Table Of Contents
Configuring Failover
Understanding Failover
Active/Standby Failover
Active/Active Failover
Stateless (Regular) Failover
Stateful Failover
Configuring Failover with the High Availability and Scalability Wizard
Accessing and Using the High Availability and Scalability Wizard
Configuring Active/Active Failover with the High Availability and Scalability Wizard
Configuring Active/Standby Failover with the High Availability and Scalability Wizard
Field Information for the High Availability and Scalability Wizard
Configuration Type
Failover Peer Connectivity and Compatibility Check
Change Device to Multiple Mode
Security Context Configuration
Failover Link Configuration
State Link Configuration
Standby Address Configuration
Summary
Field Information for the Failover Panes
Failover - Single Mode
Failover: Setup
Failover: Interfaces (Routed Firewall Mode)
Failover: Interfaces (Transparent Firewall Mode)
Failover: Criteria
Failover - Multiple Mode, Security Context
Failover - Routed
Failover - Transparent
Failover - Multiple Mode, System
Failover > Setup Tab
Failover > Criteria Tab
Failover > Active/Active Tab
Configuring Failover
This section contains the following topics:
• Understanding Failover
• Configuring Failover with the High Availability and Scalability Wizard
• Field Information for the Failover Panes
Understanding Failover
The Failover panel contains the settings for configuring failover on the FWSM. However, the Failover panel changes depending upon whether you are in multiple mode or single mode, and when you are in multiple mode, it changes based on the security context you are in.
Failover allows you to configure two FWSMs so that one will take over operation if the other fails. Using a pair of FWSMs, you can provide high availability with no operator intervention. The FWSM communicates failover information over a dedicated failover link. The following information is communicated over the failover link:
• The failover state (active or standby).
• Hello messages (keep-alives).
• Network link status.
• Configuration replication.
Caution 
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the FWSM is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the FWSM to terminate VPN tunnels.
The FWSM supports two types of failover, Active/Standby and Active/Active. Additionally, failover can be stateful or stateless. For more information about the types of failover, see the following topics:
• Active/Standby Failover
• Active/Active Failover
• Stateless (Regular) Failover
• Stateful Failover
Active/Standby Failover
In an Active/Standby configuration, the active FWSM handles all network traffic passing through the failover pair. The standby FWSM does not handle network traffic until a failure occurs on the active FWSM. Whenever the configuration of the active FWSM changes, it sends configuration information over the failover link to the standby FWSM.
When a failover occurs, the standby FWSM becomes the active unit. It assumes the IP and MAC address of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC address, ARP entries do not change or time out anywhere on the network.
Active/Standby failover is available to FWSMs in single mode or multiple mode.
Active/Active Failover
In an Active/Active failover configuration, both FWSMs pass network traffic. Active/Active failover is only available to FWSMs in multiple context mode.
To enable Active/Active failover on the FWSM, you need to create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is simply a logical group of one or more security contexts. You can create two failover groups on the FWSM. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.
As in Active/Standby failover, each unit in an Active/Active failover pair is given a primary or secondary designation. Unlike Active/Standby failover, this designation does not indicate which unit is active when both units start simultaneously. Each failover group in the configuration is given a primary or secondary role preference. This preference determines on which unit in the failover pair the contexts in the failover group appear in the active state when both units start simultaneously. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.
Initial configuration synchronization occurs when one or both units start. This synchronization occurs as follows:
• When both units start simultaneously, the configuration is synchronized from the primary unit to the secondary unit.
• When one unit starts while the other unit is already active, the unit that is starting up receives the configuration from the already active unit.
After both units are running, commands are replicated from one unit to the other as follows:
• Commands entered within a security context are replicated from the unit on which the security context appears in the active state to the peer unit.
Note
A context is considered in the active state on a unit if the failover group to which it belongs is in the active state on that unit.
• Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
• Commands entered in the admin context are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
If you do not enter commands on the appropriate unit for command replication to occur, the configurations of the two units become unsynchronized. Those changes may be lost the next time the initial configuration synchronization occurs.
In an Active/Active failover configuration, failover occurs on a failover group basis, not a system basis. For example, if you designate both failover groups as active on the primary unit, and failover group 1 fails, failover group 2 remains active on the primary unit, while failover group 1 becomes active on the secondary unit.
Note
When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit.
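The failover-group and command-replication rules above, as an added example that is not FWSM or ASDM code: a hypothetical Python model in which the unit names, method names and messages are assumptions, while the rules (admin and unassigned contexts in group 1, per-group failover, and which unit replicates system, admin and context commands) come from this section.

```python
# Hypothetical model of the Active/Active failover-group rules described above
# (added example; not FWSM or ASDM code). Unit names, method names and the
# check_entry() messages are assumptions made for illustration.

PRIMARY, SECONDARY = "primary", "secondary"


def peer_of(unit):
    """Return the other unit of the failover pair."""
    return SECONDARY if unit == PRIMARY else PRIMARY


class ActiveActivePair:
    """Two FWSMs in Active/Active failover with failover groups 1 and 2."""

    def __init__(self, preference=None):
        # Role preference: the unit on which each group is active when both
        # units start simultaneously. Default spreads the groups across units.
        self.preference = dict(preference or {1: PRIMARY, 2: SECONDARY})
        for group, unit in self.preference.items():
            if group not in (1, 2) or unit not in (PRIMARY, SECONDARY):
                raise ValueError("failover groups are 1 and 2 on primary/secondary")
        # Unit on which each group is currently active (both units started together).
        self.active_on = dict(self.preference)
        # Context name -> failover group. The admin context is always in group 1.
        self.contexts = {"admin": 1}

    def assign(self, ctx, group):
        """Assign a security context to failover group 1 or 2."""
        if ctx == "admin" and group != 1:
            raise ValueError("the admin context is always a member of failover group 1")
        if group not in (1, 2):
            raise ValueError("only failover groups 1 and 2 exist")
        self.contexts[ctx] = group

    def group_of(self, ctx):
        """Unassigned contexts are members of failover group 1 by default."""
        return self.contexts.get(ctx, 1)

    def is_active_on(self, ctx, unit):
        """A context is active on a unit if its failover group is active there."""
        return self.active_on[self.group_of(ctx)] == unit

    def fail_group(self, group):
        """Failover happens per failover group: only this group moves to the peer."""
        self.active_on[group] = peer_of(self.active_on[group])

    def fail_unit(self, unit):
        """A whole-unit failure moves every group that was active on it."""
        for group, active_unit in self.active_on.items():
            if active_unit == unit:
                self.active_on[group] = peer_of(unit)

    def replication_source(self, scope):
        """Unit from which commands in `scope` are replicated to the peer.

        scope is "system" or a context name. System and admin-context commands
        replicate from the unit where failover group 1 is active; commands in
        any other context replicate from the unit where that context is active.
        """
        if scope == "system":
            return self.active_on[1]
        return self.active_on[self.group_of(scope)]

    def check_entry(self, scope, entered_on):
        """Return (ok, message): was the command entered on the replicating unit?"""
        source = self.replication_source(scope)
        if entered_on == source:
            return True, f"{scope}: replicated from {source} to {peer_of(source)}"
        return False, (f"{scope}: entered on {entered_on} but {source} replicates; "
                       "configurations are out of sync and the change may be lost "
                       "at the next initial configuration synchronization")


if __name__ == "__main__":
    # Both groups active on the primary unit, then failover group 1 fails.
    pair = ActiveActivePair({1: PRIMARY, 2: PRIMARY})
    pair.assign("ctxB", 2)
    pair.fail_group(1)
    print(pair.active_on)                      # {1: 'secondary', 2: 'primary'}
    print(pair.check_entry("ctxB", SECONDARY)[1])
```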
Stateless (Regular) Failover
Stateless failover is also referred to as regular failover. In stateless failover, all active connections are dropped when a failover occurs. Clients need to reestablish connections when the new active unit takes over.
Stateful Failover
When Stateful Failover is enabled, the active unit in the failover pair continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.
Note
The IP address and MAC address for the state and LAN failover links do not change at failover.
To use Stateful Failover, you must configure a state link to pass all state information to the standby unit. You can use the same interface for the state link as the failover link. However, it is recommended that you use a dedicated interface for passing state information to the standby unit.
The following information is passed to the standby unit when Stateful Failover is enabled:
• NAT translation table.
• TCP connection table (except for HTTP), including the timeout connection.
• HTTP connection states (if HTTP replication is enabled).
• H.323, SIP, and MGCP UDP media connections.
• The system clock.
• The ISAKMP and IPSec SA table.
• The user authentication (uauth) table.
The following information is not copied to the standby unit when Stateful Failover is enabled:
• HTTP connection table (unless HTTP replication is enabled).
• The ARP table.
• Routing tables.
Configuring Failover with the High Availability and Scalability Wizard
The High Availability and Scalability Wizard steps you through the process of creating an Active/Active or an Active/Standby failover configuration.
See the following topics for information about using the High Availability and Scalability Wizard:
• Accessing and Using the High Availability and Scalability Wizard
• Configuring Active/Active Failover with the High Availability and Scalability Wizard
• Configuring Active/Standby Failover with the High Availability and Scalability Wizard
• Field Information for the High Availability and Scalability Wizard
Accessing and Using the High Availability and Scalability Wizard
To open the High Availability and Scalability Wizard, choose Wizards > High Availability and Scalability Wizard from the ASDM menu bar. The first screen of the wizard appears.
To move to the next screen of the wizard, click the Next button. You must complete the mandatory fields of each screen before you can move to the next screen.
To move to a previous screen of the wizard, click the Back button. If information filled in on later screens of the wizard is not affected by the change you make to an earlier screen, that information remains on the screen as you move forward through the wizard again. You do not need to reenter it.
To leave the wizard at any time without saving any changes, click Cancel.
To send your configuration to the FWSM at the end of the wizard, click Finish.
Configuring Active/Active Failover with the High Availability and Scalability Wizard
The following procedure provides a high-level overview for configuring Active/Active failover using the High Availability and Scalability Wizard. Each step in the procedure corresponds with a wizard screen. Click Next after completing each step, except for the last step, before moving to the next step. Each step also contains a reference to additional information that you may need to complete the step.
Step 1
Choose Configure Active/Active failover on the Choose the type of failover configuration screen.
See Configuration Type for more information about this screen.
Step 2
Enter the IP address of the failover peer on the Check Failover Peer Connectivity and Compatibility screen. Click Test Compatibility. You will not be able to move to the next screen until all compatibility tests are passed.
See Failover Peer Connectivity and Compatibility Check for more information about this screen.
Step 3
If the FWSM or the failover peer is in single context mode, change it to multiple context mode on the Change Device to Multiple Mode screen. When you change the FWSM to multiple context mode, it reboots. ASDM automatically reestablishes communication with the FWSM when it has finished rebooting.
See Change Device to Multiple Mode for more information about this screen.
Step 4
Assign security contexts to failover groups on the Context Configuration screen. You can add and delete contexts on this screen.
See Security Context Configuration for more information about this screen.
Step 5
Define the Failover Link on the Failover Link Configuration screen.
See Failover Link Configuration for more information about this screen.
Step 6
Define the Stateful Failover link on the State Link Configuration screen.
See State Link Configuration for more information about this screen.
Step 7
Add standby addresses to the FWSM interfaces on the Standby Address Configuration screen.
See Standby Address Configuration for more information about this screen.
Step 8
Review your configuration on the Summary screen. If necessary, use the Back button to go to a previous screen and make changes.
See Summary for more information about this screen.
Step 9
Click Finish.
The failover configuration is sent to the FWSM and to the failover peer.
Configuring Active/Standby Failover with the High Availability and Scalability Wizard
The following procedure provides a high-level overview for configuring Active/Standby failover using the High Availability and Scalability Wizard. Each step in the procedure corresponds with a wizard screen. Click Next after completing each step, except for the last step, before moving to the next step. Each step also contains a reference to additional information that you may need to complete the step.
Step 1
Choose Configure Active/Standby failover on the Choose the type of failover configuration screen. Click Next.
See Configuration Type for more information about this screen.
Step 2
Enter the IP address of the failover peer on the Check Failover Peer Connectivity and Compatibility screen. Click Test Compatibility. You will not be able to move to the next screen until all compatibility tests are passed.
See Failover Peer Connectivity and Compatibility Check for more information about this screen.
Step 3
Define the Failover Link on the Failover Link Configuration screen.
See Failover Link Configuration for more information about this screen.
Step 4
Define the Stateful Failover link on the State Link Configuration screen.
See State Link Configuration for more information about this screen.
Step 5
Add standby addresses to the FWSM interfaces on the Standby Address Configuration screen.
See Standby Address Configuration for more information about this screen.
Step 6
Review your configuration on the Summary screen. If necessary, use the Back button to go to a previous screen and make changes.
See Summary for more information about this screen.
Step 7
Click Finish.
The failover configuration is sent to the FWSM and to the failover peer.
Field Information for the High Availability and Scalability Wizard
The following dialogs are available in the High Availability and Scalability Wizard. You will not see every dialog box when you run through the wizard; each dialog box appears depending on the type of failover you are configuring.
• Configuration Type
• Failover Peer Connectivity and Compatibility Check
• Change Device to Multiple Mode
• Security Context Configuration
• Failover Link Configuration
• State Link Configuration
• Standby Address Configuration
• Summary
Configuration Type
The Configuration Type screen lets you select the type of failover to configure.
Fields
The Choose the Type of Failover Configuration screen displays the following informational fields. These are useful for determining the failover capabilities of the FWSM.
• Hardware Model—(Display only) Displays the FWSM model number.
• No. of Interfaces—(Display only) Displays the number of interfaces available on the FWSM.
• No. of Modules—(Display only) Displays the number of modules installed on the FWSM.
• Software Version—(Display only) Displays the version of the platform software on the FWSM.
• Failover License—(Display only) Displays the type of failover license installed on the device. You may need to purchase an upgraded license to configure failover.
• Firewall Mode—(Display only) Displays the firewall mode (routed or transparent) and the context mode (single or multiple).
Choose the type of failover configuration you are configuring:
• Configure Active/Active Failover—Configures the FWSM for Active/Active failover.
• Configure Active/Standby Failover—Configures the FWSM for Active/Standby failover.
• Configure VPN Cluster Load Balancing—Configures the FWSM to participate in VPN load balancing as part of a cluster.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Routed: • | Transparent: •
Security Context | Single: • | Multiple (Context): — | Multiple (System): •
Failover Peer Connectivity and Compatibility Check
The Failover Peer Connectivity and Compatibility Check screen lets you verify that the selected failover peer is reachable and compatible with the current unit. If any of the connectivity and compatibility tests fail, you must correct the problem before you can proceed with the wizard.
Fields
• Peer IP Address—Enter the IP address of the peer unit. This address does not have to be the failover link address, but it must be an interface that has ASDM access enabled on it.
• Test Compatibility—Click this button to perform the following connectivity and compatibility tests:
– Connectivity test from this ASDM to the peer unit
– Connectivity test from this firewall device to the peer firewall device
– Hardware compatibility test
– Software version compatibility
– Failover license compatibility
– Firewall mode compatibility
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Routed: • | Transparent: •
Security Context | Single: • | Multiple (Context): — | Multiple (System): •
Change Device to Multiple Mode
The Change Device to Multiple Mode dialog box appears for Active/Active failover configuration only. Active/Active failover requires the FWSM to be in multiple context mode. This dialog box lets you convert a FWSM in single context mode to multiple context mode.
When you convert from single context mode to multiple context mode, the FWSM creates the system configuration and the admin context from the current running configuration. The admin context configuration is stored in the admin.cfg file. The conversion process does not save the previous startup configuration, so if the startup configuration differed from the running configuration, those differences are lost.
Converting the FWSM from single context mode to multiple context mode causes the FWSM to reboot. However, the High Availability and Scalability Wizard restores connectivity with the newly created admin context and reports the status in the Device Status field in this dialog box.
You need to convert both the current FWSM and the peer FWSM to multiple context mode before you can proceed.
Fields
• Change device To Multiple Context—Causes the FWSM to change to multiple context mode. device is the hostname of the FWSM.
• Change device (peer) To Multiple Context—Causes the peer unit to change to multiple context mode. device is the hostname of the FWSM.
• Device Status—(Display only) Displays the status of the FWSM while converting to multiple context mode.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Routed: • | Transparent: •
Security Context | Single: • | Multiple (Context): — | Multiple (System): •
Security Context Configuration
The Security Context Configuration screen appears for Active/Active configuration only. The Security Context Configuration screen lets you assign security contexts to failover groups. It displays the security contexts currently configured on the device and lets you add new ones or remove existing ones as needed. Although you can create security contexts on this screen, you cannot assign interfaces to those contexts or configure any other properties for them. To configure context properties and assign interfaces to a context, you need to use the System > Security Contexts pane.
Fields
• Name—Displays the name of the security context. To change the name, click the name and type a new name.
• Failover Group—Displays the failover group the context is assigned to. To change the failover group for a security context, click the failover group and select the new failover group number from the drop-down list.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Routed: • | Transparent: •
Security Context | Single: • | Multiple (Context): — | Multiple (System): •
Failover Link Configuration
The Failover Link Configuration screen lets you configure the failover interface.
Fields
• LAN Interface—Choose the interface to use for failover communication from the drop-down list.
• Logical Name—Type a name for the interface.
• Active IP—Type the IP address used for the failover link on the unit that has failover group 1 in the active state.
• Standby IP—Type the IP address used for the failover link on the unit that has failover group 1 in the standby state.
• Subnet Mask—Type or select a subnet mask for the Active IP and Standby IP addresses.
• Secret Key—(Optional) Enter the key used to encrypt failover communication. If this field is left blank, failover communication, including any passwords or keys in the configuration sent during command replication, is in clear text.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Routed: • | Transparent: •
Security Context | Single: • | Multiple (Context): — | Multiple (System): •
State Link Configuration
The State Link Configuration lets you enable Stateful Failover and configure the Stateful Failover link properties.
Fields
• Use the LAN link as the State Link—Choose this option to pass state information across the LAN-based failover link.
• Disable Stateful Failover—Choose this option to disable Stateful Failover.
• Configure another interface for Stateful Failover—Choose this option to configure an unused interface as the Stateful Failover interface.
– State Interface—Choose the interface you want to use for Stateful Failover communication from the drop-down list.
– Logical Name—Type the name for the Stateful Failover interface.
– Active IP—Type the IP address for the Stateful Failover link on the unit that has failover group 1 in the active state.
– Standby IP—Type the IP address for the Stateful Failover link on the unit that has failover group 1 in the standby state.
– Subnet Mask—Type or select a subnet mask for the Active IP and Standby IP addresses.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Routed: • | Transparent: •
Security Context | Single: • | Multiple (Context): — | Multiple (System): •
Standby Address Configuration
Use the Standby Address Configuration screen to assign standby addresses to the interface on the FWSM.
Fields
• Device/Interface—(Active/Standby failover) Displays the interfaces configured on the failover units. Click the plus sign (+) by a device name to display the interfaces on that device. Click the minus sign (-) by a device name to hide the interfaces on that device.
• Device/Group/Context/Interface—(Active/Active failover) Displays the interfaces configured on the failover unit. The interfaces are grouped by context and the contexts are grouped by failover group. Click the plus sign (+) by a device, failover group, or context name to expand the list. Click the minus sign (-) by a device, failover group, or context name to collapse the list.
• Active IP—Double-click this field to edit or add an active IP address. Changes to this field also appear in the Standby IP field for the corresponding interface on the peer unit.
• Standby IP—Double-click this field to edit or add a standby IP address. Changes to this field also appear in the Active IP field for the corresponding interface on the peer unit.
• Is Monitored—Check this check box to enable health monitoring for that interface. Uncheck the check box to disable health monitoring. By default, health monitoring of physical interfaces is enabled and health monitoring of virtual interfaces is disabled.
• ASR Group—Select the asynchronous group ID from the drop-down list. This setting is only available for physical interfaces. For virtual interfaces this field displays "None".
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Routed: • | Transparent: •
Security Context | Single: • | Multiple (Context): — | Multiple (System): •
Summary
The Summary screen displays the results of the configuration steps you performed in the previous wizard panels.
Fields
The configuration appears in the center of the screen. Verify your settings and click Finish to send your configuration to the device. If you are configuring failover, the configuration is also sent to the failover peer. If you need to change a setting, click Back until you reach the screen where you need to make the change. Make the change and click Next until you return to the Summary screen.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Routed: • | Transparent: •
Security Context | Single: • | Multiple (Context): — | Multiple (System): •
Field Information for the Failover Panes
What displays on the failover pane depends upon the mode you are in (single or multiple context mode) and whether you are in the system execution space or in a security context.
• Failover - Single Mode
• Failover - Multiple Mode, Security Context
• Failover - Multiple Mode, System
Failover - Single Mode
The Failover panel contains the tabs where you can configure Active/Standby failover in single context mode. For more information about failover, see Configuring Failover. For more information about configuring the settings on each tab of the Failover panel, see the following topics. Note that the Interfaces tab changes based on whether you are in routed firewall mode or transparent firewall mode.
• Failover: Setup
• Failover: Interfaces (Routed Firewall Mode)
• Failover: Interfaces (Transparent Firewall Mode)
• Failover: Criteria
Failover: Setup
Use this tab to enable failover on the FWSM. You also designate the failover link and the state link, if using Stateful Failover, on this tab.
For more information about configuring failover in general, see Configuring Failover.
Fields
• Enable Failover—Selecting this check box enables failover and lets you configure a standby FWSM.
Note
The speed and duplex settings for an interface cannot be changed when Failover is enabled. To change these settings for the failover interface, you must configure them in the Configuration > Interfaces panel before enabling failover.
• Use 32 hexadecimal character key—Select this check box to enter a hexadecimal value for the encryption key in the Shared Key box. Clear this check box to enter an alphanumeric shared secret in the Shared Key box.
• Shared Key—Specifies the failover shared secret or key for encrypted and authenticated communications between failover pairs.
If you selected the Use 32 hexadecimal character key check box, then enter a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9, a-f).
If you cleared the Use 32 hexadecimal character key check box, then enter an alphanumeric shared secret. The shared secret can be from 1 to 63 characters. Valid characters are any combination of numbers, letters, or punctuation. The shared secret is used to generate the encryption key.
• LAN Failover—Contains the fields for configuring LAN-based failover.
– Interface—Specifies the interface used for failover communication. Failover requires a dedicated interface, but you can use the same interface for Stateful Failover. The interface needs enough capacity to handle both the LAN-based failover and Stateful Failover traffic.
Note
We recommend that you use two separate, dedicated interfaces for the Failover interface and the Stateful Failover interface.
Only unconfigured interfaces or subinterfaces are displayed in this list and can be selected as the LAN Failover interface. Once you specify an interface as the LAN Failover interface, you cannot edit that interface in the Configuration > Interfaces panel.
– Active IP—Specifies the IP address for the failover interface on the active unit.
– Subnet Mask—Specifies the mask for the failover interface on the primary and secondary unit.
– Logical Name—Specifies the logical name of the interface used for failover communication.
– Standby IP—Specifies the IP address used by the secondary unit to communicate with the primary unit.
– Preferred Role—Specifies whether the preferred role for this FWSM is as the primary or secondary unit in a LAN failover.
• State Failover—Contains the fields for configuring Stateful Failover.
– Interface—Specifies the interface used for Stateful Failover communication. Failover requires a dedicated interface, but you can use the same interface for Stateful Failover. The interface needs enough capacity to handle both the LAN-based failover and Stateful Failover traffic. If you use the same interface for Stateful Failover that you are using for LAN-based failover, the Active IP, Subnet Mask, Logical Name, and Standby IP values do not need to be specified.
Note
We recommend that you use two separate, dedicated interfaces.
– Active IP—Specifies the IP address for the Stateful Failover interface on the primary unit.
– Subnet Mask—Specifies the mask for the Stateful Failover interfaces on the primary and secondary units.
– Logical Name—Specifies the logical name of the interface used for Stateful Failover communication.
– Standby IP—Specifies the IP address used by the secondary unit to communicate with the primary unit.
– Enable HTTP replication—Selecting this check box enables Stateful Failover to copy active HTTP sessions to the standby firewall. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Routed: • | Transparent: •
Security Context | Single: • | Multiple (Context): — | Multiple (System): —
For More Information
For more information about failover in general, see Configuring Failover.
Failover: Interfaces (Routed Firewall Mode)
Use this tab to define the standby IP address for each interface on the FWSM and to specify whether the status of the interface should be monitored.
For more information about configuring failover in general, see Configuring Failover.
Fields
• Interface—Lists the interfaces on the FWSM and identifies their active IP address, standby IP address, and monitoring status.
– Interface Name—Identifies the interface name.
– Active IP—Identifies the active IP address for this interface.
– Standby IP—Identifies the IP address of the corresponding interface on the standby failover unit.
– Is Monitored—Select this check box to specify that the health of the interface is monitored for failover. Clear this check box if you do not want the status of the interface to affect failover.
• Edit—Displays the Edit Failover Interface Configuration (Routed Firewall Mode) dialog box for the selected interface.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Routed: • | Transparent: —
Security Context | Single: • | Multiple (Context): — | Multiple (System): —
For More Information
For more information about failover in general, see Configuring Failover.
Edit Failover Interface Configuration (Routed Firewall Mode)
Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.
Fields
• Interface Name—Identifies the interface name.
• Active IP Address—Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.
• Subnet Mask—Identifies the mask for this interface. This field does not appear if an IP address has not been assigned to the interface.
• Standby IP Address—Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.
• Monitor interface for failure—Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the FWSM is 250. Hello messages are exchanged between the FWSM failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:
– Unknown—Initial status. This status can also mean the status cannot be determined.
– Normal—The interface is receiving traffic.
– Testing—Hello messages are not heard on the interface for five poll times.
– Link Down—The interface is administratively down.
– No Link—The physical link for the interface is down.
– Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple, Context) | Security Context (Multiple, System)
• | — | • | — | —
For More Information
For more information about failover in general, see Configuring Failover.
Failover: Interfaces (Transparent Firewall Mode)
Use this tab to define the standby management IP address and to specify whether the status of the interfaces on the FWSM should be monitored.
Fields
• Interface—Lists the interfaces on the FWSM.
– Interface Name—Identifies the interface name.
– Is Monitored—Select this checkbox to specify that the health of the interface is monitored for failover. Clear this checkbox if you do not want the status of the interface to affect failover.
The number of interfaces that can be monitored for the FWSM is 250. Hello messages are exchanged between the FWSM failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:
– Unknown—Initial status. This status can also mean the status cannot be determined.
– Normal—The interface is receiving traffic.
– Testing—Hello messages are not heard on the interface for five poll times.
– Link Down—The interface is administratively down.
– No Link—The physical link for the interface is down.
– Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.
• Bridge Group—Lists the bridge groups defined on the FWSM. This list only appears for FWSM units or contexts in transparent mode.
– Bridge Group—Identifies the bridge group name for the FWSM or context in transparent firewall mode.
– Active IP Address—Identifies the active management IP address for the bridge group.
– Network Mask—Identifies the mask associated with the active and standby management IP addresses.
– Standby IP Address—Specifies the management IP address on the standby failover unit.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple, Context) | Security Context (Multiple, System)
— | • | • | — | —
For More Information
For more information about failover in general, see Configuring Failover.
Failover: Criteria
Use this tab to define criteria for failover, such as how many interfaces must fail and how long to wait between polls. The hold time specifies the interval to wait without receiving a response to a poll before unit failover.
Fields
• Interface Policy—Contains the fields for defining the policy for failover when monitoring detects an interface failure.
– Number of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the value you set in this field, the FWSM fails over. The range is between 1 and 250 failures.
– Percentage of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the percentage you set in this field, the FWSM fails over.
• Failover Poll Times—Contains the fields for defining how often hello messages are sent on the failover link, and, optionally, how long to wait before testing the peer for failure if no hello messages are received.
– Unit Failover—The amount of time between hello messages among units. The range is between 1 and 15 seconds or between 500 and 999 milliseconds.
– Unit Hold Time—Sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. The range is between 3 and 45 seconds. You cannot enter a value that is less than 3 times the poll time.
– Monitored Interfaces—The amount of time between polls among interfaces. The range is between 3 and 15 seconds.
• Preempt—Check this checkbox to enable failover preemption. Failover preemption causes the primary unit to become the active unit automatically after rebooting or recovering from a failover condition. If this checkbox is not checked, then a primary unit that boots while the secondary unit is active or that recovers from a failed state stays in the standby state until either a failover occurs or you force it to become active.
– with optional delay of—Specifies the number of seconds that the primary unit should wait after rebooting before taking over as the active unit. The range is between 1 and 1200 seconds. Leave this field blank to configure no delay.
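The interface-monitoring rules (poll time, five missed hellos before Testing, the Unknown/Normal/Testing/Failed statuses) and the Criteria tab's timer ranges and Interface Policy thresholds can be reasoned about with a small model. The following Python is an added example, not Cisco code or FWSM behaviour verbatim; the status transitions are simplified, the hello sequences and thresholds are constructed, and treating the configured count or percentage as "meets or exceeds" is an assumption made here.

```python
# Added example (not Cisco code): model of this page's interface-monitoring
# and Interface Policy rules; thresholds and hello sequences are constructed.
from dataclasses import dataclass
from typing import Iterable, Optional

MAX_MONITORED = 250        # monitored interfaces per FWSM
MISSED_HELLOS_TO_TEST = 5  # consecutive missed hellos before Testing
IFACE_POLL_RANGE = (3, 15) # interface poll time, seconds
HOLD_RANGE = (3, 45)       # unit hold time, seconds

def validate_unit_timers(poll_s: float, hold_s: int) -> bool:
    """Unit poll 1-15 s or 500-999 ms; hold 3-45 s and at least 3 x poll."""
    if not (1 <= poll_s <= 15 or 0.5 <= poll_s <= 0.999):
        raise ValueError("unit poll time must be 1-15 s or 500-999 ms")
    if not (HOLD_RANGE[0] <= hold_s <= HOLD_RANGE[1] and hold_s >= 3 * poll_s):
        raise ValueError("hold time must be 3-45 s and >= 3 x poll time")
    return True

def seconds_until_testing(poll_s: int) -> int:
    """Worst-case delay before interface testing starts (5 x poll time)."""
    if not IFACE_POLL_RANGE[0] <= poll_s <= IFACE_POLL_RANGE[1]:
        raise ValueError("interface poll time must be 3-15 s")
    return MISSED_HELLOS_TO_TEST * poll_s

@dataclass
class MonitoredInterface:
    name: str
    missed: int = 0
    status: str = "Unknown"  # initial status

    def observe(self, hello_heard: bool, peer_hears_traffic: bool) -> str:
        """Advance one poll period (simplified status transitions)."""
        if hello_heard:
            self.missed, self.status = 0, "Normal"
        else:
            self.missed += 1
            if self.missed >= MISSED_HELLOS_TO_TEST:
                # Testing after five silent polls; Failed if the peer hears traffic.
                self.status = "Failed" if peer_hears_traffic else "Testing"
        return self.status

def should_failover(ifaces: Iterable[MonitoredInterface], count: Optional[int] = None,
                    percent: Optional[float] = None) -> bool:
    """Interface Policy: fail over when failed interfaces reach count or percent."""
    ifaces = list(ifaces)
    if len(ifaces) > MAX_MONITORED:
        raise ValueError("at most 250 interfaces can be monitored")
    failed = sum(i.status == "Failed" for i in ifaces)
    if count is not None:
        return failed >= count
    return bool(ifaces) and percent is not None and 100 * failed / len(ifaces) >= percent
```

With a 5-second interface poll time, seconds_until_testing(5) returns the 25 seconds the page quotes; lowering the poll time shortens detection at the cost of more hello traffic and a higher chance of spurious Testing on congested links.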
Modes
The following table shows the modes in which this feature is available:
Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple, Context) | Security Context (Multiple, System)
• | • | • | — | —
For More Information
For more information about failover in general, see Configuring Failover.
Failover - Multiple Mode, Security Context
The fields displayed on the Failover pane in multiple context mode change depending upon whether the context is in transparent or routed firewall mode.
This section contains the following topics:
• Failover - Routed
• Failover - Transparent
Failover - Routed
Use this panel to define the standby IP address for each interface in the security context and to specify whether the status of the interface should be monitored.
Fields
• Interface table—Lists the interfaces on the FWSM and identifies their active IP address, standby IP address, and monitoring status.
– Interface Name—Identifies the interface name.
– Active IP—Identifies the active IP address for this interface.
– Standby IP—Identifies the IP address of the corresponding interface on the standby failover unit.
– Is Monitored—Specifies whether this interface is monitored for failure.
• Edit button—Displays the Edit Failover Interface Configuration dialog box for the selected interface.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple, Context) | Security Context (Multiple, System)
• | — | — | • | —
For More Information
For more information about failover in general, see Configuring Failover.
Edit Failover Interface Configuration
Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.
Fields
• Interface Name—Identifies the interface name.
• Active IP Address—Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.
• Subnet Mask—Identifies the mask for this interface. This field does not appear if an IP address has not been assigned to the interface.
• Standby IP Address—Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.
• Monitor interface for failure—Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the FWSM is 250. Hello messages are exchanged between the FWSM failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:
– Unknown—Initial status. This status can also mean the status cannot be determined.
– Normal—The interface is receiving traffic.
– Testing—Hello messages are not heard on the interface for five poll times.
– Link Down—The interface is administratively down.
– No Link—The physical link for the interface is down.
– Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode (Routed) | Firewall Mode (Transparent) | Security Context (Single) | Security Context (Multiple, Context) | Security Context (Multiple, System)
• | — | — | • |