08-21-2008 06:33 AM - edited 03-11-2019 06:34 AM
Hi,
I know this question has been posted last year already, however without a clear answer.
I have two FWSMs (version 3.2(2)) installed on two different switches. The FWSMs are configured with two contexts, running in active/standby mode.
I use two different VLANs for the failover and synchronization. Manual switchover (with the no failover active command) works fine, TCP sessions are taken over, no problem.
However, if the primary unit fails (power off), the secondary unit takes up to 15 seconds to take over. I tuned the unit poll frequency to 500 msec with a holdtime of 3 seconds.
What can be wrong?
Here is the config on the primary unit:
SYSTEM# sh run failover
failover
failover lan unit primary
failover preempt 60
failover lan interface FAILOV Vlan10
failover polltime unit msec 500 holdtime 3
failover replication http
failover link STSYNC Vlan11
failover interface ip FAILOV 192.168.10.1 255.255.255.0 standby 192.168.10.2
And the replicated version on the secondary unit:
failover
failover preempt 60
failover lan interface FAILOV Vlan10
failover polltime unit msec 500 holdtime 3
failover replication http
failover link STSYNC Vlan11
failover interface ip FAILOV 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip STSYNC 192.168.11.1 255.255.255.0 standby 192.168.11.2
Thank you for any help
Yves Haemmerli
08-21-2008 06:42 AM
Yves,
Try adding:-
failover timeout 0:00:03
HTH>
08-21-2008 06:53 AM
Andrew,
This command does not exist on my FWSM... maybe an ASA command?
Yves
08-21-2008 07:06 AM
Yes - sorry, checking the wrong device config!
Below is my fwsm failover config, it fails over in 3 seconds:-
failover
failover lan unit primary
failover preempt 300
failover lan interface failover Vlanxxx
failover polltime unit 1 holdtime 3
failover polltime interface 3
failover interface-policy 1
failover replication http
failover link failover Vlanxxx
failover interface ip failover x.x.x.x 255.255.255.252 standby 1x.x.x.x
08-21-2008 07:38 AM
Andrew,
I added the interface-policy 1 statement and the failover polltime interface 3 statement to my config, but the result is the same...
So my config is now:
SYSTEM# sh run failover
failover
failover lan unit primary
failover preempt 60
failover lan interface FAILOV Vlan10
failover polltime unit msec 500 holdtime 3
failover polltime interface 3
failover interface-policy 1
failover replication http
failover link STSYNC Vlan11
failover interface ip FAILOV 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip STSYNC 192.168.11.1 255.255.255.0 standby 192.168.11.2
The only difference I have is that you maybe use the same VLAN for both failover and sync? But anyway, it shouldn't have any impact.
Yves
08-21-2008 07:41 AM
Try changing:-
from
failover polltime unit msec 500 holdtime 3
to
failover polltime unit 1 holdtime 3
HTH>
08-21-2008 07:47 AM
can you post the output from:-
show failover
08-21-2008 07:59 AM
Andrew,
I did the change, but unfortunately there is no change in the behaviour... It is really strange.
Do you have the "firewall autostate" statement in your 6500 switch config?
Yves
08-21-2008 08:05 AM
Nope!
It's disabled by default!
08-21-2008 08:12 AM
Andrew,
Here is the show failover command output on the primary and secondary units:
On the primary:
SYSTEM# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOV Vlan 10 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
failover replication http
Config sync: active
Version: Ours 3.2(2), Mate 3.2(2)
Last Failover at: 15:53:01 UTC Aug 21 2008
This host: Primary - Active
Active time: 545 (sec)
ADMIN Interface FWMGT (10.56.2.12): Normal (Not-Monitored)
CH01FW01 Interface V-300-P (10.56.5.1): Normal (Not-Monitored)
CH01FW01 Interface V-400-P (10.56.9.1): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 596 (sec)
ADMIN Interface FWMGT (10.56.2.13): Normal (Not-Monitored)
CH01FW01 Interface V-300-P (10.56.5.2): Normal (Not-Monitored)
CH01FW01 Interface V-400-P (10.56.9.2): Normal (Not-Monitored)
Stateful Failover Logical Update Statistics
Link : STSYNC Vlan 11 (up)
Stateful Obj xmit xerr rcv rerr
General 228 0 87 0
sys cmd 88 0 88 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 141 0 0 0
Xlate_Timeout 0 0 0 0
AAA tbl 0 0 0 0
DACL 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 612
Xmit Q: 0 0 229
And here on the secondary:
SYSTEM# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOV Vlan 10 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
failover replication http
Config sync: active
Version: Ours 3.2(2), Mate 3.2(2)
Last Failover at: 15:53:39 UTC Aug 21 2008
This host: Secondary - Standby Ready
Active time: 596 (sec)
ADMIN Interface FWMGT (10.56.2.13): Normal (Not-Monitored)
CH01FW01 Interface V-300-P (10.56.5.2): Normal (Not-Monitored)
CH01FW01 Interface V-400-P (10.56.9.2): Normal (Not-Monitored)
Other host: Primary - Active
Active time: 663 (sec)
ADMIN Interface FWMGT (10.56.2.12): Normal (Not-Monitored)
CH01FW01 Interface V-300-P (10.56.5.1): Normal (Not-Monitored)
CH01FW01 Interface V-400-P (10.56.9.1): Normal (Not-Monitored)
Stateful Failover Logical Update Statistics
Link : STSYNC Vlan 11 (up)
Stateful Obj xmit xerr rcv rerr
General 2520 0 7981 0
sys cmd 2124 0 2117 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 24 0 20 0
UDP conn 0 0 4 0
ARP tbl 373 0 5841 0
Xlate_Timeout 0 0 0 0
AAA tbl 0 0 0 0
DACL 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 2 25275
08-22-2008 12:44 AM
Sorry for the late reply, got caught up in an issue.
I notice that all the timers look correct - you are not monitoring any interfaces though, just the FWSM, I think you should re-think that.
However that aside, I literally configured my failover - and it worked from the get go, it even fails over inside 3 seconds - which is nice. The below links could be helpful:-
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/failover.html
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080965dec.shtml
HTH>
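The check Andrew describes above (timers look right, but no interfaces are monitored and the state link must be up) can be automated against the "sh failover" output Yves posted. This is an added example, not code from the thread or from Cisco: the sample text is constructed from the output posted above, and the "milliseconds" wording for a msec unit poll time is an assumption, since the thread only shows the "seconds" form.

```python
import re

# Constructed sample, cut down from the "sh failover" output posted in this thread.
SAMPLE = """\
Failover On
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds
Monitored Interfaces 0 of 250 maximum
This host: Primary - Active
ADMIN Interface FWMGT (10.56.2.12): Normal (Not-Monitored)
CH01FW01 Interface V-300-P (10.56.5.1): Normal (Not-Monitored)
CH01FW01 Interface V-400-P (10.56.9.1): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
Link : STSYNC Vlan 11 (up)
"""

# "<context> Interface <name> (<ip>): <state> (Monitored|Not-Monitored)"
IFACE = re.compile(r"(\S+) Interface (\S+) \([\d.]+\): (\S+) \((Not-)?Monitored\)")

def parse_show_failover(text):
    """Pull the fields that matter for failover timing out of 'show failover'."""
    st = {"enabled": False, "unit_poll_s": 0.0, "holdtime_s": 0.0,
          "monitored": 0, "not_monitored": [], "state_link_up": False}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line == "Failover On":
            st["enabled"] = True
        elif m := re.match(r"Unit Poll frequency (\d+) (\w+), holdtime (\d+) seconds", line):
            poll = int(m.group(1))
            # assumed: a msec polltime is printed as "milliseconds"; the thread shows "seconds"
            st["unit_poll_s"] = poll / 1000 if m.group(2).startswith("milli") else float(poll)
            st["holdtime_s"] = float(m.group(3))
        elif m := re.match(r"Monitored Interfaces (\d+) of", line):
            st["monitored"] = int(m.group(1))
        elif line.startswith(("This host:", "Other host:")):
            section = line.split(":")[0]          # only this host's interfaces are audited
        elif (m := IFACE.match(line)) and section == "This host" and m.group(4):
            st["not_monitored"].append(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"Link : \S+ Vlan \d+ \((\w+)\)", line):
            st["state_link_up"] = m.group(1) == "up"
    return st

def audit(st):
    """Return the findings a reviewer of this failover pair would raise."""
    findings = []
    if not st["enabled"]:
        findings.append("failover is off")
    if st["monitored"] == 0:
        findings.append("no interfaces monitored: only loss of unit hellos triggers failover")
    findings += [f"{name} not monitored" for name in st["not_monitored"]]
    if not st["state_link_up"]:
        findings.append("state link down: connections will not be replicated")
    # Worst case to declare a silent peer dead is the unit holdtime; compare it with the
    # takeover time actually observed (15 s in the thread) to see where the delay sits.
    findings.append(f"peer declared dead after {st['holdtime_s']:g} s without hellos")
    return findings
```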
08-22-2008 01:21 AM
Hi Andrew,
I really appreciate your help, as I am a bit stuck with this issue in an important data center...
In the troubleshooting document, I read: "Note: Do not configure an IP address for the failover link or for the state link (if you are going to use Stateful Failover)."
But in the sample configuration, they configure an IP address? I also configured an IP address on the failover VLAN and on the Sync VLAN (remember, I use two different VLANs, as recommended by Cisco).
For your information, here is my SYSTEM configuration:
SYSTEM# sh run
: Saved
:
FWSM Version 3.2(2)
!
resource acl-partition 12
hostname SYSTEM
enable password xxx
!
interface Vlan10
description LAN Failover Interface
!
interface Vlan11
description STATE Failover Interface
!
interface Vlan91
description *** Network Management VLAN ***
!
interface Vlan300
description *** Server Farms VLAN ***
!
interface Vlan400
description *** Critical Servers VLAN ***
!
passwd /qNhaw.ZtG3q1e1B encrypted
class default
limit-resource IPSec 5
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
limit-resource All 0
!
ftp mode passive
pager lines 24
failover
failover lan unit primary
failover preempt 60
failover lan interface FAILOV Vlan10
failover polltime unit 1 holdtime 3
failover polltime interface 3
failover interface-policy 1
failover replication http
failover link STSYNC Vlan11
failover interface ip FAILOV 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip STSYNC 192.168.11.1 255.255.255.0 standby 192.168.11.2
no asdm history enable
arp timeout 14400
console timeout 0
admin-context ADMIN
context ADMIN
description *** This is the administration context. It has a unique interface on VLAN 91 ***
allocate-interface Vlan91
config-url disk:/ADMIN.cfg
!
context CH01FW01
description *** This is the Firewall instance between security zones 3 and 4 ***
allocate-interface Vlan300
allocate-interface Vlan400
config-url disk:/CH01FW01.cfg
!
prompt hostname context
Cryptochecksum:xxx
: end
In your environment, do you monitor any interface in addition to unit monitoring? If yes, what interface do you monitor? I have basically two contexts in my FWSM: the ADMIN context, with a unique interface on my management VLAN, and another context for production, with two interfaces (inside and outside).
Yves
08-22-2008 01:29 AM
Yes - I monitor the failover interface:-
failover lan interface failover Vlan256
failover polltime unit 1 holdtime 3
failover polltime interface 3
failover interface-policy 1
failover replication http
failover link failover Vlan256
failover interface ip failover 10.x.x.245 255.255.255.252 standby 10.x.x.246
08-22-2008 02:13 AM
Andrew,
Do you understand what Cisco means when writing:
"Note: Do not configure an IP address for the failover link or for the state link (if you are going to use Stateful Failover)."?
Actually, we both have configured IP addresses on the failover VLAN:
failover interface ip FAILOV 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip STSYNC 192.168.11.1 255.255.255.0 standby 192.168.11.2
Yves
08-22-2008 03:27 AM
Yes - it's because you do not want the state link IP being transferred in the event of failover?
As below that note - there is this one:-
Note: You do not need to identify the standby address subnet mask. The failover link IP address and MAC address do not change at failover. The active IP address for the failover link always stays with the primary unit, while the standby IP address stays with the secondary unit.