02-08-2012 12:38 PM - edited 03-11-2019 03:26 PM
Hello,
I have a FWSM in Active/standby mode. My primary failed and I got a replacement. At present my standby FWSM is active and the network is running fine. I want to insert the new FWSM in the chassis; once it is inserted both will be active because there is no failover configured on the new FWSM. Now to configure the failover, I have to execute the commands below; please correct me if I am wrong. But I am afraid that after executing the commands the new FWSM will become active and it will start syncing its empty configuration to the secondary, and all the actual configuration will be wiped out.
Can anybody please confirm the perfect procedure when the primary fails and we are trying to replace the faulty FWSM?
failover lan unit primary------> I hope this command will make the new FWSM active with empty configs and it will wipe out the actual working configs on the secondary FWSM
failover lan interface faillink Vlan11
failover link statelink Vlan16
failover interface ip faillink 172.24.11.1 255.255.255.252 standby 172.24.11.2
failover interface ip statelink 172.24.16.1 255.255.255.252 standby 172.24.16.2
failover
02-08-2012 01:05 PM
Hello Estela,
So the actual active FWSM is the secondary device on the HA cluster.
Now you will deploy the new FWSM and you want it to be the standby device even though it is the primary, as it does not have anything configured.
So after you configured this:
failover lan unit primary------> I hope this command will make the new FWSM active with empty configs and it will wipe out the actual working configs on the secondary FWSM
failover lan interface faillink Vlan11
failover link statelink Vlan16
failover interface ip faillink 172.24.11.1 255.255.255.252 standby 172.24.11.2
failover interface ip statelink 172.24.16.1 255.255.255.252 standby 172.24.16.2
failover
The active unit (secondary in this scenario) will send its configuration file to the standby.
Remember, failover replication is from active to secondary, not from primary to secondary.
Regards,
Julio
Do rate helpful posts!!
02-08-2012 01:09 PM
Hi Matthew
Please see the following link:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080531753.shtml
Hope this helps.....
Craig
02-08-2012 10:21 PM
Dear Julio,
Remember failover replication is from active to secondary not from primary to secondary----
Yes, this is my question: when I insert the new FWSM, both will be active, the new FWSM and the existing secondary, because they are not syncing together due to no failover configuration. So after configuring failover, who will take over whom?
The commands I showed above are perfect for the failover configuration to sync on the new FWSM, which will be configured as a primary unit.
Thanks
02-09-2012 09:53 AM
Hello Estela,
Yep, failover replication is from active to standby, so on the new device you can configure the command no failover active.
You will not have any problems as you have already setup a device as the active one...
Julio
02-09-2012 11:48 AM
Dear Julio,
So all together the commands for the failover are:
failover configuration on New FWSM which will be primary unit
failover lan unit primary
failover lan interface faillink Vlan11
failover link statelink Vlan16
failover interface ip faillink 172.24.11.1 255.255.255.252 standby 172.24.11.2
failover interface ip statelink 172.24.16.1 255.255.255.252 standby 172.24.16.2
no failover active-------This command will prevent the new FWSM from becoming active and replicating its empty configs over the actual configs of the secondary.
failover
Thanks
02-09-2012 12:00 PM
Hello Estela,
That is correct!
Regards,
02-09-2012 12:07 PM
Hello Julio,
Failover can work with a difference in minor version, for example 3.2(22) in primary and 3.2(5) in secondary, and also a minor difference in ASDM images.
Thanks
02-09-2012 12:13 PM
The two units in a failover configuration must be in the operational modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version, but you can use different versions of the software within an upgrade process.
In this case they will share 3.2, so in fact they will share the major and minor versions, so you will be okay, even though it is recommended to upgrade the other one so they match the exact version.
So it would work!
02-09-2012 12:36 PM
Hello Julio,
What you have written above is what I have read in the configuration guide, but these words are still not clear to me.
I hope what the guide is trying to explain is:
If I have a primary and secondary FWSM with 3.2(5) and suppose I upgrade the secondary from 3.2(5) to 3.2(19), the failover will be active until and unless the secondary FWSM reboots and 3.2(19) comes into action. Once I reboot the secondary, the failover will break and both will be Active/Active.
So the difference in minor and major will not work.
Thanks
02-09-2012 01:00 PM
Hello Estela,
Nope, the other way around.
Take this as an example (applies to both ASAs and FWSM):
The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support. To ensure long-term compatibility and stability, we recommend upgrading both units to the same version as soon as possible.
Hope this helps!
Do rate all the helpful posts...
Julio
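The version rule quoted in the reply above, written out as a check (an added example, not part of the original thread and not Cisco tooling). The function names, the pair names, and the label "maintenance" for the number in parentheses are assumptions made here; the inventory is constructed, with the first pair taken from the versions mentioned in the thread.

```python
import re

# Matches FWSM/ASA-style version strings such as "3.2(5)" or "3.2(22)".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)\)\s*$")


def parse_version(text):
    """Return (major, minor, maintenance) from a string like '3.2(19)'."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def failover_parity(active, standby):
    """Classify a pair of unit versions against the quoted rule.

    'match'        - identical versions, the recommended long-term state
    'upgrade-only' - same major.minor, different maintenance release:
                     failover is supported, but only meant to last for
                     the duration of an upgrade
    'mismatch'     - major or minor differs: outside the quoted rule
    """
    a, s = parse_version(active), parse_version(standby)
    if a == s:
        return "match"
    if a[:2] == s[:2]:
        return "upgrade-only"
    return "mismatch"


def audit_pairs(pairs):
    """Return {pair name: state} for every pair that is not an exact match."""
    findings = {}
    for name, (active, standby) in pairs.items():
        state = failover_parity(active, standby)
        if state != "match":
            findings[name] = state
    return findings


# Constructed inventory; the first pair uses the versions from the thread.
SAMPLE_PAIRS = {
    "fwsm-pair-a": ("3.2(22)", "3.2(5)"),
    "fwsm-pair-b": ("3.2(19)", "3.2(19)"),
    "fwsm-pair-c": ("4.0(4)", "3.2(19)"),
}

if __name__ == "__main__":
    for name, state in audit_pairs(SAMPLE_PAIRS).items():
        print(name, state)
```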
02-09-2012 11:36 PM
Dear Julio,
I can't understand the below lines in the Cisco config guide:
but you can use different versions of the software within an upgrade process.
So I reach the final answer that if FWSMs have a difference in minor version they can't work in failover for long-term running production.
Please correct me if I am wrong.
02-10-2012 09:35 AM
Hello Estela,
I mean you can have different versions of the software (3.2(5) to 3.2(19)) while you do the upgrade, but if you can have them on the same version, as the firewall device is expected to work, why should you not have it like that for long-term running production? Do you understand what I mean?
Regards,
Julio
02-10-2012 01:08 PM
Hello Julio,
As per your previous mail,
you can have different versions of the software (3.2(5) to 3.2(19)) while you do the upgrade,
BUT
Thanks
02-10-2012 01:41 PM
That is correct, you should use the same version for a long term production!
Regards,
Julio