FWSM command required or not?

Answered Question
Apr 20th, 2007

Hi,


I use two FWSMs in active/standby failover configuration in two different chassis.


A 'show failover' command output shows that interfaces are not monitored for failover.


Someone told me this monitoring is not an option, but SHOULD be turned on to let failover function at all!


I am sure this is not true and failover also works fine in case of a failing fwsm, but cannot find it in documentation.


Can someone help me out?


Erik


Failover On
Failover unit Primary
Failover LAN Interface: fover-int Vlan 405 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Config sync: active
Version: Ours 3.1(3), Mate 3.1(3)
Last Failover at: 09:51:03 MET Jan 3 2007
        This host: Primary - Active
                Active time: 9260490 (sec)
                Interface outside (10.2.3.4): Normal (Not-Monitored)
                Interface inside (10.2.4.4): Normal (Not-Monitored)
                Interface homewurks (10.2.5.4): Normal (Not-Monitored)

Etc..



Correct Answer by Jon Marshall, Fri, 04/20/2007 - 09:34

Hi


Failover will still work even without monitored interfaces, but it will not be very efficient, i.e. only if the whole unit goes down will failover happen. The FWSM uses the failover link to monitor the other FWSM. If the standby loses connectivity with the active, then it assumes the active role.


The problem with this is that if you lose some of your firewall interfaces, e.g. the outside interface, and you are not monitoring it, then the FWSM will not fail over.


Generally speaking, you should monitor the important interfaces. If you use a shared VLAN, for example on the outside interfaces, you only need to monitor the outside interface in one of your contexts (if you are using contexts, that is).


You can set a threshold of interfaces that are monitored that must fail before failover happens.


Attached is a link to the FWSM 3.1 failover configuration section. Have a look at the failover triggers, which explain all of this in more detail.


http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080602f98.html#wp1046889


HTH


Jon
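To turn the answer into a repeatable check, here is an added example (not part of the thread and not Cisco's code) that parses the 'show failover' output quoted in the question and reports the condition Jon describes: zero monitored interfaces, so only a whole-unit failure can trigger failover, and an interface policy that can never be reached. The sample output is constructed from the poster's listing; the interface names treated as "important" and the ceiling used for a percent policy are assumptions of the script, since the exact rounding the FWSM applies is not stated on the page.

```python
import math
import re

# Constructed sample, modelled on the 'show failover' output quoted in the question.
# Names and addresses are the poster's; this text was not captured from a live device.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: fover-int Vlan 405 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Config sync: active
Version: Ours 3.1(3), Mate 3.1(3)
Last Failover at: 09:51:03 MET Jan 3 2007
        This host: Primary - Active
                Active time: 9260490 (sec)
                Interface outside (10.2.3.4): Normal (Not-Monitored)
                Interface inside (10.2.4.4): Normal (Not-Monitored)
                Interface homewurks (10.2.5.4): Normal (Not-Monitored)
"""

# One per-interface status line: "Interface <name> (<addr>): <state> (<Monitored|Not-Monitored>)"
IFACE_RE = re.compile(r"^\s*Interface (\S+) \((\S+)\): (\S+) \((Monitored|Not-Monitored)\)")
# "Interface Policy 50%" (percentage) or "Interface Policy 1" (absolute count)
POLICY_RE = re.compile(r"^Interface Policy (\d+)(%?)")
MONITORED_RE = re.compile(r"^Monitored Interfaces (\d+) of (\d+) maximum")


def parse_show_failover(text):
    """Extract the interface policy, the monitored-interface count and per-interface state."""
    result = {"policy": None, "policy_is_percent": False,
              "monitored_count": None, "interfaces": []}
    for line in text.splitlines():
        stripped = line.strip()
        m = POLICY_RE.match(stripped)
        if m:
            result["policy"] = int(m.group(1))
            result["policy_is_percent"] = m.group(2) == "%"
            continue
        m = MONITORED_RE.match(stripped)
        if m:
            result["monitored_count"] = int(m.group(1))
            continue
        m = IFACE_RE.match(line)
        if m:
            name, addr, state, mon = m.groups()
            result["interfaces"].append({"name": name, "address": addr,
                                         "state": state, "monitored": mon == "Monitored"})
    return result


def interface_failure_threshold(parsed):
    """How many monitored interfaces must fail before the interface policy triggers failover.

    Returns None when nothing is monitored: the policy can never be met, which is the
    situation in the question. Ceiling for a percent policy is this script's assumption.
    """
    if not parsed["monitored_count"] or parsed["policy"] is None:
        return None
    if parsed["policy_is_percent"]:
        return max(1, math.ceil(parsed["monitored_count"] * parsed["policy"] / 100))
    return parsed["policy"]


def audit_failover(text, important=("outside", "inside")):
    """Return human-readable findings; 'important' names are an assumption for this example."""
    parsed = parse_show_failover(text)
    findings = []
    if parsed["monitored_count"] == 0:
        findings.append("no interfaces monitored: only a whole-unit failure triggers failover")
    unmonitored = {i["name"] for i in parsed["interfaces"] if not i["monitored"]}
    for name in important:
        if name in unmonitored:
            findings.append(f"important interface '{name}' is Not-Monitored")
    if interface_failure_threshold(parsed) is None:
        findings.append("interface policy can never be reached with 0 monitored interfaces")
    return findings


if __name__ == "__main__":
    for finding in audit_failover(SAMPLE_SHOW_FAILOVER):
        print("FINDING:", finding)
```

Run against the poster's output, the script reports three findings: nothing is monitored, both 'outside' and 'inside' are Not-Monitored, and the 50% interface policy can never trigger. Once the important interfaces are monitored (the configuration section Jon links covers how), the same script reports the number of monitored interfaces that have to fail before the policy acts, which is the figure worth checking after every change to the policy or to the set of monitored interfaces.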
