https://community.cisco.com/t5/network-security/fwsm-command-required-or-not/m-p/774383#M1006592 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Failover will still work even without monitored interfaces but it will not be very efficient ie. only if the whole unit goes down will failover happen. The FWSM uses the failover link to monitor the other FWSM. If the standby loses connectivity with the active then it assumes the active role. </P><P></P><P>Problem with this is that if you lose some of your firewall interfaces eg the outside interface and you are not monitoring it then the FWSM will not failover. </P><P></P><P>Generally speaking you should monitor the important interfaces. If you use a shared vlan, for exmaple on the outside interfaces, you only need to monitor the outside interface in one of your contexts ( if you are using contexts that is ). </P><P></P><P>You can set a threshold of interfaces that are monitored that must fail before failover happens. </P><P></P><P>Attached is a link to the FWSM 3.1 failover confgiuration section. Have a look at the failover triggers to explain all of this in more detail. </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080602f98.html#wp1046889" target="_blank">http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080602f98.html#wp1046889</A></P><P></P><P>HTH</P><P></P><P>Jon</P></BODY></HTML> Fri, 20 Apr 2007 16:34:48 GMT Jon Marshall 2007-04-20T16:34:48Z https://community.cisco.com/t5/network-security/fwsm-command-required-or-not/m-p/774382#M1006587 <P>Hi,</P><P></P><P>I use two FWSM's in active/standby failover configuration in two different chassis.</P><P></P><P>A 'show failover' command output shows that interfaces are not monitored for failover. </P><P></P><P>Someone told me this monitoring is not an option, but SHOULD be turned on to let failover function at all!</P><P></P><P>I am sure this is not true and failover also works fine in case of a failing fwsm, but cannot find it in documentation.</P><P></P><P>Can someone help me out?</P><P></P><P>Erik</P><P></P><P>Failover On </P><P>Failover unit Primary</P><P>Failover LAN Interface: fover-int Vlan 405 (up)</P><P>Unit Poll frequency 15 seconds, holdtime 45 seconds</P><P>Interface Poll frequency 15 seconds</P><P>Interface Policy 50%</P><P>Monitored Interfaces 0 of 250 maximum</P><P>Config sync: active</P><P>Version: Ours 3.1(3), Mate 3.1(3)</P><P>Last Failover at: 09:51:03 MET Jan 3 2007</P><P> This host: Primary - Active </P><P> Active time: 9260490 (sec)</P><P> Interface outside (10.2.3.4): Normal (Not-Monitored)</P><P> Interface inside (10.2.4.4): Normal (Not-Monitored)</P><P> Interface homewurks (10.2.5.4): Normal (Not-Monitored)</P><P></P><P>Etc..</P><P></P><P></P> Mon, 11 Mar 2019 10:02:26 GMT https://community.cisco.com/t5/network-security/fwsm-command-required-or-not/m-p/774382#M1006587 Erik Molenaar 2019-03-11T10:02:26Z https://community.cisco.com/t5/network-security/fwsm-command-required-or-not/m-p/774383#M1006592 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Failover will still work even without monitored interfaces but it will not be very efficient ie. only if the whole unit goes down will failover happen. The FWSM uses the failover link to monitor the other FWSM. If the standby loses connectivity with the active then it assumes the active role. </P><P></P><P>Problem with this is that if you lose some of your firewall interfaces eg the outside interface and you are not monitoring it then the FWSM will not failover. </P><P></P><P>Generally speaking you should monitor the important interfaces. If you use a shared vlan, for exmaple on the outside interfaces, you only need to monitor the outside interface in one of your contexts ( if you are using contexts that is ). </P><P></P><P>You can set a threshold of interfaces that are monitored that must fail before failover happens. </P><P></P><P>Attached is a link to the FWSM 3.1 failover confgiuration section. Have a look at the failover triggers to explain all of this in more detail. </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080602f98.html#wp1046889" target="_blank">http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080602f98.html#wp1046889</A></P><P></P><P>HTH</P><P></P><P>Jon</P></BODY></HTML> Fri, 20 Apr 2007 16:34:48 GMT https://community.cisco.com/t5/network-security/fwsm-command-required-or-not/m-p/774383#M1006592 Jon Marshall 2007-04-20T16:34:48Z https://community.cisco.com/t5/network-security/fwsm-command-required-or-not/m-p/774384#M1006599 <HTML><HEAD></HEAD><BODY><P>Thanks Jon for your explanantion!</P><P></P><P>Erik</P></BODY></HTML> Mon, 23 Apr 2007 07:11:23 GMT https://community.cisco.com/t5/network-security/fwsm-command-required-or-not/m-p/774384#M1006599 Erik Molenaar 2007-04-23T07:11:23Z