Table Of Contents
Configuring Failover
Important Note about Deployment Errors and Failover
What Is Meant by Regular and Stateful Failover?
Stateful Failover
Regular Failover
Configuring PIX Firewall Failover Pairs
Configuring a PIX Firewall for Serial Failover
Bootstrapping a PIX Firewall for LAN-based Failover
Configuring FWSM Failover Pairs
Bootstrapping a LAN-Based Failover Pair of FWSMs
Using the Show Failover Command for FWSM 1.1.3 or Earlier
What Triggers Failover in FWSM Pairs?
Configuring Failover Settings in Firewall MC
Setting Failover for PIX Firewalls or FWSM 1.1.3 or Earlier
Setting Failover for FWSM 2.1 or Later
Using the Show Failover Command for FWSM 2.1 or Later
Configuring Failover
Failover allows you to configure two firewall devices so that one will take over operation if the other fails. Failover requires that you purchase a second firewall device (sold as a failover device) that works only as a failover device. You must ensure that both devices have the same version of software, type of activation key, RAM, and amount of Flash memory. When configuring failover pairs using Firewall MC, you must:
1. Enable workflow in Firewall MC.
2. Configure Firewall MC to continue deployment when errors are found.
3. Prepare the failover pair.
4. Configure the failover settings in the GUI.
5. Generate commands.
6. Bootstrap devices.
7. Deploy command sets.
The following discussion describes tasks 2 through 6.
Note
Although you can configure failover with workflow disabled, you will not be able to access the properly formatted bootstrap information. If you choose not to enable workflow, you must find and remove the comments from the bootstrap settings in the generated commands. To review all generated commands, select Configuration > View Config.
Topics to be discussed are:
• Important Note about Deployment Errors and Failover
• What Is Meant by Regular and Stateful Failover?
• Configuring PIX Firewall Failover Pairs
• Configuring FWSM Failover Pairs
• Configuring Failover Settings in Firewall MC
Important Note about Deployment Errors and Failover
If you are configuring failover, we recommend that you use the Firewall MC Controls default setting to continue deployment if errors are found.
We also recommend that you do not select Reboot if deployment errors are found. If you create a failover network environment and enter a random or invalid command on the active failover unit, the command is immediately replicated to the standby unit without your using a write memory command. Such a command also generates an error.
In a non-failover configuration, you can reboot the active unit to restore the device to its previous working configuration. However, when you reboot the active unit in the failover configuration, it returns to service in standby mode. The previous standby unit is now active and it pushes the erroneous commands it receives from the previous active unit to the new standby unit. As a result, reloading the device does not restore the configuration to its previous condition in a failover scenario. Instead, the device has an incomplete configuration.
Selecting the option to continue if deployment errors occur restores the configuration to its previous condition in this environment.
What Is Meant by Regular and Stateful Failover?
The FWSM supports two types of failover:
• Regular failover—When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the new active unit takes over. See Regular Failover.
• Stateful failover—During normal operation, the active unit continually passes per-connection stateful information (for each context) to the standby unit. The interval between stateful information updates is 10 seconds, but you can set the unit poll time to be greater than that value.
  After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session. See Stateful Failover.
Stateful Failover
To use stateful failover, you must configure a state link to pass all state information. This link can be the same as the failover link, but we recommend that you assign a separate VLAN and IP address for the state link. The state traffic can be great and performance is improved with separate links.
In multiple context mode, the state link resides in the System configuration. This interface and the failover interface are the only interfaces in the System configuration.
Note
The IP address and MAC address for the state link do not change at failover.
The state information passed to the standby unit includes:
• NAT translation table.
• TCP connection states.
• HTTP connection states (optional).
• H.323, SIP, and MGCP UDP media connections.
Regular Failover
The two units constantly communicate over a failover link to determine the operating status of each. Communications over the failover link include:
• The unit state (active or standby).
• Hello messages (also sent on all other interfaces).
• Configuration synchronization between the two units.
The failover link uses a special VLAN interface that you do not configure as a normal networking interface; instead, it exists only for failover communications. You should use this VLAN only for the failover link (and optionally the state link).
For multiple context mode, the failover link resides in the System configuration. The VLAN interface (and the state link, if used) is the only configurable interface in the System configuration.
Note
The IP address and MAC address for the failover link do not change at failover.
Configuring PIX Firewall Failover Pairs
In a failover configuration, two PIX Firewalls communicate failover information through a failover link. This failover link can be either a LAN-based connection or a serial failover cable that connects the two firewalls. The active firewall handles all network traffic that passes through the failover pair. The standby firewall does not handle network traffic until a failure occurs on the active firewall. When a failure occurs, the standby PIX Firewall assumes the role of the active firewall.
You can use Firewall MC to manage PIX Firewalls that are configured for failover. By configuring PIX Firewalls for failover, you can protect critical entry points to your network if the first PIX Firewall fails. If the first PIX Firewall fails, the second PIX Firewall takes over the duties of the first.
For both types of failover links, the PIX Firewall supports two modes of failover: stateless failover and stateful failover. The default mode is stateless failover.
With stateless failover, when the standby PIX Firewall becomes active, it assumes the IP and MAC addresses of the previously active firewall. If you enter show ip address at the command prompt on the active PIX Firewall, you see two sets of System IP Addresses; the first set contains the IP addresses originally assigned to the firewall's interfaces. The second set, called Current IP Addresses, contains the IP addresses obtained from the failed firewall. These are the IP addresses the firewall uses in the running configuration.
The term failover interface refers to any interface that is enabled and has a failover IP address assigned to it. The corresponding interfaces between the failover pair exchange hello messages to determine if the peer is operational. If, after a specified period of time, the standby firewall detects that the active firewall's link does not respond, the standby firewall becomes the active firewall. It assumes the assigned system IP addresses, and the previously active firewall (now the standby firewall) assumes the failover IP addresses.
Because network devices see no change in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network. Any open connections, however, are closed. Those connections must be reestablished before the sessions can continue.
Stateful failover is similar to stateless failover. When the standby PIX Firewall becomes active, it assumes the IP and MAC addresses of the previously active firewall. As in stateless failover, the change in the firewall is not visible to other network devices. However, with stateful failover, connection states are transferred to the standby PIX Firewall. Applications with open connections during failover do not have to reconnect the communication session.
The following information is copied to the standby PIX Firewall when stateful failover is enabled:
• Configuration.
• TCP (except for HTTP) connection table, including the timeout information of each connection.
• Translation (xlate) table.
• System clock.
The following information is not copied to the standby PIX Firewall when stateful failover is enabled:
• HTTP connection table.
• User authentication (uauth) table.
• ISAKMP and IPSec SA table.
• ARP table.
• Routing information.
To use Firewall MC to manage PIX Firewalls in a failover configuration, you must import and define the settings for the active PIX Firewall. You do not need to represent the standby PIX Firewall in the Firewall MC GUI.
Because you do not represent the standby PIX Firewall in the Firewall MC GUI, you cannot distribute command sets directly to it. However, the standby PIX Firewall receives the command set from the active PIX Firewall over the failover link. The active PIX Firewall synchronizes the standby PIX Firewall upon receipt of each command.
One benefit of the way Firewall MC models two PIX Firewalls in a failover configuration is that you can easily turn a single PIX Firewall configuration into a failover configuration. By adding the standby PIX Firewall to the existing network, physically connecting it to the active PIX Firewall, and making a few changes to the existing PIX Firewall settings in Firewall MC, you can quickly turn a single PIX Firewall into a failover configuration. Because the standby PIX Firewall receives its command set from the active PIX Firewall, instead of from Firewall MC, you should experience little or no change in the command distribution time.
Configuring a PIX Firewall for Serial Failover
You can use Firewall MC to configure PIX Firewalls to operate in serial failover mode. In failover mode, whenever PIX Firewall hardware or software fails, the firewall transfers all operations to a standby PIX Firewall over a serial failover cable connecting the two firewalls. You can configure the PIX Firewall to transfer state information as well.
Failover mode detects when a network failure occurs or when the PIX Firewall experiences a hardware or software error that prevents it from transferring network packets. In a failover configuration, a second PIX Firewall acts as a standby in the case of such failures and takes over the responsibilities and configuration settings of the active PIX Firewall.
Caution
If you are managing firewalls that are configured for failover (serial or LAN), you cannot use the Auto Update Server with those firewalls. You must deploy directly to the firewalls from Firewall MC. Otherwise, the firewalls will not operate in failover mode.
Step 1
Action: Verify that you have two devices that can be used in a failover configuration.
Result: For failover, both PIX Firewalls are identical for the following:
• Model number.
• Number and type of interfaces in the same slot configuration.
• Amount of RAM.
• Flash memory size.
• OS software version.
• License to operate in failover mode.
– The primary firewall must have an unrestricted license.
– The secondary firewall must have either an unrestricted license or a failover license.
– If the primary firewall has a DES/3DES license, the secondary must also have one.

Step 2
Action: Ensure that you have connected all enabled interfaces between the primary and secondary firewalls.
Result: All enabled interfaces are connected to the correct networks.

Step 3
Action: Physically connect the standby PIX Firewall to the network and to the active PIX Firewall using the serial failover cable.
Result: The appropriate end of the serial cable is connected to the corresponding firewall—primary connected to primary and secondary connected to secondary. The physical configuration of the two failover devices is detailed in Configuration Guide for the PIX Firewall, which shipped with your product.

Step 4
Action: From the console, bootstrap the primary device with the basic information and the preconfiguration setup commands. See Bootstrapping an Existing PIX Firewall, or Bootstrapping a New PIX Firewall.
Note For serial failover, only the primary device should be bootstrapped with a configuration. Use the write standby command to synchronize the configuration to the secondary.
Result: The primary PIX Firewall is configured to enable Firewall MC to communicate with it over the network.

Step 5
Action: From the console connected to the primary firewall, enter the interface ethernet# speed command to enable each interface that will participate in failover. Use the write memory command to save your changes.
Note We recommend that you do not use the auto or 1000auto option for the speed argument. You should specify the actual speed of the interface.
Correct:
interface ethernet0 10basetx
interface ethernet1 100basetx
Incorrect:
interface ethernet0 auto
interface ethernet1 1000auto
Result: All interfaces on the primary firewall are enabled. When Firewall MC imports the configuration file from the primary firewall, it can discover the interfaces.

Step 6
Action: Ensure that you have assigned IP addresses to all of the enabled interfaces installed on the primary firewall.
Result: All enabled interfaces have IP addresses assigned to them.

Step 7
Action: From Firewall MC, create an activity (if workflow is enabled) and import the configuration files from the PIX Firewall that will be designated as the primary firewall.
Note Do not import the device that will be designated as the secondary firewall. All configuration information on the standby PIX Firewall is received from the active PIX Firewall.
Result: The primary firewall is configured in Firewall MC and the activity is submitted and approved.

Step 8
Action: Create an activity (if workflow is enabled) and configure failover settings for the primary firewall.
Note Do not enable LAN-based failover.
See Configuring Failover Settings in Firewall MC.
Result: Firewall MC has the basic configuration of the primary firewall (such as which networks it is attached to) and failover is enabled.

Step 9
Action: From Configuration > MC Settings > Deployment, select the Direct to device option on the Deployment control page.
Result: Commands that are deployed to the PIX Firewall by Firewall MC will be deployed directly to the device. For more information, see Important Note about Deployment Errors and Failover.

Step 10
Action: Under Configuration > Device Settings > Config Additions > Ending Commands, enter write standby as the last command.
Result: When deployed to the primary (active) firewall, this command initiates replication between the two firewalls and forces the active firewall to synchronize its configuration to the standby firewall.

Step 11
Action: Generate the command sets for the primary firewall by approving the activity (if workflow is enabled) you created in the previous step.
Note Because LAN-based failover is not enabled, no bootstrap commands are generated.
Result: Firewall MC generates the commands for the primary firewall.

Step 12
Action: Create a job (if workflow is enabled), select the previously approved activity and the primary firewall as the device to deploy, then click Next.
Result: The Review Devices page appears, which is the fourth page in the Job Wizard.

Step 13
Action: Deploy the generated commands directly to the primary firewall.
Result: The device designated as the primary firewall was not rebooted; it becomes the active firewall. When the secondary firewall returns to service, it becomes the standby firewall and receives its updated configuration from the active firewall. For more information, see Important Note about Deployment Errors and Failover.

Step 14
Action: Reboot the secondary firewall.
Note After you perform this procedure, we recommend that you remove the write standby command from Ending Commands on the active firewall.
Result: The secondary firewall returns to service as the standby firewall.
Bootstrapping a PIX Firewall for LAN-based Failover
You can configure LAN-based failover for PIX Firewalls running version 6.2 and later. Firewall MC allows you to manage LAN-based failover settings, such as message encryption and authentication using a manual pre-shared key; however, you must bootstrap both firewalls before you can manage these configurations.
Caution
Do not use Auto Update Server with firewalls you are managing that are configured for failover (serial or LAN). You must deploy directly to the firewalls from Firewall MC.
This section presents task flows for the following:
• Migrating from Serial to LAN-Based Failover for PIX Firewall.
• Bootstrapping a LAN-Based Failover Pair of PIX Firewalls.
Migrating from Serial to LAN-Based Failover for PIX Firewall
You can use Firewall MC to migrate a failover pair from serial to LAN-based failover. The following procedure steps you through the process required to prepare the firewall pair and configure Firewall MC.
Step 1
Action: From Firewall MC, create an activity (if workflow is enabled) and import the configuration files from the active PIX Firewall.
Note Do not import the standby firewall.
Result: The active firewall is modeled in Firewall MC and the activity is submitted and approved. The active firewall is the primary firewall.

Step 2
Action: Create an activity (if workflow is enabled) and configure the settings under Configuration > Device Settings > Failover for the primary firewall. Specifically, you must select Enable LAN-based failover and configure the settings under this area.
See Configuring Failover Settings in Firewall MC.
Result: Firewall MC has the basic configuration of the primary firewall, such as the networks to which it is attached, and the LAN failover connection settings, such as which interface to use as the failover interface.

Step 3
Action: From Configuration > MC Controls > Deployment, select the Direct to device option on the Deployment control page.
Result: Commands that are deployed to the PIX Firewall by Firewall MC will be deployed directly to the device. For more information, see Important Note about Deployment Errors and Failover.

Step 4
Action: Generate the command sets for the primary and secondary firewalls by approving the activity (if workflow is enabled) you created in the previous step.
Result: Firewall MC generates the commands for the primary and secondary firewalls.

Step 5
Action: Create a job (if workflow is enabled), select the previously approved activity and the primary firewall as the device to deploy, then click Next.
Result: The Review Devices page appears, which is the fourth page in the Job Wizard. At the bottom of the Review Devices page, the message Warning: Device needs to be manually configured for LAN-based failover! appears. You must manually prepare both the primary and secondary firewalls with LAN failover-specific bootstrap commands before you can deploy the remaining commands to the primary firewall.

Step 6
Action: Disconnect the corresponding interfaces on the LAN failover pair (for example, the corresponding DMZ interfaces on each firewall). These corresponding interfaces on the two firewalls are designated as the LAN failover link.
Result: All enabled interfaces are connected to the correct networks except the interfaces to be used as the LAN failover link. These interfaces are not connected.

Step 7
Action: To view the commands that must be manually applied to the primary and secondary firewalls, click the manually configured link in Firewall MC.
Result: A popup window displays all failover pairs that require bootstrap configurations.

Step 8
Action: From the list of failover pairs, select the appropriate failover pair devices, then click View Bootstrap Commands.
Result: A popup window displays the bootstrap commands for the primary firewall at the top and those for the secondary firewall at the bottom.

Step 9
Action: From the console, use the show failover command to determine which firewall is active.
Result: The active firewall is shown.

Step 10
Action: Through a console session to the active firewall, cut and paste the generated bootstrap commands for the primary firewall, then enter the write memory command.
Result: The primary firewall is bootstrapped for LAN-based failover.

Step 11
Action: Through a console session to the standby firewall, cut and paste the generated bootstrap commands for the secondary firewall, then enter the write memory command.
Result: The secondary firewall is bootstrapped for LAN-based failover and will receive its full configuration from the primary firewall when the LAN failover connection is established.

Step 12
Action: Connect the interfaces that you will use as your LAN failover link (physical connection).

Step 13
Action: Reboot the secondary firewall. While it is rebooting, disconnect the serial failover cable.
Result: The secondary firewall returns to service as the standby firewall and the serial failover cable is disconnected.

Step 14
Action: After the secondary firewall returns to service, deploy the remaining generated commands (those not related to LAN failover) directly to the primary firewall.
Result: The device designated as the primary firewall was not rebooted; it becomes the active firewall. When the secondary firewall returns to service, it becomes the standby firewall and receives its updated configuration from the active firewall. For more information, see Important Note about Deployment Errors and Failover.
Bootstrapping a LAN-Based Failover Pair of PIX Firewalls
The process for enabling failover includes using CLI-based configuration commands and commands generated by Firewall MC. The following procedure describes the tasks to be performed.
After you bootstrap your failover pair the first time, do not focus on generated commands that refer to primary and secondary firewalls. The firewalls are primary and secondary because the PIX Firewalls require this designation initially. If both firewalls are rebooted simultaneously, the primary firewall always assumes the role of the active firewall and the secondary firewall always assumes the role of the standby firewall.
In the following task, you force this designation by rebooting the secondary firewall, which is a one-time operation. If you make changes to your LAN failover settings after the first bootstrap, you must always cut and paste the respective Firewall MC generated configurations directly to the active and standby firewalls from a console session. Use the show failover command at the console to determine which firewall is active or standby.
Step 1
Action: Verify that you have two devices that can be used in a failover configuration.
Result: For failover, both PIX Firewalls are identical for the following:
• Model number.
• Number and type of interfaces in the same slot configuration.
• Amount of RAM.
• Flash memory size.
• OS software version.
• License to operate in failover mode.
– The primary firewall must have an unrestricted license.
– The secondary firewall must have either an unrestricted license or a failover license.
– If the primary firewall has a DES/3DES license, the secondary must also have one.

Step 2
Action: Ensure that you have connected all enabled interfaces between the primary and secondary firewalls, except for the interfaces to be used as the LAN failover link (for example, the corresponding DMZ interfaces on each firewall).
Result: All enabled interfaces are connected to the correct networks other than the interfaces to be used as the LAN failover link. These interfaces are not connected.

Step 3
Action: From the console, bootstrap the primary and secondary devices with the basic information and the preconfiguration setup commands. See Bootstrapping an Existing PIX Firewall, or Bootstrapping a New PIX Firewall.
Result: The primary and secondary PIX Firewalls are configured to allow Firewall MC to communicate with them over the network.

Step 4
Action: From the console connected to the primary firewall, enter the interface ethernet# speed command to enable each interface that will participate in LAN-based failover. Use the write memory command to save your changes.
Note We recommend that you do not use the auto or 1000auto option for the speed argument. You should specify the actual speed of the interface.
Correct:
interface ethernet0 10basetx
interface ethernet1 100basetx
Incorrect:
interface ethernet0 auto
interface ethernet1 1000auto
Result: The primary firewall has all interfaces enabled. When Firewall MC imports the configuration file from the primary firewall, it can discover the interfaces.

Step 5
Action: Ensure that you have assigned IP addresses to all of the enabled interfaces installed on the primary firewall.
Result: All enabled interfaces have IP addresses assigned to them.

Step 6
Action: Enable the LAN failover interface in the secondary firewall and assign it an IP address that is on the same subnet as the failover interface in the primary firewall.
Result: The failover interface on the secondary device is enabled, and its IP address is on the same subnet as the failover interface on the primary device.

Step 7
Action: From Firewall MC, create an activity (if workflow is enabled) and import the configuration files from the PIX Firewall that will be designated as the primary firewall.
Note Do not import the device that will be designated as the secondary firewall.
Result: The primary firewall is modeled in Firewall MC and the activity is submitted and approved.

Step 8
Action: Create an activity (if workflow is enabled) and configure the interfaces (Configuration > Device Settings > Interfaces) and failover (Configuration > Device Settings > Failover) settings for the primary firewall. Specifically, you need to select Enable LAN-based failover and configure the settings under this area.
See Configuring Failover Settings in Firewall MC.
Result: Firewall MC has the basic configuration of the primary firewall (such as which networks it is attached to) as well as the LAN failover connection settings, such as which interface to use as the failover interface.

Step 9
Action: Under Configuration > MC Settings > Deployment, select the Direct to device option on the Deployment control page.
Result: Commands that are deployed to the PIX Firewall by Firewall MC will be deployed directly to the device. For more information, see Important Note about Deployment Errors and Failover.

Step 10
Action: Generate the command sets for the primary and secondary firewalls by approving the activity (if workflow is enabled) you created in the previous step.
Result: Firewall MC generates the commands for the primary and secondary firewalls.

Step 11
Action: Create a job (if workflow is enabled), select the previously approved activity and the primary firewall as the device to deploy, then click Next.
Result: The Review Devices page appears, which is the fourth page in the Job Wizard. At the bottom of the Review Devices page, the message Warning: Device needs to be manually configured for LAN-based failover! appears. You must manually prepare both the primary and secondary firewalls with LAN failover-specific bootstrap commands before you can deploy the remaining commands to the primary firewall.

Step 12
Action: To view the commands that must be manually applied to the primary and secondary firewalls, click the manually configured link.
Result: A popup window displays all failover pairs that require bootstrap configurations.

Step 13
Action: From the list of failover pairs, select the appropriate failover pair devices, then click View Bootstrap Commands.
Result: A popup window displays the bootstrap commands for the primary firewall at the top and those for the secondary firewall at the bottom.

Step 14
Action: Through a console session to the primary firewall, cut and paste the generated bootstrap commands for this device, then enter the write memory command.
Result: The primary firewall is bootstrapped for LAN-based failover.

Step 15
Action: Through a console session to the secondary firewall, cut and paste the generated bootstrap commands for this device, then enter the write memory command.
Result: The secondary firewall is bootstrapped for LAN-based failover and will receive its full configuration from the primary firewall when the LAN failover connection is established.

Step 16
Action: Connect the interfaces that you will use as your LAN failover link (physical connection).

Step 17
Action: Reboot the secondary firewall.
Result: The secondary firewall returns to service as the standby firewall.

Step 18
Action: After the secondary firewall returns to service, deploy the remaining generated commands (those not related to LAN failover) directly to the primary firewall.
Tip We recommend that you wait a few minutes after the secondary firewall returns to service before deploying the remaining commands. This time allows the firewalls to initialize their failover settings.
Result: The device designated as the primary firewall was not rebooted; it becomes the active firewall. When the secondary firewall returns to service, it becomes the standby firewall and receives its updated configuration from the active firewall. For more information, see Important Note about Deployment Errors and Failover.
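Both the serial procedure and the LAN-based procedure above require the same interface preparation on the primary firewall: a fixed speed rather than auto or 1000auto, an IP address on every enabled interface, and (per Configuring PIX Firewall Failover Pairs) a failover IP address on each interface that should exchange hello messages. The following added example, which is not code from the Firewall MC guide or from Cisco, lints a PIX-style configuration for those prerequisites; the sample configuration is constructed, and the command forms it assumes (nameif, interface, ip address, failover ip address, failover) are an assumption about PIX 6.x syntax.

```python
from dataclasses import dataclass, field

# Constructed sample configuration in PIX 6.x style (not taken from the guide or a
# real device). Assumed command forms: "nameif <hw> <name> <security>",
# "interface <hw> <speed>", "ip address <name> <ip> <mask>",
# "failover ip address <name> <ip>" and a bare "failover" line.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 100basetx
interface ethernet1 auto
interface ethernet2 1000auto
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 10.0.1.1 255.255.255.0
failover
failover ip address outside 192.0.2.3
failover ip address inside 10.0.0.2
"""

# Speed keywords the guide says not to use on interfaces that take part in failover.
AUTO_NEGOTIATED_SPEEDS = {"auto", "1000auto"}


@dataclass
class PixModel:
    """The parts of a PIX configuration that the failover prerequisites depend on."""
    speeds: dict = field(default_factory=dict)        # hardware interface -> speed keyword
    names: dict = field(default_factory=dict)         # hardware interface -> nameif name
    addresses: dict = field(default_factory=dict)     # nameif name -> system IP address
    failover_ips: dict = field(default_factory=dict)  # nameif name -> failover IP address
    failover_enabled: bool = False


def parse_pix_config(text: str) -> PixModel:
    """Pick out the interface, address and failover lines from a PIX-style config."""
    model = PixModel()
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue  # blank line
        if parts[0] == "nameif" and len(parts) >= 3:
            model.names[parts[1]] = parts[2]
        elif parts[0] == "interface" and len(parts) >= 3:
            model.speeds[parts[1]] = parts[2]
        elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
            model.addresses[parts[2]] = parts[3]
        elif parts[:3] == ["failover", "ip", "address"] and len(parts) >= 5:
            model.failover_ips[parts[3]] = parts[4]
        elif parts == ["failover"]:
            model.failover_enabled = True
    return model


def lint_failover_prerequisites(model: PixModel) -> list:
    """Return one finding per prerequisite the configuration does not meet."""
    findings = []
    # Speed must be fixed, not negotiated, on interfaces that take part in failover.
    for hw, speed in sorted(model.speeds.items()):
        if speed in AUTO_NEGOTIATED_SPEEDS:
            findings.append(f"{hw}: speed '{speed}' is negotiated; set the actual interface speed")
    for hw, name in sorted(model.names.items()):
        # An interface with no "interface <hw> <speed>" line has never been enabled.
        if hw not in model.speeds:
            findings.append(f"{hw} ({name}): interface is not enabled")
            continue
        # Every enabled interface needs a system IP address ...
        if name not in model.addresses:
            findings.append(f"{name}: enabled interface has no IP address")
        # ... and only interfaces with a failover IP address exchange hello messages.
        elif name not in model.failover_ips:
            findings.append(f"{name}: no failover IP address, so it will not exchange hellos")
    if not model.failover_enabled:
        findings.append("failover is not enabled on this unit")
    return findings


def lint_config_text(text: str) -> list:
    """Convenience wrapper: parse a configuration and lint it in one call."""
    return lint_failover_prerequisites(parse_pix_config(text))


if __name__ == "__main__":
    for finding in lint_config_text(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the two negotiated speeds and the dmz interface that has a system address but no failover address; a clean configuration returns an empty list.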
Configuring FWSM Failover Pairs
FWSM failover pairs differ from PIX Firewalls in that serial failover is not possible; only LAN failover is supported. Also, you can configure FWSM failover pairs as either intra-switch or inter-switch:
• An intra-switch failover pair is two firewall modules in a single chassis.
• An inter-switch failover pair is one firewall module in each of two different chassis.
In either configuration, both firewall modules must have the same amount of RAM and Flash memory, and must be running the same version of software.
To set up failover on a single chassis, install two firewall modules on the same chassis and assign the same firewall VLAN group to both modules, as shown in Figure 18-1.
Figure 18-1 Failover Single Chassis Configuration
To configure failover in a single chassis, perform the following:
Step 1
Command: Router(config)# firewall vlan-group group-name vlan-group
Purpose: Assigns VLANs to a VLAN group.

Step 2
Command: Router(config)# firewall module slot vlan-group group-name
Purpose: Assigns the VLAN group to the primary module.

Step 3
Command: Router(config)# firewall module slot vlan-group group-name
Purpose: Assigns the VLAN group to the secondary module.
To set up failover between two chassis, install a firewall module in each chassis and assign the same firewall VLAN group to both modules, as shown in Figure 18-2.
Figure 18-2 Dual-Chassis Failover Configuration
To set up a dual-chassis configuration, perform the following:
Step 1
Command: Router1(config)# firewall vlan-group group-name vlan-group
Purpose: Configures the same set of firewall VLANs on both chassis.

Step 2
Command: Router2(config)# firewall module slot vlan-group group-name
Purpose: Provides a trunk connecting the two chassis, carrying all the firewall VLANs.
Bootstrapping a LAN-Based Failover Pair of FWSMs
You can configure LAN-based failover for FWSMs running version 1.1.2 and later. The procedure for configuring failover differs depending on the version of FWSM that is running; however, the basic procedure for bootstrapping FWSMs is the same. Firewall MC allows you to manage LAN-based failover settings; however, you must bootstrap both firewall devices before you can manage these configurations.
Note
FWSM does not have a serial port; it supports only LAN-based failover.
Caution
If you are managing firewalls that are configured for failover, you cannot use the Auto Update Server with those firewalls. You must deploy directly to the firewalls from Firewall MC.
The process of enabling failover includes using CLI-based configuration commands and Firewall MC-generated commands. The following procedure describes the tasks to be performed.
After you bootstrap the failover pair (complete the task flow) the first time, do not focus on generated commands that refer to primary and secondary firewalls. The firewalls are primary and secondary because the FWSM requires this designation initially. If both firewalls are rebooted simultaneously, the primary firewall always assumes the role of the active firewall and the secondary firewall always assumes the role of the standby firewall.
You force this designation by entering the failover active command at the FWSM prompt of the primary firewall in a one-time operation.
After the first bootstrap, if you make changes to your LAN failover settings, you must always cut and paste the respective Firewall MC generated configurations directly to the active and standby firewalls from a console session. You can determine which firewall device is active or standby by using the show failover command at the console.
Step 1
Verify that you have two firewall modules that can be used in a failover configuration.
Result: Both FWSMs are identical in model number, amount of RAM, Flash memory size, and software version.
Step 2
From the console, bootstrap both the primary and secondary firewall modules with the basic information and the preconfiguration setup commands. For more information, see Bootstrapping an Existing FWSM and Bootstrapping a New FWSM.
Result: The primary and secondary FWSMs are configured to allow Firewall MC to communicate with them over the network.
Step 3
Ensure that you have assigned IP addresses to all of the enabled interfaces on the primary and secondary firewalls.
Result: All enabled interfaces have IP addresses assigned to them. The primary firewall has all interfaces enabled, so Firewall MC can discover them on import.
Step 4
From the MSFC, telnet to 127.0.0.s1, where s is the slot in which the primary FWSM resides (for example, 127.0.0.31 for an FWSM in slot 3). Create a dedicated logical interface (VLAN) for failover communication using the nameif vlan_id if_name security_level command. Keep this VLAN dedicated to the failover pair: the full configuration of the active unit, including its credentials, is synchronized to the standby unit over it in Step 15.
Note We recommend that you keep the failover link and the stateful (logical update) link on separate VLANs. Packets on the failover link are tagged with a higher QoS priority; because stateful update traffic can be high in volume, that priority is lost if both kinds of traffic share the same interface.
Step 5
At the MSFC prompt, add the dedicated failover VLAN to the firewall VLAN group using the firewall vlan-group command (for example, firewall vlan-group 3 10, where 3 is the VLAN group and 10 is the failover VLAN).
Step 6
At the MSFC prompt, activate the dedicated VLAN using the vlan vlan-id state active command.
Step 7
Using Firewall MC, create an activity (if workflow is enabled) and import the configuration from the FWSM that will be designated as the primary firewall.
Note Do not import the device that will be designated as the secondary firewall.
Result: The primary firewall is modeled in Firewall MC, and the activity is submitted and approved.
Step 8
Create an activity (if workflow is enabled) and configure the interface (Configuration > Device Settings > Interfaces) and failover (Configuration > Device Settings > Failover) settings for the primary firewall. Specifically, select Enable LAN-based failover and configure the settings under it. See Configuring Failover Settings in Firewall MC.
Result: Firewall MC holds the basic configuration of the primary firewall, such as which networks it is attached to, and the LAN failover settings, such as which interface to use as the failover interface.
Step 9
From Configuration > MC Settings > Deployment, select the Direct to device option on the Deployment control page.
Result: Commands that Firewall MC deploys to the FWSM are sent directly to the device.
Step 10
Generate the command sets for the primary and secondary firewalls by approving the activity (if workflow is enabled) that you created in the previous step.
Result: Firewall MC generates the commands for the primary and secondary firewalls.
Step 11
Create a job (if workflow is enabled), select the previously approved activity and the primary firewall as the device to deploy, then click Next.
Result: The Review Devices page (the fourth page of the Job Wizard) appears. At the bottom of the page, the message Warning: Device needs to be manually configured for LAN-based failover! appears. You must manually prepare both the primary and secondary firewalls with the LAN failover bootstrap commands before you can deploy the remaining commands to the primary firewall.
Step 12
To view the commands that must be manually applied to the primary and secondary firewalls, click the manually configured link.
Result: A popup window lists all failover pairs that require bootstrap configuration.
Step 13
From the list of failover pairs, select the appropriate pair, then click View Bootstrap Commands.
Result: A popup window displays the bootstrap commands for the primary firewall at the top and those for the secondary firewall at the bottom.
Step 14
From the MSFC, telnet to 127.0.0.s1, where s is the slot in which the primary firewall resides (for example, 127.0.0.31 for slot 3). Paste the generated bootstrap commands for the primary device, then enter the write memory command.
Note The write memory command is required so that the module comes back online with the failover configuration after a reload (or after recovering from a failure).
Result: The primary firewall is bootstrapped for LAN-based failover.
Step 15
From the MSFC, telnet to 127.0.0.s1, where s is the slot in which the secondary firewall resides. Paste the generated bootstrap commands for the secondary device, then enter the write memory command.
Result: The secondary module detects the primary module and switches to standby; the firewall configuration is synchronized from the active module to the standby module. The secondary firewall is bootstrapped for LAN-based failover and receives its full configuration from the primary firewall after you complete this procedure.
Step 16
From the MSFC, telnet to the primary firewall again (127.0.0.s1, where s is its slot) and enter the failover active command.
Result: The primary firewall is forced to become the active firewall, which ensures that the secondary firewall assumes the standby state. This command is required so that the remaining generated commands deployed to the primary firewall are accepted.
Step 17
After the secondary firewall returns to service and the primary firewall has been forced to the active state, deploy the remaining generated (non-failover) commands directly to the primary firewall.
Tip We recommend that you wait a few minutes after the secondary firewall returns to service before deploying the remaining commands. This time allows the firewalls to initialize their failover settings.
Result: Because the primary firewall is not rebooted, it remains the active firewall. When the secondary firewall returns to service, it becomes the standby firewall and receives its updated configuration from the active firewall.
Using the Show Failover Command for FWSM 1.1.3 or Earlier
On each unit, you can verify the failover status by entering:
primary(config)# show failover
This command shows:
•
Whether failover is on or off.
•
Which unit is active.
•
The IP addresses assigned for the active and standby units.
•
The failover link information.
•
Interface policy.
•
Stateful failover statistics.
See the following sample output. As printed here, the sample shows the unit's running configuration rather than a status display: the failover-related lines (failover lan unit primary, failover lan interface dmz, failover replication http, and the failover ip address lines) show which unit is primary, which interface carries the failover link, that HTTP sessions are replicated, and the standby address of each interface. The sample is a lab configuration: it opens Telnet, HTTP and SNMP (community public) broadly, and its dmz standby address (200.1.1.2) is the same as the dmz active address, which is an error; each standby address must be a distinct address on the same subnet as the active address. Do not copy these settings into production.
fwsm(config)# show failover
nameif vlan5 inside security100
nameif vlan100 outside security0
nameif vlan200 dmz security50
nameif vlan17 DMZ777 security17
nameif vlan18 dmz888 security18
nameif vlan7 DMZ2 security10
nameif vlan999 DMZ999 security99
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol sqlnet 1521
fixup protocol skinny 2000
no fixup protocol http 80
no fixup protocol rtsp 554
fixup protocol h323 H225 1721
access-list acl_mdc_DMZ777_access_1 deny ip any any
access-list acl_mdc_DMZ999_access_1 deny ip any any
access-list acl_mdc_DMZ2_access_1 deny ip any any
access-list acl_mdc_dmz888_access_1 deny ip any any
access-list acl_mdc_inside_access_1 permit ip any any
access-list acl_mdc_outside_access_1 permit ip any any
access-list acl_mdc_dmz_access_1 permit ip any any
access-list acl_mdc_dmz_authen permit ip any any
access-list acl_mdc_dmz_author permit ip any any
access-list acl_mdc_dmz_accnt permit ip any any
logging rate-limit 101 1 level 1
logging rate-limit 10 1 level 4
logging rate-limit 99999999 1 message 106010
ip address inside 5.1.1.1 255.255.255.0
ip address outside 100.1.1.1 255.255.255.0
ip address dmz 200.1.1.2 255.255.255.0
ip address DMZ777 6.1.1.1 255.255.255.0
ip address dmz888 8.1.1.1 255.255.255.0
ip address DMZ2 130.1.1.1 255.255.255.255
ip address DMZ999 99.99.99.99 255.255.255.0
ip verify reverse-path interface outside
failover lan unit primary
failover replication http
failover lan interface dmz
failover ip address inside 5.1.1.2
failover ip address outside 100.1.1.2
failover ip address dmz 200.1.1.2
failover ip address DMZ777 6.1.1.2
failover ip address dmz888 8.1.1.2
failover ip address DMZ2 130.1.1.2
pdm location 172.20.109.11 255.255.255.255 inside
pdm location 172.69.69.0 255.255.255.0 inside
pdm location 172.69.69.0 255.255.255.0 dmz
nat (dmz) 1 211.1.1.0 255.255.255.0 0 0
nat (dmz) 2 211.1.2.0 255.255.255.0 0 0
nat (dmz) 2 211.1.3.0 255.255.255.0 0 0
static (inside,outside) tcp interface 999 172.16.5.100 telnet netmask
255.255.255.255 0 0
static (dmz,outside) 145.85.2.2 145.85.2.2 netmask 255.255.255.255 0 0
static (inside,outside) 145.85.66.12 145.85.66.12 netmask
255.255.255.255 0 0
access-group acl_mdc_inside_access_1 in interface inside
access-group acl_mdc_outside_access_1 in interface outside
access-group acl_mdc_dmz_access_1 in interface dmz
access-group acl_mdc_DMZ777_access_1 in interface DMZ777
access-group acl_mdc_DMZ999_access_1 in interface DMZ999
access-group acl_mdc_DMZ2_access_1 in interface DMZ2
access-group acl_mdc_dmz888_access_1 in interface dmz888
rip dmz default version 2 authentication text cisco 7
route inside 0.0.0.0 0.0.0.0 5.1.1.2 0
route outside 0.0.0.0 0.0.0.0 100.1.1.1 0
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server RADIUS (outside) host 15.1.1.30 cisco timeout 30
aaa-server TACACS+ (dmz) host 6.1.1.254 cisco timeout 30
aaa-server TACACS+ (DMZ999) host 99.99.99.254 cisco timeout 30
aaa-server TACACS+ (dmz888) host 8.1.1.254 cisco timeout 30
aaa authentication match acl_mdc_dmz_authen dmz TACACS+
aaa authorization match acl_mdc_dmz_author dmz TACACS+
aaa accounting match acl_mdc_dmz_accnt dmz TACACS+
url-server (DMZ2) vendor websense host 127.0.0.3 timeout 5 protocol
TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http 0.0.0.0 0.0.0.0 inside
snmp-server community public
no snmp-server enable traps
tftp-server DMZ2 5.1.1.253 /fwsm/configs
fragment size 200 outside
sysopt connection tcpmss 128
auth-prompt prompt hi there
telnet 0.0.0.0 0.0.0.0 inside
telnet 172.69.69.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 dmz
telnet 172.69.69.0 255.255.255.0 dmz
ssh 171.69.69.0 255.255.255.0 inside
dhcpd address 5.1.1.2-5.1.1.10 inside
Cryptochecksum:a0a284500ccb0a91ff1eb33eaf0d422c
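As an added example (not part of the original page and not Cisco or Firewall MC tooling), the following Python script applies the address rules from the Before You Begin list later on this page to a running configuration: every enabled interface must have a failover (standby) address, that address must differ from the active address, and it must lie in the active interface's subnet. The embedded configuration is constructed from the nameif, ip address and failover lines of the sample above; the regular expressions and the lint rules are this example's own assumptions about the 1.x command syntax shown on the page. Run against the sample, it flags the duplicated dmz address, the /32 mask on DMZ2 and the missing standby address on DMZ999.

```python
import ipaddress
import re

# Constructed sample: the nameif, ip address and failover lines copied from the
# FWSM 1.x configuration shown on this page (all other lines omitted).
SAMPLE_CONFIG = """
nameif vlan5 inside security100
nameif vlan100 outside security0
nameif vlan200 dmz security50
nameif vlan17 DMZ777 security17
nameif vlan18 dmz888 security18
nameif vlan7 DMZ2 security10
nameif vlan999 DMZ999 security99
ip address inside 5.1.1.1 255.255.255.0
ip address outside 100.1.1.1 255.255.255.0
ip address dmz 200.1.1.2 255.255.255.0
ip address DMZ777 6.1.1.1 255.255.255.0
ip address dmz888 8.1.1.1 255.255.255.0
ip address DMZ2 130.1.1.1 255.255.255.255
ip address DMZ999 99.99.99.99 255.255.255.0
failover lan unit primary
failover lan interface dmz
failover ip address inside 5.1.1.2
failover ip address outside 100.1.1.2
failover ip address dmz 200.1.1.2
failover ip address DMZ777 6.1.1.2
failover ip address dmz888 8.1.1.2
failover ip address DMZ2 130.1.1.2
"""

# Assumed 1.x syntax, taken from the lines above.
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security\d+$")
IP_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)\s+(\S+)$")
FO_IP_RE = re.compile(r"^failover ip address\s+(\S+)\s+(\S+)$")
FO_LAN_RE = re.compile(r"^failover lan interface\s+(\S+)$")


def parse_failover_addresses(config):
    """Return (interface names, active addresses, standby addresses, failover LAN interface)."""
    names, active, standby, lan_if = [], {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            names.append(m.group(1))
        elif m := IP_RE.match(line):
            # address/netmask form, so the subnet is available for the checks below
            active[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
        elif m := FO_IP_RE.match(line):
            standby[m.group(1)] = ipaddress.ip_address(m.group(2))
        elif m := FO_LAN_RE.match(line):
            lan_if = m.group(1)
    return names, active, standby, lan_if


def lint_failover(config):
    """Apply the Before You Begin rules: every enabled interface needs a standby
    address that differs from the active address and lies in the same subnet.
    Returns sorted (interface, problem) pairs; an empty list means no problems."""
    names, active, standby, lan_if = parse_failover_addresses(config)
    findings = []
    for name in names:
        if name not in active:
            findings.append((name, "no ip address configured"))
            continue
        act = active[name]
        if name not in standby:
            findings.append((name, "no failover ip address (standby) configured"))
            continue
        sby = standby[name]
        if sby == act.ip:
            findings.append((name, "standby address equals active address"))
        elif sby not in act.network:
            findings.append((name, f"standby {sby} not in subnet {act.network}"))
    if lan_if is None:
        findings.append(("failover", "no failover lan interface configured"))
    elif lan_if not in names:
        findings.append((lan_if, "failover lan interface is not a named interface"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, problem in lint_failover(SAMPLE_CONFIG):
        print(f"{iface}: {problem}")
```

Fixing the three findings (a distinct dmz standby address, a /24 mask on DMZ2 and a standby address for DMZ999) makes the lint return an empty list, which is the state the pair should be in before you enable failover in Firewall MC.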
What Triggers Failover in FWSM Pairs?
The active unit can fail if:
•
It has a hardware failure or power failure.
•
It has a software failure.
•
Too many monitored interfaces fail.
Because the FWSM can have a large number of interfaces, it cannot monitor every interface. Instead, you configure the FWSM to monitor a subset of interfaces. The FWSM fails over when a certain number of monitored interfaces fails; you configure the failure threshold to be an absolute value or a percentage of the total number of monitored interfaces.
In the case of a hardware or power failure, the standby FWSM becomes active because it does not receive hello messages over the failover link or over any network interfaces for a user-configurable amount of time.
An interface is considered to be failed when the standby FWSM does not receive hello messages over the monitored interface for either three user-configurable polling intervals, or 15 seconds—whichever is greater.
Configuring Failover Settings in Firewall MC
•
For PIX Firewalls or FWSMs running version 1.1.3 or earlier, see Setting Failover for PIX Firewalls or FWSM 1.1.3 or Earlier.
•
For FWSM running version 2.1 or later, see Setting Failover for FWSM 2.1 or Later.
Setting Failover for PIX Firewalls or FWSM 1.1.3 or Earlier
To configure the failover settings in Firewall MC for PIX Firewalls or for firewall devices running OS version 1.x, select Configuration > Device Settings > Failover > PIX and FWSM 1.x. From this page, you can configure three types of failover:
•
Serial—(PIX Firewalls only) Configures two firewall devices so that a standby device can take over processing network connections if the primary active device fails. The two devices are connected by a special serial failover cable.
•
Stateful—Allows the standby device to maintain the state of all connections, except those started by web connections, by maintaining a network connection to a fast interface on the active firewall device dedicated for this purpose.
•
LAN-based—Configures two firewall devices for failover using a dedicated LAN interface on each unit. See Important Note about Deployment Errors and Failover.
From the Failover page, you can enable, disable, and configure failover, stateful failover, and LAN-based failover.
Tip
You can enable logging failover from the Configuration > Device Settings > Logging > Logging Setup page. When selected, this feature enables log messages to be sent to a syslog server from both the primary and secondary units.
Before You Begin
•
Make sure the failover interfaces on the standby unit are on the same subnet as those on the primary unit.
•
Make sure interfaces are not configured for auto or 1000auto.
•
Make sure all active interfaces are configured with a failover IP address.
•
Make sure that workflow is enabled. As of Firewall MC 1.1.2 and later, workflow must be enabled to configure LAN failover. You can enable workflow from the Admin > Workflow Setup page.
Note
Auto Update Server does not support firewall devices that are configured for failover. You should deploy devices configured for failover to a device or to a file.
Step 1
Select Configuration > Device Settings > Failover > PIX and FWSM 1.x.
The PIX and FWSM 1.x Failover page appears.
Step 2
Select the interface to use as your failover interface:
If you are configuring a PIX Firewall, you must edit each interface to include an IP address.
a.
Select the check box for the interface, then click Edit.
b.
Enter the IP address for the interface.
c.
Click OK.
Note
You must configure your failover IP addresses and interfaces before enabling failover or defining other failover settings.
Step 3
Select the Enable failover check box. You must select this check box if you are configuring serial failover, stateful failover, or LAN-based failover.
Note
Serial failover applies to PIX Firewalls only.
The Failover Interface table is automatically populated with all enabled interfaces on the firewall device.
Note
To enable failover, you must ensure that both devices have the same version of software, type of activation key, Flash memory, and RAM.
Step 4
Enter the failover poll time. Values are 3-15 seconds. Default is 15.
Step 5
To enable stateful failover:
a.
Select the Enable stateful failover check box.
b.
Select the HTTP Replication check box to enable stateful failover to copy an active HTTP session to a standby PIX Firewall.
c.
Select a Fast LAN Link from the list (for example, 100full, 1000sxfull, or 1000full). Stateful, serial failover requires both a dedicated fast LAN link and a failover cable.
Step 6
To enable LAN-based failover:
a.
Select the Enable LAN-based failover check box.
b.
Select the LAN interface from the list. The list displays all interfaces defined at the current scope.
Note
The primary and secondary units must be bootstrapped with a set of commands for LAN-based failover. Firewall MC generates the bootstrap commands for the standby unit. These commands appear as comments in the generated configuration file and are displayed separately in the deployment wizard. You must copy and paste the commands into the standby unit configuration file. For more information, see Bootstrapping a PIX Firewall for LAN-based Failover.
c.
(PIX only) Enter the shared key used to authenticate and encrypt traffic between firewall devices.
Step 7
Click Apply.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Note
If a device is configured with failover enabled at the time of deployment, a warning is displayed when the device is deployed. This warning indicates which devices need to be bootstrapped.
Table 18-1 describes the elements in the PIX and FWSM 1.x page.
Table 18-1 PIX and FWSM 1.x
Inherit settings check box
When selected, the subgroup or devices inherit the settings of the enclosing group at the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.
Note A grayed-out check box disallows changes at the current scope.
Enforce/Mandate settings for children check box
When selected, the settings are defined at the group level and inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.
Note A grayed-out check box disallows changes at the current scope.
Enable failover check box
When selected, allows you to select the failover interface and IP addresses displayed in the table.
Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.
Failover Poll Time (seconds)
How often, in seconds, the primary and standby units exchange hello messages over all network interfaces and the failover cable to confirm that the peer is still available. Values are 3-15 seconds. Default is 15.
Enable stateful failover check box
When selected, enables the stateful failover interface.
Note If you enable stateful failover, you must select a fast LAN link from the list (for example, 100full, 1000full, or 1000sxfull).
Enable HTTP Replication check box
Enables stateful failover to copy active HTTP sessions to the standby PIX Firewall.
Fast LAN Link list
Allows you to select the interface with the fastest LAN link. A dedicated fast LAN link is required in addition to the failover cable to support stateful failover.
Enable LAN-based failover check box
When selected, enables LAN-based failover.
LAN Interface list
List of all interfaces defined at the current scope.
Shared Key
Used to authenticate and encrypt communication between the primary and standby devices over the LAN failover link. The value can be any string; because the active unit synchronizes its full configuration, including credentials, to the standby unit over this link, use a long random string rather than a guessable word, and keep the failover VLAN dedicated to the pair. This field is only valid for PIX Firewalls.
Interface Name
Displays the name of the interface on the active firewall device that is used to communicate with the standby device for failover. When configured for stateful failover, the interface is connected directly to the standby device.
IP Address
Used by the standby device to communicate with the active device. The address must be on the same network as the system IP address; for example, if the system IP address is 192.159.1.3, set the failover IP address to 192.159.1.4.
Tip You can use this IP address with the ping tool to check the status of the standby device.
Setting Failover for FWSM 2.1 or Later
The failover feature allows you to use a standby FWSM to take over the functionality of a failed FWSM. The two FWSMs must have the same software version, license, and operating modes (routed or transparent, single or multiple context).
Active and standby roles apply to the whole blade in both Single Context Mode and Multiple Context Mode: the FWSM fails over the entire module, including all of its contexts, and cannot fail over individual contexts separately.
When the active unit fails, it changes to the standby state, while the standby unit changes to the active state.
The unit that becomes active takes over the active unit IP addresses (or, for transparent firewall, the management IP address) and MAC address, and begins passing traffic. The FWSM has one MAC address for all interfaces. The unit that was active and is now in standby state takes over the standby IP addresses and MAC address.
Because the rest of the network sees no change in the MAC-to-IP address pairing, failover is transparent to it. The host switch, however, must reassociate the new active and standby chassis slots with their corresponding MAC addresses; the FWSM assists by sending gratuitous ARP packets on all of its VLAN interfaces.
The standby unit can effectively take over as the active unit because it has the same configuration, and it is assigned the same VLANs from the switch.
Failover communication is done through the failover interface, which exists in the global context. You must configure the VLAN and IP address for this failover interface. You can also specify interfaces for failover to monitor and the policy used to determine when to fail over to the standby unit.
Note
•
If you are configuring FWSM 2.1 or later for failover and you are in single context mode, you must configure FWSM 2.x System Config and FWSM 2.x Security Context in the Firewall MC GUI.
•
If you are configuring FWSM 2.1 or later for failover and you are in multiple context mode, you need only configure FWSM 2.x Security Context, which currently is used only for monitoring purposes.
•
To access these failover sections, select:
–
Configuration > Device Settings > Failover > FWSM 2.x System Config
–
Configuration > Device Settings > Failover > FWSM 2.x Security Context
FWSM 2.x System Config
The following procedure is required for FWSM 2.1 in single context mode only.
Step 1
Select Configuration > Device Settings > Failover > FWSM 2.x System Config.
Step 2
Select the Enable failover check box. You must select this check box if you are configuring stateful failover or LAN-based failover.
Note
To enable failover, ensure that both devices have the same version of software, type of activation key, Flash memory, and RAM.
Step 3
If you are configuring a failover LAN interface, enter the following:
a.
Interface name—A unique name for the interface.
b.
VLAN ID—The VLAN ID of the logical failover interface, for example 100.
c.
Active IP address—IP address and subnet mask for the failover LAN and failover link interfaces.
d.
Standby IP address—IP address used by the standby device to communicate with the active device. The address must be on the same network as the active IP address; for example, if the active IP address is 192.159.1.3, you should set the standby failover IP address to 192.159.1.4.
Step 4
If you are enabling stateful failover, enter the following:
a.
Interface name—A unique name for the interface.
b.
VLAN ID—The VLAN ID of the logical stateful failover interface, for example 101.
c.
IP address and subnet mask—IP address and subnet mask for the failover LAN and failover link interfaces.
d.
Standby IP address—IP address used by the standby device to communicate with the active device. The address must be on the same network as the active IP address; for example, if the active IP address is 192.159.1.3, you should set the standby failover IP address to 192.159.1.4.
e.
Select the Enable HTTP Replication check box to enable stateful failover to copy an active HTTP session to a standby firewall device.
Step 5
If you are configuring the failover policy, set the failure threshold: the number of monitored interfaces that must fail (stop receiving hello messages) before the unit fails over, expressed either as an absolute count or as a percentage of all monitored interfaces. The default is 50 percent.
Note
To understand when failover occurs, see What Triggers Failover in FWSM Pairs?.
Step 6
Enter failover poll information.
a.
Failover Unit Interfaces—Interval, in seconds, between hello messages on the failover link (the unit poll time). Values are 1-15 seconds. Default is 1.
b.
Hold Time—Amount of time during which a unit must receive a hello message on the failover link, after which the unit begins testing for peer failure. Values are 15-45 seconds. Default is the greater of 15 seconds or 3 times the poll time. You cannot enter a value that is less than 3 times the poll time.
c.
Monitored Interfaces—Interval, in seconds, between hello messages on the monitored interfaces. If three consecutive hellos are missed, the FWSM tests the interface for failure. Values are 3-15 seconds. Default is 15.
Step 7
Click Apply.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Table 18-2 describes the elements in the FWSM 2.x System Config page.
Table 18-2 FWSM 2.x System Config
Inherit settings check box
When selected, the subgroup or devices inherit the settings of the enclosing group at the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.
Note A grayed-out check box disallows changes at the current scope.
Enforce/Mandate settings for children check box
When selected, the settings are defined at the group level and inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.
Note A grayed-out check box disallows changes at the current scope.
Enable failover check box
When selected, allows the failover interface and IP addresses displayed in the table to be selected. You must configure the logical LAN failover interface and, optionally, the stateful interface.
To enable failover, ensure that both devices have the same software version, activation key type, Flash memory, and RAM.
Failover LAN Interface
Interface Name
Name of the interface on the active firewall device that is used to communicate with the standby device for failover.
VLAN ID
VLAN interface used for the failover link, for example VLAN 11.
Active IP Address
Sets the IP address of the primary unit.
Subnet Mask
Sets the subnet mask for the primary unit.
Standby IP Address
Sets the IP address of the standby unit. The standby IP address must be in the same subnet as the active IP address.
Note You do not need to enter the subnet mask.
Enable stateful failover check box
When selected, enables a stateful failover interface.
Interface Name
Name of the interface on the active firewall device used to communicate with the standby device for stateful failover. When configured for stateful failover, the interface is directly connected to the standby device.
VLAN ID
VLAN interface used for the stateful failover link, for example VLAN 12.
IP Address
IP address of the primary unit.
Subnet Mask
Subnet mask for the primary unit.
Standby IP Address
IP address of the standby unit. The standby IP address must be in the same subnet as the active IP address.
Note You do not need to enter the subnet mask.
Enable HTTP Replication check box
Enables stateful failover to copy active HTTP sessions to the standby unit.
Failover Policy
Failed interfaces that trigger failover
Sets the threshold for monitored interface failure. When the number of failed monitored interfaces reaches the value you set, the FWSM fails over.
Number or Percent radio buttons
• Number—an absolute count of failed monitored interfaces.
• Percent—a percentage of all monitored interfaces.
Failover Poll Times
Failover Unit Interfaces
Interval, in seconds, between hello messages on the failover link, and therefore how soon a missing hello is noticed before the peer is tested for failure. Values are 1-15 seconds. Default is 1.
Hold Time
Sets the time within which a unit must receive a hello message on the failover link; otherwise the unit begins testing for peer failure. Values are 15-45 seconds. Default is the greater of 15 seconds or 3 times the poll time.
You cannot enter a value that is less than 3 times the poll time. For example, if the poll time is 1 second, a 15-second hold time means 15 hello messages are missed before the peer is tested for failure.
Note The interval between stateful information updates is 10 seconds, but if you set the poll time to a value greater than 10, that interval is used instead.
Monitored Interfaces
Sets the time in seconds between hello messages on monitored interfaces. If the unit misses 3 consecutive hello messages, it begins the testing process for interface failure. Values are 3-15 seconds. Default is 15.
Note The default value of 15 seconds means that if a unit receives no reply for 45 seconds (3 times the polling interval), the interface is then tested for failure.
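The timer rules and the interface policy described in Table 18-2 and in What Triggers Failover in FWSM Pairs? are easy to get wrong when filling in the form, so here is an added example (not Cisco code and not something Firewall MC generates) that models them in Python: the default hold time, the ranges Firewall MC enforces, the "three polling intervals or 15 seconds, whichever is greater" rule for declaring a monitored interface failed, and the Number/Percent threshold. It assumes the threshold is met when the failed count reaches (meets or exceeds) the configured value; the hello timestamps in the scenario are constructed test data.

```python
# Added example: models the FWSM 2.x failover timers and interface policy
# described on this page. Not Cisco code; the "meets or exceeds" reading of
# the threshold is an assumption.


def default_hold_time(unit_poll):
    """Default hold time is the greater of 15 seconds or 3 x the unit poll time."""
    return max(15, 3 * unit_poll)


def validate_timers(unit_poll, hold_time, interface_poll):
    """Return the violations of the ranges Firewall MC enforces (empty = valid)."""
    problems = []
    if not 1 <= unit_poll <= 15:
        problems.append("unit poll time must be 1-15 seconds")
    if not 15 <= hold_time <= 45:
        problems.append("hold time must be 15-45 seconds")
    if hold_time < 3 * unit_poll:
        problems.append("hold time must be at least 3 x unit poll time")
    if not 3 <= interface_poll <= 15:
        problems.append("monitored-interface poll time must be 3-15 seconds")
    return problems


def interface_failure_delay(interface_poll):
    """Seconds without hellos before a monitored interface is tested for failure:
    three polling intervals or 15 seconds, whichever is greater."""
    return max(15, 3 * interface_poll)


def failed_interfaces(now, last_hello, interface_poll):
    """Names of monitored interfaces whose last hello is at least the failure
    delay old. last_hello maps interface name -> timestamp of the last hello."""
    delay = interface_failure_delay(interface_poll)
    return sorted(name for name, seen in last_hello.items() if now - seen >= delay)


def should_fail_over(failed_count, monitored_count, threshold, is_percent):
    """Apply the failover interface policy.
    Number:  fail over when failed_count reaches threshold.
    Percent: fail over when failed_count / monitored_count reaches threshold %.
    (Assumption: 'reaches' means meets or exceeds.)"""
    if monitored_count == 0:
        return False
    if is_percent:
        # integer arithmetic avoids float rounding exactly at the threshold
        return failed_count * 100 >= threshold * monitored_count
    return failed_count >= threshold


def evaluate(now, last_hello, interface_poll, threshold, is_percent):
    """Combine the two steps: which interfaces count as failed, and whether
    that is enough to trigger failover under the configured policy."""
    failed = failed_interfaces(now, last_hello, interface_poll)
    return failed, should_fail_over(len(failed), len(last_hello), threshold, is_percent)


if __name__ == "__main__":
    # Constructed scenario: four monitored interfaces with the default 15 s
    # interface poll, so an interface is declared failed after 45 s of silence.
    hellos = {"inside": 100, "outside": 100, "dmz": 50, "dmz888": 40}
    print(validate_timers(1, default_hold_time(1), 15))  # []
    print(evaluate(100, hellos, 15, 50, True))            # (['dmz', 'dmz888'], True)
    print(evaluate(100, hellos, 15, 3, False))            # (['dmz', 'dmz888'], False)
```

The scenario shows why the choice between Number and Percent matters: with four monitored interfaces and two silent ones, the default 50 percent policy fails the unit over, while an absolute threshold of 3 does not. The same functions also make the form's constraints explicit, for example that a hold time of 15 seconds is rejected once the unit poll time is raised above 5 seconds.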
FWSM 2.x Security Context
The following procedures are used for FWSM 2.1 or later in single and multiple context modes. If you are configuring for failover in multiple context mode, you need only configure FWSM 2.x Security Context, which currently is used only to monitor, or detect, the occurrence of a failure.
Configuring Routed Mode
Routed mode is used when the firewall's interfaces reside on different networks. Because each interface has its own address, you do not identify a separate management address for failover messages.
Step 1
Select Configuration > Device Settings > FWSM 2.x Security Context.
The Failover 2.x Security Context page appears.
Step 2
Select the check box for the appropriate row, then click Edit.
A popup window displays the interface name of the failover standby unit.
Step 3
Enter the IP address of the failover standby unit.
Step 4
To monitor the failover standby unit, click the Yes radio button.
Step 5
Click OK.
Note
Do not configure a management standby IP address when the FWSM is operating in routed mode. The standby IP address assigned to each interface on which monitoring is enabled is the address from which failure messages are sent.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Configuring Transparent Mode
Transparent mode indicates the firewall is inspecting traffic on the same subnet; it is an inline firewall. When configuring failover settings for this mode, you specify whether the inside or outside interface should be monitored, and you identify the management IP address from which failure messages are sent.
Step 1
Select Configuration > Device Settings > FWSM 2.x Security Context.
The Failover 2.x Security Context page appears.
Step 2
Select the check box for the appropriate row, then click Edit.
A popup window displays the interface name of the failover standby unit.
Step 3
Leave the IP address field blank.
While you can select which interfaces within the context should be monitored, transparent mode interfaces have no addresses of their own. The IP address from which failover messages are sent is therefore specified in Step 6.
Step 4
To monitor the selected interface for failover messages, click the Yes radio button.
Step 5
Click OK.
Step 6
Enter the management standby IP address.
Step 7
Click Apply.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Using the Show Failover Command for FWSM 2.1 or Later
On each unit, you can verify the failover status by entering (in the System execution space):
primary(config)# show failover
This command shows:
•
Whether failover is on or off.
•
Which unit is active.
•
The IP addresses assigned for the active and standby units.
•
The failover link information.
•
Interface policy.
•
Stateful failover statistics.
See the following sample show failover command output. A description of each field follows.
fwsm(config)# show failover
Failover LAN Interface fover Vlan 150
Unit Poll frequency 15 seconds
Interface Poll frequency 15 seconds
This host: Primary - Active
admin Interface inside (10.6.8.91): Normal
admin Interface outside (70.1.1.2): Normal
Other host: Secondary - Standby
admin Interface inside (10.6.8.100): Normal
admin Interface outside (70.1.1.3): Normal
Stateful Failover Logical Update Statistics
Stateful Obj xmit xerr rcv rerr
Logical Update Queue Information
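As an added example that is not part of this page or of Firewall MC, the following Python parser reads the show failover output above into a structure and derives the checks an operator wants after bootstrapping a pair: exactly one unit Active and one Standby, the Primary unit Active (the state the procedure on this page leaves it in), and every monitored interface in the Normal state. The two samples are constructed: HEALTHY mirrors the page's output, and DEGRADED is a variant in which the pair has failed over and one interface reports Failed. The state strings other than Normal, and the indentation of the interface lines, are assumptions about the output format.

```python
import re

# Constructed sample mirroring the FWSM 2.x "show failover" output on this
# page (the page's sample stops after the stateful statistics header).
HEALTHY = """\
Failover LAN Interface fover Vlan 150
Unit Poll frequency 15 seconds
Interface Poll frequency 15 seconds
This host: Primary - Active
        admin Interface inside (10.6.8.91): Normal
        admin Interface outside (70.1.1.2): Normal
Other host: Secondary - Standby
        admin Interface inside (10.6.8.100): Normal
        admin Interface outside (70.1.1.3): Normal
"""

# Constructed variant: the pair has failed over and one interface reports
# Failed (state names other than Normal are assumed, not taken from the page).
DEGRADED = (HEALTHY.replace("Primary - Active", "Primary - Standby")
                   .replace("Secondary - Standby", "Secondary - Active")
                   .replace("(10.6.8.91): Normal", "(10.6.8.91): Failed"))

LAN_RE = re.compile(r"^Failover LAN Interface\s+(\S+)\s+Vlan\s+(\d+)$")
POLL_RE = re.compile(r"^(Unit|Interface) Poll frequency\s+(\d+)\s+seconds$")
HOST_RE = re.compile(r"^(This|Other) host:\s+(\w+)\s+-\s+(\w+)$")
IFACE_RE = re.compile(r"^(\S+)\s+Interface\s+(\S+)\s+\(([^)]+)\):\s+(.+)$")


def parse_show_failover(text):
    """Parse the output into a dict: failover link, poll times, and per-host
    unit/state plus the context, name, address and state of each interface."""
    status = {"lan_interface": None, "lan_vlan": None,
              "unit_poll": None, "interface_poll": None, "hosts": []}
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := LAN_RE.match(line):
            status["lan_interface"], status["lan_vlan"] = m.group(1), int(m.group(2))
        elif m := POLL_RE.match(line):
            status[m.group(1).lower() + "_poll"] = int(m.group(2))
        elif m := HOST_RE.match(line):
            host = {"which": m.group(1).lower(), "unit": m.group(2),
                    "state": m.group(3), "interfaces": []}
            status["hosts"].append(host)
        elif host is not None and (m := IFACE_RE.match(line)):
            host["interfaces"].append({"context": m.group(1), "name": m.group(2),
                                       "ip": m.group(3), "state": m.group(4)})
    return status


def failover_findings(status, expect_primary_active=True):
    """Return a list of problems; an empty list means the pair looks healthy."""
    findings = []
    states = sorted(h["state"] for h in status["hosts"])
    if states != ["Active", "Standby"]:
        findings.append("unexpected unit states: " + ", ".join(states))
    if expect_primary_active:
        for h in status["hosts"]:
            if h["unit"] == "Primary" and h["state"] != "Active":
                findings.append("primary unit is not active: a failover has "
                                "occurred or the unit was reloaded")
    for h in status["hosts"]:
        for i in h["interfaces"]:
            if i["state"] != "Normal":
                findings.append(f"{h['which']} host {i['context']}/{i['name']} "
                                f"({i['ip']}) is {i['state']}")
    if status["lan_interface"] is None:
        findings.append("no failover LAN interface reported")
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, failover_findings(parse_show_failover(sample)))
```

A secondary unit that is Active is not an error in itself, but it means a failover has happened since the pair was bootstrapped, so the check reports it; run the parser over both units' output and compare the two views, since each unit reports its peer as "Other host".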