FWSM Failover takes more than 15 seconds !

yves.haemmerli
Level 1

Hi,

I know this question has been posted last year already, however without a clear answer.

I have two FWSMs (version 3.2(2)) installed on two different switches. The FWSMs are configured with two contexts, running in active/standby mode.

I use two different VLANs for the failover and synchronization. Manual switchover (with the no failover active command) works fine; TCP sessions are taken over, no problem.

However, if the primary unit fails (power off), the secondary unit takes up to 15 seconds to take over. I tuned the unit poll frequency to 500 msec with a holdtime of 3 seconds.

What can be wrong?

Here is the config on the primary unit:

SYSTEM# sh run failover

failover

failover lan unit primary

failover preempt 60

failover lan interface FAILOV Vlan10

failover polltime unit msec 500 holdtime 3

failover replication http

failover link STSYNC Vlan11

failover interface ip FAILOV 192.168.10.1 255.255.255.0 standby 192.168.10.2

And the replicated version on the secondary unit:

failover

failover preempt 60

failover lan interface FAILOV Vlan10

failover polltime unit msec 500 holdtime 3

failover replication http

failover link STSYNC Vlan11

failover interface ip FAILOV 192.168.10.1 255.255.255.0 standby 192.168.10.2

failover interface ip STSYNC 192.168.11.1 255.255.255.0 standby 192.168.11.2

Thank you for any help

Yves Haemmerli

18 Replies

andrew.prince
Level 10

Yves,

Try adding:-

failover timeout 0:00:03

HTH>

Andrew,

This command does not exist on my FWSM... maybe an ASA command?

Yves

Yes - sorry, checking the wrong device config!

Below is my fwsm failover config, it fails over in 3 seconds:-

failover

failover lan unit primary

failover preempt 300

failover lan interface failover Vlanxxx

failover polltime unit 1 holdtime 3

failover polltime interface 3

failover interface-policy 1

failover replication http

failover link failover Vlanxxx

failover interface ip failover x.x.x.x 255.255.255.252 standby 1x.x.x.x

Andrew,

I added the interface-policy 1 statement and the failover polltime interface 3 statement to my config, but the result is the same...

So my config is now:

SYSTEM# sh run failover

failover

failover lan unit primary

failover preempt 60

failover lan interface FAILOV Vlan10

failover polltime unit msec 500 holdtime 3

failover polltime interface 3

failover interface-policy 1

failover replication http

failover link STSYNC Vlan11

failover interface ip FAILOV 192.168.10.1 255.255.255.0 standby 192.168.10.2

failover interface ip STSYNC 192.168.11.1 255.255.255.0 standby 192.168.11.2

The only difference I have is that you maybe use the same VLAN for both failover and sync? But anyway, it shouldn't have any impact.

Yves

Try changing:-

from

failover polltime unit msec 500 holdtime 3

to

failover polltime unit 1 holdtime 3

HTH>

can you post the output from:-

show failover

Andrew,

I did the change, but unfortunately there is no change in the behaviour... It is really strange.

Do you have the "firewall autostate" statement on your 6500 switch config?

Yves

Nope!

It's disabled by default!

Andrew,

Here is the show failover command output on the primary and secondary units:

On the primary:

SYSTEM# sh failover

Failover On

Failover unit Primary

Failover LAN Interface: FAILOV Vlan 10 (up)

Unit Poll frequency 1 seconds, holdtime 3 seconds

Interface Poll frequency 3 seconds

Interface Policy 1

Monitored Interfaces 0 of 250 maximum

failover replication http

Config sync: active

Version: Ours 3.2(2), Mate 3.2(2)

Last Failover at: 15:53:01 UTC Aug 21 2008

This host: Primary - Active

Active time: 545 (sec)

ADMIN Interface FWMGT (10.56.2.12): Normal (Not-Monitored)

CH01FW01 Interface V-300-P (10.56.5.1): Normal (Not-Monitored)

CH01FW01 Interface V-400-P (10.56.9.1): Normal (Not-Monitored)

Other host: Secondary - Standby Ready

Active time: 596 (sec)

ADMIN Interface FWMGT (10.56.2.13): Normal (Not-Monitored)

CH01FW01 Interface V-300-P (10.56.5.2): Normal (Not-Monitored)

CH01FW01 Interface V-400-P (10.56.9.2): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics

Link : STSYNC Vlan 11 (up)

Stateful Obj xmit xerr rcv rerr

General 228 0 87 0

sys cmd 88 0 88 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 0 0 0 0

UDP conn 0 0 0 0

ARP tbl 141 0 0 0

Xlate_Timeout 0 0 0 0

AAA tbl 0 0 0 0

DACL 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 1 612

Xmit Q: 0 0 229

And here on the secondary:

SYSTEM# sh failover

Failover On

Failover unit Secondary

Failover LAN Interface: FAILOV Vlan 10 (up)

Unit Poll frequency 1 seconds, holdtime 3 seconds

Interface Poll frequency 3 seconds

Interface Policy 1

Monitored Interfaces 0 of 250 maximum

failover replication http

Config sync: active

Version: Ours 3.2(2), Mate 3.2(2)

Last Failover at: 15:53:39 UTC Aug 21 2008

This host: Secondary - Standby Ready

Active time: 596 (sec)

ADMIN Interface FWMGT (10.56.2.13): Normal (Not-Monitored)

CH01FW01 Interface V-300-P (10.56.5.2): Normal (Not-Monitored)

CH01FW01 Interface V-400-P (10.56.9.2): Normal (Not-Monitored)

Other host: Primary - Active

Active time: 663 (sec)

ADMIN Interface FWMGT (10.56.2.12): Normal (Not-Monitored)

CH01FW01 Interface V-300-P (10.56.5.1): Normal (Not-Monitored)

CH01FW01 Interface V-400-P (10.56.9.1): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics

Link : STSYNC Vlan 11 (up)

Stateful Obj xmit xerr rcv rerr

General 2520 0 7981 0

sys cmd 2124 0 2117 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 24 0 20 0

UDP conn 0 0 4 0

ARP tbl 373 0 5841 0

Xlate_Timeout 0 0 0 0

AAA tbl 0 0 0 0

DACL 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 2 25275

Sorry for the late reply, got caught up in an issue.

I notice that all the timers look correct - you are not monitoring any interfaces though, just the FWSM; I think you should re-think that.

However, that aside, I literally configured my failover - and it worked from the get go; it even fails over inside 3 seconds - which is nice. The below links could be helpful:-

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/failover.html

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080965dec.shtml

HTH>
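An added health check, not from the thread or from Cisco, that parses the kind of show failover output pasted above and flags the points Andrew raises by eye: unmonitored interfaces, the holdtime-to-poll ratio, version mismatch between mates, stateful replication errors, and the pair state. It assumes the seconds form of the timer line (not the msec form) and treats "holdtime at least three times the unit poll interval" as a rule of thumb.

```python
import re

# Constructed sample, abridged from the secondary unit's "show failover" paste in this thread.
SHOW_FAILOVER = """\
Failover On
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds
Monitored Interfaces 0 of 250 maximum
Version: Ours 3.2(2), Mate 3.2(2)
This host: Secondary - Standby Ready
Other host: Primary - Active
Stateful Obj xmit xerr rcv rerr
General 2520 0 7981 0
sys cmd 2124 0 2117 0
TCP conn 24 0 20 0
"""

def parse_show_failover(text):
    """Pull timers, monitored-interface count, unit states and stateful error totals out of the output."""
    info = {"xerr": 0, "rerr": 0}
    for line in text.splitlines():
        if m := re.match(r"Unit Poll frequency (\d+) seconds, holdtime (\d+) seconds", line):
            info["unit_poll"], info["unit_holdtime"] = int(m[1]), int(m[2])
        elif m := re.match(r"Monitored Interfaces (\d+) of", line):
            info["monitored"] = int(m[1])
        elif m := re.match(r"Version: Ours (\S+), Mate (\S+)", line):
            info["versions"] = (m[1], m[2])
        elif m := re.match(r"(This|Other) host: \w+ - (.+)", line):
            info[m[1].lower() + "_state"] = m[2].strip()
        elif m := re.match(r".+?\s+\d+ (\d+) \d+ (\d+)$", line):
            info["xerr"] += int(m[1])   # stateful statistics rows: name xmit xerr rcv rerr
            info["rerr"] += int(m[2])
    return info

def failover_findings(info):
    """Return the checks a reviewer of this output would want flagged."""
    findings = []
    if info.get("monitored", 0) == 0:
        findings.append("no interfaces monitored; only loss of unit hellos triggers failover")
    if info["unit_holdtime"] < 3 * info["unit_poll"]:   # assumed rule of thumb, not a documented limit
        findings.append("holdtime shorter than 3x unit poll interval")
    if info["versions"][0] != info["versions"][1]:
        findings.append("software versions differ between mates")
    if info["xerr"] or info["rerr"]:
        findings.append("stateful replication errors present")
    if {info.get("this_state"), info.get("other_state")} != {"Active", "Standby Ready"}:
        findings.append("pair is not Active / Standby Ready")
    return findings
```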

Hi Andrew,

I really appreciate your help, as I am a bit stuck with this issue in an important data center...

In the troubleshooting document, I read: "Note: Do not configure an IP address for the failover link or for the state link (if you are going to use Stateful Failover)."

But in the sample configuration, they configure an IP address??? I also configured an IP address on the failover VLAN and on the Sync VLAN (remember, I use two different VLANs, as recommended by Cisco).

For your information, here is my SYSTEM configuration:

SYSTEM# sh run

: Saved

:

FWSM Version 3.2(2)

!

resource acl-partition 12

hostname SYSTEM

enable password xxx

!

interface Vlan10

description LAN Failover Interface

!

interface Vlan11

description STATE Failover Interface

!

interface Vlan91

description *** Network Management VLAN ***

!

interface Vlan300

description *** Server Farms VLAN ***

!

interface Vlan400

description *** Critical Servers VLAN ***

!

passwd /qNhaw.ZtG3q1e1B encrypted

class default

limit-resource IPSec 5

limit-resource Mac-addresses 65535

limit-resource ASDM 5

limit-resource SSH 5

limit-resource Telnet 5

limit-resource All 0

!

ftp mode passive

pager lines 24

failover

failover lan unit primary

failover preempt 60

failover lan interface FAILOV Vlan10

failover polltime unit 1 holdtime 3

failover polltime interface 3

failover interface-policy 1

failover replication http

failover link STSYNC Vlan11

failover interface ip FAILOV 192.168.10.1 255.255.255.0 standby 192.168.10.2

failover interface ip STSYNC 192.168.11.1 255.255.255.0 standby 192.168.11.2

no asdm history enable

arp timeout 14400

console timeout 0

admin-context ADMIN

context ADMIN

description *** This is the administration context. It has a unique interface on VLAN 91 ***

allocate-interface Vlan91

config-url disk:/ADMIN.cfg

!

context CH01FW01

description *** This is the Firewall instance between security zones 3 and 4 ***

allocate-interface Vlan300

allocate-interface Vlan400

config-url disk:/CH01FW01.cfg

!

prompt hostname context

Cryptochecksum:xxx

: end

In your environment, do you monitor any interface in addition to unit monitoring? If yes, what interface do you monitor? I have basically two contexts in my FWSM: the ADMIN context, with a unique interface on my management VLAN, and another context for production, with two interfaces (inside and outside).

Yves

yes - I monitor the failover interface:-

failover lan interface failover Vlan256

failover polltime unit 1 holdtime 3

failover polltime interface 3

failover interface-policy 1

failover replication http

failover link failover Vlan256

failover interface ip failover 10.x.x.245 255.255.255.252 standby 10.x.x.246

Andrew,

Do you understand what Cisco means when writing: "Note: Do not configure an IP address for the failover link or for the state link (if you are going to use Stateful Failover)."?

Actually, we both have configured IP addresses on the failover VLAN:

failover interface ip FAILOV 192.168.10.1 255.255.255.0 standby 192.168.10.2

failover interface ip STSYNC 192.168.11.1 255.255.255.0 standby 192.168.11.2

Yves

Yes - it's because you do not want the state link IP being transferred in the event of failover?

As below that note - there is this one:-

Note: You do not need to identify the standby address subnet mask. The failover link IP address and MAC address do not change at failover. The active IP address for the failover link always stays with the primary unit, while the standby IP address stays with the secondary unit.
