Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, 6.2F
Configuring Failover

Configuring Failover

Table Of Contents

Configuring Failover

Understanding Failover

Active/Standby Failover

Active/Active Failover

Stateless (Regular) Failover

Stateful Failover

Configuring Failover with the High Availability and Scalability Wizard

Accessing and Using the High Availability and Scalability Wizard

Configuring Active/Active Failover with the High Availability and Scalability Wizard

Configuring Active/Standby Failover with the High Availability and Scalability Wizard

Field Information for the High Availability and Scalability Wizard

Configuration Type

Failover Peer Connectivity and Compatibility Check

Change Device to Multiple Mode

Security Context Configuration

Failover Link Configuration

State Link Configuration

Standby Address Configuration

Summary

Field Information for the Failover Panes

Failover—Single Mode

Failover: Setup

Failover: Interfaces (Routed Firewall Mode)

Failover: Interfaces (Transparent Firewall Mode)

Failover: Criteria

Failover—Multiple Mode, Security Context

Failover—Routed

Failover—Transparent

Failover—Multiple

Failover > Setup Tab

Failover > Criteria Tab

Failover > Active/Active Tab


Configuring Failover


This section contains the following topics:

Understanding Failover

Configuring Failover with the High Availability and Scalability Wizard

Field Information for the Failover Panes

Understanding Failover

The Failover panel contains the settings for configuring failover on the FWSM. However, the Failover panel changes depending upon whether you are in multiple mode or single mode, and when you are in multiple mode, it changes based on the security context you are in.

Failover allows you to configure two FWSMs so that one will take over operation if the other fails. Using a pair of FWSMs, you can provide high availability with no operator intervention. The FWSM communicates failover information over a dedicated failover link. The following information is communicated over the failover link:

The failover state (active or standby).

Hello messages (keep-alives).

Network link status.

Configuration replication.


Caution All information that is sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the FWSM is used to terminate VPN tunnels, this information includes any usernames, passwords, and preshared keys that are used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the FWSM to terminate VPN tunnels.

The FWSM supports two types of failover, Active/Standby and Active/Active. Additionally, failover can be stateful or stateless. For more information about the types of failover, see the following topics:

Active/Standby Failover

Active/Active Failover

Stateless (Regular) Failover

Stateful Failover

Active/Standby Failover

In an Active/Standby configuration, the active FWSM processes all network traffic passing through the failover pair. The standby FWSM does not process network traffic until a failure occurs on the active FWSM. Whenever the configuration of the active FWSM changes, it sends configuration information over the failover link to the standby FWSM.

When a failover occurs, the standby FWSM becomes the active unit. It assumes the IP and MAC address of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC address, ARP entries do not change or time out anywhere on the network.

Active/Standby failover is available to FWSMs in single mode or multiple mode.

Active/Active Failover

In an Active/Active failover configuration, both FWSMs pass network traffic. Active/Active failover is only available to FWSMs in multiple context mode.

To enable Active/Active failover on the FWSM, you need to create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is simply a logical group of one or more security contexts. You can create two failover groups on the FWSM. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

As in Active/Standby failover, each unit in an Active/Active failover pair is given a primary or secondary designation. Unlike Active/Standby failover, this designation does not indicate which unit is active when both units start simultaneously. Each failover group in the configuration is given a primary or secondary role preference. This preference determines on which unit in the failover pair the contexts in the failover group appear in the active state when both units start simultaneously. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

Initial configuration synchronization occurs when one or both units start. This synchronization occurs as follows:

When both units start simultaneously, the configuration is synchronized from the primary unit to the secondary unit.

When one unit starts while the other unit is already active, the unit that is starting up receives the configuration from the already active unit.

After both units are running, commands are replicated from one unit to the other as follows:

Commands that are entered within a security context are replicated from the unit on which the security context appears in the active state to the peer unit.


Note A context is considered in the active state on a unit if the failover group to which it belongs is in the active state on that unit.


Commands that are entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.

Commands that are entered in the admin context are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.

Failure to enter the commands on the appropriate unit for command replication to occur will cause the configurations to be out of synchronization. Those changes may be lost the next time the initial configuration synchronization occurs.

In an Active/Active failover configuration, failover occurs on a failover group basis, not a system basis. For example, if you designate both failover groups as active on the primary unit, and failover group 1 fails, failover group 2 remains active on the primary unit, while failover group 1 becomes active on the secondary unit.
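The rules in the preceding paragraphs (a context is active wherever its failover group is active, failover moves one group at a time, and system and admin-context commands replicate from whichever unit holds failover group 1 active) are easy to get wrong when deciding on which unit to type a change. The following model encodes them so the outcome can be checked before touching a pair. It is an added example in Python, not FWSM or ASDM code; the unit, group and context names are hypothetical.

```python
# Added example: a small model of Active/Active failover-group behaviour as the
# text above describes it. Illustrative Python, not FWSM or ASDM code; the
# unit, group and context names are hypothetical.
from dataclasses import dataclass, field

PRIMARY, SECONDARY = "primary", "secondary"


def other(unit):
    return SECONDARY if unit == PRIMARY else PRIMARY


@dataclass
class ActiveActivePair:
    # Role preference per failover group: the unit on which the group comes up
    # active when both units start simultaneously.
    preference: dict
    # Security context -> failover group. "admin" is always in group 1, and any
    # context not listed here is treated as a member of group 1 by default.
    context_group: dict = field(default_factory=dict)
    active: dict = field(init=False)   # current active unit per group

    def __post_init__(self):
        if set(self.preference) != {1, 2}:
            raise ValueError("an FWSM has exactly two failover groups")
        if self.context_group.get("admin", 1) != 1:
            raise ValueError("the admin context is always a member of group 1")
        self.active = dict(self.preference)

    def group_of(self, context):
        return self.context_group.get(context, 1)

    def active_unit(self, context):
        """A context is active on the unit where its failover group is active."""
        return self.active[self.group_of(context)]

    def fail_group(self, group):
        """Failover happens per failover group: only this group changes units."""
        self.active[group] = other(self.active[group])

    def replication(self, scope):
        """(source, destination) for command replication in a given scope.

        scope is "system", "admin" or a security-context name. System and admin
        commands replicate from the unit holding group 1 active; a context's
        commands replicate from the unit on which that context is active.
        """
        src = self.active[1] if scope in ("system", "admin") else self.active_unit(scope)
        return src, other(src)

    def will_desync(self, scope, entered_on):
        """True when a change typed on `entered_on` is not replicated and may be
        lost at the next initial configuration synchronization."""
        return entered_on != self.replication(scope)[0]


def page_example():
    """The case from the text: both groups active on the primary, then group 1 fails."""
    pair = ActiveActivePair(preference={1: PRIMARY, 2: PRIMARY},
                            context_group={"ctx-a": 1, "ctx-b": 2})
    pair.fail_group(1)
    return {c: pair.active_unit(c) for c in ("admin", "ctx-a", "ctx-b")}


if __name__ == "__main__":
    print(page_example())   # ctx-b stays on the primary; admin and ctx-a move
```

After the simulated failure of group 1, `will_desync("system", "primary")` is true: a system-space command typed on the primary is no longer replicated, because group 1 is now active on the secondary.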


Note When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit.


Stateless (Regular) Failover

Stateless failover is also referred to as regular failover. In stateless failover, all active connections are dropped when a failover occurs. Clients need to re-establish connections when the new active unit takes over.

Stateful Failover

When Stateful Failover is enabled, the active unit in the failover pair continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.


Note The IP address and MAC address for the state and LAN failover links do not change at failover.


To use Stateful Failover, you must configure a state link to pass all state information to the standby unit. You can use the same interface for the state link as the failover link. However, it is recommended that you use a dedicated interface for passing state information to the standby unit.

The following information is passed to the standby unit when Stateful Failover is enabled:

NAT translation table.

TCP connection table (except for HTTP), including each connection's timeout.

HTTP connection states (if HTTP replication is enabled).

H.323, SIP, and MGCP UDP media connections.

The system clock.

The ISAKMP and IPsec SA table.

The user authentication (uauth) table.

The following information is not copied to the standby unit when Stateful Failover is enabled:

HTTP connection table (unless HTTP replication is enabled).

The ARP table.

Routing tables.

Configuring Failover with the High Availability and Scalability Wizard

The High Availability and Scalability Wizard steps you through the process of creating an Active/Active or an Active/Standby failover configuration.

See the following topics for information about using the High Availability and Scalability Wizard:

Accessing and Using the High Availability and Scalability Wizard

Configuring Active/Active Failover with the High Availability and Scalability Wizard

Configuring Active/Standby Failover with the High Availability and Scalability Wizard

Field Information for the High Availability and Scalability Wizard

Accessing and Using the High Availability and Scalability Wizard

To open the High Availability and Scalability Wizard, choose Wizards > High Availability and Scalability Wizard from the ASDM menu bar. The first screen of the wizard appears.

To move to the next screen of the wizard, click the Next button. You must complete the mandatory fields on each screen before you can move to the next screen.

To move to a previous screen of the wizard, click the Back button. If information filled in on later screens of the wizard is not affected by the change you make to an earlier screen, that information remains on the screen as you move forward through the wizard again. You do not need to re-enter it.

To leave the wizard at any time without saving any changes, click Cancel.

To send your configuration to the FWSM at the end of the wizard, click Finish.

Configuring Active/Active Failover with the High Availability and Scalability Wizard

The following procedure provides a high-level overview for configuring Active/Active failover using the High Availability and Scalability Wizard. Each step in the procedure corresponds with a wizard screen. Click Next after completing each step, except for the last step, before moving to the next step. Each step also contains a reference to additional information that you may need to complete the step.


Step 1 Choose Configure Active/Active failover on the Choose the type of failover configuration screen.

See Configuration Type for more information about this screen.

Step 2 Enter the IP address of the failover peer on the Check Failover Peer Connectivity and Compatibility screen. Click Test Compatibility. You will not be able to move to the next screen until all compatibility tests are passed.

See Failover Peer Connectivity and Compatibility Check for more information about this screen.

Step 3 If the FWSM or the failover peer are in single context mode, change them to multiple context mode on the Change Device to Multiple Mode screen. When you change the FWSM to multiple context mode, it will reboot. ASDM automatically re-establishes communication with the FWSM when it has finished rebooting.

See Change Device to Multiple Mode for more information about this screen.

Step 4 Assign security contexts to failover groups on the Context Configuration screen. You can add and delete contexts on this screen.

See Security Context Configuration for more information about this screen.

Step 5 Define the Failover Link on the Failover Link Configuration screen.

See Failover Link Configuration for more information about this screen.

Step 6 Define the Stateful Failover link on the State Link Configuration screen.

See State Link Configuration for more information about this screen.

Step 7 Add standby addresses to the FWSM interfaces on the Standby Address Configuration screen.

See Standby Address Configuration for more information about this screen.

Step 8 Review your configuration on the Summary screen. If necessary, use the Back button to go to a previous screen and make changes.

See Summary for more information about this screen.

Step 9 Click Finish.

The failover configuration is sent to the FWSM and to the failover peer.


Configuring Active/Standby Failover with the High Availability and Scalability Wizard

The following procedure provides a high-level overview for configuring Active/Standby failover using the High Availability and Scalability Wizard. Each step in the procedure corresponds with a wizard screen. Click Next after completing each step, except for the last step, before moving to the next step. Each step also contains a reference to additional information that you may need to complete the step.


Step 1 Choose Configure Active/Standby failover on the Choose the type of failover configuration screen. Click Next.

See Configuration Type for more information about this screen.

Step 2 Enter the IP address of the failover peer on the Check Failover Peer Connectivity and Compatibility screen. Click Test Compatibility. You will not be able to move to the next screen until all compatibility tests are passed.

See Failover Peer Connectivity and Compatibility Check for more information about this screen.

Step 3 Define the Failover Link on the Failover Link Configuration screen.

See Failover Link Configuration for more information about this screen.

Step 4 Define the Stateful Failover link on the State Link Configuration screen.

See State Link Configuration for more information about this screen.

Step 5 Add standby addresses to the FWSM interfaces on the Standby Address Configuration screen.

See Standby Address Configuration for more information about this screen.

Step 6 Review your configuration on the Summary screen. If necessary, use the Back button to go to a previous screen and make changes.

See Summary for more information about this screen.

Step 7 Click Finish.

The failover configuration is sent to the FWSM and to the failover peer.


Field Information for the High Availability and Scalability Wizard

The following dialogs are available in the High Availability and Scalability Wizard. You will not see every dialog box when you run through the wizard; each dialog box appears depending on the type of failover you are configuring.

Configuration Type

Failover Peer Connectivity and Compatibility Check

Change Device to Multiple Mode

Security Context Configuration

Failover Link Configuration

State Link Configuration

Standby Address Configuration

Summary

Configuration Type

The Configuration Type screen lets you select the type of failover to configure.

Fields

The Choose the Type of Failover Configuration screen displays the following informational fields. These values are useful for determining the failover capabilities of the FWSM.

Hardware Model—(Display only) Displays the FWSM model number.

No. of Interfaces—(Display only) Displays the number of interfaces available on the FWSM.

No. of Modules—(Display only) Displays the number of modules that are installed on the FWSM.

Software Version—(Display only) Displays the version of the platform software on the FWSM.

Failover License—(Display only) Displays the type of failover license that is installed on the device. You may need to purchase an upgraded license to configure failover.

Firewall Mode—(Display only) Displays the firewall mode (routed or transparent) and the context mode (single or multiple).

Choose the type of failover configuration you are configuring:

Configure Active/Active Failover—Configures the FWSM for Active/Active failover.

Configure Active/Standby Failover—Configures the FWSM for Active/Standby failover.

Configure VPN Cluster Load Balancing—Configures the FWSM to participate in VPN load balancing as part of a cluster.

Modes

The following table shows the modes in which this feature is available:

[Mode availability table: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple: Context, System). The availability marks did not survive extraction.]


Failover Peer Connectivity and Compatibility Check

The Failover Peer Connectivity and Compatibility Check screen lets you verify that the selected failover peer is reachable and compatible with the current unit. If any of the connectivity and compatibility tests fail, you must correct the problem before you can proceed with the wizard.

Fields

Peer IP Address—Enter the IP address of the peer unit. This address does not have to be the failover link address, but it must be an interface that has ASDM access enabled on it.

Test Compatibility—Click this button to perform the following connectivity and compatibility tests:

Connectivity test from this ASDM to the peer unit

Connectivity test from this firewall device to the peer firewall device

Hardware compatibility test

Software version compatibility

Failover license compatibility

Firewall mode compatibility

Modes

The following table shows the modes in which this feature is available:

[Mode availability table: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple: Context, System). The availability marks did not survive extraction.]


Change Device to Multiple Mode

The Change Device to Multiple Mode dialog box appears for Active/Active failover configuration only. Active/Active failover requires the FWSM to be in multiple context mode. This dialog box lets you convert an FWSM in single context mode to multiple context mode.

When you convert from single context mode to multiple context mode, the FWSM creates the system configuration and the admin context from the current running configuration. The admin context configuration is stored in the admin.cfg file. The conversion process does not save the previous startup configuration, so if the startup configuration differed from the running configuration, those differences are lost.

Converting the FWSM from single context mode to multiple context mode causes the FWSM to reboot. However the High Availability and Scalability Wizard restores connectivity with the newly created admin context and reports the status in the Devices Status field in this dialog box.

You need to convert both the current FWSM and the peer FWSM to multiple context mode before you can proceed.

Fields

Change device To Multiple Context—Causes the FWSM to change to multiple context mode. In the dialog box, device is replaced by the hostname of the FWSM.

Change device (peer) To Multiple Context—Causes the peer unit to change to multiple context mode. In the dialog box, device is replaced by the hostname of the peer unit.

Device Status—(Display only) Displays the status of the FWSM while converting to multiple context mode.

Modes

The following table shows the modes in which this feature is available:

[Mode availability table: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple: Context, System). The availability marks did not survive extraction.]


Security Context Configuration

The Security Context Configuration screen appears for Active/Active configuration only. The Security Context Configuration screen lets you assign security contexts to failover groups. It displays the security contexts that are currently configured on the device and lets you add new ones or remove existing ones as needed. Although you can create security contexts on this screen, you cannot assign interfaces to those contexts or configure any other properties for them. To configure context properties and assign interfaces to a context, you need to use the System > Security Contexts pane.

Fields

Name—Displays the name of the security context. To change the name, click the name and type a new name.

Failover Group—Displays the failover group the context is assigned to. To change the failover group for a security context, click the failover group and select the new failover group number from the drop-down list.

Modes

The following table shows the modes in which this feature is available:

[Mode availability table: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple: Context, System). The availability marks did not survive extraction.]


Failover Link Configuration

The Failover Link Configuration screen lets you configure the failover interface.

Fields

LAN Interface—Choose the interface to use for failover communication from the drop-down list.

Logical Name—Type a name for the interface.

Active IP—Type the IP address that is used for the failover link on the unit that has failover group 1 in the active state.

Standby IP—Type the IP address that is used for the failover link on the unit that has failover group 1 in the standby state.

Subnet Mask—Type or select a subnet mask for the Active IP and Standby IP addresses.

Secret Key—(Optional) Enter the key that is used to encrypt failover communication. If this field is left blank, failover communication, including any passwords or keys in the configuration that is sent during command replication, is in clear text.

Modes

The following table shows the modes in which this feature is available:

[Mode availability table: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple: Context, System). The availability marks did not survive extraction.]


State Link Configuration

The State Link Configuration lets you enable Stateful Failover and configure the Stateful Failover link properties.

Fields

Use the LAN link as the State Link—Choose this option to pass state information across the LAN-based failover link.

Disable Stateful Failover—Choose this option to disable Stateful Failover.

Configure another interface for Stateful Failover—Choose this option to configure an unused interface as the Stateful Failover interface.

State Interface—Choose the interface that you want to use for Stateful Failover communication from the drop-down list.

Logical Name—Type the name for the Stateful Failover interface.

Active IP—Type the IP address for the Stateful Failover link on the unit that has failover group 1 in the active state.

Standby IP—Type the IP address for the Stateful Failover link on the unit that has failover group 1 in the standby state.

Subnet Mask—Type or select a subnet mask for the Active IP and Standby IP addresses.

Modes

The following table shows the modes in which this feature is available:

[Mode availability table: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple: Context, System). The availability marks did not survive extraction.]


Standby Address Configuration

Use the Standby Address Configuration screen to assign standby addresses to the interface on the FWSM.

Fields

Device/Interface—(Active/Standby failover) Displays the interfaces that are configured on the failover units. Click the plus sign (+) by a device name to display the interfaces on that device. Click the minus sign (-) by a device name to hide the interfaces on that device.

Device/Group/Context/Interface—(Active/Active failover) Displays the interfaces that are configured on the failover unit. The interfaces are grouped by context, and the contexts are grouped by failover group. Click the plus sign (+) by a device, failover group, or context name to expand the list. Click the minus sign (-) by a device, failover group, or context name to collapse the list.

Active IP—Double-click this field to edit or add an active IP address. Changes to this field also appear in the Standby IP field for the corresponding interface on the peer unit.

Standby IP—Double-click this field to edit or add a standby IP address. Changes to this field also appear in the Active IP field for the corresponding interface on the peer unit.

Is Monitored—Check this check box to enable health monitoring for that interface. Uncheck the check box to disable the health monitoring. By default, health monitoring of physical interfaces is enabled and health monitoring of virtual interfaces is disabled.

ASR Group—Select the asynchronous routing (ASR) group ID from the drop-down list. This setting is only available for physical interfaces. For virtual interfaces, this field displays "None".

Modes

The following table shows the modes in which this feature is available:

[Mode availability table: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple: Context, System). The availability marks did not survive extraction.]


Summary

The Summary screen displays the results of the configuration steps you performed in the previous wizard panels.

Fields

The configuration appears in the center of the screen. Verify your settings and click Finish to send your configuration to the device. If you are configuring failover, the configuration is also sent to the failover peer. If you need to change a setting, click Back until you reach the screen where you need to make the change. Make the change and click Next until you return to the Summary screen.

Modes

The following table shows the modes in which this feature is available:

[Mode availability table: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple: Context, System). The availability marks did not survive extraction.]


Field Information for the Failover Panes

What displays on the failover pane depends upon the mode you are in (single or multiple context mode) and whether you are in the system execution space or in a security context.

Failover—Single Mode

Failover—Multiple Mode, Security Context

Failover—Multiple

Failover—Single Mode

The Failover panel contains the tabs where you can configure Active/Standby failover in single context mode. For more information about configuring the settings on each tab of the Failover panel, see the following information. Note that the Interfaces tab changes based on whether you are in routed firewall mode or transparent firewall mode.

Failover: Setup

Failover: Interfaces (Routed Firewall Mode)

Failover: Interfaces (Transparent Firewall Mode)

Failover: Criteria

Failover: Setup

Use this tab to enable failover on the FWSM. You also designate the failover link and the state link, if using Stateful Failover, on this tab.

Fields

Enable Failover—Selecting this check box enables failover and lets you configure a standby FWSM.


Note The speed and duplex settings for an interface cannot be changed when Failover is enabled. To change these settings for the failover interface, you must configure them in the Configuration > Interfaces panel before enabling failover.


Use 32 hexadecimal character key—Select this check box to enter a hexadecimal value for the encryption key in the Shared Key box. Clear this check box to enter an alphanumeric shared secret in the Shared Key box.

Shared Key—Specifies the failover shared secret or key for encrypted and authenticated communications between failover pairs.

If you selected the Use 32 hexadecimal character key check box, then enter a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9, a-f).

If you cleared the Use 32 hexadecimal character key check box, then enter an alphanumeric shared secret. The shared secret can be from 1 to 63 characters. Valid characters are any combination of numbers, letters, or punctuation. The shared secret is used to generate the encryption key.

LAN Failover—Contains the fields for configuring LAN-based failover.

Interface—Specifies the interface that is used for failover communication. Failover requires a dedicated interface, but you can use the same interface for Stateful Failover. The interface needs enough capacity to process both the LAN-based failover and Stateful Failover traffic.


Note We recommend that you use two separate, dedicated interfaces for the Failover interface and the Stateful Failover interface.


Only unconfigured interfaces or subinterfaces are displayed in this list and can be selected as the LAN Failover interface. Once you specify an interface as the LAN Failover interface, you cannot edit that interface in the Configuration > Interfaces panel.

Active IP—Specifies the IP address for the failover interface on the active unit.

Subnet Mask—Specifies the mask for the failover interface on the primary and secondary unit.

Logical Name—Specifies the logical name of the interface that is used for failover communication.

Standby IP—Specifies the IP address that the secondary unit uses to communicate with the primary unit.

Preferred Role—Specifies whether the preferred role for this FWSM is as the primary or secondary unit in a LAN failover.

State Failover—Contains the fields for configuring Stateful Failover.

Interface—Specifies the interface that is used for failover communication. Failover requires a dedicated interface, but you can use the same interface for Stateful Failover. The interface needs enough capacity to process both the LAN-based failover and Stateful Failover traffic. If you use the same interface for Stateful Failover that you are using for LAN-based failover, the Active IP, Subnet Mask, Logical Name, and Standby IP values do not need to be specified.


Note We recommend that you use two separate dedicated interfaces.


Active IP—Specifies the IP address for the Stateful Failover interface on the primary unit.

Subnet Mask—Specifies the mask for the Stateful Failover interfaces on the primary and secondary units.

Logical Name—Specifies the logical interface used for failover communication.

Standby IP—Specifies the IP address used by the secondary unit to communicate with the primary unit.

Enable HTTP replication—Selecting this check box enables Stateful Failover to copy active HTTP sessions to the standby firewall. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link.
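The Setup tab above and the Standby Address Configuration screen earlier in this chapter each impose constraints that ASDM only reports one field at a time: the Shared Key must be either exactly 32 hexadecimal characters or a 1 to 63 character secret of letters, digits and punctuation; the failover and state links must be otherwise unconfigured interfaces; and every interface needs a distinct standby address. The following script checks a whole plan offline and also generates a hex key from the operating system's CSPRNG, which is preferable to a hand-typed secret given the Caution at the start of this chapter. It is an added example in Python, not FWSM or ASDM code; the interface names and addresses are constructed, and the rule that a standby address must lie in the same subnet as its active address is an assumption taken from FWSM/ASA practice rather than something this page states.

```python
# Added example: offline checks for the values typed into the Failover: Setup tab
# and the Standby Address Configuration screen. Illustrative Python, not FWSM or
# ASDM code. Interface names and addresses below are constructed; the rule that
# a standby address must sit in the same subnet as its active address is an
# assumption from FWSM/ASA practice, not something this page states.
import ipaddress
import re
import secrets
import string

HEX_KEY_RE = re.compile(r"[0-9a-f]{32}")
SECRET_CHARS = set(string.ascii_letters + string.digits + string.punctuation)


def new_hex_key():
    """32 lowercase hex characters (128 bits) from the OS CSPRNG, for use with
    the 'Use 32 hexadecimal character key' option."""
    return secrets.token_hex(16)


def check_key(value, hex_mode):
    """Problems with a Shared Key value; an empty list means it is acceptable."""
    if not value:
        # Permitted, but then command replication (passwords, keys) crosses the
        # failover and state links in clear text.
        return ["no failover key: failover and state traffic will be sent in clear text"]
    if hex_mode:
        return [] if HEX_KEY_RE.fullmatch(value) else ["hex key must be exactly 32 characters 0-9, a-f"]
    problems = []
    if not 1 <= len(value) <= 63:
        problems.append("shared secret must be 1 to 63 characters")
    bad = sorted(set(value) - SECRET_CHARS)
    if bad:
        problems.append("shared secret contains invalid characters: " + "".join(bad))
    return problems


def check_pair(name, active, standby, mask):
    """Active and standby addresses must be two distinct host addresses in one subnet."""
    net = ipaddress.IPv4Network("%s/%s" % (active, mask), strict=False)
    a, s = ipaddress.IPv4Address(active), ipaddress.IPv4Address(standby)
    problems = []
    if a == s:
        problems.append("%s: active and standby addresses are identical" % name)
    if s not in net:
        problems.append("%s: standby %s is outside %s" % (name, s, net))
    for label, addr in (("active", a), ("standby", s)):
        if addr in (net.network_address, net.broadcast_address):
            problems.append("%s: %s address %s is the network or broadcast address" % (name, label, addr))
    return problems


def check_plan(plan):
    """Validate a whole failover plan; returns the list of problems found."""
    problems = check_key(plan.get("key"), plan.get("hex_key", False))
    data_ifaces = {i["interface"] for i in plan["interfaces"]}
    links = [("LAN failover link", plan["lan_link"])]
    if plan.get("state_link"):          # absent: Stateful Failover disabled or on the LAN link
        links.append(("state link", plan["state_link"]))
    for label, link in links:
        # The failover and state links must be otherwise unconfigured interfaces.
        if link["interface"] in data_ifaces:
            problems.append("%s uses %s, which also carries data traffic" % (label, link["interface"]))
        problems += check_pair(label, link["active"], link["standby"], link["mask"])
    for iface in plan["interfaces"]:
        problems += check_pair(iface["interface"], iface["active"], iface["standby"], iface["mask"])
    return problems


# Constructed plan with three deliberate faults: a non-hex key in hex mode, the
# state link placed on a data interface, and a standby address outside its subnet.
SAMPLE_PLAN = {
    "key": "not-a-hex-key", "hex_key": True,
    "lan_link": {"interface": "vlan10", "active": "10.255.0.1", "standby": "10.255.0.2", "mask": "255.255.255.0"},
    "state_link": {"interface": "vlan20", "active": "10.255.1.1", "standby": "10.255.1.2", "mask": "255.255.255.0"},
    "interfaces": [
        {"interface": "vlan20", "active": "192.0.2.1", "standby": "192.0.2.2", "mask": "255.255.255.0"},
        {"interface": "vlan30", "active": "198.51.100.1", "standby": "198.51.101.2", "mask": "255.255.255.0"},
    ],
}

if __name__ == "__main__":
    for problem in check_plan(SAMPLE_PLAN):
        print("-", problem)
```

Run against the sample plan it reports the three faults; fixing them (a key from `new_hex_key()`, the state link moved to an unused VLAN, the vlan30 standby address placed in 198.51.100.0/24) yields an empty list.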

Modes

The following table shows the modes in which this feature is available:

[Mode availability table: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple: Context, System). The availability marks did not survive extraction.]


For More Information

For more information about failover in general, see Configuring Failover.

Failover: Interfaces (Routed Firewall Mode)

Use this tab to define the standby IP address for each interface on the FWSM and to specify whether the status of the interface should be monitored.

For more information about configuring failover in general, see Configuring Failover.

Fields

Interface—Lists the interfaces on the FWSM and identifies their active IP address, standby IP address, and monitoring status.

Interface Name—Identifies the interface name.

Active IP—Identifies the active IP address for this interface.

Standby IP—Identifies the IP address of the corresponding interface on the standby failover unit.

Is Monitored—Select this checkbox to specify that health of the interface is monitored for failover. Clear this checkbox if you do not want the status of the interface to affect failover.

Edit—Displays the Edit Failover Interface Configuration (Routed Firewall Mode) dialog box for the selected interface.

Modes

The following table shows the modes in which this feature is available:

[Mode availability table: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple: Context, System). The availability marks did not survive extraction.]


For More Information

For more information about failover in general, see Understanding Failover.

Edit Failover Interface Configuration (Routed Firewall Mode)

Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.

Fields

Interface Name—Identifies the interface name.

Active IP Address—Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.

Subnet Mask—Identifies the mask for this interface. This field does not appear if an IP address has not been assigned to the interface.

Standby IP Address—Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.

Monitor interface for failure—Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the FWSM is 250. Hello messages are exchanged between the FWSM failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean that the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


For More Information

For more information about failover in general, see Understanding Failover.

Failover: Interfaces (Transparent Firewall Mode)

Use this tab to define the standby management IP address and to specify whether the status of the interfaces on the FWSM should be monitored.

Fields

Interface—Lists the interfaces on the FWSM.

Interface Name—Identifies the interface name.

Is Monitored—Select this checkbox to specify that the health of the interface is monitored for failover. Clear this checkbox if you do not want the status of the interface to affect failover.

The number of interfaces that can be monitored for the FWSM is 250. Hello messages are exchanged between the FWSM failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean that the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Bridge Group—Lists the bridge groups that are defined on the FWSM. This list only appears for FWSM units or contexts in transparent mode.

Bridge Group—Identifies the bridge group name for the FWSM or context in transparent firewall mode.

Active IP Address—Identifies the active management IP address for the bridge group.

Network Mask—Identifies the mask that is associated with the active and standby management IP addresses.

Standby IP Address—Specifies the management IP address on the standby failover unit.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


For More Information

For more information about failover in general, see Understanding Failover.

Failover: Criteria

Use this tab to define criteria for failover, such as how many interfaces must fail and how long to wait between polls. The hold time specifies the interval to wait without receiving a response to a poll before unit failover.

Fields

Interface Policy—Contains the fields for defining the policy for failover when monitoring detects an interface failure.

Number of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the value that you set with this command, then the FWSM fails over. The range is between 1 and 250 failures.

Percentage of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the percentage that you set with this command, then the FWSM fails over.

Failover Poll Times—Contains the fields for defining how often hello messages are sent on the failover link and, optionally, how long to wait before testing the peer for failure if no hello messages are received.

Unit Failover—The amount of time between hello messages among units. The range is between 1 and 15 seconds or between 500 and 999 milliseconds (ms).

Unit Hold Time—Sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. The range is between 3 and 45 seconds. You cannot enter a value that is less than 3 times the poll time.

Monitored Interfaces—The amount of time between polls among interfaces. The range is between 3 and 15 seconds.

Preempt—Check this checkbox to enable failover preemption. Failover preemption causes the primary unit to become the active unit automatically after rebooting or recovering from a failover condition. If this checkbox is not checked, then a primary unit that boots while the secondary unit is active or that recovers from a failed state will stay in the standby state until either a failover occurs or you force it to become active.

with optional delay of—Specifies the number of seconds that the primary unit should wait after rebooting before taking over as the active unit. The range is between 1 and 1200 seconds. Leave this field blank to configure no delay.
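The following added example is a constructed Python model of the monitoring rules described on this tab and in the Monitor interface for failure field above; it is not Cisco code, and the Poll record, the treatment of the count threshold as reached rather than exceeded, and the Testing to Failed transition are this example's own assumptions.

```python
# Constructed Python model of the interface-monitoring and failover-criteria
# rules described above (added example, not Cisco code).
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Sequence

MAX_MONITORED_INTERFACES = 250    # at most 250 interfaces can be monitored
MISSED_HELLOS_BEFORE_TESTING = 5  # testing begins after 5 consecutive missed hellos


class IfStatus(Enum):
    UNKNOWN = "Unknown"
    NORMAL = "Normal"
    TESTING = "Testing"
    LINK_DOWN = "Link Down"
    NO_LINK = "No Link"
    FAILED = "Failed"


@dataclass
class Poll:
    """What the local unit saw during one interface poll period (constructed input)."""
    hello_heard: bool
    admin_up: bool = True
    link_up: bool = True
    peer_hears_traffic: bool = True  # only consulted while the interface is Testing


def seconds_until_testing(interface_poll_s: int) -> int:
    """Time before testing starts: 5 missed hellos, e.g. 25 s for a 5 s poll time."""
    return MISSED_HELLOS_BEFORE_TESTING * interface_poll_s


def interface_status(polls: Sequence[Poll]) -> IfStatus:
    """Replay poll results and return the monitored interface's current status.
    Assumption: once Testing, a further poll with no traffic here but traffic
    heard on the peer's interface is what moves the interface to Failed."""
    status, missed = IfStatus.UNKNOWN, 0
    for p in polls:
        if not p.admin_up:
            status, missed = IfStatus.LINK_DOWN, 0
        elif not p.link_up:
            status, missed = IfStatus.NO_LINK, 0
        elif p.hello_heard:
            status, missed = IfStatus.NORMAL, 0
        else:
            missed += 1
            if status is IfStatus.TESTING and p.peer_hears_traffic:
                status = IfStatus.FAILED
            elif status is not IfStatus.FAILED and missed >= MISSED_HELLOS_BEFORE_TESTING:
                status = IfStatus.TESTING
    return status


def validate_poll_times(unit_poll_ms: int, unit_hold_s: int, interface_poll_s: int) -> List[str]:
    """Check the Failover Poll Times ranges; an empty list means the values are valid."""
    problems = []
    whole_seconds = unit_poll_ms % 1000 == 0 and 1000 <= unit_poll_ms <= 15000
    if not (whole_seconds or 500 <= unit_poll_ms <= 999):
        problems.append("Unit Failover: 1-15 seconds or 500-999 ms")
    if not 3 <= unit_hold_s <= 45:
        problems.append("Unit Hold Time: 3-45 seconds")
    if unit_hold_s * 1000 < 3 * unit_poll_ms:
        problems.append("Unit Hold Time: must be at least 3 times the unit poll time")
    if not 3 <= interface_poll_s <= 15:
        problems.append("Monitored Interfaces: 3-15 seconds")
    return problems


def fails_over(statuses: Sequence[IfStatus], count: Optional[int] = None,
               percent: Optional[int] = None) -> bool:
    """Interface Policy: True when the failed monitored interfaces reach the count
    (1-250) or percentage (1-100) threshold; exactly one must be set.  Reaching
    the configured number is treated as the trigger (assumption)."""
    if len(statuses) > MAX_MONITORED_INTERFACES:
        raise ValueError("at most 250 interfaces can be monitored")
    if (count is None) == (percent is None):
        raise ValueError("set exactly one of count or percent")
    failed = sum(s is IfStatus.FAILED for s in statuses)
    if count is not None:
        return failed >= count
    return len(statuses) > 0 and failed * 100 >= percent * len(statuses)
```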

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


For More Information

For more information about failover in general, see Understanding Failover.

Failover—Multiple Mode, Security Context

The fields that are displayed on the Failover pane in multiple context mode change depending upon whether the context is in transparent or routed firewall mode.

This section contains the following topics:

Failover—Routed

Failover—Transparent

Failover—Routed

Use this panel to define the standby IP address for each interface in the security context and to specify whether the status of the interface should be monitored.

Fields

Interface table—Lists the interfaces on the FWSM and identifies their active IP address, standby IP address, and monitoring status.

Interface Name—Identifies the interface name.

Active IP—Identifies the active IP address for this interface.

Standby IP—Identifies the IP address of the corresponding interface on the standby failover unit.

Is Monitored—Specifies whether this interface is monitored for failure.

Edit button—Displays the Edit Failover Interface Configuration dialog box for the selected interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


For More Information

For more information about failover in general, see Understanding Failover.

Edit Failover Interface Configuration

Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.

Fields

Interface Name—Identifies the interface name.

Active IP Address—Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.

Subnet Mask—Identifies the mask for this interface. This field does not appear if an IP address has not been assigned to the interface.

Standby IP Address—Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.

Monitor interface for failure—Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the FWSM is 250. Hello messages are exchanged between the FWSM failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean that the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


For More Information

For more information about failover in general, see Understanding Failover.

Failover—Transparent

Use this panel to define the standby IP address for the management interface for the security context and to specify whether the status of the interfaces on the security context should be monitored.

Fields

Interface—Lists the interfaces on the FWSM.

Interface Name—Identifies the interface name.

Is Monitored—Select this checkbox to specify that the health of the interface is monitored for failover. Clear this checkbox if you do not want the status of the interface to affect failover.

The number of interfaces that can be monitored for the FWSM is 250. Hello messages are exchanged between the FWSM failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean that the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Bridge Group—Lists the bridge groups that are defined on the FWSM. This list only appears for FWSM units or contexts in transparent mode.

Bridge Group—Identifies the bridge group name for the FWSM or context in transparent firewall mode.

Active IP Address—Identifies the active management IP address for the bridge group.

Network Mask—Identifies the mask that is associated with the active and standby management IP addresses.

Standby IP Address—Specifies the management IP address on the standby failover unit.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


For More Information

For more information about failover in general, see Understanding Failover.

Edit Failover Interface Configuration

Use the Edit Failover Interface Configuration dialog box to specify whether the status of the interface should be monitored.

Fields

Interface Name—Identifies the interface name.

Monitor interface for failure—Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the FWSM is 250. Hello messages are exchanged between the FWSM failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean that the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


For More Information

For more information about failover in general, see Understanding Failover.

Failover—Multiple

This panel includes tabs for configuring the system-level failover settings in the system context of an FWSM in multiple context mode. In multiple mode, you can configure Active/Standby or Active/Active failover. Active/Active failover is automatically enabled when you create failover groups in the device manager. For both types of failover, you need to provide system-level failover settings in the system context, and context-level failover settings in the individual security contexts. For more information about configuring failover in general, see Understanding Failover.

See the following topics for more information:

Failover > Setup Tab

Failover > Criteria Tab

Failover > Active/Active Tab

Failover > Setup Tab

Use this tab to enable failover on an FWSM in multiple context mode. You also designate the failover link and the state link, if using Stateful Failover, on this tab.

Fields

Enable Failover—Selecting this check box enables failover and lets you configure a standby FWSM.


Note The speed and duplex settings for an interface cannot be changed when Failover is enabled. To change these settings for the failover interface, you must configure them in the Configuration > Interfaces panel before enabling failover.


Shared Key—Specifies the failover shared secret for encrypted and authenticated communications between failover pairs.

LAN Failover—Contains the fields for configuring LAN-based failover.

Interface—Specifies the interface that is used for failover communication. Failover requires a dedicated interface, but you can use the same interface for Stateful Failover. The interface needs enough capacity to process both the LAN-based failover and Stateful Failover traffic.


Note We recommend that you use two separate dedicated interfaces.


Only unconfigured interfaces or subinterfaces that have not been assigned to a context are displayed in this list and can be selected as the LAN Failover interface. Once you specify an interface as the LAN Failover interface, you cannot edit that interface in the Configuration > Interfaces panel or assign that interface to a context.

Active IP—Specifies the IP address for the failover interface on the active unit.

Subnet Mask—Specifies the mask for the failover interface on the active unit.

Logical Name—Specifies the logical name for the failover interface.

Standby IP—Specifies the IP address of the standby unit.

Preferred Role—Specifies whether the preferred role for this FWSM is as the primary or secondary unit in a LAN failover.

State Failover—Contains the fields for configuring Stateful Failover.

Interface—Specifies the interface that is used for failover communication. Failover requires a dedicated interface, but you can use the same interface for Stateful Failover. The interface needs enough capacity to process both the LAN-based failover and Stateful Failover traffic. If you use the same interface for Stateful Failover that you are using for LAN-based failover, the Active IP, Subnet Mask, Logical Name, and Standby IP values do not need to be specified.


Note We recommend that you use two separate dedicated interfaces.


Active IP—Specifies the IP address for the Stateful Failover interface on the active unit.

Subnet Mask—Specifies the mask for the Stateful Failover interface on the active unit.

Logical Name—Specifies the logical name for the Stateful Failover interface.

Standby IP—Specifies the IP address of the standby unit.

Enable HTTP replication—Selecting this check box enables Stateful Failover to copy active HTTP sessions to the standby firewall. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


For More Information

For more information about failover in general, see Understanding Failover.

Failover > Criteria Tab

Use this tab to define criteria for failover, such as how many interfaces must fail and how long to wait between polls. The hold time specifies the interval to wait without receiving a response to a poll before unit failover.


Note If you are configuring Active/Active failover, you do not use this tab to define the interface policy; instead, you define the interface policy for each failover group using the Failover > Active/Active Tab. With Active/Active failover, the interface policy settings that are defined for each failover group override the settings on this tab. If you disable Active/Active failover, then the settings on this tab are used.


Fields

Interface Policy—Contains the fields for defining the policy for failover when monitoring detects an interface failure.

Number of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the value that you set with this command, then the FWSM fails over. The range is between 1 and 250 failures.

Percentage of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the percentage that you set with this command, then the FWSM fails over.

Failover Poll Times—Contains the fields for defining how often hello messages are sent on the failover link and, optionally, how long to wait before testing the peer for failure if no hello messages are received.

Unit Failover—The amount of time between hello messages among units. The range is between 1 and 15 seconds or between 500 and 999 ms.

Unit Hold Time—Sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. The range is between 3 and 45 seconds. You cannot enter a value that is less than 3 times the poll time.

Monitored Interfaces—The amount of time between polls among interfaces. The range is between 3 and 15 seconds.

Preempt—Check this checkbox to enable failover preemption. Failover preemption causes the primary unit to become the active unit automatically after rebooting or recovering from a failover condition. If this checkbox is not checked, then a primary unit that boots while the secondary unit is active or that recovers from a failed state will stay in the standby state until either a failover occurs or you force it to become active.

with optional delay of—Specifies the number of seconds that the primary unit should wait after rebooting before taking over as the active unit. The range is between 1 and 1200 seconds. Leave this field blank to configure no delay.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


For More Information

For more information about failover in general, see Understanding Failover.

Failover > Active/Active Tab

Use this tab to enable Active/Active failover on the FWSM by defining failover groups. In an Active/Active failover configuration, both FWSMs pass network traffic. Active/Active failover is only available to FWSMs in multiple mode.

A failover group is simply a logical group of security contexts. You can create two failover groups on the FWSM. You must create the failover groups on the active unit in the failover pair. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.


Note When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit.


Fields

Failover Groups—Lists the failover groups that are currently defined on the FWSM.

Group Number—Specifies the failover group number. This number is used when assigning contexts to failover groups.

Preferred Role—Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state when both units start up simultaneously or when the preempt option is checked. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

Preempt Enabled—Specifies whether the unit that is the preferred failover device for this failover group should become the active unit after rebooting.

Preempt Delay—Specifies the number of seconds that the preferred failover device should wait after rebooting before taking over as the active unit for this failover group. The range is between 0 and 1200 seconds.

Interface Policy—Specifies either the number of monitored interface failures or the percentage of failures that are allowed before the group fails over. The range is between 1 and 250 failures or 1 and 100 percent.

Interface Poll Time—Specifies the amount of time between polls among interfaces. The range is between 3 and 15 seconds.

Replicate HTTP—Identifies whether Stateful Failover should copy active HTTP sessions to the standby firewall for this failover group. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.

Add button—Displays the Add Failover Group dialog box. This button is only enabled if less than two failover groups exist. See Add/Edit Failover Group for more information.

Edit button—Displays the Edit Failover Group dialog box for the selected failover group. See Add/Edit Failover Group for more information.

Delete button—Removes the currently selected failover group from the failover groups table. This button is only enabled if the last failover group in the list is selected.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


For More Information

For more information about failover in general, see Understanding Failover.

Add/Edit Failover Group

Use the Add/Edit Failover Group dialog box to define failover groups for an Active/Active failover configuration.

Fields

Preferred Role—Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

Preempt after booting with optional delay of—Selecting this check box causes the unit that is the preferred failover device for a failover group to become the active unit after rebooting. Selecting this check box also enables the Preempt after booting with optional delay of box in which you can specify a period of time that the device should wait before becoming the active unit.

Preempt after booting with optional delay of—Specifies the number of seconds that a unit should wait after rebooting before taking over as the active unit for any failover groups for which it is the preferred failover device. The range is between 0 and 1200 seconds.

Interface Policy—Contains the fields for defining the policy for failover when monitoring detects an interface failure. These settings override any interface policy settings on the Criteria tab.

Number of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the value that you set with this command, then the FWSM fails over. The range is between 1 and 250 failures.

Percentage of failed interfaces that triggers failover—When the number of failed monitored interfaces exceeds the percentage that you set with this command, then the FWSM fails over.

Poll time interval for monitored interfaces—The amount of time between polls among interfaces. The range is between 3 and 15 seconds.

Enable HTTP replication—Selecting this check box enables Stateful Failover to copy active HTTP sessions to the standby firewall. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.
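The following added example is a constructed Python model of how the failover-group settings in this dialog box and on the Failover > Active/Active tab override the system-context Setup and Criteria tabs; it is not Cisco code, and the SystemTabs and FailoverGroup records, the assignments mapping of context names to group numbers, and the function names are this example's own.

```python
# Constructed Python model of how Active/Active failover-group settings
# override the system-context Setup and Criteria tabs (added example, not
# Cisco code; the field and function names are this example's own).
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SystemTabs:
    """Setup tab (HTTP replication) and Criteria tab values in the system context."""
    policy_count: Optional[int] = 1       # Number of failed interfaces, 1-250 ...
    policy_percent: Optional[int] = None  # ... or Percentage of failed interfaces, 1-100
    interface_poll_s: int = 5             # Monitored Interfaces poll time, 3-15 s
    http_replication: bool = False        # Enable HTTP replication


@dataclass
class FailoverGroup:
    """One row of the Failover > Active/Active tab."""
    number: int                              # 1 or 2
    preferred_role: str                      # "primary" or "secondary"
    preempt: bool = False
    preempt_delay_s: int = 0                 # 0-1200 s
    policy_count: Optional[int] = None       # either of these, when set, overrides
    policy_percent: Optional[int] = None     # the Criteria tab interface policy
    interface_poll_s: Optional[int] = None   # overrides the Criteria tab poll time
    http_replication: Optional[bool] = None  # overrides the Setup tab setting


def validate_groups(groups: List[FailoverGroup]) -> List[str]:
    """Return the problems the Add/Edit Failover Group dialog box would reject."""
    problems = []
    if len(groups) > 2:
        problems.append("at most two failover groups can exist")
    if sorted(g.number for g in groups) != list(range(1, len(groups) + 1)):
        problems.append("failover groups must be numbered 1 and then 2")
    for g in groups:
        tag = f"group {g.number}: "
        if not 0 <= g.preempt_delay_s <= 1200:
            problems.append(tag + "preempt delay must be 0-1200 seconds")
        if g.policy_count is not None and g.policy_percent is not None:
            problems.append(tag + "set a failed-interface count or a percentage, not both")
        if g.policy_count is not None and not 1 <= g.policy_count <= 250:
            problems.append(tag + "failed-interface count must be 1-250")
        if g.policy_percent is not None and not 1 <= g.policy_percent <= 100:
            problems.append(tag + "failed-interface percentage must be 1-100")
        if g.interface_poll_s is not None and not 3 <= g.interface_poll_s <= 15:
            problems.append(tag + "interface poll time must be 3-15 seconds")
    return problems


def group_number_for(context: str, assignments: Dict[str, int]) -> int:
    """The admin context is always in group 1; unassigned contexts default to group 1."""
    return 1 if context == "admin" else assignments.get(context, 1)


def effective_settings(context: str, assignments: Dict[str, int],
                       system: SystemTabs, groups: List[FailoverGroup]) -> dict:
    """Settings that actually govern a context.  With no failover groups,
    Active/Active is off and the Setup/Criteria tab values apply unchanged;
    otherwise a group-level value, when set, replaces the tab value."""
    result = {"group": None, "active_on": None,
              "policy_count": system.policy_count,
              "policy_percent": system.policy_percent,
              "interface_poll_s": system.interface_poll_s,
              "http_replication": system.http_replication}
    if not groups:
        return result
    number = group_number_for(context, assignments)
    group = next((g for g in groups if g.number == number), None)
    if group is None:
        raise ValueError(f"{context} is assigned to undefined failover group {number}")
    result["group"], result["active_on"] = number, group.preferred_role
    if group.policy_count is not None or group.policy_percent is not None:
        result["policy_count"] = group.policy_count
        result["policy_percent"] = group.policy_percent
    if group.interface_poll_s is not None:
        result["interface_poll_s"] = group.interface_poll_s
    if group.http_replication is not None:
        result["http_replication"] = group.http_replication
    return result
```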

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


For More Information

For more information about failover in general, see Understanding Failover.