Failover FWSM Primary

estelamathew
Level 2

Hello,

I have a FWSM in Active/Standby mode. My primary failed and I got a replacement. At present my standby FWSM is active and the network is running fine. I want to insert the new FWSM in the chassis; once it is inserted both will be active because there is no failover configured on the new FWSM. Now to configure the failover, I have to execute the below commands, please correct me if I'm wrong? But I'm afraid that after executing the commands the new FWSM will become active and it will start syncing its empty configuration to the secondary and all the actual configuration will be wiped out.

Can anybody please confirm the correct procedure when the primary fails and we are trying to replace the faulty FWSM?

failover lan unit primary------> I hope this command will make the new FWSM active with empty configs and it will wipe out the actual working configs on the secondary FWSM

failover lan interface faillink Vlan11

failover link statelink Vlan16

failover interface ip faillink 172.24.11.1 255.255.255.252 standby 172.24.11.2

failover interface ip statelink 172.24.16.1 255.255.255.252 standby 172.24.16.2

failover


14 Replies

Julio Carvajal
VIP Alumni

Hello Estela,

So the actual active FWSM is the secondary device on the HA cluster.

Now you will deploy the new FWSM and you want it to be the standby device even though it is the primary, as it does not have anything configured.

So after you configure this:

failover lan unit primary------> I hope this command will make the new FWSM active with empty configs and it will wipe out the actual working configs on the secondary FWSM

failover lan interface faillink Vlan11

failover link statelink Vlan16

failover interface ip faillink 172.24.11.1 255.255.255.252 standby 172.24.11.2

failover interface ip statelink 172.24.16.1 255.255.255.252 standby 172.24.16.2

failover

The active unit (secondary in this scenario) will send its configuration file to the standby.

Remember, failover replication is from active to secondary, not from primary to secondary.

Regards,

Julio

Do rate helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

craig bache
Level 1

Hi Matthew

Please see the following link:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080531753.shtml

Hope this helps.....

Craig

Dear Julio,

Remember failover replication is from active to secondary not from primary to secondary----

Yes, this is my question: when I insert the new FWSM both will be active, the new FWSM and the existing secondary, because they are not syncing together due to no failover configuration. So after configuring failover, who will take over whom?

The commands I showed above are perfect for the failover configuration to sync on the new FWSM, which will be configured as the primary unit.

Thanks

Hello Estela,

Yep, failover replication is from active to standby, so on the new device you can configure the command no failover active.

You will not have any problems as you have already set up a device as the active one...

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dear Julio,

So all together the commands for the failover are:

Failover configuration on the new FWSM, which will be the primary unit:

failover lan unit primary

failover lan interface faillink Vlan11

failover link statelink Vlan16

failover interface ip faillink 172.24.11.1 255.255.255.252 standby 172.24.11.2

failover interface ip statelink 172.24.16.1 255.255.255.252 standby 172.24.16.2

no failover active-------This command will prevent the new FWSM from becoming active and replicating its empty configs over the actual configs of the secondary.

failover

Thanks
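Added example (not from this thread or from Cisco): a small pre-flight check in Python over the replacement unit's planned command list above. It flags the case the thread is worried about, a unit set as 'failover lan unit primary' that enables failover without 'no failover active' first while the peer is the active unit, and also checks that every named failover link has its IP/standby line. The command strings are constructed from the thread; the checker itself is a hypothetical helper, not an FWSM feature.

```python
import re

# Constructed input: the replacement unit's planned failover commands, in order
# (taken from the thread; the new FWSM is the primary, the existing secondary is active).
PLANNED_COMMANDS = [
    "failover lan unit primary",
    "failover lan interface faillink Vlan11",
    "failover link statelink Vlan16",
    "failover interface ip faillink 172.24.11.1 255.255.255.252 standby 172.24.11.2",
    "failover interface ip statelink 172.24.16.1 255.255.255.252 standby 172.24.16.2",
    "no failover active",
    "failover",
]

def check_failover_plan(commands, peer_is_active=True):
    """Return a list of findings for a planned failover command sequence.

    An empty list means the ordering is safe for the scenario in the thread:
    the peer (secondary) is currently active, and the new primary must join as
    standby so the active unit replicates its configuration to the new one,
    not the other way round.  Hypothetical helper, not an FWSM feature.
    """
    cmds = [" ".join(c.split()) for c in commands]   # normalise whitespace
    findings = []
    unit = next((c.split()[-1] for c in cmds if c.startswith("failover lan unit ")), None)
    if unit is None:
        findings.append("unit role not set: add 'failover lan unit primary|secondary'")
    enable_idx = cmds.index("failover") if "failover" in cmds else None
    noactive_idx = cmds.index("no failover active") if "no failover active" in cmds else None
    if enable_idx is None:
        findings.append("failover is never enabled: 'failover' should be the last command")
    elif enable_idx != len(cmds) - 1:
        findings.append("'failover' should be the last command in the sequence")
    if unit == "primary" and peer_is_active:
        # The risk from the thread: the new primary comes up active with an empty
        # configuration and replicates it to the peer, wiping the working config.
        if noactive_idx is None:
            findings.append("primary unit joining an active peer: add 'no failover active' before 'failover'")
        elif enable_idx is not None and noactive_idx > enable_idx:
            findings.append("'no failover active' must come before 'failover'")
    # Every failover/state interface that is named must also get an IP/standby pair.
    named = {m.group(2) for c in cmds
             if (m := re.match(r"failover (lan interface|link) (\S+) \S+$", c))}
    addressed = {m.group(1) for c in cmds
                 if (m := re.match(r"failover interface ip (\S+) \S+ \S+ standby \S+$", c))}
    for name in sorted(named - addressed):
        findings.append(f"interface '{name}' has no 'failover interface ip' line")
    return findings

if __name__ == "__main__":
    print(check_failover_plan(PLANNED_COMMANDS) or "plan looks safe")
```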

Hello Estela,

That is correct!

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Can failover work with a difference in minor version, for example 3.2(22) in the primary and 3.2(5) in the secondary, and also with a minor difference in ASDM images?

Thanks

The two units in a failover configuration must be in the same operational modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version, but you can use different versions of the software within an upgrade process.

In this case they will share 3.2, so in fact they will share the major and minor versions, so you will be okay, even though it is recommended to upgrade the other one so they match the exact version.

So it would work!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

What you have written above is what I have read in the configuration guide, but still these words are not clear to me.

I hope what the guide is trying to explain is:

If I have a primary and secondary FWSM with 3.2(5), and suppose I upgrade the secondary from 3.2(5) to 3.2(19), failover will be active until the secondary FWSM reboots and 3.2(19) comes into action. Once I reboot the secondary, failover will break and both will be Active/Active.

So the difference in minor and major will not work.

Thanks

Hello Estela,

Nope, the other way around.

Take this as an example (applies to both ASAs and FWSM):

Performing Zero Downtime Upgrades for Failover Pairs

The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support. To ensure long-term compatibility and stability, we recommend upgrading both units to the same version as soon as possible.

Table 43-1 Zero-Downtime Upgrade Support (Type of Upgrade: Support)

Maintenance Release: You can upgrade from any maintenance release to any other maintenance release within a minor release. For example, you can upgrade from 7.0(1) to 7.0(4) without first installing the maintenance releases in between.

Minor Release: You can upgrade from a minor release to the next minor release. You cannot skip a minor release. For example, you can upgrade from 7.0 to 7.1. Upgrading from 7.0 directly to 7.2 is not supported for zero-downtime upgrades; you must first upgrade to 7.1.

Major Release: You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.

Hope this helps!

Do rate all the helpful posts...

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
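The three rows of Table 43-1, plus the same-major-and-minor rule for long-term pairing quoted earlier in the thread, encoded as a small version checker in Python. This is an added example, not from the thread or from Cisco; `last_minor_of` is an assumed caller-supplied lookup, because the major-release row depends on knowing the last minor release of the previous version.

```python
import re

def parse_version(text):
    """Parse a Cisco-style version 'major.minor(maintenance)' such as '7.0(4)' or
    '3.2(22)' into a tuple of ints. The maintenance part is optional ('7.0')."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\((\d+)\))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint = m.groups()
    return int(major), int(minor), int(maint or 0)

def failover_compatible(version_a, version_b):
    """Long-term failover pairing: both units must share major and minor version.
    The maintenance number may differ, e.g. 3.2(22) paired with 3.2(5)."""
    return parse_version(version_a)[:2] == parse_version(version_b)[:2]

def zero_downtime_upgrade_supported(current, target, last_minor_of=None):
    """Apply the rows of Table 43-1 to an upgrade from `current` to `target`.

    last_minor_of is an assumed caller-supplied mapping {major: last minor}, e.g. {7: 9};
    without it a major-release jump cannot be confirmed and is reported as unsupported.
    """
    cur, tgt = parse_version(current), parse_version(target)
    if cur[:2] == tgt[:2]:
        return True   # maintenance release: any to any within one minor release
    if tgt[0] == cur[0] and tgt[1] == cur[1] + 1:
        return True   # minor release: only the next minor, no skipping
    if tgt[0] == cur[0] + 1 and tgt[1] == 0:
        # major release: only from the last minor release of the previous version
        last = (last_minor_of or {}).get(cur[0])
        return last is not None and cur[1] == last
    return False
```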

Dear Julio,

I can't understand the below lines in the Cisco config guide:

but you can use different versions of the  software within an upgrade process.

So I will reach the final answer that if FWSMs have a difference in minor version they can't work in failover for long-term running production.

Please correct me if I'm wrong.

Hello Estela,

I mean you can have different versions of the software (3.2(5) to 3.2(19)) while you do the upgrade, but if you can have them on the same version, as the firewall device is expected to work, why should you not have it like that for long-term running production? Do you understand what I mean?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

As per your previous mail,

you can have different versions of the software (3.2(5) to 3.2(19)) while you do the upgrade,

  • As per Cisco's statements, only during an upgrade, but the firewall is not aware whether we are doing an upgrade or running it for long-term production. As per logic we can have different minor versions.

BUT

  • Cisco recommends this only during the upgrade and not for long-term production. So the conclusion is we can keep different minor versions, but it is better not to, as per Cisco's recommendation.

Thanks

That is correct, you should use the same version for a long term production!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC