11-10-2009 05:36 AM - edited 03-11-2019 09:38 AM
Dear all Firewall gurus,
I have a client who has a pair of Cisco 6509s with a Firewall module in each of the 6509s.
They are considering setting up the firewall modules as HA. What's the easiest way to set up the configuration for stateful failover? And are there any verification commands for stateful failover?
Any help and assistance is appreciated in advance =)
Cheers,
Hunt
11-10-2009 06:23 AM
"show failover" will show you the status of failover: it will show you the peers and the status messages received and transmitted. Of course there are "debug fover" commands, but I wouldn't suggest them unless you are troubleshooting. "sh fail history" is one more useful command.
Now for setting it up, you need to have the active unit configured and make sure the VLANs are pushed to both FWSMs and trunked between the switches (so that both FWSMs can see and "handle" the same traffic). Then you just configure the failover commands on the primary and secondary. You do not need to replicate the config to the standby, because as soon as they establish failover it will copy over. Make sure you don't forget to have standby IP addresses on your interfaces.
I hope it helps.
PK
11-10-2009 06:28 AM
This will give you what you are looking for.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fail_f.html
11-10-2009 06:45 AM
Also, to switch roles from active to standby for testing, use the commands "failover active" and "no failover active".
PK
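The configuration PK describes above (VLANs pushed to both modules, failover commands on the primary and secondary, standby addresses on every interface), together with the role-switch commands from the later reply, as one worked example. This is an added example, not configuration posted in the thread: the VLAN numbers, IP addresses, module slot and interface names are made up, and it assumes FWSM 4.x syntax in single-context routed mode (in multiple-context mode the failover commands go in the system execution space). Check every command against the FWSM configuration guide linked above before pasting it into a production pair.

```cisco
! ---------- Both Catalyst 6509 supervisors (IOS) ----------
! Assumed: FWSM in slot 3. Data VLANs 100/200, LAN failover VLAN 998,
! stateful failover VLAN 999. All four VLANs must exist on both
! switches and be carried on the trunk between them.
firewall vlan-group 10 100,200,998,999
firewall module 3 vlan-group 10

! ---------- FWSM in the first 6509 (primary unit) ----------
hostname fwsm-a
interface Vlan100
 nameif outside
 security-level 0
 ! active address first, standby address second (assumed addresses)
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
! LAN-based failover: hello/config-sync link on VLAN 998
failover lan unit primary
failover lan interface folink vlan 998
failover interface ip folink 172.16.98.1 255.255.255.0 standby 172.16.98.2
! Stateful failover: connection-table replication on VLAN 999
failover link statelink vlan 999
failover interface ip statelink 172.16.99.1 255.255.255.0 standby 172.16.99.2
! Optional: also replicate HTTP connections (not replicated by default)
failover replication http
! Enable failover last, after the links above are configured
failover

! ---------- FWSM in the second 6509 (secondary unit) ----------
! Only the failover LAN link is needed here; the interface, NAT and
! policy configuration is copied from the primary once the pair syncs.
failover lan unit secondary
failover lan interface folink vlan 998
failover interface ip folink 172.16.98.1 255.255.255.0 standby 172.16.98.2
failover

! ---------- Verification (run on either unit) ----------
! Expect "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
! and the stateful failover statistics section populated.
show failover
show failover history
! Forced switchover for testing: on the active unit
no failover active
! ...or on the standby unit
failover active
```

The `failover interface ip` line is entered identically on both units: the first address always belongs to the primary and the `standby` address to the secondary, regardless of which unit is currently active. Only the data VLANs need `ip address ... standby` statements; the two failover VLANs are addressed through `failover interface ip` and are not given `interface Vlan` blocks.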
11-10-2009 05:54 PM
Hi all Firewall gurus,
If the pair of HA Firewall Modules has already been set up for failover and my customer wants to upgrade the IOS on the Firewall modules one by one:
1) Will the server/host connections be disconnected? If so, is there any way of preventing them from dropping?
2) Do I need to 'clear arp' on the 6509s?
Cheers,
Hunt
11-11-2009 08:44 AM
1) If you are doing stateful failover then they should not drop.
2) No, when failing over the firewall sends gratuitous ARPs.
If you upgrade the firewall to a new major or minor release you will need downtime. You must not have two failover units running different major or minor releases at any time.
PK