CSS active-active stateful failover

Dear All,
May I confirm whether the CSS can do active-active stateful failover? If so, are there any restrictions, and is there any Cisco URL I can refer to?
Thanks a lot.
mak

What do you call active-active?
There are different ways to achieve active-active.
What we can do is 1 VIP active on CSS-A and standby on CSS-B, and a 2nd VIP active on CSS-B and standby on CSS-A.
But do you really need this?
The CSS can handle quite a huge amount of traffic, so I never saw the need for active-active.
The failover can be stateful with CSS115xx, not with CSS110xx or CSS118xx or CSS111xx.
Here is a sample config for one-armed mode, but you can also have multiple VLANs.
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00802206a3.shtml
Regards,
Gilles

Similar Messages

  • CSS 11051 Stateful Failover

    We have received a note concerning stateful failover of the CSS series of products, where the CSS 110XX series doesn't support stateful failover; however, the CSS 115XXX will. Here is the digest of the message:
    On 3/6, Hosting Engineering and Operations issued an alert regarding the CSS 11000 load balancer. This is an update to that alert.
    Since that time, we have experienced another hardware failure of this model device.
    In response to this situation, the following has occurred:
    * Platform Engineering is in the process of removing the CSS 11000 from the SOE. It is on target to be removed in April.
    * Operations has reinforced our escalation procedures with CISCO. Qwest is to be issued an RMA immediately for this model.
    * For new configurations including a CSS 11000, CCAR will require an Individual Case Basis (ICB) review and approval.
    * For existing premium and above customers whose configurations include a CSS 11000, Hosting Operations is planning to replace them with a compatible device. These changes have been pre-approved by CCAR as long as:
      * the network topology remains the same
      * redundancy is preserved
      * CCAR gets notified of the replacement model so we can update our records
    * For existing basic and enhanced customers, we are drafting a communique that alerts them to the performance issues experienced by Qwest and providing suggested alternative solutions.
    In response to recent questions from the field.....
    Stateful failover with redundant CSS 11000 Series Load Balancers:
    The Bottom Line: Cisco CSS 11000 Series Load Balancers do not support stateful failover.
    Will Cisco ever support this?: Yes, this is supported in the CSS 11500 Series, known as Adaptive Session Redundancy (ASR)
    I need this today, what can I do?: Choose an alternative product. The F5 BIG-IP load balancers support this functionality.
    What is stateful failover anyhow?
    Stateful failover is a technology that can maintain state information between the active load-balancer and the standby load-balancer. This state information can include: persistence mapping, telnet sessions, ftp sessions, tcp session state, etc...
    Why should I be concerned?
    Without state synchronization applications can break if there is a failover from the active to standby unit. FTP Sessions will be broken, Telnet sessions will be broken, and most importantly persistence state mapping will be lost.
    What do I need to listen for to determine if stateful failover is important?
    1. E-commerce applications that require persistence mapping. Persistence mapping will keep a client session mapped to the same server for a specified amount of time. This is often important with shopping cart and other e-commerce applications.
    2. Long-lived sessions. Whether they are planning to transfer large files via FTP or long-lived telnet sessions. Anytime a connection will be required for a long time and starting over is not an acceptable condition, then stateful failover is important.
    Does this sound correct or is this a bunch of hot air?

    Yes. Stateful failover, or ASR as it is sometimes called, is available on the CSS 11500 and Catalyst 6500 Content Switch Modules (CSM) load balancing platforms. It is not supported on the CSS 11000 due to architectural limitations of that platform.
    Stateful failover is available on these Cisco platforms today.
    mikep

  • Cisco asa security context active/active failover

    Hi,
    I have two Cisco ASA 5515-X appliances running OS version 8.6. I want to configure these two appliances in multiple context mode.
    Each ASA appliance will have two security contexts named "ctx1" & "ctx2".
    I have to configure failover on these two ASA appliances such that "ctx1" will be active on one ASA box and "ctx2" will be active and process the traffic on the second box. To achieve this I will configure two failover groups, 1 & 2, and assign the "ctx1" interfaces to failover group 1 and the "ctx2" interfaces to group 2.
    I am reading a book on failover configuration in active/active, and the note below is mentioned in it.
    If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
    What does this mean? Can someone please explain, because I also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case, can the shared interface be used in failover groups 1 & 2?
    Regards,
    Nick

    You will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

  • To apply license in FWSM (Active-Active mode) and disable failover

    Dear Team
    I want to apply a license to increase the security contexts in the FWSM, which is running in Active-Active mode on VSS Core switches.
    As per the document below, first we need to disable failover by entering the 'no failover' command on the active FWSM and then apply the license separately on both FWSMs.
    I just want to know, when I disable the failover, then the standby moves to the pseudo-standby state.
    Will there be any impact on the services which are running behind the FWSM when disabling the failover and then re-enabling the failover?
    http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm40/configuration/guide/fwsm_cfg/swcnfg_f.html#wp1073226
    Appreciate your response.

    Hi,
    I think in your case, as it is Active/Active, there is one extra step required.
    You need to make all the contexts active on one unit and on the other one all should be standby.
    Then disable the failover and update the license and re-enable the failover.
    Thanks and Regards,
    Vibhor Amrodia

  • FWSM 4.0: switch from active/standby to active/active failover mode

    Hello,
    I have a pair of FWSM's running version 4.0 currently in active/standby failover mode, and I'd like to switch them to be active/active.  Is there a documented procedure for doing this?  What are the implications for any contexts switched to be primary on the FWSM that is currently acting as a standby (i.e., what kind of outage time can we expect)?
    Thanks in advance,
    Mike

    Hi Bro
    Thanks for the update, but still you'll need to create 2 contexts, each context will be ACTIVE on different Cisco ASA FW units. Hence, there will be some cut, copy and paste effort, not forgetting recabling, if that's needed. Here's a Cisco document to configure ACTIVE/ACTIVE for those who can't seem to find this document http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#req
    Conclusion: There will be some network downtime. I'm guessing 15min, if it was me :-)
    P/S: If you think this comment is helpful, please do rate it nicely :-)

  • JDBC for Active-Active Oracle Primary/Failover DB

    Hi,
    Currently for our application we use an Oracle Primary (Active) and FailOver (Passive) setup. To connect to these databases, we use two JNDIs and use JDBC thin driver. Say when a Failover (FO) occurs, we have a logic to use the FO JNDI and connect to the FO DB.
    But in future we are planning to have both Primary and FO as an Active-Active configuration. So according to WebSphere there should be one URL (JDBC thin driver), but it should be able to connect to two datasources. I came to know that the driver will take care of this. Is this possible? If so, please explain how. Thank you!

    If your Oracle database is using RAC, you can use Oracle's OCI or thin JDBC driver.
    FAILOVER Examples
    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost1)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost2)(PORT=1521))(FAILOVER=on)(LOAD_BALANCE=off))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=dbservice)))
    Load balancing example:
    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost1)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost2)(PORT=1521))(FAILOVER=off)(LOAD_BALANCE=on))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=dbservice)))
    Also see http://download-west.oracle.com/docs/cd/B14117_01/rac.101/b10768/example.htm#RACDP202

  • CSS 11503 in Active Active mode

    Can we configure the CSS 11503 in Active/Active mode, meaning, can multiple contexts be configured?
    Thanks & Regards,
    Shahzad.

    Here you go
    Assumptions:
    VIP 10.10.10.100 is Master on the CSS 2 and backup on the CSS1
    VIP 10.10.10.101 is Master on the CSS1 and backup on the CSS1
    Vlan 10 is the Server Vlan (Redundant Interfaces here)
    Vlan 20 is the Client vlan (Redundant Vips here)
    Services for VIP 10.10.10.100 (real server) have default gateway pointing to redundant interface 172.20.40.253
    Services for VIP 10.10.10.101 (real server) have default gateway pointing to redundant interface 172.20.40.254
    CSS #1
    circuit VLAN10
    ip address 172.20.40.1 255.255.255.0
    ip virtual-router 1 priority 101 preempt
    ip virtual-router 2
    ip redundant-interface 1 172.20.40.253
    ip redundant-interface 2 172.20.40.254
    circuit VLAN20
    ip address 10.10.10.1 255.255.255.0
    ip virtual-router 3 priority 101 preempt
    ip virtual-router 4
    ip redundant-vip 3 10.10.10.101
    ip redundant-vip 4 10.10.10.100
    CSS #2
    circuit VLAN10
    ip address 172.20.40.2 255.255.255.0
    ip virtual-router 1
    ip virtual-router 2 priority 101 preempt
    ip redundant-interface 1 172.20.40.253
    ip redundant-interface 2 172.20.40.254
    circuit VLAN20
    ip address 10.10.10.2 255.255.255.0
    ip virtual-router 3
    ip virtual-router 4 priority 101 preempt
    ip redundant-vip 3 10.10.10.101
    ip redundant-vip 4 10.10.10.100
    More details at
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/VIPRedun.html#wp1112245
    Syed Iftekhar Ahmed

  • CSS ACTIVE/ACTIVE SCENARIO WITH JUST TWO SERVERS ??? POSSIBLE??

    Hi
    I'm gonna have a setup of TWO CSS11503 Content Switches with standard WEBNS feature set
    in an ACTIVE / ACTIVE VIP and Virtual interface redundancy scenario for load-balancing just
    two web servers initially.
    Can I have this setup up & running if I configure the two servers with different default
    gateway addresses on the private side and two static routes in the private side Layer3
    for two different VIP addresses in the public side ??
    Any better suggestions for this scenario.
    Thanx

    Firstly - what Gilles said.
    Having said that, I'm using some content switches in active/active modes in a couple of places in a geographically distributed gateway. Active/Active lets us improve our redundancy characteristics and allow for device failures as well as link failures between the gateways.
    There are lots of complexities that arise if you take this path - you will need to do a lot of logical math and testing about traffic symmetry under all of the different failure conditions, because you introduce the possibility that response traffic could come back at L2/L3 through a different CSS than the request traffic.
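
    The symmetry check described above, applied to the virtual-router lines from the "CSS 11503 in Active Active mode" answer earlier on this page. This is an added example, not code from any poster or from Cisco; the function names are hypothetical, and it assumes a default virtual-router priority of 100 and that the live unit with the highest priority is master.

```python
import re

# Constructed input: the virtual-router and redundant-address lines of the two
# CSS configurations quoted on this page (circuit/ip address lines omitted).
CSS1 = """ip virtual-router 1 priority 101 preempt
ip virtual-router 2
ip redundant-interface 1 172.20.40.253
ip redundant-interface 2 172.20.40.254
ip virtual-router 3 priority 101 preempt
ip virtual-router 4
ip redundant-vip 3 10.10.10.101
ip redundant-vip 4 10.10.10.100"""
CSS2 = """ip virtual-router 1
ip virtual-router 2 priority 101 preempt
ip redundant-interface 1 172.20.40.253
ip redundant-interface 2 172.20.40.254
ip virtual-router 3
ip virtual-router 4 priority 101 preempt
ip redundant-vip 3 10.10.10.101
ip redundant-vip 4 10.10.10.100"""
# VIP -> gateway used by its real servers, as stated in the post's assumptions.
FLOWS = {"10.10.10.100": "172.20.40.253", "10.10.10.101": "172.20.40.254"}

VR = re.compile(r"ip virtual-router (\d+)(?: priority (\d+))?(?: preempt)?")
RED = re.compile(r"ip[ -]redundant-(?:interface|vip) (\d+) (\S+)")

def parse(cfg):
    """Return ({vrid: priority}, {redundant_address: vrid}) for one CSS."""
    prio, addr = {}, {}
    for line in map(str.strip, cfg.splitlines()):
        if m := VR.fullmatch(line):
            prio[int(m[1])] = int(m[2] or 100)  # assumed default priority: 100
        elif m := RED.fullmatch(line):
            addr[m[2]] = int(m[1])
    return prio, addr

def master_of(boxes, ip, down=()):
    """Live CSS with the highest priority for the VRID that carries `ip`.
    Ties fall back to name order, unlike real VRRP (no ties in this sample)."""
    alive = [(prio.get(addr[ip], 0), name)
             for name, (prio, addr) in boxes.items()
             if name not in down and ip in addr]
    return max(alive)[1] if alive else None

def asymmetric(boxes, flows, down=()):
    """Flows whose VIP and server gateway are mastered by different units."""
    found = []
    for vip, gw in flows.items():
        front, back = master_of(boxes, vip, down), master_of(boxes, gw, down)
        if front != back:
            found.append((vip, front, gw, back))
    return found

def report(boxes, flows):
    """Check the healthy state and each single-unit failure."""
    cases = [()] + [(name,) for name in boxes]
    return {("none" if not d else d[0] + " down"): asymmetric(boxes, flows, d)
            for d in cases}

BOXES = {"CSS1": parse(CSS1), "CSS2": parse(CSS2)}

if __name__ == "__main__":
    for case, flows in report(BOXES, FLOWS).items():
        print(case, flows or "symmetric")
```

    With both units up, the VIP-to-gateway pairing from the post's assumptions puts each VIP on one CSS and its servers' gateway on the other; with either unit down, or with the two gateways swapped, every flow is symmetric.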

  • ASA Active/Active Failover with Redundant Guest Anchors

    Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy?  I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle.  Do I assume etherchannel?  If I were to create this scenario, can I run the 5508 in LAG mode?
    The current failover configuration example is for PIX, and old code at that.  I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
    Regards,
    Scott

    In addition to what you have, you should add to each unit the global configuration command "failover".
    We generally don't manually configure the MAC addresses in single context mode since the ASA will automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

  • RAC Active Active cluster failover time

    Hi,
    In a RAC active-active cluster, how long does it take to fail over to the surviving instance?
    As per the documentation, I understand that rollback is done just for the select statements and not others. Is that correct?

    RAC is an active-active cluster situation by design.
    A failover from a session from a stopped/crashed instance to a surviving one can be implemented in several ways.
    The most common way to do failover is using TAF, Transparent Application Failover, which is implemented on the client (using settings in the tnsnames.ora file).
    When an instance of a RAC cluster has crashed, the surviving instances (actually the voted master instance) will detect that an instance has crashed, and recover the crashed instance using its online redo log files. Current transactions in that instance will be rolled back. The time it will take depends on the activity in the database, and thus the amount to recover.

  • FWSM Active/Active Failover ICMP replication

    I have an issue with WS-SVC-FWM-1 module - in the active/active failover it doesn't make ICMP connection state replication with asr-groups configured on the respective interfaces. Although other connections are working just fine (asymmetric routing is verified with 'show ip cef' on the MSFC) it seems that only newer ASAs are doing ICMP replication in failover, but I couldn't find any documentation describing replication behavior for the FWSM. Can anyone clearly describe FWSM's behavior for this?

    What FWSM version are you running?
    Please remember to rate and select a correct answer

  • ASA active/active failover back to back

    Hi,
    For HA I want to connect 4 ASAs in active/active failover, with each ASA having two contexts.
    The reason I need this is to separate two domains. Each domain has the ASA pair in active/active failover.
    Is this possible, and what would you need to do it, i.e. a switch or two in between?
    I know you need switches or VLANs to do the LAN side, as the failover context needs to be in the same network. So I'm assuming you would need to do something similar between the 4 ASAs?
    Would you put 2 switches trunked together carrying two VLANs, one for each context?
              -| CTX1 |-          ?         -| CTX1 |-
              -| CTX2 |-          ?         -| CTX2 |-
                   |  |                                |  |
              -| CTX1 |-          ?         -| CTX1 |-
              -| CTX2 |-          ?         -| CTX2 |-
    Thanks in advance.

    Your latest attachment is pretty close to what I was thinking.
    I would add a second interface on each ASA to the switches.
    So (considering the "Inside" interfaces of ASA1 for example) it would have one physical interface allocated to context 1 and connected to a port in VLAN2 and a second physical interface allocated to context 2 and connected to a port in VLAN 3.
    An alternative would be to stick with a single physical interface and allocate subinterfaces (on a trunk) to each context.
    You could further add redundancy by creating Etherchannels (with either the physical or logical interface approach).

  • 5510 to 5505 failover (active/active)

    Hello,
    We have both a 5510 and a 5505, and they are both running the security plus licenses. At this time, the 5510 is connected to our primary (and much faster) ISP connection. We also have a DSL connection available that I could connect to the 5505. A different ISP supplies each device (Charter and AT&T, respectively). Each are assigned a single, public IP address via DHCP from the respective ISP.
    Is it possible to configure the 5505 to accept the connection and become primary in the event that the 5510 goes offline (either due to outage or failure)?
    If so, what are the steps I would take to configure this? Examples of commands to issue would be very helpful.
    Many Thanks in Advance!
    -Rob

    You cannot configure a direct Failover/HA setup with two different ASA models.
    For a solution to your problem, I'd suggest using IP SLA on a router or L3 switch that both ASAs plug into - that way if one link/ASA goes down, the default route will change to the other ASA.
    EDIT: By the way, the failover setup you describe is Active/Standby. Active/Active refers to two separate ASAs running multi-context, with one ASA being active for "context1" and the other ASA being active for "context2". ASA 5505's do not support multi-context.

  • Failover Under ASDM shows Active/Active

    Hi everyone,
    The ASA is configured for failover, which is Active/Standby. The command line shows failover as active and standby.
    But under ASDM, Licensing, Activation Key it shows as
    Failover
    Active/Active
    Is it by design that it shows as active/active?
    Regards
    Mahesh

    Hi Mahesh,
    I think it means that the ASA is licensed to be able to support Active/Active while you have actually set up the ASAs to do Active/Standby.
    To my understanding, for example, the ASA5505 model could only support Active/Standby Failover since it doesn't support Security Contexts, as those are required for an Active/Active setup.
    - Jouni

  • Does VPN works in Firewall Active Active failover mode?

    I want to clarify these two things!
    1. Does VPN work in failover mode in Active/Active mode?
    2. What about in failover mode Active/Passive?
    Regards!

    Hi,
    Using an Active/Active Failover means that the Firewalls will be in Multiple Context mode. In other words virtual firewalls.
    This means that you can ONLY use IPsec L2L VPN connections on the virtual firewalls if you are running 9.x software level on the firewalls. Any form of Client and Clientless VPN isn't supported in Multiple Context Mode at the moment.
    Now with Active/Standby we have to make a distinction (if that was the word).
    IF you run a normal Active/Standby Failover pair of ASAs that IS NOT in Multiple Context mode YOU CAN use any type of VPN the ASAs support.
    IF you run a pair of ASAs in Multiple Context Mode and in Active/Standby Mode you will naturally run into the limitation of VPN support in Multiple Context Mode and WILL NOT be able to use any other VPNs other than IPsec L2L VPN connections provided you are running 9.x software that supports it.
    Hope this helps
    - Jouni
