FWSM: Failover (Pseudo-Standby)

Hello!!!

We run FWSM Firewall Version 3.2(1), in multiple context mode with interchassis failover (2 6509 boxes).

I have a problem with FWSM failover.

Primary unit "show failover" output

****

This context: Active

Peer context: Failed

Secondary unit shows

*******

Failover Off (Pseudo-Standby)

Failover unit Secondary

Failover LAN interface: faillink Vlan x (h)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 15 seconds

Interface Policy 4

Monitored Interfaces 46 of 250 maximum

failover replication http

Could someone please guide me on the following:

1. The reason failover went down on the secondary unit.

2. What can be done to recover from this state.

3. What the effects are if it is not recovered.

Thanks in advance

Regards

Yogesh

India

Yes, do a "write mem". It seems that you are missing an IP address on the nattest interface, and also the secondary VLANs Safeco and Bizco are missing on the main switch.

Do a "show vlan" on the secondary switch and see if these VLANs exist and are ACTIVE!

Regards

Farrukh
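The script below is an added example, not code from the thread or from Cisco: a Python parser for "show failover" output of the shape pasted in the question, with a health check that flags the conditions the question describes (failover Off / Pseudo-Standby, a peer in the Failed state, monitored interfaces that are not Normal, a holdtime below three times the unit poll interval), so a monitoring job can raise an alarm before the pair is actually needed. The two sample outputs are constructed from the lines in the question; the VLAN number and IP addresses in them are placeholders.

```python
import re
from dataclasses import dataclass, field

# Unit states that mean the pair cannot protect traffic right now.
DEGRADED_STATES = ("Failed", "Pseudo-Standby", "Disabled")


@dataclass
class HostState:
    label: str                                      # "This host", "Peer context", ...
    state: str                                      # "Active", "Failed", "Standby Ready", ...
    interfaces: dict = field(default_factory=dict)  # interface name -> status text


@dataclass
class FailoverStatus:
    failover: str = ""          # "On", "Off (Pseudo-Standby)", ...
    unit: str = ""              # "Primary" / "Secondary"
    unit_poll_s: float = 0.0
    holdtime_s: float = 0.0
    monitored: int = 0
    monitored_max: int = 0
    hosts: list = field(default_factory=list)


FAILOVER_RE = re.compile(r"^\s*Failover\s+(On|Off.*?)\s*$")
UNIT_RE = re.compile(r"^\s*Failover unit\s+(\w+)")
POLL_RE = re.compile(r"^\s*Unit Poll frequency\s+(\d+)\s+(seconds|msec),\s*holdtime\s+(\d+)\s+seconds")
MON_RE = re.compile(r"^\s*Monitored Interfaces\s+(\d+)\s+of\s+(\d+)\s+maximum")
HOST_RE = re.compile(r"^\s*(This (?:host|context)|(?:Other|Peer) (?:host|context)):\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface\s+(\S+)\s+\(([^)]*)\):\s*(.+?)\s*$")


def parse_show_failover(text):
    """Parse the text of 'show failover' into a FailoverStatus."""
    st = FailoverStatus()
    current = None
    for line in text.splitlines():
        if m := FAILOVER_RE.match(line):
            st.failover = m.group(1)
        elif m := UNIT_RE.match(line):
            st.unit = m.group(1)
        elif m := POLL_RE.match(line):
            divisor = 1000 if m.group(2) == "msec" else 1
            st.unit_poll_s = int(m.group(1)) / divisor
            st.holdtime_s = float(m.group(3))
        elif m := MON_RE.match(line):
            st.monitored, st.monitored_max = int(m.group(1)), int(m.group(2))
        elif m := HOST_RE.match(line):
            # single context prints "Primary - Active"; multi-context prints just "Active"
            current = HostState(m.group(1), m.group(2).split(" - ")[-1])
            st.hosts.append(current)
        elif (m := IFACE_RE.match(line)) and current is not None:
            current.interfaces[m.group(1)] = m.group(3)
    return st


def health_findings(st):
    """Return human-readable findings; an empty list means the pair looks healthy."""
    findings = []
    if not st.failover.startswith("On"):
        findings.append(f"failover is not On: {st.failover or 'unknown'}")
    if st.holdtime_s and st.unit_poll_s and st.holdtime_s < 3 * st.unit_poll_s:
        findings.append("holdtime is below 3x the unit poll interval")
    for h in st.hosts:
        if any(bad.lower() in h.state.lower() for bad in DEGRADED_STATES):
            findings.append(f"{h.label} is {h.state}")
        for name, status in h.interfaces.items():
            if "Not-Monitored" in status:
                continue            # unmonitored interfaces cannot trigger failover
            if not status.startswith("Normal"):
                findings.append(f"{h.label} interface {name}: {status}")
    return findings


# Constructed samples modelled on the output in the question (placeholder VLAN and IPs).
PRIMARY_SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: faillink Vlan 10 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 4
Monitored Interfaces 46 of 250 maximum
failover replication http
  This context: Active
        Active time: 118040 (sec)
                Interface outside (10.0.0.1): Normal
                Interface inside (192.168.1.1): Normal
  Peer context: Failed
        Active time: 0 (sec)
                Interface outside (10.0.0.2): Unknown (Waiting)
                Interface inside (192.168.1.2): Unknown (Not-Monitored)
"""

SECONDARY_SAMPLE = """\
Failover Off (Pseudo-Standby)
Failover unit Secondary
Failover LAN Interface: faillink Vlan 10 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 4
Monitored Interfaces 46 of 250 maximum
failover replication http
"""

if __name__ == "__main__":
    for name, sample in (("primary", PRIMARY_SAMPLE), ("secondary", SECONDARY_SAMPLE)):
        for finding in health_findings(parse_show_failover(sample)) or ["no findings"]:
            print(f"{name}: {finding}")
```

Run against the two samples it reports the peer as Failed with its outside interface in Waiting on the primary, and "failover is not On" on the secondary, which is exactly the pair of symptoms in the question; feeding it the real output of both units on a schedule turns that into an alert rather than a discovery during an outage.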

Tags: Cisco Security

Similar Questions

  • Upgrade of an FWSM failover pair

    Due to a bug, we are upgrading our dual-chassis FWSM failover pair from 1.1.2 to 1.1.4. I want to minimize service disruption; can someone point me to some documents or briefly explain the best process? From the 2.2 documentation it appears I can upgrade between maintenance releases while retaining failover functionality; was this the case with 1.1? Or is "replacing a failover unit after hardware failure" the best method for a failover unit even though it has not failed?

    The FWSM 2.2 doc for replacing a faulty module can serve as a guideline.

    http://www.Cisco.com/en/us/partner/products/HW/modules/ps2706/products_tech_note09186a0080531753.shtml

    But as stated in the FWSM failover FAQ for ver 1.1 (http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_qanda_item0900aecd800fa578.shtml), this may be your case. FWSM running ver 2.2 offers more flexibility and minimizes downtime with the "online upgrade" feature. This feature is not available in 1.1.x code.

    Therefore, when you perform the upgrade, restarting both FWSM modules is inevitable, but at least with minimum downtime (the time required for the module to come online and work).

    What you can do is "break" the FWSM failover before the upgrade process and perform the upgrade. Repeat the same process for both blades. See the attachment for detailed instructions.

    HTH

    AK

  • FWSM failover problem

    Hello world

    I have a question on the FWSM failover.

    I understand that I can configure "polling frequency" to detect loss of reachability between the active FWSM and the standby FWSM, but cannot configure "number of polling retries". This is how the standby FWSM recognizes that the active FWSM has failed.

    I changed "polling frequency" to 3 (minimum value) to confirm how much time is necessary (elapsed) for the takeover to complete successfully.

    The result of my test: about 30 seconds (elapsed) for the takeover to complete successfully.

    So I think that 30 seconds is the minimum (best) time for the takeover to complete successfully, because I can only change "polling frequency", not "number of retries".

    Is my understanding correct?

    Or are there any parameters to speed up the takeover to less than 30 seconds?

    Your information would be greatly appreciated.

    Best regards

    Hello

    How fast can the FWSM start the failover process?

    Primary(config)# failover polltime [unit] [msec] number [holdtime seconds]

    -> polltime [unit] [msec] number - how fast you want the hello/interface state check to run before the failover process begins.

    The amount of time between hello messages. Set the time in seconds between 1 (fastest) and 15. The default value is 1 second. If you specify msec, you can set the time between 500 and 999 milliseconds.

    -> holdtime number - sets the time during which a unit must receive a hello message on the failover link, after which the peer unit begins the testing process for a failed peer. Set the time in seconds between 15 and 45. The default value is the higher of 15 seconds or 3 times the polltime. You cannot enter a value that is less than 3 times the polltime. That means the lowest or fastest holdtime is 15 sec.

    time = 15 sec

    This is the standard verification during the failover process, before the new blade is elected active FWSM:

    1. Link up/down test - A test of the VLAN state. If the link up/down test indicates the VLAN is operational, then the FWSM performs network tests. The purpose of these tests is to generate network traffic to determine which (if either) unit has failed. At the start of each test, each unit clears its received packet count for its interfaces. At the end of each test, each unit looks to see if it has received any traffic. If so, the interface is considered operational. If one unit receives traffic for a test and the other unit does not, the unit that received no traffic is considered failed. If neither unit has received traffic, the next test is used.

    2. Network activity test - A received network activity test. The unit counts all packets received for 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.

    * time = 5 seconds

    3. ARP test - A reading of the unit's ARP cache for the 2 most recently acquired entries. One at a time, the unit sends ARP requests to these machines, to try to stimulate network traffic. After each request, the unit counts all traffic received for 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic is received, the ping test begins.

    * time = 5 seconds

    4. Broadcast ping test - A ping test which consists of sending a broadcast ping request. The unit then counts all packets received for 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops.

    * time = 5 seconds

    * estimated failover check time = 15 sec

    Total = 30 seconds.

    http://www.Cisco.com/en/us/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00802010c0.html#wp1109055

    Rgds,

    AK
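As an added example (not from the post above or from Cisco documentation), here is a Python model of the timing rules quoted in that answer: the polltime/holdtime constraints of the command, and the four interface tests as a sequence that stops at the first stage that sees traffic. The InterfaceProbe inputs are constructed. Because the quoted text listens 5 seconds after each ARP request, the number of ARP cache entries probed is a parameter of the worst-case sum; the 30-second figure in the answer corresponds to a single 5-second ARP window.

```python
from dataclasses import dataclass

# Limits quoted in the answer above for 'failover polltime'.
POLL_MIN_S, POLL_MAX_S = 1, 15
POLL_MIN_MS, POLL_MAX_MS = 500, 999
HOLD_MIN_S, HOLD_MAX_S = 15, 45
TEST_WINDOW_S = 5            # each network test listens for 5 seconds


def default_holdtime(polltime_s):
    """Default holdtime: the larger of 15 seconds and 3 x polltime."""
    return max(HOLD_MIN_S, 3 * polltime_s)


def validate_polltime(value, unit="seconds", holdtime_s=None):
    """Apply the documented constraints; return (polltime_s, holdtime_s) or raise ValueError."""
    if unit == "msec":
        if not POLL_MIN_MS <= value <= POLL_MAX_MS:
            raise ValueError(f"msec polltime must be {POLL_MIN_MS}-{POLL_MAX_MS}")
        polltime_s = value / 1000
    elif unit == "seconds":
        if not POLL_MIN_S <= value <= POLL_MAX_S:
            raise ValueError(f"polltime must be {POLL_MIN_S}-{POLL_MAX_S} seconds")
        polltime_s = float(value)
    else:
        raise ValueError("unit must be 'seconds' or 'msec'")
    if holdtime_s is None:
        holdtime_s = default_holdtime(polltime_s)
    if not HOLD_MIN_S <= holdtime_s <= HOLD_MAX_S:
        raise ValueError(f"holdtime must be {HOLD_MIN_S}-{HOLD_MAX_S} seconds")
    if holdtime_s < 3 * polltime_s:
        raise ValueError("holdtime cannot be less than 3 x polltime")
    return polltime_s, holdtime_s


@dataclass
class InterfaceProbe:
    """What the unit would observe at each test stage (constructed input, not a capture)."""
    link_up: bool
    passive_traffic: bool        # packets seen during the network activity test
    arp_replies: tuple           # per ARP cache entry probed: traffic seen after the request?
    broadcast_ping_reply: bool


def run_interface_tests(probe):
    """Walk the four-stage test sequence; return (verdict, elapsed_seconds, tests_run)."""
    elapsed, run = 0, ["link up/down"]
    if not probe.link_up:
        return "failed", elapsed, run
    run.append("network activity")
    elapsed += TEST_WINDOW_S
    if probe.passive_traffic:
        return "operational", elapsed, run
    for i, got_traffic in enumerate(probe.arp_replies, 1):
        run.append(f"arp {i}")
        elapsed += TEST_WINDOW_S
        if got_traffic:
            return "operational", elapsed, run
    run.append("broadcast ping")
    elapsed += TEST_WINDOW_S
    if probe.broadcast_ping_reply:
        return "operational", elapsed, run
    return "failed", elapsed, run


def worst_case_takeover_s(polltime_s, holdtime_s, arp_entries=2):
    """Holdtime plus a fully unanswered test sequence (network activity, each ARP probe, broadcast ping)."""
    return holdtime_s + TEST_WINDOW_S * (2 + arp_entries)


if __name__ == "__main__":
    poll, hold = validate_polltime(1)
    print(f"polltime {poll}s, holdtime {hold}s, worst case {worst_case_takeover_s(poll, hold)}s")
    idle = InterfaceProbe(link_up=True, passive_traffic=False, arp_replies=(False, False),
                          broadcast_ping_reply=False)
    print(run_interface_tests(idle))
```

The point the model makes visible is that the polltime only shortens the hello interval; the holdtime floor of 15 seconds and the fixed 5-second test windows are what set the detection time, which is why the original poster could not get below about 30 seconds by adjusting polling alone.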

  • Sleep seems to work, but does not (iPad 2)

    For years, my iPad 2 (iOS 9.3.5, 32 GB) went right to sleep when I closed the magnetic lid. (It's a Yoobao cover.) The battery would not drain while it was sleeping, and everything was fine.

    Now, in the past couple of days, even if it seems to go to sleep when I close the lid (I say "seems" because I need to type my password when I re-open the cover, even though the cover was closed only five seconds ago), the battery still goes down. If I leave it overnight in this pseudo-sleep, the charge will go to zero.

    Apparently the battery is not dying, because if I turn the iPad completely off and leave it for a number of hours, there is no appreciable charge loss.

    Any ideas what I can do about it?

    I'm not able to troubleshoot your iPad, but it is still possible to do some significant tests.

    First of all, see whether removing the Yoobao cover makes a difference. If this resolves things, there are some well-recommended covers to replace your old one.

    Secondly, consider whether the recent iOS update could be the cause of your woes. If so, reporting the problem to Apple is recommended.

    Finally, and above all, change the Auto-Lock period between 'Never' and '10 min' (Settings > General > Auto-Lock).

  • Failover FWSM Interchassis

    Is it mandatory to have a dedicated link (trunk) as the failover/state link between the two switches for FWSM interchassis failover?

    Hello

    It is not mandatory to have a "dedicated link" for failover, but it is a recommended practice. You can use an existing trunk link that carries other VLAN traffic.

    The suggestion to use a dedicated link is to ensure that the link does not get flooded by normal data traffic, which could lead to problems with failover.

    It depends on how busy your existing layer 2 trunk links are.

    HTH

    Jon

  • How to use Cisco MARS to monitor two FWSMs in two Cat6500s in failover?

    Hello

    I understand that I can add the two Catalysts to MARS and I can add the primary FWSM as a module of the primary Catalyst as well. But how can I add the secondary FWSM?

    Any ideas appreciated

    Thank you

    If you have already configured the primary, you do not have to configure the secondary. There is no need to configure the secondary, and it is not recommended to do so: in the case of a failover the secondary firewall will automatically take over the active configuration (e.g. IP address) of the primary, so the source of the syslogs will remain the same.

  • Bridging FWSM VLAN via IDSM

    I have bridged the FWSM VLAN (DMZ, named DMZ-BRIDGE) through the IDSM. However, in "show failover" on the FWSM the server VLAN shows as "No Link / Unknown". Is it because there is no assigned IP address? Is this the right status/configuration? Do I have to assign an IP address to the bridged VLAN? Please help.

    This host: Primary - Active

    Interface DMZ-BRIDGE (0.0.0.0): No Link (Not-Monitored)

    Other host: Secondary - Standby Ready

    Interface DMZ-BRIDGE (0.0.0.0): Unknown (Not-Monitored)

    NO.

    Only VLAN 10 and 20 will be defined on the FWSM and will be delegated to the switch.

    The IDSM will L2 bridge and will bridge VLAN 20 & 30.

    Same IP network will exist on vlan 20 & 30.

    Syed

  • Dual IDSM and dual FWSM

    I have two core 65XX switches in HSRP config. Both switches have FWSMs configured in failover and active mode.

    Both switches have an IDSM-2 as well. The IDSM-2 in the active switch will do traffic analysis. It is supposed to fail over in case of failure of the active switch.

    On the active IDSM-2, the active FWSM has been configured as a blocking device.

    Can the standby IDSM-2 also be set up with the active FWSM as a blocking device? (In this case, the two IDSMs control the same FWSM.)

    No, you should not configure 2 sensors to control the same firewall (router or switch).

    The 2 sensors will fight for control of the firewall and remove each other's block commands in some situations.

    You have 2 choices.

    (1) Configure each IDSM-2 to only control its associated FWSM.

    or

    (2) Set up one IDSM-2 as the master blocking sensor and the other IDSM-2 as the blocking forwarding sensor. The master blocking sensor will control both FWSMs. You will lose all blocking if the master blocking sensor goes down for any reason. There is no "failover" mechanism for the other IDSM-2 to take over.

  • FWSM and ARP SNMP MIB

    Hello

    I have two FWSM cards in two 6513 switches with active failover.

    Connected to the switches are several servers on different interfaces of the firewall. One of them is an HPOV (OpenView) which needs the ARP table of the FWSM to reach and discover the whole network in order to start monitoring it.

    My problem is that I can't get the firewall ARP table, so I can't discover more devices. I am able to SNMP them by editing the SNMP poller in the OVO configuration file, but even though the network devices are displayed, it cannot do the work.

    I paste my "sh ver" here.

    FWSM-1 # sh ver

    FWSM Firewall Version 3.2 (1)

    Version 5.2 (1) F Device Manager

    Updated Friday, June 7 07 20:16 by which

    FWSM-1 up to 7 days, 13 hours

    1 year 94 days upwards failover cluster

    Material:-WS-SVC-FWM-1, 1024 MB RAM, Pentium III 1000 MHz processor

    Flash Flash STI 7.2.0 @ 0xc321, 20 MB

    0: Int: do not license: irq 5

    1: Int: do not license: irq 7

    2: Int: do not license: irq 11

    The activation key running is not set, using the default settings:

    The devices allowed for this platform:

    Maximum Interfaces: 256

    Internal hosts: unlimited

    Failover: Active/active

    VPN - A: enabled

    VPN-3DES-AES: enabled

    Cut - through Proxy: enabled

    Guardians: enabled

    URL filtering: enabled

    Security contexts: 2

    GTP/GPRS: disabled

    Heel of BGP: disabled

    VPN peers: unlimited

    Serial number: SAD101804FV

    Activation key running: 0x00000000 0x00000000 0x00000000 0x00000000

    Configuration changed from enable_1 to 13:59:35.590 THIS Monday, November 3, 2008

    I think that version 3.2 cannot retrieve the MIB for ARP, and I found this in version 4.0(1) only. But I was unable to find any kind of upgrade notes, and we have the server farm monitoring project stopped because of this problem.

    Has anyone had this problem?

    How did you solve this?

    Thank you!

    Angel,

    You're right, the '(IP-MIB) ARP table entries' MIB was introduced in 4.0(1) and you have to upgrade to 4.0 code to get the ARP table via SNMP MIB.

    And here is the document that contains information on the FWSM upgrade.

    http://www.Cisco.com/en/us/docs/security/FWSM/fwsm40/configuration/guide/swcnfg_f.html#wp1052902

    Kind regards

    Arul

    * Please rate if it helps *

  • FWSM shows active connections on the standby FWSM, why?

    Does anyone know why the standby FWSM shows 45581 active connections?

    Thank you very much

    Ian Vickery

    Standby

    XTRAK1-FWSM# sho conn count

    45581 in use

    Primary

    XTRAK1-FWSM# sho conn count

    158080 in use

    Failover unit Primary

    Failover LAN Interface: Ha

    Poll frequency 10 seconds

    failover replication http

    This host: Primary - Active

    Active time: 118040 (sec)

    Interface outside (): Normal

    Interface State-sync (): Normal

    Interface MGMT (): Normal

    Interface Crippen (): Normal

    Interface Gorgon (): Normal

    Interface Production (): Normal

    Other host: Secondary - Standby Ready

    Active time: 1311050 (sec)

    Interface outside (): Normal

    Interface State-sync (): Normal

    Interface MGMT (): Normal

    Interface Crippen (): Normal

    Interface Gorgon (): Normal

    Interface Production (): Normal

    Stateful Failover Logical Update Statistics

    Link : State-sync

    Stateful Obj xmit xerr rcv rerr

    General 15850 0 15849 0

    sys cmd 15850 0 15849 0

    up time 0 0 0 0

    xlate 0 0 0 0

    TCP conn 289351 0 331 0

    UDP conn 0 0 0 0

    TCP NPs 58955994 0 24657 3148

    UDP NPs 182101602 0 58540 3148

    Logical Update Queue Information

    Cur Max Total

    Recv Q: 0 1 15849

    Xmit Q: 0 1 15850

    XTRAK1-FWSM#

    XTRAK1-FWSM#

    XTRAK1-FWSM# sho conn count

    45581 in use

    XTRAK1-FWSM# sho fail

    Failover On

    Failover unit Secondary

    Failover LAN Interface: Ha

    Poll frequency 10 seconds

    failover replication http

    This host: Secondary - Standby Ready

    Active time: 1311050 (sec)

    Interface Production (): Normal

    Interface Gorgon (): Normal

    Interface Crippen (): Normal

    Interface MGMT (): Normal

    Interface State-sync (): Normal

    Interface outside (): Normal

    Other host: Primary - Active

    Active time: 117960 (sec)

    Interface Production (): Normal

    Interface Gorgon (): Normal

    Interface Crippen (): Normal

    Interface MGMT (): Normal

    Interface State-sync (): Normal

    Interface outside (): Normal

    Stateful Failover Logical Update Statistics

    Link : State-sync

    Because you have stateful failover. Connections built on the active are transferred to the standby over the "failover connection"; this way, if the active FW dies suddenly, the standby takes over and knows all of the existing connections, so user sessions are not dropped.

    Not all connection types are transferred, which is why you see the difference in numbers, but other than that what you see is normal and a good thing. If you did not see those connections on the standby, when a failover occurred it would drop all user sessions and they would have to reconnect.

    One thing I might suggest: you have HTTP replication enabled with the command "failover replication http". On a busy FW, this can lead to a large number of connections being replicated. When you consider that loading a web page can open and close 5-10 different connections, all very quickly, do you really want to have all of these replicated to the standby? If the active failed, the worst that could happen is that the user would have to reload their web page. I would say turn it off, which is the default anyway; it will put a lot less load on both your FWs.

  • FWSM license issue

    I have 2 FWSMs both with "free license".

    Licensed features:

    Failover: enabled

    VPN - A: enabled

    VPN-3DES: enabled

    Maximum Interfaces: 256

    Cut - through Proxy: enabled

    Guardians: enabled

    URL filtering: enabled

    Throughput: unlimited

    ISAKMP peers: unlimited

    Security contexts: 2

    This machine has an Unrestricted (UR) license.

    My question is about active/active failover.

    Does 2 security contexts mean 1 admin + 1 customer context, or does it mean 1 admin + 2 customer contexts?

    Hello

    This means 1 admin + 2 customer contexts. You get these settings when you buy the FWSM. If you need more, you can buy a license for additional contexts.

    HTH

    Jon

  • PIX 6.3(4) failover strangeness with VLANs

    I have a 535 failover pair running 6.3(4) and have experienced strange things while trying to get stateful failover to work. We use the serial cable for failover and a dedicated GE for state traffic via a directly connected crossover cable. We have a mix of standard non-VLAN'ed interfaces, but also a physical i/f carrying ~10 VLANs. We are well within the limits of i/f allowed on the PIX so that isn't a problem. Also the

    VLAN'ed i/f on the two firewalls connects via an 802.1q trunk on the same ProCurve 9315 switch. All the required VLANs are configured as tagged on the two ports on the switch.

    The problem we had was that all the VLAN-based interfaces, and the physical i/f associated with these VLANs, were perpetually in the (Waiting) state and we had no stats in the stateful section of the 'show fail' command, which implies to me that stateful failover was not in fact working. Failover works and traffic passes regardless of which firewall is active.

    Based on things I've read I concluded that the problem was probably that 'Hello' messages were not being seen on each VLAN. So I did a bunch of captures on the different VLAN i/f of the PIX expecting to see outgoing Hellos from the local unit, but saw nothing. Then I had a thought that maybe they were sent out untagged on the physical i/f, so I did a capture on it and also got nothing other than the Hellos going out on the physical interface.

    What we did that fixed it was to add the physical VLAN to the list of allowed tagged VLANs on the firewall-connected switch ports. As if by magic the physical i/f went to the Normal state, as did all the VLAN interfaces, and we started to get statistics in the stateful section of the show fail command output.

    And yet a capture on any of the VLAN interfaces still does not show the Hellos, and a capture on the physical now displays the bidirectional Hellos for the physical LAN. Weird.

    So my questions are:

    1> Why are the VLAN interfaces dependent on their physical i/f for failover? I was told that you need not have any IP or nameif configured for the physical i/f; it just must be enabled for the VLAN i/fs to work.

    2> How are the VLAN i/f passing Hellos to each other?

    I can include my config if that helps.

    Peter

    Peter,

    (1) Why is a good question. AFAIK that is according to the doc (same link below):

    "When you set up failover for a VLAN interface, Hello packets are sent through the physical interface, so the physical interface must be configured with an IP address."

    (2) I don't think that they are:

    One of the guides

    http://www.Cisco.com/en/us/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

    "Note that failover is supported with VLAN interfaces. But the failover lan interface command does not support VLAN interfaces or failover link commands."

    So basically it looks like hello packets are sent only on physical interfaces (dumped on whichever VLAN you put them) and the VLANs will "fail over" if the PIX does, but if you had a failure in one particular VLAN the PIX would not notice it until the VLAN the physical interface has been assigned to failed.

    Of course, it works in the equivalent level of FWSM code, but the FWSM never had physical interfaces.

    The 7.x train supports subinterfaces, obviously.

    -Jason

    Please rate this message if it helps!

  • Combining several FWSMs in a single C6509 for higher throughput

    Hello

    I know that the FWSM has a max throughput of 5 Gbps. I want to increase throughput beyond 5 Gbps by adding another FWSM module. How can I combine the FWSMs to increase throughput? Specifically, how do I configure the feature?

    Thanks in advance!

    I don't know if it is possible to achieve this bandwidth by combining blades to virtually "bond" the backplane throughput to, say, 10 Gbps.

    Two or more FWSMs may still exist in a single Cat6500 series chassis. But please keep in mind, each unit acts as an individual firewall, unless you configure them as a failover pair.

    The reason why, for example, 2 FWSMs exist in the same chassis (no failover) would be to allow them to handle several VLANs and their traffic. You can separate a few groups of VLANs to be handled by each FWSM.

    So far, Cisco has never mentioned anything about this; in addition, there is no command (switch or FWSM) to achieve this goal.

    HTH

    AK

  • Problem with FWSM and L3 interface on the same switch

    I have two 6513s with an 802.1q trunk linking them. Each switch has redundant Sup720s running in native mode, IOS ver 12.2(18)SXF (they were running SXD3 before). An FWSM (ver 2.3(3), routed mode, single context) is in each switch, set up in failover mode.

    I can't get a PC in a VLAN that has its layer 3 interface defined on the switch containing the active FWSM to communicate with the devices 'behind' the FWSM. If I move the layer 3 configuration for this VLAN to the other 6513, everything works fine.

    The MSFCs are inside the firewall; they have a layer 3 interface configured in the same VLAN as the FWSM 'inside' interface. Several "same security level" interfaces are defined on the FWSM and used to protect the farms. I use OSPF on the MSFCs and FWSM and the routing table is correct.

    The FWSM builds connections for the attempts made by the PC with the layer 3 interface defined on the same switch as the active FWSM just fine, so this isn't a problem with the FWSM ACL.

    A ping of the FWSM "inside" interface from a PC with the layer 3 interface defined on the same switch as the active FWSM fails, although debug icmp trace on the FWSM shows request and response. A packet capture, using the NAM-2, only shows the request packets. I captured on the common VLAN and on the FWSM backplane port-channel interface.

    Just to add to the confusion, if I capture in the same places, but do the ping from a PC which is in a VLAN with the layer 3 interface defined in the 6513 which does not contain the active FWSM, that works fine; I see the request and response on the common VLAN capture, but only the request on the port-channel capture.

    This problem has been there since the beginning of this implementation and has not changed with IOS and FWSM software upgrades. I had this experience with all the VLANs for which I tried to define the layer 3 interface on the switch with the active FWSM. I have MLS turned on.

    If anyone has experienced this and solved it, or knows what is happening, I would be grateful for any ideas.

    Thank you.

    Keith

    Keith, are you running distributed etherchannel on your 6513s?

  • How to create a redundant ISP failover network using 2 Airport Extremes

    Hello friends,

    I have 2 different leased ISP lines connected to my 2 Airport Extremes. I was curious to know if these 2 AEs can be interconnected somehow to create an ISP failover network. Users' traffic on AE 1 would be transparently reassigned to AE 2 and vice versa if the corresponding ISP fails. When the ISP is back up, they would return to their primary AE.

    Thank you.

    Not without a smart dual WAN router. That is to say, one that does good load sharing.

    The Extreme is about as simple a router as you can find... It has the absolute minimum of functionality.

    Users' traffic on AE 1 would be transparently reassigned to AE 2 and vice versa

    You can do this with some manual intervention... a simple change of gateway is usually sufficient.
