Configuring Failover
3. ARP test—A reading of the unit ARP cache for the 2 most recently acquired entries. One at a time,
   the unit sends ARP requests to these machines, attempting to stimulate network traffic. After each
   request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is
   considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the
   end of the list no traffic has been received, the ping test begins.
4. Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit then
   counts all received packets for up to 5 seconds. If any packets are received at any time during this
   interval, the interface is considered operational and testing stops.

If all network tests fail for an interface, but this interface on the other unit continues to successfully pass
traffic, then the interface is considered to be failed. If the threshold for failed interfaces is met, then a
failover occurs. If the other unit interface also fails all the network tests, then both interfaces go into the
"Unknown" state and do not count towards the failover limit.

An interface becomes operational again if it receives any traffic. A failed FWSM returns to standby mode
if the interface failure threshold is no longer met.

Note: If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering
the failover reset command. If the failover condition persists, however, the unit will fail again.

Rapid Link Failure Detection

Detecting and responding to a failover condition can take up to 45 seconds. However, if you are using
Catalyst operating system software Release 8.4(1) and higher or Cisco IOS software Release
12.2(18)SXF5 and higher on the switch, you can use the autostate feature to bypass the interface testing
phase and provide sub-second failover times for interface failures.

With autostate enabled, the supervisor engine sends autostate messages to the FWSM about the status of
physical interfaces associated with FWSM VLANs. For example, when all physical interfaces associated
with a VLAN go down, the autostate message tells the FWSM that the VLAN is down. This information
lets the FWSM declare the VLAN as down, bypassing the interface monitoring tests normally required
for determining which side suffered a link failure.

In Cisco IOS software, autostate messaging is disabled by default. The Catalyst operating system
software has autostate messaging enabled by default, and it is not configurable.

For more information about enabling autostate, see the "Enabling Autostate Messaging for Rapid Link
Failure Detection" section on page 2-9.

Configuring Failover

This section describes how to configure failover and includes the following topics:
• Failover Configuration Limitations, page 14-21
• Using Active/Standby Failover, page 14-21
• Using Active/Active Failover, page 14-26
• Configuring Failover Communication Authentication/Encryption, page 14-31
• Verifying the Failover Configuration, page 14-31

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
Chapter 14 Configuring Failover
OL-20748-01
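
The failed/"Unknown" decision described in the failure-detection text above, as an added example (not Cisco's code and not part of the original guide): a small Python model of the ARP test, the broadcast ping test and the failure threshold. The `Probe` type, the packet counts, the reading of "the other unit continues to pass traffic" as "the other unit passes these tests", and the threshold as a count of failed interfaces are assumptions; the tests numbered 1 and 2 are not on this page and are not modeled.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Probe:
    """Packets counted in the (up to 5 s) window after each stimulus (hypothetical type)."""
    arp_replies: list[int]   # traffic seen after each ARP request, newest cache entry first
    broadcast_ping: int      # traffic seen after the broadcast ping request

def passes_tests(p: Probe) -> bool:
    # ARP test: only the 2 most recently acquired ARP entries are tried, one at a time.
    for seen in p.arp_replies[:2]:
        if seen > 0:
            return True      # any received traffic: interface is operational, testing stops
    # Broadcast ping test starts only when the ARP list ends with no traffic received.
    return p.broadcast_ping > 0

def interface_state(local: Probe, peer: Probe) -> str:
    if passes_tests(local):
        return "operational"
    # Local interface failed every test: the other unit's result decides the state.
    return "failed" if passes_tests(peer) else "unknown"

def evaluate(pairs: dict[str, tuple[Probe, Probe]], threshold: int):
    """Return per-interface states and whether the failover threshold is met."""
    states = {name: interface_state(l, p) for name, (l, p) in pairs.items()}
    failed = sum(1 for s in states.values() if s == "failed")  # "unknown" is not counted
    return states, failed >= threshold

# Constructed sample: (this unit, other unit) for each monitored interface.
SAMPLE = {
    "inside":  (Probe([0, 3], 0), Probe([5], 0)),     # second ARP target answers
    "outside": (Probe([0, 0], 0), Probe([0, 0], 7)),  # only the other unit sees traffic
    "dmz":     (Probe([0, 0], 0), Probe([0], 0)),     # silent on both units
}

if __name__ == "__main__":
    for limit in (1, 2):
        states, failover = evaluate(SAMPLE, limit)
        print(f"threshold={limit} states={states} failover={failover}")
```

With the constructed sample, two interfaces are silent on this unit but only "outside" counts as failed, so a threshold of 2 does not trigger failover: a fault that silences the same interface on both units is not attributed to either one.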