FWSM Failover Pair Upgrade

I was told that it was necessary to completely disable a failover configuration before separately reloading the pair to boot into the new software.
However, I'm not seeing that in any of the documentation...which simply says to install the software, make the secondary active, reload the primary, etc.
Is this correct that the failover has to be disabled?
Thanks.

My experience is that the Cisco documentation is correct (i.e., it is NOT necessary to disable failover).
I (carefully) followed the procedure described here successfully.

Similar Messages

  • Upgrading FWSMs in Failover Pair

    Due to a bug, we are upgrading our Dual Chassis FWSM Failover pair from 1.1.2 to 1.1.4. I want to minimize downtime; can anyone point me to some documentation or briefly explain the best process? From the 2.2 documentation it appears I can upgrade between maintenance releases while maintaining failover capabilities; was this the case with 1.1? Or is the "Replacement of Failover Unit after Hardware Failure" the best process to fail over even though one unit has not failed?

    The doc in FWSM 2.2 for the faulty module replacement can serve as a guideline.
    http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_tech_note09186a0080531753.shtml
    But as stated in the FWSM FAQ - failover for ver 1.1 (http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_qanda_item0900aecd800fa578.shtml), this might be your case. FWSM running ver 2.2 provides more flexibility and minimizes downtime with the 'online upgrade' features. This feature is not available in code 1.1.x.
    Therefore, when performing the upgrade, rebooting both FWSM modules is inevitable, but at least with very minimal downtime (the time taken for the module to get online and working).
    What you can do is to 'break' the standby FWSM from the failover process, and perform the upgrade. Repeat the same process for both blades. See the attachment for detailed instructions.
    HTH
    AK

  • Upgrade firewall software in failover pair

    I need to upgrade two firewalls (in a failover pair) remotely. Could someone tell me what is the way to go forward? Do I need to worry about licenses and stuff?
    Thanks,
    Kashish

    Since you are running dynamic routing protocols, the routing instance is only active on the primary active firewall, not both. That's the reason why you can't access the tftp server on the standby unit.
    What you can do is upload the image to the primary active ASA, then fail over the firewall to the secondary standby ASA. Once the secondary ASA becomes the Active ASA, then you can upload the image to this ASA.
    Since you can only access the active unit, once you have configured the boot system with the new image and saved the config, then you can reload the ASAs one at a time.
    Reload the secondary after you have uploaded the image; this will cause failover to the primary. Monitor the status of the secondary by issuing "show failover", and once the secondary is up, and the software has been upgraded, then you can reload the primary active unit.
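
The last step of the answer above (watch "show failover" until the reloaded unit is back and upgraded before reloading the active one) can be expressed as a check. This is an added example, not code from the original post: the sample outputs are constructed in the shape of the "show failover" output quoted elsewhere on this page, and the function names and the target-version argument are assumptions.

```python
import re

# Constructed samples (illustrative versions and states), as seen from the
# unit that is currently active while its mate is being upgraded.
MATE_READY = """\
Failover On
Failover unit Primary
Version: Ours 4.0(13), Mate 4.1(5)
    This host: Primary - Active
        Active time: 358944 (sec)
    Other host: Secondary - Standby Ready
        Active time: 0 (sec)
"""
MATE_BOOTING = MATE_READY.replace("Standby Ready", "Cold Standby")
MATE_NOT_UPGRADED = MATE_READY.replace("Mate 4.1(5)", "Mate 4.0(13)")
FAILOVER_OFF = MATE_READY.replace("Failover On", "Failover Off")


def parse_show_failover(text):
    """Extract the fields that matter for an upgrade from 'show failover'."""
    state = {"enabled": None, "ours": None, "mate": None,
             "this_host": None, "other_host": None}
    m = re.search(r"^\s*Failover\s+(On|Off)\b", text, re.M)
    if m:
        state["enabled"] = m.group(1) == "On"
    m = re.search(r"Version:\s*Ours\s+(\S+),\s*Mate\s+(\S+)", text)
    if m:
        state["ours"], state["mate"] = m.group(1), m.group(2)
    for key, label in (("this_host", "This host"), ("other_host", "Other host")):
        # e.g. "Other host: Secondary - Standby Ready" -> ("Secondary", "Standby Ready")
        m = re.search(rf"^\s*{label}:\s*(\w+)\s*-\s*(.+?)\s*$", text, re.M)
        if m:
            state[key] = (m.group(1), m.group(2))
    return state


def reload_blockers(text, target_version):
    """Return the reasons NOT to reload the active unit yet (empty list = go)."""
    s = parse_show_failover(text)
    blockers = []
    if s["enabled"] is not True:
        blockers.append("failover is not reported as On")
    if s["this_host"] is None or s["this_host"][1] != "Active":
        blockers.append("this unit is not the active unit")
    mate_state = s["other_host"][1] if s["other_host"] else None
    if mate_state != "Standby Ready":
        blockers.append(f"mate state is {mate_state!r}, expected 'Standby Ready'")
    if s["mate"] != target_version:
        blockers.append(f"mate runs {s['mate']!r}, expected {target_version!r}")
    return blockers


if __name__ == "__main__":
    for name, sample in (("ready", MATE_READY), ("booting", MATE_BOOTING),
                         ("not upgraded", MATE_NOT_UPGRADED), ("off", FAILOVER_OFF)):
        print(name, "->", reload_blockers(sample, "4.1(5)") or "safe to reload active")
```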

  • FWSM Failover configuration - One Context

    Hi,
    Is it possible to configure only one context in H.A. in FWSM? Yesterday I tried to configure this but I can't.
    Please check my configuration and tell me your opinion, or whether it is not possible; maybe I have to configure all contexts in H.A.
    This message appears in the console when I activate failover:
    Nov 23 2011 19:20:04: %FWSM-1-105002: (Secondary) Enabling failover.
    Nov 23 2011 19:20:08: %FWSM-1-105038: (Secondary) Interface count mismatch
    Nov 23 2011 19:20:08: %FWSM-1-104002: (Secondary) Switching to STNDBY - Other unit has different set of vlans configured
    Nov 23 2011 19:20:11: %FWSM-1-105001: (Secondary) Disabling failover.
    Nov 23 2011 19:23:58: %FWSM-6-302010: 0 in use, 46069 most used
    FWSM-Primario# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILLINK Vlan 1100 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 15 seconds
    Interface Policy 50%
    Monitored Interfaces 1 of 250 maximum
    failover replication http
    Config sync: active
    Version: Ours 4.1(5), Mate 4.1(5)
    Last Failover at: 19:18:35 UTC Nov 23 2011
            This host: Primary - Active
                    Active time: 1125 (sec)
                    admin Interface inside (10.1.1.1): Normal (Not-Monitored)
                    admin Interface outside (20.1.1.1): No Link (Not-Monitored)
                    FW-GoB-Fija Interface WASOB2N-SISOB2N-Fija (10.115.30.36): Normal (Waiting)
                    GESTION-WAS Interface OUTSIDE (10.116.20.22): Normal (Not-Monitored)
                    GESTION-WAS Interface U2000 (10.123.20.1): Normal (Not-Monitored)
            Other host: Secondary - Cold Standby
                    Active time: 0 (sec)
                    admin Interface inside (0.0.0.0): Unknown (Not-Monitored)
                    admin Interface outside (0.0.0.0): Unknown (Not-Monitored)
                    FW-GoB-Fija Interface WASOB2N-SISOB2N-Fija (10.115.30.37): Unknown (Waiting)
                    GESTION-WAS Interface OUTSIDE (0.0.0.0): Unknown (Not-Monitored)
                    GESTION-WAS Interface U2000 (0.0.0.0): Unknown (Not-Monitored)
    Stateful Failover Logical Update Statistics
            Link : STATELINK Vlan 1101 (up)
            Stateful Obj    xmit       xerr       rcv        rerr     
            General         0          0          0          0       
            sys cmd         0          0          0          0       
            up time         0          0          0          0       
            RPC services    0          0          0          0       
            TCP conn        0          0          0          0       
            UDP conn        0          0          0          0       
            ARP tbl         0          0          0          0       
            Xlate_Timeout   0          0          0          0       
            AAA tbl         0          0          0          0       
            DACL            0          0          0          0       
            Acl optimization        0          0          0          0       
            OSPF Area SeqNo         0          0          0          0       
            Mamba stats msg         0          0          0          0       
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       0       0
            Xmit Q:         0       0       0
    FWSM-Primario# 
    FWSM-Primario#
    The configuration in the SW-6500
    SW-PRIMARY#sh run | in fire
    firewall multiple-vlan-interfaces
    firewall module 3 vlan-group 1,2
    firewall vlan-group 1  10,20,25,400,1709
    firewall vlan-group 2  1100,1101,1111,1112
    SW-SECUNDARY#sh run | in fire
    firewall multiple-vlan-interfaces
    firewall module 3 vlan-group 1,2
    firewall vlan-group 1  900,1709
    firewall vlan-group 2  1100,1101,1111,1112
    ip subnet-zero
    FWSM-Primario(config)# sh run
    : Saved
    FWSM Version 4.1(5) <system>
    resource acl-partition 12
    hostname FWSM-Primario
    hostname secondary FWSM-Secundario
    domain-name cisco.com
    enable password 8Ry2YjIyt7RRXU24 encrypted
    interface Vlan10
    interface Vlan29
    shutdown
    interface Vlan400
    interface Vlan1100
    description LAN Failover Interface
    interface Vlan1101
    description STATE Failover Interface
    interface Vlan1111
    description FWSW_7200_GoB_Fija
    interface Vlan1112
    description FWSW_7200_GoB_BA
    interface Vlan1709
    passwd 2KFQnbNIdI.2KYOU encrypted
    class default
      limit-resource IPSec 5
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
      limit-resource All 0
    ftp mode passive
    pager lines 24
    failover
    failover lan unit primary
    failover lan interface FAILLINK Vlan1100
    failover replication http
    failover link STATELINK Vlan1101
    failover interface ip FAILLINK 10.115.30.17 255.255.255.252 standby 10.115.30.18
    failover interface ip STATELINK 10.115.30.21 255.255.255.252 standby 10.115.30.22
    failover group 1
      preempt
      replication http
    no asdm history enable
    arp timeout 14400
    console timeout 0
    admin-context admin
    context admin
      allocate-interface Vlan10
      allocate-interface Vlan29
      config-url disk:/admin.cfg
    context GESTION-WAS
      allocate-interface Vlan1709
      allocate-interface Vlan400
      config-url disk:/GESTION-WAS
    context FW-GoB-Fija
      allocate-interface Vlan1111
      allocate-interface Vlan1112
      config-url disk:/FW-GoB-Fija.cfg
      join-failover-group 1
    prompt hostname context
    Cryptochecksum:8b5fabc676745cfbafd6569c623a98b1
    : end
    SECONDARY FIREWALL.
    FWSM# sh run
    : Saved
    FWSM Version 4.1(5) <system>
    resource acl-partition 12
    hostname FWSM
    domain-name cisco.com
    enable password S13FcA2URRiGrTIN encrypted
    interface Vlan100
    shutdown
    interface Vlan900
    interface Vlan1100
    description LAN Failover Interface
    interface Vlan1101
    description STATE Failover Interface
    interface Vlan1111
    interface Vlan1112
    interface Vlan1709
    passwd 2KFQnbNIdI.2KYOU encrypted
    class default
      limit-resource IPSec 5
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
      limit-resource All 0
    ftp mode passive
    pager lines 24
    no failover
    failover lan unit secondary
    failover lan interface FAILLINK Vlan1100
    failover replication http
    failover link STATELINK Vlan1101
    failover interface ip FAILLINK 10.115.30.17 255.255.255.252 standby 10.115.30.18
    failover interface ip STATELINK 10.115.30.21 255.255.255.252 standby 10.115.30.22
    failover group 1
      preempt
      replication http
    no asdm history enable
    arp timeout 14400
    console timeout 0
    admin-context PCBA-NAT
    context PCBA-NAT
      allocate-interface Vlan1709
      allocate-interface Vlan900
      config-url disk:/PCBA-NAT
    context FW-GoB-Fija
      allocate-interface Vlan1111
      allocate-interface Vlan1112
      config-url disk:/FW-GoB-Fija
      join-failover-group 1
    prompt hostname context
    Cryptochecksum:c7529707b6d10d02c296a57253a925b2
    : end
    FWSM#
    I WILL APPRECIATE YOUR COMMENTS, BECAUSE IT'S IMPORTANT; THE FWSM SUPPORTS 3 CONTEXTS BY DEFAULT.
    Regards,
    Robert Soto.

    Hi Robert,
    Unfortunately no, this is not possible.
    Since you enable failover at the system level, all contexts will participate in failover and there is no way to change this.
    Additionally, both firewalls in the failover pair must have identical licenses, VLANs, and software versions in order for failover to work properly.
    -Mike

  • Ask the Expert:Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

    With Prashanth Goutham R.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham. 
    Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA is a key component of the Cisco SecureX Framework, protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
    Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
    Remember to use the rating system to let Prashanth know if you have received an adequate response. 
    Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hello John,
    This session is on Failover Functionality on all Cisco Firewalls. I'm not a geek on QOS, however I have the answer for what you need. The way to limit traffic would be to enable QOS Policing on your Firewalls. The requirement that you have is about limiting 4 different tunnels to be utilizing the set limits and drop any further packets. This is called Traffic Policing. I tried out the following in my lab and it looks good.
    access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0
    access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0
    access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0
    access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0
    class-map Tunnel_Policy1
      match access-list tunnel_one
    class-map Tunnel_Policy2
      match access-list tunnel_two
    class-map Tunnel_Policy3
      match access-list tunnel_three
    class-map Tunnel_Policy4
      match access-list tunnel_four
    policy-map tunnel_traffic_limit
      class Tunnel_Policy1
        police output 4096000
    policy-map tunnel_traffic_limit
      class Tunnel_Policy2
        police output 5734400
    policy-map tunnel_traffic_limit
      class Tunnel_Policy3
        police output 2457600
    policy-map tunnel_traffic_limit
      class Tunnel_Policy4
        police output 4915200
    service-policy tunnel_traffic_limit interface outside
    You might want to watch out for the following changes in values:
    HTTS-SEC-R2-7-ASA5510-02(config-cmap)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy1
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4096000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy2
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 5734400
    WARNING: police rate 5734400 not supported. Rate is changed to 5734000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy3
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 2457600
    WARNING: police rate 2457600 not supported. Rate is changed to 2457500
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy4
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4915200
    WARNING: police rate 4915200 not supported. Rate is changed to 4915000
    I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might get finally. I used this website to calculate your Kilobyte values to Bits: http://www.matisse.net/bitcalc/
    The Final outputs of the configured values were :
    Class-map: Tunnel_Policy1
      Output police Interface outside:
        cir 4096000 bps, bc 128000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy2
      Output police Interface outside:
        cir 5734000 bps, bc 179187 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy3
      Output police Interface outside:
        cir 2457500 bps, bc 76796 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy4
      Output police Interface outside:
        cir 4915000 bps, bc 153593 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html
    Hope that helps..

  • MAC addresses of redundant interfaces on failover pair of CSS.

    Hello all, I wanted to know what happens to the MAC addresses of the failover interfaces on the two CSS devices configured as a failover pair when a failover occurs?
    Also what happens in a failover event in general? Can anyone point me to some documents describing the failover process.
    Thank you,
    Dmitry.

    Hi Dimitry,
    Here are the URLs for configuring VIP and Virtual IP Interface Redundancy; follow the configuration guide, which may help you:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/VIPRedun.html
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/ASR.html
    Configuring Box to box redundancy:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/Redndncy.html
    CSS 11500 Active-Active Stateful Failover ASR in One-Armed Mode Configuration Example
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00802206a3.shtml
    Box-to-Box Redundancy on the CSS 11xxx Configuration Example - Ciscowiki
    http://supportwiki.cisco.com/ViewWiki/index.php/Box-to-Box_Redundancy_on_the_CSS_11xxx_Configuration_Example
    Kindly find full range of configuration examples on CSS here :
    Cisco CSS 11500 Series Content Services Switches
    Configuration Examples and TechNotes
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_configuration_examples_list.html
    Cisco CSS 11500 Series Content Services Switches
    http://supportwiki.cisco.com/ViewWiki/index.php/Category:Cisco_CSS_11500_Series_Content_Services_Switches
    Kindly see URL given below for my other articles
    http://boardreader.com/fp/Cisco_Systems_Networking_Profe_309110/Application_Networking_543840.html#hot_threads
    If possible, please rate so that I can be helpful to other people also, as it will enhance my credibility.
    Sachinga.hcl

  • Fwsm failover times in real crash

    Hi,
    I have got two cat6k VSS and two FWSM service modules.
    How fast will the FWSM switch over to the backup firewall after the active firewall crashes or loses power?

    Hi,
    The initial 15 seconds detection time can be reduced to 3 seconds, by tuning failover polltime and holdtime to the following:
    "failover polltime unit 1 holdtime 3"
    Also keep in mind that after switchover the new active will establish a neighbor relationship with the neighbor router. At any point in time the standby does not participate in the OSPF process, so in short the new active has to re-establish adjacencies.
    Hope that helps.
    Thanks,
    Varun

  • FWSM Failover - Possible with different hardware versions?

    Hi, I need to replace a FWSM module currently running as the primary unit in a failover configuration installed in two 6509s. The replacement FWSM module is a newer hardware version than the current module it is to replace. Obviously I will ensure the same IOS and licenses are installed on the new module but will having a difference in the hardware versions affect the failover configuration?
    The faulty module being replaced has the following hardware config:
    HW 3.0
    FW 7.2(1)
    The replacement module has the following config:
    HW 4.2
    FW 7.2(1)
    Thanks in advance for any help..

    Daniel, this is a good question for TAC. I do not see any documentation on FWSM requiring the same hardware version; the failover requires the same code and you are correct on that one. I don't think hardware version differences may affect failover, but I would suggest having it cleared by TAC.
    Jorge

  • SW-6509-FWSM failover Troubleshooting First aid

    Fault Description:
    (1)
    Between the active FWSM and standby FWSM inside interfaces, ping fails.
    On the active FWSM: ping 172.17.1.50 - OK; ping 172.17.1.49 - fails.
    On the standby FWSM: ping 172.17.1.49 - OK; ping 172.17.1.50 - fails.
    But between the active FWSM and standby FWSM outside interfaces, ping is OK.
    On the active FWSM: ping 172.17.1.36, ping 172.17.1.37, ping 172.17.1.35/33/34/, ping www.baidu.com - all OK.
    On the standby FWSM: ping 172.17.1.36, ping 172.17.1.37, ping 172.17.1.35/33/34/, ping www.baidu.com - all OK.
    (2)
    Another problem:
    From the active FWSM and standby FWSM inside interfaces, pings to the 7706 all fail.
    Summary: may be caused by the FWSM.
    Topology: attachment
    FWSM :
    FWSM#                       show failover state
    ====My State===
    Primary | Active |
    ====Other State===
    Secondary | Standby |
    ====Configuration State===
        Interface config Syncing - STANDBY
        Sync Done
    ====Communication State===
        Mac set
    =========Failed Reason==============
    My Fail Reason:
        Ifc Failure
    Other Fail Reason:
        Comm Failure
    FWSM# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: lan Vlan 997 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 15 seconds
    Interface Policy 50%
    Monitored Interfaces 42 of 250 maximum
    Config sync: active
    Version: Ours 4.0(13), Mate 4.0(13)
    Last Failover at: 19:08:24 Beijing Dec 2 2013
        This host: Primary - Active
            Active time: 358944 (sec)
        Interface outside (172.17.1.36): Normal
        Interface inside (172.17.1.49): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready
            Active time: 0 (sec)
        Interface outside (172.17.1.37): Normal
        Interface inside (172.17.1.50): Normal (Not-Monitored)
    (Not-Monitored) -----------------??????

    That's what I thought, but then again, from the 6500 config prompt I actually get echo replies (!) from the FWCTX, with capture enabled as:
         access-list CAP permit ip any any
         capture mgmt access-list CAP interface MGMT packet-length 1500 circular-buffer
    But it shows blank and no hit counts. The same happens using RTMonitor in ASDM (6.2.(2f)): some packets that are permitted and routed correctly aren't actually noticed. I don't get any logging for the missing/dropped/denied echo replies from the FWCTX to the 6500 MSFC, nor for the successful replies from the 6500 to the FWCTX, with ASDM Debugging logging on.

  • FWSM failover

    Guys,
    I have a doubt about failover with FWSM.
    I have 2 Cisco 6500s with FWSM boards. They work as Active (Primary) /Standby (Standby).
    These days, I had a problem with the Active; then the Standby changed to Active, ok.
    When the Primary returned, I saw that the Secondary FWSM configuration had a line: "no failover"
    I didn't understand why the Secondary changed this line, because before the problem this line was "failover".
    So, I had to change this line, putting: failover, and then it normalized.
    Does anyone know why the Secondary FWSM changed the line failover to no failover? Is it normal? Could I configure it not to change?
    Thank you!
    Anderson.

    Hi Anderson,
    The most common cause of this is if you have a different set of VLANs passed to the FWSMs. Check the output of 'show run | i firewall' on both 6500s and make sure the output matches exactly on both sides.
    -Mike
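
The comparison Mike describes, and the same mismatch behind the "%FWSM-1-104002 ... Other unit has different set of vlans configured" message in the "One Context" thread above, can be automated. This is an added example, not code from either post: the two inputs are the `sh run | in fire` outputs posted in that earlier thread, the function names are assumptions, and it assumes the FWSM sits in the same slot number on both chassis.

```python
import re

# 'sh run | in fire' output from the two switches, as posted in the
# "FWSM Failover configuration - One Context" thread on this page.
SW_PRIMARY = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1,2
firewall vlan-group 1  10,20,25,400,1709
firewall vlan-group 2  1100,1101,1111,1112
"""
SW_SECONDARY = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1,2
firewall vlan-group 1  900,1709
firewall vlan-group 2  1100,1101,1111,1112
"""

GROUP_RE = re.compile(r"^\s*firewall vlan-group\s+(\d+)\s+(\S+)\s*$")
MODULE_RE = re.compile(r"^\s*firewall module\s+(\d+)\s+vlan-group\s+(\S+)\s*$")


def expand_ids(spec):
    """Expand a list such as '10,20-22,400' into {10, 20, 21, 22, 400}."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


def fwsm_vlans(show_run):
    """Map each firewall module slot to the set of VLANs handed to it."""
    groups, modules = {}, {}
    for line in show_run.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(expand_ids(m.group(2)))
            continue
        m = MODULE_RE.match(line)
        if m:
            modules.setdefault(int(m.group(1)), set()).update(expand_ids(m.group(2)))
    return {slot: set().union(*(groups.get(g, set()) for g in group_ids))
            for slot, group_ids in modules.items()}


def vlan_mismatch(run_first, run_second):
    """Return {slot: {'only_first': [...], 'only_second': [...]}} for differing slots."""
    first, second = fwsm_vlans(run_first), fwsm_vlans(run_second)
    report = {}
    for slot in sorted(set(first) | set(second)):
        only_first = sorted(first.get(slot, set()) - second.get(slot, set()))
        only_second = sorted(second.get(slot, set()) - first.get(slot, set()))
        if only_first or only_second:
            report[slot] = {"only_first": only_first, "only_second": only_second}
    return report


if __name__ == "__main__":
    for slot, diff in vlan_mismatch(SW_PRIMARY, SW_SECONDARY).items():
        print(f"module {slot}: only on first switch {diff['only_first']}, "
              f"only on second switch {diff['only_second']}")
```

An empty result means both chassis pass the same VLAN set to the module; any entry is a candidate cause for the secondary disabling failover.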

  • FWSM Failover times

    Hi Folks
    I have 2 6509's with fwsm in them. They are configured in active standby failover.... default values
    the 6500's are OSPF routers also. Everything is redundant HSRP, FWSM etc.
    when we reboot one of the 6500's it takes approximately 45 seconds for the standby FWSM to become active.
    Is this normal? can the time be shortened?
    any comments appreciated.

    Hi,
    The initial 15 seconds detection time can be reduced to 3 seconds, by tuning failover polltime and holdtime to the following:
    "failover polltime unit 1 holdtime 3"
    Also keep in mind that after switchover the new active will establish a neighbor relationship with the neighbor router. At any point in time the standby does not participate in the OSPF process, so in short the new active has to re-establish adjacencies.
    Hope that helps.
    Thanks,
    Varun

  • FWSM failover 6500

    Hi Folks,
    Firstly, is this the right forum to post threads about FWSM's? We have 2 FWSM's in two separate 6500 switches. There are a number of contexts on each FWSM.
    I want to fail a context from one FWSM over to the other 6500 and FWSM. Can you tell me how I can do that? Do I need to do it in the admin context and do I need to do it on the admin context of each 6500?
    Thanks,
    Netter

    Hi Jennifer,
    Great, yes we have a group 1 and a group 2 and some contexts live on each 6500. I cannot fail over the whole group as it's operational and I just want to fail over the test context I am working on.
    So I will have to move the context from one failover group to the next as you suggested. What is the best way to do this? Which admin context do I change it on first or does it matter? Should I change it on the context where it is currently live and then hop on the other 6500 and change it there?
    do I need to do a no command first like this?
    no join-failover-group 2
    then
    join-failover-group 1
    on both admin contexts.

  • FWSM Failover configuration

    Dear,
    I have two FWSMs and we want to set up failover on them. My FWSM has 20 monitored interfaces, but we want to put standby IP addresses on only nine VLAN interfaces and not on the others. I checked the configuration guide and see that all VLAN interfaces have a standby IP. Can I set up my FWSM with standby IPs on only nine interfaces, or must I configure all interfaces with a standby IP?
    I will appreciate your answer.
    Thanks,
    Robert Soto

    Hi Robert,
    It would be better to post this message in the Security section https://supportforums.cisco.com/community/netpro/security/firewall.
    As to your question you can have the FWSM with some interfaces configured with the standby IP address and some other without. However in the process of detecting if the mate is really down only the interfaces with the standby IP address will be used.
    Moreover I expect the interfaces with no standby IP address not to swap the MAC addresses after the failover.
    HTH
    Alessandro
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • ASA 5510 8.3(2.25) Failover Pair AnyConnect Sessions not Idle-Timing Out

    Hi guys,
    I have an Active/Standby pair of ASA 5510's running 8.3(2.25) software that are showing AnyConnect sessions running at 10 days +.
    The users in question are not connected...
    I have configured the profile's policy to idle-timeout after 90 minutes.
    Is this a bug?
    Kind regards, Ash.

  • ASA 5520 Anyconnect License on Active/Standby Failover pair

    Hi
    Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users)
    I've installed both activated licenses as per the Cisco guides; I didn't get any errors on the install. I did a reload on both, they are both back up and running as active/standby, but when I do a sh ver the license still shows "ASA 5520 VPN Plus License"
    Am I being dumb and has this worked successfully, or should it not now display Anyconnect when I do a sh ver?
    Any help would be much appreciated on this one please
    Regards
    Graham

    Thanks Marvin
    Below is the show ver, but I was kind of expecting there to be a mention of Anyconnect if I had activated the license
    We previously had the VPN Plus License, and it still shows VPN Plus
    Licensed features for this platform:
    Maximum Physical Interfaces : Unlimited
    Maximum VLANs               : 150      
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                     : Enabled  
    VPN-3DES-AES                 : Enabled  
    Security Contexts           : 2        
    GTP/GPRS                     : Disabled
    VPN Peers                   : 750      
    WebVPN Peers                 : 2        
    AnyConnect for Mobile       : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions           : 2        
    This platform has an ASA 5520 VPN Plus license.
