Failover on FWSM Disabled: License Incompatibility
Written by Boris Tulman // February 7, 2011 // Cisco // No comments

If you are configuring failover between two Cisco Firewall Services Modules (FWSMs) and have not been successful, one of the things to check is the activation key on both units, to make sure they carry the same license. Here is an example of failover being automatically disabled simply because the licenses on the two units don't match. I have one of the units configured with 'failover lan unit primary' and the other with 'failover lan unit secondary'. My primary unit has a valid configuration with failover enabled. I am now trying to enable failover on the secondary unit, but it complains that the two units have different licenses and turns failover off.
FWSM(config)# failover
Mate's license (Failover Enabled) is not compatible with my license (Failover Disabled). Failover will be disabled.
Mate's license (20 Contexts) is not compatible with my license (2 Contexts). Failover will be disabled.
Mate's license (20 Contexts) is not compatible with my license (0 Contexts). Failover will be disabled.
A quick check of the activation key indeed shows that the primary unit has the default license with 2 security contexts, while the secondary firewall is licensed for 20 security contexts:
#Primary:
FWSM# sho activation-key
Serial Number: SAD082904ER
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
The Running Activation Key is not set, using default settings:
Licensed features for this platform:
Maximum Interfaces : 256
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
BGP Stub : Disabled
Service Acceleration : Disabled
VPN Peers : Unlimited

#Secondary:
FWSM# sho activation-key
Serial Number: SAD09120151
Running Activation Key: 0x37855a5f 0x2b7f2af2 0xf76c4668 0x2052b9d4
Licensed features for this platform:
Maximum Interfaces : 256
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 20
GTP/GPRS : Disabled
BGP Stub : Disabled
Service Acceleration : Disabled
VPN Peers : Unlimited
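As an added pre-check (example code written for this post, not Cisco's or the author's), the script below parses the 'Licensed features for this platform' section of 'show activation-key' from both units and reports every feature whose value differs, so a context-count mismatch like the one above is caught before 'failover' is ever entered. The two outputs are constructed samples trimmed from the ones shown above.

```python
import re

# Constructed samples modelled on the 'show activation-key' output of the
# two units above, trimmed to the lines the comparison needs.
PRIMARY_OUTPUT = """\
FWSM# sho activation-key
Serial Number: SAD082904ER
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
The Running Activation Key is not set, using default settings:
Licensed features for this platform:
Failover : Active/Active
Security Contexts : 2
VPN Peers : Unlimited
"""

SECONDARY_OUTPUT = """\
FWSM# sho activation-key
Serial Number: SAD09120151
Running Activation Key: 0x37855a5f 0x2b7f2af2 0xf76c4668 0x2052b9d4
Licensed features for this platform:
Failover : Active/Active
Security Contexts : 20
VPN Peers : Unlimited
"""

# One "Feature Name : value" line of the licensed-features table.
FEATURE_LINE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")


def parse_licensed_features(output):
    """Return {feature: value} for the lines after the 'Licensed features' header."""
    features = {}
    in_section = False
    for line in output.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_section = True  # serial number and key lines above are skipped
            continue
        if in_section:
            match = FEATURE_LINE.match(line)
            if match:
                features[match.group("name")] = match.group("value")
    return features


def license_mismatches(primary_output, secondary_output):
    """List (feature, primary_value, secondary_value) for every feature that differs."""
    primary = parse_licensed_features(primary_output)
    secondary = parse_licensed_features(secondary_output)
    return [(name, primary.get(name), secondary.get(name))
            for name in sorted(set(primary) | set(secondary))
            if primary.get(name) != secondary.get(name)]


if __name__ == "__main__":
    for name, p_val, s_val in license_mismatches(PRIMARY_OUTPUT, SECONDARY_OUTPUT):
        print(f"{name}: primary={p_val} secondary={s_val}")  # Security Contexts: primary=2 secondary=20
```

Paste the real output of both units into the two strings (or read it from files) and an empty result means the licenses agree on every listed feature.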
'show failover' of course confirms that failover is turned off and that the units are not in sync:
FWSM(config)# sho failover
Failover Off
Failover unit Primary
Failover LAN Interface: FAIL-OVER Vlan 998 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Cisco also provides a log that tracks the failover state changes, and it names the reason directly:
FWSM# show failover history
======================================================================
From State      To State        Reason
======================================================================
Disabled        Negotiation     Set by the CI config cmd
Negotiation     Disabled        Other unit license is different
======================================================================
The solution is to obtain an activation key from Cisco for one of the two modules so that both are configured with the same number of contexts, either 2 or 20. There doesn't seem to be any other way to fix this. To get an activation key you need to provide the serial number of the FWSM (shown in the 'show activation-key' output above). As a side note, make sure that both firewalls are running the same code and are configured in the same operating mode, either both routed or both transparent. The activation key consists of 4 hexadecimal numbers separated by spaces, such as in our case "0x37855a5f 0x2b7f2af2 0xf76c4668 0x2052b9d4". To configure it, just enter it with the 'activation-key' keyword:
FWSM(config)# activation-key 0x37855a5f 0x2b7f2af2 0xf76c4668 0x2052b9d4