Configuring Failover
The standby IP address must be in the same subnet as the active IP address. You do not need to identify
the standby address subnet mask.
The state link IP address and MAC address do not change at failover. The active IP address always stays
with the primary module, while the standby IP address stays with the secondary module.
Step 5
(Stateful failover only; optional) To allow HTTP connections to be included in the state information,
enter the following command:
primary(config)# failover replication http
If you do not allow HTTP replication, then HTTP connections are disconnected at failover. HTTP
connections are brief and frequent, and the state information, although updated constantly, might not
include the latest HTTP states at failover. For this reason, you might want to disable HTTP replication
to reduce the amount of traffic on the state link.
Step 6
To set the threshold for monitored interface failure, enter the following command:
primary(config)# failover interface-policy number [%]
When the number of failed monitored interfaces meets the value you set with this command, then the
FWSM fails over. You can set the following arguments:
• number: An absolute value.
• number%: A percentage of all monitored interfaces.
Step 7
To set this FWSM as the primary module, enter the following command:
primary(config)# failover lan unit primary
Note
This command is the only configuration difference between the primary and secondary modules,
although you need to set other failover commands on the secondary module before the FWSM can
replicate the active configuration.
Step 8
(Optional) To set how often hello messages are sent on the failover link and how long to wait before
testing the peer for failure if no hello messages are received, enter the following command:
primary(config)# failover polltime [unit] [msec] number [holdtime seconds]
See the following arguments:
• polltime unit [msec] number: The amount of time between hello messages. Set the time in seconds
between 1 and 15. The default is 1 second. If you specify msec, you can set the time between 500
and 999 milliseconds.
• holdtime number: Sets the time during which a module must receive a hello message on the
failover link, or else the module begins the testing process for peer failure. Set the time in seconds
between 15 and 45. The default is the greater of 15 seconds or 3 times the polltime. You cannot enter
a value that is less than 3 times the polltime.
For example, if the polltime is 1 second, then a 15 second holdtime means 15 hello messages are
missed before the module is tested for failure.
Note
The interval between stateful information updates is 10 seconds, but if you set the polltime to be greater
than 10, then that interval is used.
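The polltime and holdtime rules from Step 8, together with the HTTP replication setting from Step 5, can be checked offline against a saved configuration. The script below is an added example, not part of the Cisco guide; the function names, the report keys and the sample input are assumptions made for illustration, and the calculation of missed hellos generalizes the guide's 1 second / 15 second example to other values.

```python
import re

# Ranges and defaults below are the ones stated in this section of the guide.
POLL_RE = re.compile(r"^failover polltime(?: unit)?( msec)? (\d+)(?: holdtime (\d+))?$")

def strip_prompt(line):
    """Drop a leading CLI prompt such as 'primary(config)# ' if present."""
    return re.sub(r"^\S+# ", "", line.strip())

def polltime_timing(line):
    """Validate one 'failover polltime' command; return timing facts or raise ValueError."""
    m = POLL_RE.match(strip_prompt(line))
    if not m:
        raise ValueError(f"not a failover polltime command: {line!r}")
    msec, n, hold = m.group(1), int(m.group(2)), m.group(3)
    if msec and not 500 <= n <= 999:
        raise ValueError("msec polltime must be 500-999")
    if not msec and not 1 <= n <= 15:
        raise ValueError("polltime must be 1-15 seconds")
    poll_ms = n if msec else n * 1000
    # Default holdtime: the greater of 15 seconds or 3 times the polltime.
    hold_s = int(hold) if hold else max(15, 3 * poll_ms // 1000)
    if not 15 <= hold_s <= 45:
        raise ValueError("holdtime must be 15-45 seconds")
    if hold_s * 1000 < 3 * poll_ms:
        raise ValueError("holdtime cannot be less than 3 times the polltime")
    return {
        "polltime_ms": poll_ms,
        "holdtime_s": hold_s,
        "hellos_missed_before_test": hold_s * 1000 // poll_ms,
        # State updates go every 10 seconds unless the polltime is greater than 10.
        "state_update_s": max(10, poll_ms // 1000),
    }

def audit(config_text):
    """Summarise HTTP replication and failover timing for a config snippet."""
    cmds = [strip_prompt(l) for l in config_text.splitlines() if l.strip()]
    report = {"http_replicated": "failover replication http" in cmds}
    poll = [c for c in cmds if c.startswith("failover polltime")]
    # With no polltime command, the documented default of 1 second applies.
    report.update(polltime_timing(poll[-1] if poll else "failover polltime 1"))
    return report

# Constructed sample input, not taken from a real device.
SAMPLE = """\
primary(config)# failover replication http
primary(config)# failover lan unit primary
primary(config)# failover polltime unit msec 500 holdtime 15
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A report with http_replicated set to False means HTTP connections are disconnected at failover, as described under Step 5.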
Step 9
(Optional) To set the time in seconds between hello messages on monitored interfaces, enter the
following command:
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Chapter 15
Using Failover
OL-6392-01