Firewall module on 6509


Dear all Firewall gurus,

I have a client who has a pair of Cisco 6509 with a Firewall module on each of the 6509s.

They are considering setting up the firewall modules as HA. What is the easiest way to set up the configuration for stateful failover? And are there any verification commands for stateful failover?

Any help and assistance is appreciated in advance =)

Cheers,

Hunt

Panos Kampanakis Tue, 11/10/2009 - 06:23

"show failover" will show you the status of failover: it will show you the peers and the status of the messages received and transmitted. Of course there are "debug fover" commands, but I wouldn't suggest them unless you are troubleshooting. "sh fail history" is one more useful command.

Now for setting it up, you need to have the active unit configured and make sure the VLANs are pushed to both FWSMs and trunked between the switches (so that both FWSMs can see and "handle" the same traffic). Then you just configure the failover commands on the primary and secondary. You do not need to replicate the config to the standby, because as soon as they establish failover it will be copied over. Make sure you don't forget to have standby IP addresses on your interfaces.

I hope it helps.

PK

Panos Kampanakis Tue, 11/10/2009 - 06:45

Also, to switch roles from active to standby for testing, use the commands "failover active" and "no failover active".

PK
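An added example, written by the editor and not taken from PK's replies or from Cisco documentation, that lays out the procedure described in the two replies above end to end: VLAN assignment and trunking on the supervisors, the active unit's interface configuration with standby addresses, the failover bootstrap entered on both modules, and the verification and role-switch commands. The FWSM slot number (5), the VLAN numbers, hostnames and all IP addresses are assumptions, as is FWSM 3.x single-context routed-mode syntax.

```cisco
! ===== Supervisor side: identical on BOTH 6509s (FWSM assumed in slot 5) =====
! Data VLANs 10/20 and failover/state VLANs 100/101 are assumed values.
firewall vlan-group 1 10,20,100,101
firewall module 5 vlan-group 1
!
vlan 10
 name outside
vlan 20
 name inside
vlan 100
 name fwsm-failover
vlan 101
 name fwsm-state
!
! The inter-switch trunk must carry every one of these VLANs; otherwise the
! two FWSMs cannot see the same traffic or reach each other's failover links.
interface GigabitEthernet1/1
 description Trunk to the other 6509
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,100,101
 switchport mode trunk
!
! ===== FWSM in chassis A: the PRIMARY unit (full configuration lives here) =====
hostname fwsm-a
interface Vlan10
 nameif outside
 security-level 0
! Every data interface needs a standby address (assumed values below).
 ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
interface Vlan20
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
!
! Failover link (unit health and config sync) plus a separate state link
! (connection-table replication). These bootstrap lines are not replicated,
! so they are typed on both units; the active unit pushes everything else.
failover lan unit primary
failover lan interface folink Vlan100
failover interface ip folink 10.0.100.1 255.255.255.0 standby 10.0.100.2
failover link statelink Vlan101
failover interface ip statelink 10.0.101.1 255.255.255.0 standby 10.0.101.2
! Optional: also replicate HTTP connections (off by default).
failover replication http
failover
!
! ===== FWSM in chassis B: the SECONDARY unit (bootstrap only) =====
! Same addresses as on the primary; the secondary takes the standby ones.
failover lan unit secondary
failover lan interface folink Vlan100
failover interface ip folink 10.0.100.1 255.255.255.0 standby 10.0.100.2
failover link statelink Vlan101
failover interface ip statelink 10.0.101.1 255.255.255.0 standby 10.0.101.2
failover
!
! ===== Verification (run on either unit) =====
! Expect "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
! and matching interface lists on both sides.
show failover
! State transitions with timestamps and the reason for each one.
show failover history
!
! ===== Failover test: on the ACTIVE unit, then re-run "show failover" =====
no failover active
```

Order matters: finish and enable failover on the primary first, then enter only the bootstrap lines on the secondary. Once the secondary shows "Standby Ready" it has pulled the full configuration, including the interface addresses, so any later change is made on the active unit only. After "no failover active" the roles swap; "failover active" on the former active unit swaps them back.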

Hi all Firewall gurus,

If the pair of HA firewall modules has already been set up for failover, and my customer wants to upgrade the IOS on the firewall modules one by one:

1) Will the server/host connections be disconnected? If so, is there any way of preventing them from dropping?

2) Do I need to 'clear arp' on the 6509s?

Cheers,

Hunt

Panos Kampanakis Wed, 11/11/2009 - 08:44

1) If you are doing stateful failover then they should not drop.

2) No, when failing over the firewall sends gratuitous ARPs.

If you upgrade the firewall to a new major or minor release you will need downtime. You must not have two failover units running different major or minor releases at any time.

PK
