I am testing the failover process (Active / Standby) on the FWSM modules.
Setup: (2) cat6506's
(2) FWSM modules configured
Switch#1 - hosts primary FWSM
Switch#2 - hosts secondary FWSM
Switch#3 - Internet/Gateway router
I have the FWSM configured to monitor the "outside" interface. The "outside" interface is on vlan 100. On switch#1 vlan 100 is only assigned to one physical port that is connected to switch#3 (duplicated on switch#2).
In order to test failover I disconnect the cable that provides the link between switch#1 and switch#3.
The primary FWSM does fail over to the secondary FWSM, but it takes 12-14 seconds. I have the failover criteria set to the minimum parameters.
The 12-14 seconds that it takes to fail over is too long. I believe that during this time period any TCP sessions would be timed out.
Is there a better way to configure / design this setup in order to provide a failover scenario that would not drop the TCP sessions?
Is there a way to associate the SVI interface on the FWSM module to a physical interface on the switch? So that if the physical link changes state to down, the SVI interface on the FWSM would change state to down.
Thanks for the reply. I already have the failover criteria parameters set to the minimum.
unit fail: 1 second
unit hold: 3 seconds (must be 3 times unit fail)
Monitor interface: 1 second
The issue that I have is that if the link from switch#1 to switch#3 goes away for some reason it still takes 12-14 seconds for the primary FWSM to fail over to the secondary FWSM. I believe this is because of the testing that the interfaces have to go through once they lose connectivity with the mate.
If there are no other configuration options to get the primary to fail over quicker, then I am thinking about (2) possible solutions.
1. Make the link from switch#1 to switch#3 an EtherChannel on separate modules. This would help reduce the possibility of a single failure on this link.
2. Add the vlan for the outside interface (vlan 100) to the trunk that is connected between switch#1 (primary FWSM) and switch#2 (secondary FWSM). In this case if the link between switch#1 and switch#3 went away then the FWSMs would not lose connectivity on vlan 100. Traffic would go through the primary FWSM on switch#1, then go across the trunk link to switch#2, then go to switch#3 via the link on vlan 100 between switch#2 and switch#3.
I was really hoping that there was a way to associate a physical interface on the switch to the SVI interface on the FWSM, and if the physical interface on the switch changed states to down, that the SVI interface on the FWSM would change state to down. It seems like the unit would failover quicker and not drop the active TCP sessions.
I checked and the switches were using PVST. I changed them to use Rapid-PVST. I ran the tests again with the same results. I think it has more to do with the failover process. When the primary FWSM loses contact with its mate on an interface it has to go through some initial testing on that interface in order to verify which side is down. I believe this is where the 12-14 second delay comes from before the primary FWSM fails over.
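As an added illustration (not configuration from the poster or from Cisco documentation for this thread), the two design changes proposed above and the minimum failover timers described in the posts, written out as IOS and FWSM configuration. Interface names, the port-channel number and the trunk port are assumptions for the example; the vlan number (100) and timer values come from the thread.

```cisco
! --- Switch#1 (IOS): uplink to Switch#3 as an EtherChannel spanning two modules ---
! Two members on different line cards so a single module failure does not drop vlan 100.
interface GigabitEthernet3/1
 switchport
 switchport access vlan 100
 channel-group 1 mode on
!
interface GigabitEthernet4/1
 switchport
 switchport access vlan 100
 channel-group 1 mode on
!
interface Port-channel1
 switchport
 switchport access vlan 100
!
! --- Switch#1 (IOS): carry vlan 100 on the trunk to Switch#2 (repeat on Switch#2) ---
! If the Switch#1 -> Switch#3 link fails, the outside vlan still reaches Switch#3 via Switch#2,
! so the FWSM interface test does not see the whole vlan disappear.
interface TenGigabitEthernet5/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 100
!
! --- FWSM (primary unit): the minimum timers quoted in the thread ---
! unit fail 1 s, unit hold 3 s (must be at least 3x the poll interval), interface poll 1 s.
failover
failover polltime unit 1 holdtime 3
failover polltime interface 1
monitor-interface outside
!
! --- Verification after pulling the Switch#1 -> Switch#3 cable ---
! On the FWSM, watch the interface test progress and the unit state:
!   show failover
!   show failover history
! On Switch#1, confirm the bundle and the trunk still carry vlan 100:
!   show etherchannel 1 summary
!   show interfaces trunk
```

With vlan 100 reachable over the trunk, pulling the Switch#1 to Switch#3 cable should no longer put the outside interface through the failed-interface test at all, which is the delay the poster attributes the 12-14 seconds to; `show failover history` on the FWSM confirms whether an interface test was triggered.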