
Monitoring Cisco FWSM

Hey all,

I have a couple of FWSMs in multiple context mode, in a redundant active/standby pair. I've added them to Orion and everything's fine. The problem is that FWSMs swap IPs when the active one goes down, and I'm trying to find a good way to tell Orion which one it's looking at. In other words, this is the scenario:

FWSM1(active) has an IP of, say, 1.1.1.1
FWSM2(standby) has an IP of 2.2.2.2

Orion is polling them using these IPs.

But then FWSM1(active) goes down for some reason, so FWSM2 becomes active. When it does, it changes its IP address to 1.1.1.1. This is what it will then look like:

FWSM1(standby) has an IP of 2.2.2.2
FWSM2(active) has an IP of 1.1.1.1 

If those IPs are still pingable then Orion won't have a clue that anything is wrong. Syslog messages and traps are sent when a standby unit changes status, so I'm not necessarily worried about missing the event. However, a more likely scenario is that unit 1 will go down in such a way that it's no longer pingable. At that point, unit 2 grabs the primary IP and drops the standby IP. From Orion's perspective, unit 2 has just gone down. There would be an alert saying that the standby unit had become active, but in the confusion of such an event it might not be noticed right away. NOC_Engineer_002 freaks out, sees that unit 2 is down (when it's really unit 1) and before you know it somebody's reloading that switch, resulting in a complete network outage.

I'm sure there are quite a few SW users with FWSMs in an active/standby pair... Has anybody come up with a way to handle this problem?

Thanks,
Josh 

  • This is one of those things I intend to implement when I have some spare cycles to research, but those spare cycles haven't appeared.

    If you want to do the research, start with OID 1.3.6.1.4.1.9.9.491

    For exploring Cisco MIBs, use this link:
    tools.cisco.com/.../BrowseOID.do

  • Well, the issue isn't the polling of the device, or even telling which one is active. The issue is having Orion know that it's actually looking at FWSM2 when it suddenly has the IP of FWSM1.

    I've pretty much come to the conclusion that it just can't be done. I changed the names in Orion from FWSM1 and 2 to FWSM(active) and (standby). Hopefully that will alleviate some of the confusion in the future. People will just have to remember that if Orion ever says the standby is down and the active is up then it really means the standby is up and the active is down. I'll lay the fault at Cisco's feet for designing it the way they did. I understand the reasoning behind designing redundancy the way they did, but it makes it as confusing as heck to monitor.
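
The address swap described in this thread can be handled outside the poller by tracking which physical unit currently owns which role address. The following is an added example, not code from any poster and not an Orion feature. It assumes the failover syslog message or trap is fed to `on_failover_event`; the class, method and status names are hypothetical, and the poll results are constructed.

```python
from dataclasses import dataclass

ACTIVE_IP, STANDBY_IP = "1.1.1.1", "2.2.2.2"  # role addresses from the post
UNKNOWN = "unknown (check failover state)"


@dataclass
class FailoverPair:
    """Maps reachability of the two role addresses onto the physical units."""
    active_unit: str = "FWSM1"
    standby_unit: str = "FWSM2"
    prev_standby_up: bool = True
    failover_since_poll: bool = False
    ambiguous: bool = False

    def on_failover_event(self) -> None:
        # The units swap roles, and with the roles the addresses being polled.
        self.active_unit, self.standby_unit = self.standby_unit, self.active_unit
        self.failover_since_poll = True
        self.ambiguous = False

    def on_poll(self, reachable: dict) -> dict:
        """Translate per-address reachability into per-unit status."""
        a, s = reachable[ACTIVE_IP], reachable[STANDBY_IP]
        if s:
            self.ambiguous = False
        elif a and self.prev_standby_up and not self.failover_since_poll:
            # Standby address just went dark with no failover event: ping alone
            # cannot tell "standby unit died" from "active unit died and the
            # standby took over its address", so do not blame either unit.
            self.ambiguous = True
        self.prev_standby_up, self.failover_since_poll = s, False
        if self.ambiguous:
            return {self.active_unit: UNKNOWN, self.standby_unit: UNKNOWN}
        return {
            self.active_unit: "up" if a else "down",
            self.standby_unit: "up" if s else "down",
        }


if __name__ == "__main__":
    pair = FailoverPair()
    both_up = {ACTIVE_IP: True, STANDBY_IP: True}
    after_swap = {ACTIVE_IP: True, STANDBY_IP: False}  # constructed poll results
    print(pair.on_poll(both_up))
    pair.on_failover_event()          # unit 1 died, unit 2 took 1.1.1.1
    print(pair.on_poll(after_swap))   # reports FWSM1 down, not FWSM2
```

A static IP-to-name mapping would report FWSM2 as down for the second poll, which is the misreading the original post warns about.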