Cisco Support Community

New Member

FWSM command required or not?

Hi,

I use two FWSMs in active/standby failover configuration in two different chassis.

A 'show failover' command output shows that interfaces are not monitored for failover.

Someone told me this monitoring is not an option, but SHOULD be turned on to let failover function at all!

I am sure this is not true and failover also works fine in case of a failing FWSM, but I cannot find it in the documentation.

Can someone help me out?

Erik

Failover On

Failover unit Primary

Failover LAN Interface: fover-int Vlan 405 (up)

Unit Poll frequency 15 seconds, holdtime 45 seconds

Interface Poll frequency 15 seconds

Interface Policy 50%

Monitored Interfaces 0 of 250 maximum

Config sync: active

Version: Ours 3.1(3), Mate 3.1(3)

Last Failover at: 09:51:03 MET Jan 3 2007

This host: Primary - Active

Active time: 9260490 (sec)

Interface outside (10.2.3.4): Normal (Not-Monitored)

Interface inside (10.2.4.4): Normal (Not-Monitored)

Interface homewurks (10.2.5.4): Normal (Not-Monitored)

Etc..

Accepted Solutions
Hall of Fame Super Blue

Re: FWSM command required or not?

Hi

Failover will still work even without monitored interfaces, but it will not be very efficient, i.e. only if the whole unit goes down will failover happen. The FWSM uses the failover link to monitor the other FWSM. If the standby loses connectivity with the active then it assumes the active role.

The problem with this is that if you lose some of your firewall interfaces, e.g. the outside interface, and you are not monitoring it, then the FWSM will not fail over.

Generally speaking you should monitor the important interfaces. If you use a shared VLAN, for example on the outside interfaces, you only need to monitor the outside interface in one of your contexts (if you are using contexts, that is).

You can set a threshold of interfaces that are monitored that must fail before failover happens.

Attached is a link to the FWSM 3.1 failover configuration section. Have a look at the failover triggers to explain all of this in more detail.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080602f98.html#wp1046889

HTH

Jon
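
An added example, not part of the original thread and not Cisco code: a short Python check that reads 'show failover' output like the one in the question and reports which interfaces cannot trigger failover. The `critical` interface names and the rounding applied to a percentage policy are assumptions made for this example.

```python
import math
import re

# Lines copied from the 'show failover' output in the question above
# (trimmed to the lines the check needs).
SAMPLE = """\
Failover On
Failover LAN Interface: fover-int Vlan 405 (up)
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
This host: Primary - Active
Interface outside (10.2.3.4): Normal (Not-Monitored)
Interface inside (10.2.4.4): Normal (Not-Monitored)
Interface homewurks (10.2.5.4): Normal (Not-Monitored)
"""

IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\): (.*)$", re.M)
POLICY_RE = re.compile(r"^\s*Interface Policy (\d+)(%?)", re.M)

def audit_failover(text, critical=("outside", "inside")):
    """Report which interfaces can trigger failover, per 'show failover' text."""
    monitored, unmonitored = [], []
    for name, _ip, state in IFACE_RE.findall(text):
        target = unmonitored if "Not-Monitored" in state else monitored
        if name not in monitored + unmonitored:  # same name appears per host
            target.append(name)
    m = POLICY_RE.search(text)
    threshold = None  # stays None when nothing is monitored
    if m and monitored:
        value, is_pct = int(m.group(1)), m.group(2) == "%"
        # Assumption: a percentage applies to the monitored-interface count,
        # rounded up, with a floor of one failed interface.
        threshold = max(1, math.ceil(len(monitored) * value / 100)) if is_pct else value
    findings = []
    if not monitored:
        findings.append("no monitored interfaces: only loss of the whole unit triggers failover")
    for name in critical:  # hypothetical list of interfaces the operator cares about
        if name in unmonitored:
            findings.append(f"critical interface '{name}' is not monitored")
    return {"monitored": monitored, "unmonitored": unmonitored,
            "threshold": threshold, "findings": findings}

if __name__ == "__main__":
    for line in audit_failover(SAMPLE)["findings"]:
        print("FINDING:", line)
```

On FWSM 3.1, monitoring is enabled per interface with the `monitor-interface` command and the threshold is set with `failover interface-policy`.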

2 REPLIES
New Member

Re: FWSM command required or not?

Thanks Jon for your explanation!

Erik
