Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1219
Views
0
Helpful
5
Replies

Firewall module on 6509

huntlee
Level 1
Level 1

‎11-10-2009 05:36 AM - edited ‎03-11-2019 09:38 AM

Dear all Firewall gurus,

I have a client who has a pair of Cisco 6509 with a Firewall module on each of the 6509s.

They are considering setting up the firewall modules as HA. What's the easiest way to setup the configuration for the stateful failover? And is there any verification commands for stateful failover??

Appreciated any help and assistance in advance =)

Cheers,

Hunt

Labels:
0 Helpful
5 Replies 5

Panos Kampanakis
Cisco Employee
Cisco Employee

‎11-10-2009 06:23 AM

"show failover" will show you the status of failover, it will show you the peers, it will show you the status messages receives and transmits. Of course there are "debug fover" commands, but I wouldn't suggest them unless you are troubleshooting. "sh fail history" is one more useful command.

Now for setting it up, you need to have the active unit configured and make sure the vlans are pushed to both FWSMs and trunked between the switches (so that both FWSMs can see and "handle" the same traffic). Then you just configure the failover commands on the primary and secondary. You do not need to replicate the config to the standby because as soon as they establish failover it will copy over. Make sure you don't forget to have standby ip addresses on your interfaces.

I hope it helps.

PK

0 Helpful

mcroberts
Level 1
Level 1

‎11-10-2009 06:28 AM

This will give you what you are looking for.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fail_f.html

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to mcroberts

‎11-10-2009 06:45 AM

Also to switch roles from active to standby for test use commands "failover active" and "no failover active".

PK

0 Helpful

huntlee
Level 1
Level 1
In response to Panos Kampanakis

‎11-10-2009 05:54 PM

Hi all Firewall gurus,

If the Pair of HA Firewall Modules have been setup as failover already, if my customer wants to upgrade the IOS on the Firewall modules one-by-one:

1) Will the server / hosts connections be disconnect?? If so, any way of preventing them to drop??

2) Do I need to 'clear arp' on the 6509s??

Cheers,

Hunt

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to huntlee

‎11-11-2009 08:44 AM

1) If you are doing stateful failover then they should not drop.

2) No, when failing over the firewall sends gratuitous arps.

If you upgrade the firewall to a new major or minor release you will need downtime. You must not have two failover units running different major or minor releases at any time.

PK

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card