Failover FWSM problem

Hello world

I have a question on the FWSM failover.

I understand that I can configure "polling frequency" to detect the loss of accessibility between FWSM Active and standby FWSM and not configure "number of polling stations in attempts"? This Eve FWSM recognize active FWSM fails.

I changed? mark for 3 (minimum value) to confirm what time is necessary (elapsed) to get back successfully done.

The result of my survey, about 30 seconds (elapsed) to take necessary supported successfully completed.

So I think that 30 seconds is the minimum (best) time for failover to complete successfully, because I can change "polling frequency" only, not "number of retries".

My understanding is correct?

Or are there no parameters to speed it up so that it takes less than 30 seconds?

Your information would be greatly appreciated.

Best regards

Hello

How fast FWSM can start checking the failover process?

primary(config)# failover polltime [unit] [msec] number [holdtime seconds]

-> Unit number [MS] polltime - how fast you want the gof mark/recording of the State of the interface before the failover control process has begun.

The amount of time between hello messages. Set the time in seconds between 1 (faster) and 15. The default value is 1 second. If you specify msec, you can set the time between 500 and 999 milliseconds.

-> holdtime number - sets the time during which a unit must receive a hello message on the failover link; otherwise the unit begins the testing process for peer failure. Set the time in seconds between 15 and 45. The default value is the higher of 15 seconds or 3 times the polltime. You cannot enter a value that is less than 3 times the polltime. That means that the lowest, or fastest, holdtime is 15 sec.

time = 15 sec

These are the standard checks performed during the failover process, before the new blade is elected active FWSM:

1. Link up/down test: a test of the VLAN state. If the link up/down test indicates the VLAN is operational, then the FWSM performs network tests. The purpose of these tests is to generate network traffic to determine which (if either) unit has failed. At the beginning of each test, each unit clears the number of packets received for its interfaces. At the end of each test, each unit looks to see if it has received any traffic. If so, the interface is considered operational. If one unit receives traffic for a test and the other unit does not, the unit that received no traffic is considered failed. If neither unit has received traffic, the next test is used.

2. Network activity test: a received network activity test. The unit counts all packets received for 5 seconds. If all the packets are received at any time during this interval, the interface is considered operational and analysis stops. If no traffic is received, the ARP test begins.

* time = 5 seconds

3. ARP test: a reading of the unit's ARP cache for the 2 most recently acquired entries. One at a time, the unit sends ARP requests to these machines, to try to stimulate network traffic. After each request, the unit counts all traffic received for 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list, no traffic is received, the ping test begins.

* time = 5 seconds

4. Broadcast ping test: a ping test that consists of sending a broadcast ping request. The unit then counts all packets received for 5 seconds. If all the packets are received at any time during this interval, the interface is considered operational and analysis stops.

* time = 5 seconds

* estimated control failover time = 15 sec

Total = 30 seconds.

http://www.Cisco.com/en/us/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00802010c0.html#wp1109055

Rgds,

AK
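
An added example, not part of the original reply: a small validator for the `failover polltime` line that applies the limits quoted in the answer and lays out the worst-case detection timeline from the test windows it lists. The function names are hypothetical and the sample lines are constructed; it shows that a sub-second polltime still ends at 30 seconds because the holdtime floor is 15.

```python
import re

# Limits as stated in the answer above.
POLL_SEC_RANGE = (1, 15)       # polltime given in seconds
POLL_MSEC_RANGE = (500, 999)   # polltime given with the msec keyword
HOLD_SEC_RANGE = (15, 45)      # holdtime in seconds
# Listening windows of the tests that run once the holdtime has expired,
# using the per-test figures from the answer.
TEST_WINDOWS = [
    ("network activity test", 5),
    ("ARP test", 5),
    ("broadcast ping test", 5),
]

# failover polltime [unit] [msec] number [holdtime seconds]
LINE_RE = re.compile(
    r"^failover\s+polltime(?:\s+unit)?(?:\s+(msec))?\s+(\d+)"
    r"(?:\s+holdtime\s+(\d+))?$"
)


def parse_polltime(line):
    """Return (polltime_s, holdtime_s); raise ValueError on a violated limit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a failover polltime line: {line!r}")
    msec, number, hold = m.group(1), int(m.group(2)), m.group(3)
    lo, hi = POLL_MSEC_RANGE if msec else POLL_SEC_RANGE
    if not lo <= number <= hi:
        unit = "ms" if msec else "s"
        raise ValueError(f"polltime {number} {unit} outside {lo}-{hi} {unit}")
    poll = number / 1000.0 if msec else float(number)
    # Default holdtime: the higher of 15 seconds or 3 times the polltime.
    floor = max(float(HOLD_SEC_RANGE[0]), 3 * poll)
    if hold is None:
        return poll, floor
    hold = float(hold)
    if not HOLD_SEC_RANGE[0] <= hold <= HOLD_SEC_RANGE[1]:
        raise ValueError(f"holdtime {hold:g} s outside 15-45 s")
    if hold < 3 * poll:
        raise ValueError(f"holdtime {hold:g} s is less than 3 x polltime")
    return poll, hold


def worst_case_timeline(line):
    """List (event, elapsed_seconds) when every test runs to its full window."""
    _, hold = parse_polltime(line)
    elapsed = hold
    steps = [("holdtime expires without a hello", elapsed)]
    for name, window in TEST_WINDOWS:
        elapsed += window
        steps.append((f"{name} window ends", elapsed))
    return steps


if __name__ == "__main__":
    # Constructed sample lines, not taken from a real device.
    samples = (
        "failover polltime unit 1 holdtime 15",
        "failover polltime unit msec 500 holdtime 15",
        "failover polltime unit 10",
    )
    for cfg in samples:
        print(cfg)
        for event, t in worst_case_timeline(cfg):
            print(f"  {t:5.1f} s  {event}")
```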

Tags: Cisco Security

Similar Questions

  • Failover FWSM Interchassis

    Is it mandatory to have a dedicated link (trunk) as the state/failover link between the two switches for FWSM interchassis failover?

    Hello

    It is not mandatory to have a "dedicated link" for failover, but it is a recommended practice. You can use an existing trunk link that carries other VLAN traffic.

    The suggestion to use a dedicated link is to ensure that the link does not get flooded by normal data traffic that could lead to problems with failover.

    It depends on how busy your existing trunk layer2 links are.

    HTH

    Jon

  • PIX 515E failover restart problems

    Thursday, November 23, we went from the PIX cluster to version 7.1 (2) 6.2 (2) with the default memory (64 MB) in each PIX. The Active PIX then suffered what appeared to be leaking memory (attributed to process ARP Thread). This continued for a few days, with the result that we force reloaded the Active PIX every 8 hours to ensure the continuity of the service. Monday 27, after a reload, it was noticed that the Active PIX was leaking more memory per process ARP Thread. The same day, we went from the cluster PIX to 128 MB of memory. Then, we have had active / standby failovers every 2 hours, which seems to be attributed to missed "hello" in the e-mail of failover. We decided then to configure LAN failover on the PIX cluster. In the process of activating this feature, the secondary PIX (which was the current active) crashed.

    Do you have any explanation as to why these events took place?

    Hi Carlton,

    I can tell you that maybe the method you used to upgrade starts the chain of problems. I used for the migration of these products and I've never met before. In general I WINS configurations, program a service stop and I leave the unit of failover working alone while I do the upgrade of the unit the ex-active. After the upgrade, I had loaded the software configuration I saved before and made the customizations.

    For the PIX without restrictions, is real memory of 128 MB required. For the restricted permission, you can use the default of 64 MB.

    After that, you can place the active unit instead of the recovery. You improve the unit of failover so and connect again in active, already in production and restart the synchronization.

    For all my clients, it worked.

    It will be useful. If Yes, please rate.

    Kind regards

    Rafael Lanna

  • Oracle failover setting problem

    Hi ~
    I'm running on jrun with oracle 9i, updater6, external Web server connection that Apache1.3.27 running

    I use jrun jdbc data sources

    I use oracle thin client jdbc drivers, but I want to use oracle oci driver to use oracle failover...

    but jrun4 supports oracle oci8 driver... TT

    How can I configure oci driver to connect with the oracle 9i database server?



    -Sorry, my English is so poor T.T

    I discovered the solution

    See http://www.adobe.com/go/tn_18353

  • Add new storage "Operation TimedOut" with RDM LUN on host. Pls Help

    Hello

    Installation program:

    4 ESX 3.5 hosts each with 2 HBA adapter connected to the HP MSA1000.

    Question:

    I set up MSCS SQL 2000 with RDM through host, MSCS failover without problem, performance wise is not a problem at all too. But the problem is that if the MSCS SQL resource is managed by the Active virtual machine that is running on host1, I can navigate to storage / adding LUNs, set in shape of new LUN with no problems.

    If I want to add new storage on the other host "host2" I received the error "Tor time to ask"is it because of the resource ROW being busy serving the machine virtual active it is why the host not allowing do not change with the addition of new storage?

    Guests see these LUNs. I can add the data store or to do a new analysis also long the LUNS are not presented to the host. Also I can browse the data store, able to see the addition of Storage Wizard when adding new data store and make a new analysis only on the host where the operation of the active node. Suppose the presented RDM LUN on host1 and host2 and VM SQL running on host1, I can only browse the data warehouses, a new analysis and add new storage to this host. I can't do the same thing with host2.

    But if I take these "RDM LUN" LUNS in host2, host3 and host4. I can do a rescan, adding other LUNS as the RDM presented to the virtual machine, able to see the add storage wizard.

    I googled the error and found that the Ontario server is question, or DNS

    Best regards

    Hussain Al Sayed

    Post edited by: habibalby

    I had similar questions to those two problems here where I couldn't add a data store as it would time out and I got the long startup time. I also use RDM which I use for MSCS in the whole of boxes 2. Here's a quote from my previous post in which I found a response that helped me. Changing the SCSI retry time improved my boot time and allowed me to add data stores once more without the time-out problem.

    Response to previous Post:

    I did some research and I think I've made some progress. I found that I get lots of SCSI errors in the VMkernel log. I did some more research and found out that I can change the SCSI retry time from 80 to 10 and it has done wonders for my time to reboot. Now, instead of taking 20 minutes to start, it takes less than 5 minutes. Much better. I made the change in the host-> advance-> SCSI--> SCSI configuration try again. 80 is the default and 10 was suggested as being a good value. It helped and I will keep an eye on what effect it may have, but so far it has helped with startup times.

    http://communities.VMware.com//thread/203122?TSTART=0

  • FWSM: Failover (Pseudo-Standby)

    Hello!!!

    We run FWSM Firewall Version 3.2 (1), in multi context mode with interchassis failover (2 boxes of 6509).

    I have problem FWSM failover.

    Zone primary sh switching output

    ****

    This context: Active

    Context of peers: failure

    Secondary area shows

    *******

    Flipping out (Pseudo-veille)

    Secondary failover unit

    Failover LAN interface: faillink Vlan x (h)

    Frequency of survey unit 1 seconds, 15 seconds holding time

    Interface frequency of survey 15 seconds

    4 political interface

    Monitored Interfaces maximum 46 250

    failover replication http

    If someone please can guide with the

    1 reason behind failover descended on the secondary zone

    2. What can be done to recover from this State.

    3. What are the effects of this if it is not recovered.

    Thanks in advance

    Regards

    Yogesh

    India

    Yes do a "write mem". It seems that you lack an IP address on the interface nattest and also you lack secondary VLAN Safeco and Bizco on the main switch.

    Make a vlan show on the secondary switch and see if these VLANS exist and are ACTIVE!

    Regards

    Farrukh

  • Problem with FWSM and the same L3 interface switch

    I have two 6513s with an 802.1q trunk linking them. Each switch has redundant Sup720s running in native mode, ver IOS 12.2 (18) SXF (that they were running out of SXD3). A FWSM (ver 2.3 (3), routed mode, unique context) is in each switch, set up in failover mode.

    I can't get a PC in a virtual LAN that has the defined layer 3 interface on the switch with the active FWSM in this document, to communicate with the devices 'behind' the FWSM. If I move the configuration of layer 3 to this vlan to the other 6513, everything works fine.

    The MSFCs are inside the firewall, they have a configured layer 3 interface in the same vlan as the FWSM 'inside' interface. Several "same security level" interfaces are defined on the FWSM and used to protect the farms. I use OSPF on the MSFCs and FWSM and the routing table is correct.

    The FWSM generates connections to the attempts made by the PC with interface layer 3 defined on the same switch as the active FWSM very well, so this isn't a problem with FWSM ACL.

    A ping of the FWSM "inside" interface from a PC with the defined layer 3 interface on the same switch as the active FWSM fails, although debug icmp trace on the FWSM shows the request and response. A packet capture, using the NAM-2, only shows the request packets. I captured on the common vlan and the FWSM backplane port channel interface.

    Just to add to the confusion, if I capture in the same places, but do the ping of a PC which is in a VLAN with the interface of layer 3 defined in the 6513 which does not contain the active FWSM, that works very well, I see the request and response on the capture of vlan common, but only on demand on the capture of the port channel.

    This problem has been there since the beginning of this implementation and has not changed with IOS and FWSM software upgrades. I had this experience with all the VLANS that I tried to define the interface of layer 3 to on the switch with the active FWSM. I turned on MLS.

    If anyone has experienced this and solved, or knows what is happening, I would be grateful for any ideas.

    Thank you.

    Keith

    Keith, are you running etherchannel distributed on of your 6513?

  • Failover of DAG 2013 Exchange in Outlook problem

    Hi guys,

    I'm trying to configure DAG for the first time on Exchange 2013.  Here's what I did:
    -Installed Exchange 2013 std on two virtual machines

    -Set up a witness server

    -Created the DAG (server name, directory witness and he has assigned an IP address)

    -I have set up my databases and added the copy of database

    -Checked DAG health Active confirmed and index as healthy state

    -Verification of databases is mounted

    Here's the problem I have...

    When I powerdown one of the exchange servers, after that the exchange server starts to close Outlook (2013), poster "folder updated XX: XX."  trying to connect.
    When I check the connection status in Outlook on the workstations, it shows the status of 'Connection' and after a few minutes (between 5 and 10), it finally connects and everything works fine.

    I tried researching this issue and that you have used the following command in the hope, would solve the problem, but it does not

    [PS] C:\>Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname mail.labtest.co.uk -InternalClientsRequireSsl $false

    My questions are:
    1. I guess that's not just that it takes more than 5 minutes for Outlook to connect when the failover of DAG?  What additional steps need to be checked to prevent this (as I thought that take seconds to scan more)

    2. If a witness server goes down / fail, does that mean that all Email clients will stop working (IE send/receive)

    If this is the case, is it possible to configure a failover of witness? or is it something that should be created in case of failure?

    Thanks a lot for any intervention in the present.

    Hello

    Your question is beyond the scope of this community.

    I suggest that you repost your question in the Exchange TechNet Forums.

    https://social.technet.Microsoft.com/forums/Exchange/en-us/home?category=ExchangeServer

    Or here:

    https://social.technet.Microsoft.com/forums/Exchange/en-us/home?Forum=exchangesvrgeneral

    See you soon.

  • Problems of AX150i cluster and failover

    Hi all.

    I tried to implement cluster failover on Win2003 x 64 with AX150i.

    We already have a cluster configured with an AXE so I now it is not working properly.

    The problem is that when I create a cluster node owns the disks and another should see drives but have no rights over them except wait for them to be released from the first node, but on my setup when the first node appropriating on diskettes, disks on the other node start to fail, they become unavailable , cluster service who sees and stops, so the second node becomes unavailable too.

    I have the latest firmware installed, latest PowerPath and the latest Microsoft iScsi initiator installed.

    Any suggestion would be appreciated.

    Thank you

    Regards

    Amar


  • Failover problem Manager HA of the NAC

    Hi all

    I have a high availability manager high availability server of the NAC and NAC. When I try to active failover primary NAC Manager to secondary NAC Manager, NAC Server is not able to connect to the secondary NAC Manager. I don't know that ip connectivity is not a problem. When I try to do the NAC Manager primary such as active, the NAC server can connect to the main Manager of NAC. It seems that NAC Server cannot connect to the secondary NAC Manager.

    Does anyone have an idea?

    Thank you.

    have you checked certificates between them?

    you export the certificate of the secondary primary NAC NAC?

  • How to use Cisco MARS to monitor two FWSMs in two Cat6500 in failover?

    Hello

    I have understood that I can add the two catalysts to MARS and I can add primary FWSM as a primary catalyst module as well. But how can I add secondary FWSM?

    Any ideas appreciated

    Thank you

    If you have already configured the primary, you do have to configure the secondary image. No need to configure the secondary because it is not recommended to do so, in the case of a failover secondary firewall will automatically resume the active configuration (EX: IP address) of the primary so the source of the syslogs will remain the same

  • The upgrade of FWSMs pair of failover

    Due to the bug, we are modernizing our pair of double chassis FWSM tipping from 1.1.2 to 1.1.4. I want to minimize service disruptions, can someone point me to some documents or to explain briefly the best process. 2.2 documentation it appears I can pass between the maintenance release while retaining the functionality of failover, this was the case with 1.1? Or is the "replacement of failover unit after hardware failure" the best method for a unit of failover even though not missed?

    The doc in FWSM 2.2 for the replacement of the faulty module can serve as a guideline.

    http://www.Cisco.com/en/us/partner/products/HW/modules/ps2706/products_tech_note09186a0080531753.shtml

    But as stated in the FAQ FWSM - failover for ver 1.1 (http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_qanda_item0900aecd800fa578.shtml), this may be your case. FWSM ver2.2 running offer more flexibility and minimize downtime with the features of "upgrade online. This feature is not available in code 1.1.x.

    Therefore, when you perform the upgrade. restart both FWSM modules are inevitable, but at least with a minimum off time (time required for the module get online and work).

    What you can do is to 'break' the FWSM before the failover process and perform the upgrade. Repeat the same process for the two blades. See the attachment for details instruction.

    HTH

    AK

  • FWSM Configuration problem

    Hello

    Please can someone help with the following problem:

    I have 659 with FWSM, I configured the FWSM in routed Mode unique.

    My requirement is to make the MSFC behind the firewall, so I need only two VLANS to act as a firewall interfaces, all other VLAN should through the MSFC.

    I used the vlan 100 as inside of VLANs and vlan 101 as Vlan outside and I did all the required configurations on the 6509 (switch, MSFC) and the firewall.

    The problem is: outside VLAN (101) is not coming on the MSFC even if there is an active port on this vlan (which is the router connected to the VLAN outside!)

    Why this vlan is not coming? Help, please

    This is the configuration I used on 6509 and FWSM (I included only the related configuration)

    ON FWSM:

    -----------------

    nameif vlan101 outside security0

    nameif vlan100 inside security100

    ip address outside 62.149.76.2 255.255.255.248

    ip address inside 10.8.100.2 255.255.255.0

    route outside 0.0.0.0 0.0.0.0 62.149.76.126 1

    route inside 10.8.0.0 255.255.0.0 10.8.100.1 1

    6509 (Switch):

    --------------------

    set vlan 100 name inside

    set vlan 101 name outside

    set vlan 100-101 firewall-vlan 8

    6509 (MSFC):

    -------------------------

    interface Vlan100

    description inside vlan

    ip address 10.8.100.1 255.255.255.0

    !

    interface Vlan101

    description outside vlan

    ip address 62.149.76.1 255.255.255.248

    ----------------------------------------------

    Yes, that's correct. This way you will get a unique link between the MSFC and FW.

    For your MSFC your default gateway will be 10.8.100.2. Inside networks for your FW, will point to 10.8.100.1, that you specified. There is no need for interface VLAN 101 of the MSFC. Keep 101 as is, otherwise.

    I hope this helps.

  • Problem with VPN L2L and RA in a failover configuration

    I use two ASA 5540 in failover active-standby configuration. These boxes (primary and secondary) are used to establish some L2L and VPN RA (remote access). The active area run the OSPF process.

    The problem is when the failover (blocking just to the bottom of the active area, or "failover active" running in a secondary zone) all L2L be restored in a secondary zone. The only way I can do this (re-connect) is removing the configuration of RRI (Reverse Route Injection) (for example, "no crypto map rprbbe_map 3 set reverse-route") and configuring RRI again ("crypto map rprbbe_map 3 set reverse-route"). After this the connection is re-established.

    In RA guests the session persists on a failover event, but the customer loses access. To resolve this problem, the customer needs to disconnect and reconnect.

    Anyone has any experience with this kind of (L2L and RA) VPN configuration using failover?

    Behavior seems buggy.

    What version do you use?

  • Problem with Oracle fail safe 4.1.1 on W2k8 R2 Cluster Failover and Oracle 11.2.0.4 database

    Hi all

    I'm doing some tests on a Windows 2008 (64-bit) R2 two-node failover Cluster.

    I installed and configured successfully the OS and the Failover Cluster feature.

    So I followed Oracle Doc-ID 1916391.1 to perform the installation and configuration of Oracle 11.2.0.4 database and Oracle Fail Safe 4.1.1

    After a successful (via Fail Safe Manager) validation of cluster and group, now I'm trying to validate the stand-alone database, but I'm stuck with this error (output in verbose mode of PowerShell):

    PS C:\Users\demo> Test-OracleClusterAvailableDatabase TESTDB -SysPwd (Read-Host -AsSecureString -Prompt "SYS Password") -Verbose

    SYS password: *.

    DETAILES: FS-10915: NODE1: from verification of autonomous resources TESTDB

    DETAILES: FS-10371: NODE1: run the initialization processing

    DETAILES: FS-10371: NODE2: run the initialization processing

    DETAILES: FS-10372: NODE1: resource owner information collection

    DETAILES: FS-10372: NODE2: resource owner information collection

    DETAILES: FS-10373: NODE1: determine the owner of the TESTDB resource node

    DETAILES: FS-10374: NODE1: collection of cluster information required to perform the specified operation

    DETAILES: FS-10374: NODE2: collection of cluster information required to perform the specified operation

    DETAILES: FS-10375: NODE1: analysis of the cluster information required to perform the specified operation

    DETAILES: FS-10378: NODE1: preparation for the configuration of resource TESTDB

    TH: FS-10349: database TESTDB instance is not alive. You want to stop and restart the database instance?

    Confirmation

    Operation does?

    Running dell' operation sulla "Test-OracleClusterAvailableDatabase' likelihood 'TESTDB '.

    [S] Sì Sì [T] a [N] no [U] tutti a tutti [O] Sospendi [?] Guida (he valore predefinito e "S"):

    DETAILES: FS-10350: from the TESTDB database

    Test-OracleClusterAvailableDatabase: OCIEnvNlsCreate failed


    Riga: 1 car: 1

    + Test-OracleClusterAvailableDatabase - SysPwd TESTDB (Read-Host - AsSecureString - P...)

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo: DeviceError: (TESTDB:ResourceDatabase) [Test-OracleClusterAvailableDatabase], PowerShell

    Exception

    + FullyQualifiedErrorId: Process, Oracle.FailSafe.PowerShell.TestOracleClusterAvailableDatabase

    Test-OracleClusterAvailableDatabase: FS-10999: an internal programming error

    Riga: 1 car: 1

    + Test-OracleClusterAvailableDatabase - SysPwd TESTDB (Read-Host - AsSecureString - P...)

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo: DeviceError: (TESTDB:ResourceDatabase) [Test-OracleClusterAvailableDatabase], PowerShell

    Exception

    + FullyQualifiedErrorId: Process, Oracle.FailSafe.PowerShell.TestOracleClusterAvailableDatabase

    Test-OracleClusterAvailableDatabase: FS-10160: impossible to verify the Oracle of standalone TESTDB database

    Riga: 1 car: 1

    + Test-OracleClusterAvailableDatabase - SysPwd TESTDB (Read-Host - AsSecureString - P...)

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo: DeviceError: (TESTDB:ResourceDatabase) [Test-OracleClusterAvailableDatabase], PowerShell

    Exception

    + FullyQualifiedErrorId: Process, Oracle.FailSafe.PowerShell.TestOracleClusterAvailableDatabase

    Test-OracleClusterAvailableDatabase: FS-10818: provider of resources of the database Oracle failed in preparing for

    treatment for TESTDB resource configuration

    Riga: 1 car: 1

    + Test-OracleClusterAvailableDatabase - SysPwd TESTDB (Read-Host - AsSecureString - P...)

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo: DeviceError: (TESTDB:ResourceDatabase) [Test-OracleClusterAvailableDatabase], PowerShell

    Exception

    + FullyQualifiedErrorId: Process, Oracle.FailSafe.PowerShell.TestOracleClusterAvailableDatabase

    Test-OracleClusterAvailableDatabase: FS-10890: Oracle Services for MSCS failed during the verifyStandalone operation

    Riga: 1 car: 1

    + Test-OracleClusterAvailableDatabase - SysPwd TESTDB (Read-Host - AsSecureString - P...)

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo: DeviceError: (TESTDB:ResourceDatabase) [Test-OracleClusterAvailableDatabase], PowerShell

    Exception

    + FullyQualifiedErrorId: Process, Oracle.FailSafe.PowerShell.TestOracleClusterAvailableDatabase

    Attached is the log of the OFS Cluster Dump (no error in my opinion).

    I surfed around but I can't find anything to solve the problem.

    I think something about the language of the (Italian) OS and Oracle NLS settings (AMERICAN. AMERICA), but obviously I'm not sure about this.

    Thanks in advance for any suggestion,

    Alessandro

    Message edited by 1d457339-524e-4aa5-94aa-fd7d1ae98732. Updated: attached is also the output trace of the fss.

    Hello Alessandro.

    Solution to the issue is:

    Patch 20744940: 4.1.1.1: ORACLE FAIL SAFE VERSION 4.1.1 PATCH SET 1
