP trap for high connections? Is there any way I can retreive this information via SNMP? Is there are command that will allow me to extract the local IP making the most connections?

View 1 Replies View Related

Cisco Firewall :: 6509 - FWSM With Packets Dropped

Jun 9, 2013

I happen to noticed the FWSM was dropping packets at about 387 packets every 5 minutes. My outside FWSM is WAN facing and has a 1gig link (35% utilized) my inside facing has about 100 downstream switches to the closets. I do not see my 6509's back plane is being over utilized and my understanding of the FWSM show be go for 5 gig so it isn't oversubscribe. Why i am seeing packets dropped?

[Code] ......

View 2 Replies View Related

Cisco Firewall :: 6509 FWSM Configuration With Shared Interface

Jul 2, 2011

I have attached a pdf of an example of a FWSM configuration with shared interfaces. Now what I dont get is (please refer to the link) url...Is there any difference between the natting that they have done on page B-4 on Context A.as opposed to configuring a static NAT for processing traffic to correct context nat(inside,outside) 209.165.201.0 10.1.2.0.The other question is on page B-2 (diagram) Context A has a customer A network linked to the inside interface. Is it possible to put a default route towards that "Network 2" cloud and restrict traffic from the 6509 switch towards the context A?

View 5 Replies View Related

Cisco Firewall :: 6509-E / Traffic Coming From GRE Interface And Going Further Through FWSM?

Oct 4, 2011

I have problem with traffic coming from GRE interface and going further through FWSM on the same 6509-E chassis.It's very interesting and confusing. If packets are fragmented, I can go through, however, if I use normal packets (usual ping for example) traffic goes from outside to inside and stops on it's way back.
 
Here is the detailed info:
WS-C6509-E with WS-SUP720-3B
FWSM HW 4.0,  SW 4.1(4) 
 
GRE is done in hardware (source is loopback interface - only one loopback per GRE tunnel).

View 5 Replies View Related

Cisco Firewall :: 6509 / Configure VPN In FWSM (4.0.4) Multiple Context?

Jan 8, 2012

i have 6509+FWSM(4.0.4)  now i wanna use stite to stite  and ez vpn in the fwsm (multiple context) multiple context mode in fwsm support ipsec vpn?

View 2 Replies View Related

Cisco Firewall :: 6509 - Management Access To FWSM Using CA Ssl Certificate

Mar 6, 2011

I need to enable Management access to FWSM using CA ssl certificate.
 
FWSM Version 3.2(5) in Cisco 6509 switch.
 
Got to know how to generate, import and export certificate but my query is how to get it applied to the management ip do i need to apply in the management interface.

View 1 Replies View Related

Cisco Firewall :: 6509 - FWSM To ASASM Object Conversion

Nov 4, 2012

We are in the process of migrating to the ASA service modules on both our 6509E switches from our current FWSM. We have used the Cisco conversion tool and applied that to the service module. When viewing the context in ASDM we are unable to view the object names in the right hand pane.
 
On the FWSM I would see the following under Network Objects:
 
Network Objects
- JQ-Test
- JQ-Test2
- JQ-Test3
 
Network Object Group
+ JQ Group
      - JQ-Test
      - JQ-Test2
      - JQ-Test3
 
Now I have run the conversion tool and applied that to the ASA's I now get the following results.
 
Network Objects
- 10.1.1.1
- 10.2.2.2
- 10.3.3.3
 
Network Object Group
+ JQ Group
     - 10.1.1.1
     - 10.2.2.2
     - 10.3.3.3
 
I am aware that the naming convention on the ASA's are different to the FWSM as you can no longer use the "name 1.1.1.1 JQ-Test1" format but I was hoping that the conversion tool would do this for me.
 
Is there any way I can get the names of the object back without having to script something that takes the old FWSM format and convert it into an ASA format?

View 1 Replies View Related

Cisco Firewall :: 6509 - Standby FWSM Stuck In Sync After Reload

May 8, 2011

We have a setup of FWSMs configured in single mode in 6509 chassis. Both 6509 are configured in VSS. Recently I have upgraded the firmwre from 4.0(3) to 4.1(3).....before upgradation config sync was not having any problem.
 
After upgradation...If any one of the FWSM reload..while coming up it gets stuck in config sync and no command we can run on any of the unit and get the error as..
Configuration update in progress by another process. Also on stannby fwsm no running-config displays.
 
If we used # failover suspend-config on primary and then reloads the standby fwsm...standby boots up with startup config and when  # no failover suspend-config command runs on active fwsm..the sync started and completing succssfully within 15 sec..
 
Also failover works well..with #no failover active..

View 3 Replies View Related

Cisco Firewall :: 6509 -Creating FWSM Intra-Chassis Redundancy

Oct 27, 2011

Currently we have two inter-chassis FWSM redundancy. I would like to configure them for intra-chassis.
 
Both FWSM's are in slot 7 of 6509 switches and i want to take secondary out from one of the 6509 switch and insert in the slot 3 of primary switch.
 
I addedd the following commands in my primary switch.
 
There were commands already present for FWSM in primary switch
 
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 1
firewall vlan-group 1  2,3,777
 
to create intra-chassis redundancy i addedd the following command also there.
 
firewall module 3 vlan-group 1
 
after adding that, my firewalls worked fine but there was a issue with site loading. People from outside were able to access inside but from inside, we were not able to go outside.
 
do we need to clear arp from both FWSM's ? is there any other precautionary step, which we need to follow while working on it.

View 1 Replies View Related

Cisco Firewall :: 6509 - Replacing Faulty FWSM Module In Cluster

Apr 15, 2013

We have a faulty FWSM module in Cisco 6509 switch in Active/Standby cluster mode
 
We have purchased a refurbished FWSM module to replace it. It has the same FWSM OS 4.0 (4) and is in factory default configuration
 
What procedures should I follow to make this unit live and sync the config between the current active unit to this one.

View 1 Replies View Related

Cisco Firewall :: 6509 / Interface VLAN Stop Responding On FWSM Automatically

Aug 8, 2012

i  have been facing strange issue on FWSM (6509 switch). we have created a  vlan inteface for  server farm on fwsm and its stop responding  automatically and we need to give shut/ no shut command under that  interface to back into normal .

View 11 Replies View Related

Cisco Firewall :: 6509 / FWSM VLAN Configuration Mismatch And Some VLAN Deleted

Aug 12, 2012

We  have 6509 VSS with FWSM Module and we have created two context on it, one is INTERNALL CONTEXT othe is EXTERNALL Context? We have spanned various VLANS in switches and FWSM context level.  All VLAN Gateways are configured in context level.
 
Activity description : We had planned migration of these devices into a new Datacenter, it was a planned activity. During  migration of devices from one Dc to a new DC  we broke the VSS and kept the primary running and removed the secondary switch and migrated this secondary to new DC  and powered this device ON in the new DC and checked all the config was very much fine but this device was OFF network as secondary was brought to new DC just to limit the downtime during the primary switch movement.
 
During the activity ( Primary switch movement )We powered off the Primary switch  and mean time before shifting into new Data center  We had brought up secondary switch which was already existing in the DC was put live in the network and it was working fine without any issues.
 
Later  we had moved  Primary into new data center and tried to put into VSS with the secondary , during this period the secondary device into went into RECOVERY MODE  and  primary device was not responding and devices  went off network and immediatly we  removed the VSL link and brought up  primary into production network without secondary online in the network ( Without VSS just stand alone switch ) network started working, but bringing up the primary we found that some of the VLANS in the FWSM was deleted and some VLAN had misconfiguration ( example : say original  VLAN  ip 10.200.112.1 has become  10.300.13.1 ) also some of the access list as well as SVI was deleted making configuration mismatch.
 
Wanted to know while syncronization b/n primary and secondary switch in VSS if we pull out VSL link would create this type of issues.

View 1 Replies View Related

Cisco Switching/Routing :: Upgrade 6509-Chassis In VSS-Environment?

May 1, 2013

we have some pairs of 6509-VSS, which partially have old (no more officially supported) 6509-Chassis.All linecards in the VSS are the same (Sup 720-10GE-3C, 67XX).
 
We now bought some new 6509-E-Chassis and want to change the old chassis by the new ones in a ISSU manner, that means:
 
1. putting the partner, which chassis changes, in redundancy mode, switch it off, exchange chassis (old "Catalyst 6509", new "Catalyst 6509-E")

2. inserting the line-cards exactly in the same slots and connecting all cables

3. switch on the new chassis, witing to come up in VSS
 
I'm not sure of having to set the switch number for VSS (is that in the Sup?; configuration? or part of the chassis-memory?)
 
I've looked up cisco for some hints, but don't found anything.

View 5 Replies View Related

Cisco Switching/Routing :: 6506 / 6509 - Compatibility Matrix

Mar 28, 2012

Will a WS-X6748-GE-TX work with a Sup 32 in a 6506/6509?

View 2 Replies View Related

Cisco WAN :: Slow Performance With FWSM In Different DMZ 6509

Aug 8, 2012

i am feeling an issue related to 2 x 6509 with fwsm.
 
Mod Ports Card Type                              Model              --- ----- -------------------------------------- ------------------ -----------  1    6  Firewall Module                                                 WS-SVC-FWM-1        2   48  CEF720 48 port 1000mb SFP                            WS-X6748-SFP        3   48  CEF720 48 port 10/100/1000mb Ethernet            WS-X6748-GE-TX      4   48  CEF720 48 port 10/100/1000mb Ethernet            WS-X6748-GE-TX     5    5  Supervisor Engine 720 10GE (Active)                   VS-S720-10G     
 
Hw    Fw           Sw           Status ------------ ------------ ------- 4.3   7.2(1)       4.1(2)       Ok 1.12  12.2(14r)S5  12.2(33)SXH3 Ok 3.0   12.2(18r)S1  12.2(33)SXH3 Ok 3.0   12.2(18r)S1  12.2(33)SXH3 Ok 2.1   8.5(2)       12.2(33)SXH3 Ok
 
on fwsm we have different dmz for different application. mostly of Oracle (1521 port) to application means seperate one. problem is oracle people reported the slow performace when exporting dump from once vlan to another. before that they are using 3com technology (network) and on this its ok. time difference is double from old to new.
 
i had sniffed the traffic also and found alot of TCP OUT OF ORDERS errors. i read that this is the bug which is resolved in 4.0.

View 10 Replies View Related

Cisco Switching/Routing :: 6509 - Unable To Ping IP In FWSM

Nov 17, 2012

I have a vlan defined in FWSM for server farm there is a one server with two IP addresses and teaming has done on it how ever from FWSM i am able to ping both IP addresses but from core 6509 switch i am only able to ping one ip address. from FWSM show ARP command displays the same virtual mac addresses against both IPS of the same server.

View 2 Replies View Related

Cisco Switching/Routing :: 6509 Supervisor Upgrade With FWSM?

Oct 8, 2012

We are planning to upgrade the IOS on our two 6509E supervisors in the next few weeks. We currently run IOS 12.2(33) SXI1 and are upgrading to 12.2(33) SXJ3. At the moment the two supervisors are in SSO mode and after reading many articles it says that when the images are different on the two supervisors they are in RPR mode. When you then reload the active supervisor it will reboot all the line cards.
 
1. Is above correct? Will my line card reload?

2. We also have a FWSM installed, When/If the line cards are rebooted does the FWSM also reboot?

View 1 Replies View Related

Cisco Switching/Routing :: 6509 FWSM VLANs Do Not Show Up

Feb 7, 2012

Configuring FWSM in a 6509.  When I set "firewall vlan-group 40  40-42,251", it results in: "No more than one svi is allowed. Command rejected.". 
 
I had "firewall multiple-vlan-interfaces" set for a previous use of this module, but took that off with the "no" command.  Suspect that is the issue, but do not see how to resolve.  Seems similar to bug CSCsr48563, but I am at the fixed code for that bug.

View 1 Replies View Related

Cisco WAN :: 6509 Says Not Supported Due To Hardware

Feb 6, 2011

I have a 6509 and a 6506- same IOS version and flavor, same hardware, etc.  One supports rate limiting on the VLAN interfaces, the 6509 says "not supported due to hardware".  What is the difference here?  Im very confused on this since I was under the impression the chassis were the same- just in size.

View 1 Replies View Related

Cisco WAN :: 6509 Fwsm Multiple Subnets Routed On One Port From 3750

Dec 20, 2010

We have a 6509 that was connected to 2 other locations(location A and B) and our local lan (location MAIN).  We wanted to move the location A and B to a 3750 switch and only allow the traffic that needed to access our location MAIN to come through the firewall.  The only problem I ran into is that before location A and B were on different interfaces so in the 6509 firewall the routes for traffic to our MAIN location was done by static routes.
 
I.E.
static (MAIN_intf,A_intf) 192.1.1.72 10.94.10.72 netmask 255.255.255.255 0 0
static (MAIN_intf,B_intf) 192.2.2.72 10.94.10.72 netmask 255.255.255.255 0 0

[Code]....

because it has a static overlap, which makes sense to me, but my question is how do I configure the network to get this to work?  Do I have to reconfigure my network and access-list?  Do I need to add more ports between the 6509 and 3750?  I'm not sure if this is the best way to do what we want. If something is not clear I'll try my best to explain the setup, but I just took over for our I.T. guy when he left.
 
I put 10.10.10.72 instead I should have put 10.94.10.72. the routed port is on a different subnet than the computer I'm trying to access.

View 4 Replies View Related

Cisco Switching/Routing :: 6509 - VSS Active Chassis Both FWSM And VSS Failover

Sep 25, 2012

Any have experience on triggered failover on VSS deployment with 1 VS-720-10G-3C in each chassis? I tried using "redundancy force-switchover" but after that the 20G VSL is flapping up & down and cannot be up normally, we got 1 FWSM in each chassis, any configuration need to fit in this kind deployment? BTW, if I shutdown the power source of VSS active chassis, both FWSM & VSS can failover normally.

View 3 Replies View Related

Cisco Switching/Routing :: SFP+ Supported On 6509-E?

Nov 16, 2011

We are trying to migrate from 1g to 10G, couldn't find any module on 6509-E which supports 10G on SFP+ ...I can see X2 and Xenpacks .. but not SFP + .what exactly this Xenpack means ?

View 3 Replies View Related

Cisco Switching/Routing :: 6509 (HA) And FWSM (active / Standby) System Upgrade?

Sep 30, 2012

I have 2 6509 chasis with one SUP720-3B in each and current IOS is s72033-ipservicesk9_wan-mz.122-18.SXF4 and 2 FWSM with version is 3.3.1 I need to upgrade FWSM system software to 4.1, after checking FWSM 4.1 release notes, I thought of upgrading IOS to latest version  to 12.2(33)SXJ.I got new 2 CF of 512MB and downloaded the new IOS on them and need to upgrade 6509 IOS first to meet the requirement for FWSM upgrade.

View 1 Replies View Related

Cisco WAN :: 6509 Match Vlan Is Not Supported For Interface

Mar 13, 2013

I have a 10Mbps connection link which I will like to reduce to 5Mbps on a 6509 switch as indicated in the config below. [code] After applying the service policy on the vlan interface, i got this "match vlan is not supported for this interface". I actually tried the rate limit command but I cant see the effect using the speedtest.

View 2 Replies View Related

Cisco Switching/Routing :: Is WS-SUP720-BASE Supported In 6509-E Chassis

Nov 29, 2010

I have a heck of a time finding this kind of information on the cisco site...Is the WS-SUP720-BASE line card a fully supported module in the 6509-E chassis?

View 4 Replies View Related

Cisco Switching/Routing :: 6509-E Supported Switch Modules With Latest Stable IOS 12.(33)

Oct 14, 2012

I recently ran an upgrade on my 6509-E's and when the first switch came back up, 3 of the 10/100 switches that were in the chassis did not power on. After further investigation, these models are not supported by this latest IOS version. The module # is : WS-X6248-RJ-45
 
We have one WS-X6348-RJ-45 and since it was a few weeks ago I did this I can't remember for sure but I believe this one came up.
 
Where can I found the information regarding this being unsupported but I know it is out there and any page that showed me that this was unsupported with the latest stable IOS of 12.(33).
 
In addition to this question, I have approval to purchase some newer gigabit switches that will be supported by this new IOS version and hopefully at least the next few over the next few years. Which specific gig models are currently and hopefully should be supported for the next few years? I don't need PoE or anything spectacular, just regular switches that are attached to either servers or virtual hosts. I've been looking at the lists of what is out there and it seems like there are hundreds of different models and it is becoming difficult to determine what is what.

View 1 Replies View Related

Cisco Switching/Routing :: Sup32 Upgrade On 6509 - Priority Command Not Supported In Output Direction For This Interface

Nov 15, 2012

I have 1x Cisco 6509 with Sup2 and MSFC2 and it is running on IOS (c6k222-jk9sv-mz.122-17d.SXB11). I have following policy map :
 
Policy Map VOIP
Class IP PHONE
priority percent 75
 
and the following command on each interface: service-policy output VOIP those configuration are working fine on SUP2 with MSFC2 but last week I tried to upgrade the SUP2 to SUP32 on the switch and upgrade the IOS to the latest version (s3223-adventerprisek9-mz.122-33.SXJ4) but when I try to put service-policy output VOIP on each physical interface I am getting the following error: 
 
"Priority command is not supported in output direction for this interface" and when I try to add service-policy output VOIP on a V LAN interface I am getting following error:
 
MQC features are not supported in output direction for this interface. Will I need to change something after upgrading to SUP32..

View 3 Replies View Related

Cisco Firewall :: To Replace Sonicwall NSA240 In SME Environment?

Oct 17, 2011

I am looking for a Cisco firewall to replace a Sonicwall NSA240 firewall in SME environment?

View 3 Replies View Related

Cisco Firewall :: 6500 - FWSM - Not Passing Traffic Through Firewall

May 3, 2011

We have 2 FWSM modules in each 6500 switches. 1st module is having 04 firewall vlan groups with 18 vlan interfaces in a single context firewall. All are working fine with no issues. Recently we create one more vlan on MFSC and add into the same firewall module. However newly created vlan inside the FW is not able to communicate with outside and also outside users not able to reach newly created subnet. But within the firewall zones (other interfaces) it can communicate. Once we did packet capture we noticed that its hitting firewall outside interface only and when we ping we got TTL expired error. we have default routes to outside and there's no any route inside as new segment is within the firewall (no any hop).
 
I guess there's no limitation on number of vlans that we can assign on one firewall eventhough there is a limitation for number of vlan-group which is 16 max (but we are within that limit).

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved