cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1526
Views
0
Helpful
2
Replies

Active/active failover in FWSM - silly question

Hello

I have two 6500 switches, each with a FWSM running OS version 3.1(4).

I configured active/standby failover, followed by active/active failover. The configs for both types of failover look very similar. The only additions for active/active seem to be

! context system

failover group 1

primary

admin-context admin

context admin

join-failover-group 1

context abc

join-failover-group 1

Is this all? Results displayed by the "show failover" command also look very similar. There is nothing to indicate an active/active configuration or active/standby. Is there a simple way to be 100% sure what type of failover is configured?

Thank you,

Cristian

File with "show failover" results as attachment

2 Replies 2

jim
Level 1
Level 1

You need to configure a second group which the secondary fwsm will be a primary.

#blade 1

Failover group 1

failover group 2

secondary

#blade 2

failover group 2

failover group 1

secondary

#sho failover

Failover On

Failover unit Secondary

Failover LAN Interface: FAILOVER Management0/0 (up) Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 3 of 250 maximum

Version: Ours 7.2(2), Mate 7.2(2)

Group 1 last failover at: 06:49:56 EST Jan 8 2007 Group 2 last failover at: 06:49:56 EST Jan 8 2007

This host: Secondary

Group 1 State: Active

Active time: 414641 (sec)

Group 2 State: Active

Active time: 70040 (sec)

slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)

admin Interface outside (12.109.107.5): Normal

admin Interface inside (172.16.0.5): Normal

admin Interface DMZ (10.0.0.1): Normal

admin Interface management (172.16.255.51): Normal (Not-Monito

red)

slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status

(Up/Up)

IPS, 5.0(2)S152.0, Up

Other host: Primary

Group 1 State: Standby Ready

Active time: 0 (sec)

Group 2 State: Standby Ready

Active time: 0 (sec)

slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)

admin Interface outside (12.109.107.24): Normal

admin Interface inside (172.16.0.24): Normal

admin Interface DMZ (10.0.0.2): Normal

admin Interface management (0.0.0.0): Normal

(Not-Monitored)

slot 1: ASA-SSM-10 hw/sw rev (1.0/5.1(1)S205.0) status

(Up/Up)

IPS, 5.1(1)S205.0, Up

Stateful Failover Logical Update Statistics

Link : FAILOVER Management0/0 (up)

Stateful Obj xmit xerr rcv rerr

General 105117 0 62565 0

sys cmd 55988 0 55988 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 2725 0 6299 0

UDP conn 32 0 0 0

ARP tbl 46372 0 278 0

Xlate_Timeout 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 1 62565

Xmit Q: 0 1 105117

Thank you, Jim

So, the active/active configuration means that each firewall can be primary for one context, and secondary for another context. It's just an active/standby config, but the primary and secondary roles can be allocated to firewalls per context.

I expected a different behavior, the active/active designation seemed to indicate that both firewalls can process traffic for the same context at the same time.

Thank you,

Cristian

Review Cisco Networking for a $25 gift card