Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
485
Views
0
Helpful
2
Replies

FWSM command required or not?

Go to solution
Erik Molenaar
Level 1
Level 1

‎04-20-2007 05:40 AM - edited ‎03-11-2019 03:02 AM

Hi,

I use two FWSM's in active/standby failover configuration in two different chassis.

A 'show failover' command output shows that interfaces are not monitored for failover.

Someone told me this monitoring is not an option, but SHOULD be turned on to let failover function at all!

I am sure this is not true and failover also works fine in case of a failing fwsm, but cannot find it in documentation.

Can someone help me out?

Erik

Failover On

Failover unit Primary

Failover LAN Interface: fover-int Vlan 405 (up)

Unit Poll frequency 15 seconds, holdtime 45 seconds

Interface Poll frequency 15 seconds

Interface Policy 50%

Monitored Interfaces 0 of 250 maximum

Config sync: active

Version: Ours 3.1(3), Mate 3.1(3)

Last Failover at: 09:51:03 MET Jan 3 2007

This host: Primary - Active

Active time: 9260490 (sec)

Interface outside (10.2.3.4): Normal (Not-Monitored)

Interface inside (10.2.4.4): Normal (Not-Monitored)

Interface homewurks (10.2.5.4): Normal (Not-Monitored)

Etc..

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎04-20-2007 09:34 AM

Hi

Failover will still work even without monitored interfaces but it will not be very efficient ie. only if the whole unit goes down will failover happen. The FWSM uses the failover link to monitor the other FWSM. If the standby loses connectivity with the active then it assumes the active role.

Problem with this is that if you lose some of your firewall interfaces eg the outside interface and you are not monitoring it then the FWSM will not failover.

Generally speaking you should monitor the important interfaces. If you use a shared vlan, for exmaple on the outside interfaces, you only need to monitor the outside interface in one of your contexts ( if you are using contexts that is ).

You can set a threshold of interfaces that are monitored that must fail before failover happens.

Attached is a link to the FWSM 3.1 failover confgiuration section. Have a look at the failover triggers to explain all of this in more detail.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080602f98.html#wp1046889

HTH

Jon

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎04-20-2007 09:34 AM

Hi

Failover will still work even without monitored interfaces but it will not be very efficient ie. only if the whole unit goes down will failover happen. The FWSM uses the failover link to monitor the other FWSM. If the standby loses connectivity with the active then it assumes the active role.

Problem with this is that if you lose some of your firewall interfaces eg the outside interface and you are not monitoring it then the FWSM will not failover.

Generally speaking you should monitor the important interfaces. If you use a shared vlan, for exmaple on the outside interfaces, you only need to monitor the outside interface in one of your contexts ( if you are using contexts that is ).

You can set a threshold of interfaces that are monitored that must fail before failover happens.

Attached is a link to the FWSM 3.1 failover confgiuration section. Have a look at the failover triggers to explain all of this in more detail.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080602f98.html#wp1046889

HTH

Jon

0 Helpful

Go to solution
Erik Molenaar
Level 1
Level 1
In response to Jon Marshall

‎04-23-2007 12:11 AM

Thanks Jon for your explanantion!

Erik

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card