Do you have the following in your FWSM config:

    icmp permit any INSIDE

That is, assuming you have the *appropriate* acl on the INSIDE int. The default is deny all!
The same applies wrt *management*: identical to ASAs:

    management-access INSIDE

and specify hosts:

    ssh <a.b.c.c> 255.255.255.255 INSIDE
    ssh <e.f.g.h> 255.255.255.255 INSIDE

HTH
./Randy

--- On Fri, 10/14/11, Jeff Kell <jeff-k...@utc.edu> wrote:

> From: Jeff Kell <jeff-k...@utc.edu>
> Subject: [c-nsp] FWSM failover question...
> To: "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net>
> Date: Friday, October 14, 2011, 4:44 PM
>
> Just finished configuration/installation of a secondary FWSM for
> failover (active/standby), but it is not behaving as expected (I have
> ASAs in similar configurations). There are standby IPs configured on
> the vlans, and they respond to pings from the 6500 itself, but not
> otherwise.
>
> The ARPs show up properly, but on the "show mac address" lists the
> primary MAC on each of the firewall-group vlans, but the secondary MAC
> only appears for the failover vlan.
>
> Is this normal? The ASAs answer on either address, and the MACs
> populate all their vlans. But not the FWSM.
>
> Jeff
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/