cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

4323
Views
10
Helpful
6
Replies
Highlighted
Beginner

sfr fail-open: will it failover over to secondary if SFR fails on primary?

Pair of 5515-x with SFR , in Active/Standby failover.

Policy-map is configured for:  sfr fail-open

If SFR fails on primary/active device, is:

1. primary device stays active since it's configured for sfr fail-open?

2. failover occurs and secondary becomes active since primary is no longer healthy?

I think the answer is 2, but I would like a confirmation.

Thanks.

Cath.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Hall of Fame Guru

Cath,

Service module health is by default checked as part of the failover criteria in an ASA HA pair (or cluster). If the service module fails, that will trigger a failover event (assuming the Standby unit is in ready state).

As of ASA software 9.5(1) there is an option to change this default behavior with the command "no  health-check monitor-interface service-module".

View solution in original post

6 REPLIES 6
Highlighted
Hall of Fame Guru

Cath,

Service module health is by default checked as part of the failover criteria in an ASA HA pair (or cluster). If the service module fails, that will trigger a failover event (assuming the Standby unit is in ready state).

As of ASA software 9.5(1) there is an option to change this default behavior with the command "no  health-check monitor-interface service-module".

View solution in original post

Highlighted

Thanks Marvin.  That is what I thought.  I was aware also of the new features in 9.5 to not have the module considered for failover.

Marvin, your replies are always clear, concise and precise.  Your continuous contribution to the support forum is greatly appreciated.

Regards,

Cath.

Highlighted

You're welcome Cath.

Thank you for the kind words of encouragement. I've been at it here in the Cisco community forums for just over 15 years (CSC's predecessor Netpro started in 2000 the year before I joined); so I've pretty much got it figured out.

I read somewhere that an expert is somebody who's already made most of the mistakes (at least once). I might have a few more left to make; but I've had my fair share. :) 

Highlighted

Malcom Gladwell would say that an expert is someone who has put 10,000 hours practicing their skills. I'm sure you are well over that time threshold. Thanks again for your contribution. Cath.
Highlighted

I have my Any Connect VPN and Site to Site VPN Traffic redirected to SFR module while configuring almost similar to below rule. Difference is in my box I have configured the traffic here what I mentioned as XXXX. 

 

ciscoasa(config)# access-list sfr_redirect extended permit ip XXXX XXXX
ciscoasa(config)# class-map sfr
ciscoasa(config-cmap)# match access-list sfr_redirect
ciscoasa(config-pmap-c)# sfr fail-open monitor-only

 

Now I need to configure this as an Inline Mode to start Inspecting the traffic. What are the steps I need to do to accomplish this other than configuring below command 

 

ciscoasa(config-pmap-c)# sfr fail-open

Highlighted

Hi Malcom,

If your sfr is already working in ''monitor mode'' and now you want to go with inline mode then apart from just typing ''sfr fail-open'' under class map

You need go through logs that generated by firepower when it was in monitor mode bcz there is an option it will tell ''what if i would be in INLINE mode'' 
you may need to spend time to see those logs bcz based on your policy configuration it may block some legitimate traffic of your network or may allow some malicious traffic to/from your network.

Content for Community-Ad