I use two FWSMs in active/standby failover configuration in two different chassis.
A 'show failover' command output shows that interfaces are not monitored for failover.
Someone told me this monitoring is not an option, but SHOULD be turned on to let failover function at all!
I am sure this is not true and failover also works fine in case of a failing fwsm, but cannot find it in documentation.
Can someone help me out?
Failover unit Primary
Failover LAN Interface: fover-int Vlan 405 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Config sync: active
Version: Ours 3.1(3), Mate 3.1(3)
Last Failover at: 09:51:03 MET Jan 3 2007
This host: Primary - Active
Active time: 9260490 (sec)
Interface outside (10.2.3.4): Normal (Not-Monitored)
Interface inside (10.2.4.4): Normal (Not-Monitored)
Interface homewurks (10.2.5.4): Normal (Not-Monitored)
Failover will still work even without monitored interfaces, but it will not be very efficient, i.e. failover will only happen if the whole unit goes down. The FWSM uses the failover link to monitor the other FWSM. If the standby loses connectivity with the active, then it assumes the active role.
The problem with this is that if you lose some of your firewall interfaces, e.g. the outside interface, and you are not monitoring it, then the FWSM will not fail over.
Generally speaking you should monitor the important interfaces. If you use a shared VLAN, for example on the outside interfaces, you only need to monitor the outside interface in one of your contexts (if you are using contexts, that is).
You can set a threshold of interfaces that are monitored that must fail before failover happens.
Attached is a link to the FWSM 3.1 failover configuration section. Have a look at the failover triggers to explain all of this in more detail.
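As an added check, not code from this thread or from Cisco: a small Python audit that parses the 'show failover' output quoted in the question and reports the condition the reply describes (important interfaces left Not-Monitored, or nothing monitored at all), plus how many monitored interfaces must fail under the configured Interface Policy. The FWSM 3.1 line format and the percentage-rounding rule are assumptions.

```python
import re

# Constructed sample (assumption: FWSM 3.1 'show failover' format), trimmed
# from the output quoted in the question above.
SAMPLE_OUTPUT = """\
Failover unit Primary
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Interface outside (10.2.3.4): Normal (Not-Monitored)
Interface inside (10.2.4.4): Normal (Not-Monitored)
Interface homewurks (10.2.5.4): Normal (Not-Monitored)
"""

IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\S+) \((Monitored|Not-Monitored)\)")
POLICY_RE = re.compile(r"^\s*Interface Policy (\d+)(%?)")


def parse_failover(text):
    """Return (policy, interfaces): policy = (value, is_percent), interfaces = {name: (state, is_monitored)}."""
    policy, interfaces = None, {}
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = (int(m.group(1)), m.group(2) == "%")
        m = IFACE_RE.match(line)
        if m:
            name, _ip, state, mon = m.groups()
            interfaces[name] = (state, mon == "Monitored")
    return policy, interfaces


def failures_needed(policy, monitored_count):
    """Monitored interfaces that must fail before the interface policy can trigger failover;
    None when nothing is monitored. Assumption: a percentage policy means ceil(pct% of monitored), min 1."""
    if monitored_count == 0:
        return None
    value, is_percent = policy
    if is_percent:
        return max(1, -(-value * monitored_count // 100))
    return min(value, monitored_count)


def audit(text, important=("outside", "inside")):
    """Warnings for the failure modes the reply describes: important interfaces unmonitored, or none monitored."""
    policy, ifaces = parse_failover(text)
    warnings = [f"{n}: Not-Monitored, losing it will not trigger failover"
                for n in important if n in ifaces and not ifaces[n][1]]
    monitored = sum(1 for _, mon in ifaces.values() if mon)
    if failures_needed(policy, monitored) is None:
        warnings.append("no monitored interfaces: only a whole-unit failure triggers failover")
    return warnings
```

Running audit(SAMPLE_OUTPUT) on the quoted output flags outside and inside as unmonitored and notes that only a unit failure can trigger failover, which is the situation the reply warns about.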