Chapter 14
Configuring Failover
Active/Active Failover Overview
Active/Active failover is only available to FWSMs in multiple context mode. In an Active/Active
failover configuration, both FWSMs can pass network traffic.
In Active/Active failover, you divide the security contexts on FWSM into failover groups. A failover
group is simply a logical group of one or more security contexts. You can create a maximum of two
failover groups on FWSM. The admin context is always a member of failover group 1, and any
unassigned security contexts are also members of failover group 1 by default.
The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring,
failover, and active/standby status are all attributes of a failover group rather than of the unit. The MAC
address of the primary unit is used by all interfaces in the active contexts.
When an active failover group fails, it changes to the standby state while the associated standby failover
group becomes active. The interfaces in the failover group that becomes active assume the MAC address
and IP addresses of the interfaces in the failover group that failed. The interfaces in the failover group
that is now in the standby state take over the standby MAC address and IP addresses.
Note
A failover group failing on a unit does not mean that the unit has failed. The unit may still have another
failover group passing traffic on it.
When creating the failover groups, you should create them on the unit that will have failover group 1 in
the active state.
Primary/Secondary Status and Active/Standby Status
As in Active/Standby failover, one unit in an Active/Active failover pair is designated the primary unit,
and the other unit the secondary unit. Unlike Active/Standby failover, this designation does not indicate
which unit becomes active when both units start simultaneously. Instead, the primary/secondary
designation determines which unit provides the running configuration to the pair and on which unit each
failover group appears in the active state when both units start simultaneously.
Each failover group in the configuration is given a primary or secondary unit preference. This preference
determines on which unit in the failover pair the contexts in the failover group appear in the active state
when both units start simultaneously. You can have both failover groups be in the active state on a single
unit in the pair, with the other unit containing the failover groups in the standby state. However, a more
typical configuration is to assign each failover group a different role preference to make each one active
on a different unit, balancing the traffic across the devices.
Note
FWSM does not provide load balancing services. Load balancing must be handled by a router passing
traffic to FWSM.
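The rules above, modelled as an added example (not from the Cisco guide or from FWSM itself): it applies the group-membership defaults, places each failover group on its preferred unit at simultaneous start, and moves a single failed group to the peer unit. The function names and context names are hypothetical, and the sample layout is constructed.

```python
# Added illustration of the failover-group rules described on this page.
# All function and context names are hypothetical; the layout is constructed.

MAX_GROUPS = 2
UNITS = ("primary", "secondary")

def resolve_groups(contexts, assignments):
    """Map each context to a failover group, applying the documented defaults:
    admin is always in group 1, and unassigned contexts fall into group 1."""
    groups = {}
    for ctx in contexts:
        group = assignments.get(ctx, 1)
        if group not in range(1, MAX_GROUPS + 1):
            raise ValueError(f"{ctx}: only failover groups 1-{MAX_GROUPS} exist")
        if ctx == "admin" and group != 1:
            raise ValueError("admin context is always a member of failover group 1")
        groups[ctx] = group
    return groups

def boot_state(preferences):
    """Unit on which each group is active when both units start simultaneously."""
    for group, unit in preferences.items():
        if unit not in UNITS:
            raise ValueError(f"group {group}: preference must be one of {UNITS}")
    return dict(preferences)

def fail_group(state, group):
    """The failed group goes standby and becomes active on the peer unit.
    Other groups are untouched: a group failure is not a unit failure."""
    new_state = dict(state)
    new_state[group] = "secondary" if state[group] == "primary" else "primary"
    return new_state

def active_contexts(groups, state):
    """Contexts passing traffic on each unit for a given group state."""
    per_unit = {unit: [] for unit in UNITS}
    for ctx, group in groups.items():
        per_unit[state[group]].append(ctx)
    return per_unit

# Constructed sample: "dmz" is left unassigned and so defaults to group 1.
CONTEXTS = ["admin", "dmz", "partners", "lab"]
GROUPS = resolve_groups(CONTEXTS, {"partners": 2, "lab": 2})
BOOT = boot_state({1: "primary", 2: "secondary"})

if __name__ == "__main__":
    print("simultaneous start:", active_contexts(GROUPS, BOOT))
    print("group 2 fails:", active_contexts(GROUPS, fail_group(BOOT, 2)))
```

With each group preferring a different unit, traffic is split across the pair at start; after group 2 fails, the primary unit carries every context while the secondary unit remains up in the standby role.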
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
Understanding Failover