Cisco Support Community
Community Member

Firewall module on 6509

Dear all Firewall gurus,

I have a client who has a pair of Cisco 6509 with a Firewall module on each of the 6509s.

They are considering setting up the firewall modules as HA. What's the easiest way to set up the configuration for stateful failover? And are there any verification commands for stateful failover?

I appreciate any help and assistance in advance =)

Cheers,

Hunt

5 REPLIES
Cisco Employee

Re: Firewall module on 6509

"show failover" will show you the status of failover, it will show you the peers, and it will show you the status messages received and transmitted. Of course there are "debug fover" commands, but I wouldn't suggest them unless you are troubleshooting. "sh fail history" is one more useful command.

Now for setting it up, you need to have the active unit configured and make sure the VLANs are pushed to both FWSMs and trunked between the switches (so that both FWSMs can see and "handle" the same traffic). Then you just configure the failover commands on the primary and secondary. You do not need to replicate the config to the standby because as soon as they establish failover it will copy over. Make sure you don't forget to have standby IP addresses on your interfaces.

I hope it helps.

PK
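The standby-address reminder in the reply above can be checked before failover is enabled. The following is an added example, not part of the original thread: it assumes FWSM 3.x-style `ip address <ip> <mask> standby <ip>` syntax, and the sample configuration, interface names and addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample; interface names, VLANs and addresses are made up.
# Assumes FWSM 3.x-style syntax: "ip address <ip> <mask> standby <ip>".
SAMPLE_CONFIG = """\
interface Vlan100
 nameif outside
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface Vlan200
 nameif inside
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan300
 nameif dmz
 ip address 10.2.2.1 255.255.255.0 standby 10.3.3.2
!
failover interface ip folink 10.0.10.1 255.255.255.252 standby 10.0.10.2
"""

ADDR = r"(\d+\.\d+\.\d+\.\d+)"
IP_LINE = re.compile(
    r"^\s*(?:ip address|failover interface ip \S+)\s+"
    + ADDR + r"\s+" + ADDR + r"(?:\s+standby\s+" + ADDR + r")?\s*$"
)

def audit_standby_addresses(config):
    """Return (context, problem) pairs for addresses that would break failover."""
    findings = []
    context = "global"
    for line in config.splitlines():
        if line.startswith("interface "):
            context = line.split(None, 1)[1].strip()
        elif line.startswith("failover interface ip "):
            context = "failover " + line.split()[3]
        match = IP_LINE.match(line)
        if not match:
            continue
        active, mask, standby = match.groups()
        network = ipaddress.ip_interface(f"{active}/{mask}").network
        if standby is None:
            findings.append((context, "no standby address"))
        elif standby == active:
            findings.append((context, "standby equals active address"))
        elif ipaddress.ip_address(standby) not in network:
            findings.append((context, f"standby {standby} outside {network}"))
    return findings
```

On the constructed sample it flags Vlan200 (no standby address) and Vlan300 (standby address outside the interface subnet).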

Community Member

Re: Firewall module on 6509

Cisco Employee

Re: Firewall module on 6509

Also, to switch roles from active to standby for testing, use the commands "failover active" and "no failover active".

PK

Community Member

Re: Firewall module on 6509

Hi all Firewall gurus,

If the pair of HA Firewall Modules has already been set up for failover, and my customer wants to upgrade the IOS on the Firewall modules one-by-one:

1) Will the server / host connections be disconnected? If so, is there any way of preventing them from dropping?

2) Do I need to 'clear arp' on the 6509s??

Cheers,

Hunt

Cisco Employee

Re: Firewall module on 6509

1) If you are doing stateful failover then they should not drop.

2) No, when failing over the firewall sends gratuitous ARPs.

If you upgrade the firewall to a new major or minor release you will need downtime. You must not have two failover units running different major or minor releases at any time.

PK
