Cisco Systems CL-28826-01 Security Camera User Manual


49-13
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 49 Configuring Failover
Failover Policies
Navigation Path
To access this feature, select a FWSM in Device View and then select Platform > Device Admin >
Failover from the Device Policy selector.
Related Topics
Failover Policies, page 49-10
Additional Steps for an Active/Standby Failover Configuration, page 49-9
Bootstrap Configuration for LAN Failover Dialog Box, page 49-26
Field Reference
Table 49-3 Failover Page (FWSM)
Element Description
Enable Failover: Check this box to enable failover on this device. Ensure that both devices have the same software version, activation key, flash memory, and RAM.
You must next configure the logical LAN Failover interface and, optionally, the stateful failover interface.
Settings button: Click to display the Advanced Settings Dialog Box, page 49-15, used to define when failover should occur.
Configuration
This section is presented only for FWSM 3.1.1+ devices operating in multiple-context mode.
Active/Active: In an Active/Active failover configuration, both security appliances inspect network traffic, on a per-context basis. That is, for each context, one of the appliances is the active device, while the other is the standby device.
To enable Active/Active failover on the device, you must assign the security contexts to one of two failover groups. A failover group is simply a logical group of one or more security contexts. You should specify failover group assignments on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default. See Add/Edit Security Context Dialog Box (FWSM), page 57-5 for information about assigning a context to a failover group.
Active/Standby: In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance.
When a failover occurs, the standby security appliance becomes the active unit. It assumes the IP and MAC addresses of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out.