failover
Change or view access to the optional firewall feature. (Configuration mode.)
[no] failover [active]
failover ip address if_name ip_address
[no] failover link [stateful_if_name]
failover poll seconds
[no] failover replicate http
[no] failover reset
show failover
Syntax Description
active
Make a firewall the active unit. Use this command when you need to force control of the connection back to the unit you are accessing, such as when you want to switch control back from a unit after you have fixed a problem and want to restore service to the primary unit. Either enter no failover active on the secondary unit to switch service to the primary or failover active on the primary unit.
if_name
Interface on which the standby unit resides.
ip_address
The IP address used by the standby unit to communicate with the active unit. Use this IP address with the ping command to check the status of the standby unit. This address must be on the same network as the system IP address. For example, if the system IP address is 192.159.1.3, set the failover IP address to 192.159.1.4.
link
Specify the interface where a fast LAN link is available for Stateful Failover.
stateful_if_name
In addition to the failover cable, a dedicated fast LAN link is required to support Stateful Failover. Do not use FDDI because of its blocksize or Token Ring because Token Ring requires additional time to insert into the ring. The default interface is the highest LAN port with failover configured.
poll seconds
Specify how long failover waits before sending special failover "hello" packets between the primary and standby units over all network interfaces and the failover cable. The default is 15 seconds. The minimum value is 3 seconds and the maximum is 15 seconds. Set to a lower value for Stateful Failover. With a faster poll time, the firewall can detect failure and trigger failover faster. However, faster detection may cause unnecessary switchovers when the network is temporarily congested or a network card starts slowly.
reset
Force both units back to an unfailed state. Use this command once the fault has been corrected. The failover reset command can be entered from either unit, but it is best to always enter commands at the active unit. Entering the failover reset command at the active unit will "unfail" the standby unit.
replicate http
The [no] failover replicate http command allows the stateful replication of HTTP sessions in a Stateful Failover environment. The no form of this command disables HTTP replication in a Stateful Failover configuration. When HTTP replication is enabled, the show failover command displays the failover replicate http configuration.
Usage Guidelines
Use the failover command without an argument after you connect the optional failover cable between the primary firewall and a secondary firewall. The default configuration has failover enabled. Enter no failover in the configuration file for the firewall if you will not be using the failover feature. Use the show failover command to verify the status of the connection and to determine which unit is active.
For failover, the firewall requires that any unused interfaces be given IP addresses and connected to the standby unit, so that they can receive failover checkup messages.
Set the Stateful Failover dedicated interface to 100 Mbps full duplex using the 100full option to the interface command.
Use the failover active command to initiate a failover switch from the standby unit, or the no failover active command from the active unit to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an active unit offline for maintenance. Because the standby unit does not keep state information on each connection, all active connections will be dropped and must be re-established by the clients.
Use the failover link command to enable Stateful Failover. The Stateful Failover interface can be either an Ethernet or a Token Ring interface; FDDI interfaces are supported only for non-Stateful Failover interfaces. Enter the no failover link command to disable the Stateful Failover feature.
If a failover IP address has not been entered, show failover will display 0.0.0.0 for the IP address, and monitoring of the interfaces will remain in "waiting" state. A failover IP address must be set for failover to work.
The failover poll seconds command allows you to determine how long failover waits before sending special failover "hello" packets between the primary and standby units over all network interfaces and the failover cable. The default is 15 seconds. The minimum value is 3 seconds and the maximum is 15 seconds. Set to a lower value for Stateful Failover. With a faster poll time, the firewall can detect failure and trigger failover faster. However, faster detection may cause unnecessary switchovers when the network is temporarily congested or a network card starts slowly.
When a failover cable connects two firewall units, the no failover command now disables failover until you enter the failover command to explicitly enable failover. Previously, when the failover cable connected two firewall units and you entered the no failover command, failover would automatically re-enable after 15 seconds.
If you reboot the firewall without entering the write memory command and the failover cable is connected, failover mode automatically enables.
You can also view the information from the show failover command using SNMP.
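Putting the guidelines above together, the following is an added example configuration for the primary unit (it is not from the original page). Lines beginning with ":" are comments; the physical interface numbers, the nameif lines and the standby addresses for outside and inside are assumptions, while the FailLink addresses follow the show failover output in the Examples section.

```text
: Constructed example, primary unit. Interface numbering, nameif lines and the
: standby addresses for outside/inside are assumed, not taken from the page.
interface ethernet0 auto
interface ethernet1 auto
: Dedicated Stateful Failover link runs at 100 Mbps full duplex
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 FailLink security10
ip address outside 209.165.200.225 255.255.255.224
ip address inside 10.1.1.4 255.255.255.0
ip address FailLink 172.16.31.1 255.255.255.0
: Enable failover; every monitored interface needs a standby address on the same
: network, otherwise show failover reports 0.0.0.0 and the interface stays in "waiting"
failover
failover ip address outside 209.165.200.226
failover ip address inside 10.1.1.5
failover ip address FailLink 172.16.31.2
: Carry connection state (HTTP sessions included) over the dedicated link
failover link FailLink
failover replicate http
: Fastest detection the command allows (3 s minimum); weigh it against
: spurious switchovers under congestion or a slow-starting network card
failover poll 3
: Save, so the failover state does not depend on the cable being sensed at reboot
write memory
```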
Examples
The following sample output shows that failover is enabled, and that the primary unit state is active:
pixfirewall(config)# show failover
Failover On
Cable status:Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
failover replication http
This host:Secondary - Standby
        Active time:0 (sec)
        Interface FailLink (172.16.31.2):Normal
        Interface 4th (172.16.16.1):Normal
        Interface int5 (192.168.168.1):Normal
        Interface intf2 (192.168.1.1):Normal
        Interface outside (209.165.200.225):Normal
        Interface inside (10.1.1.4):Normal
Other host:Primary - Active
        Active time:242145 (sec)
        Interface FailLink (172.16.31.1):Normal
Cable status has these values:
Normal: The active unit is working and the standby unit is ready.
Waiting: Monitoring of the other unit's network interfaces has not yet started.
Failed: The firewall has failed.
Stateful Obj has these values:
Xmit: Number of packets transmitted.
Xerr: Number of transmit errors.
Rcv: Number of packets received.
Rerr: Number of receive errors.
Each row is for a particular object static count:
General: The sum of all stateful objects.
Sys cmd: Refers to logical update system commands, such as login or stay alive.
Up time: The firewall up time value, which the active firewall unit passes on to the standby unit.
Xlate: The firewall translation information.
Tcp conn: The firewall dynamic TCP connection information.
Udp conn: The firewall dynamic UDP connection information.
ARP tbl: The firewall dynamic ARP table information.
RIF tbl: The dynamic router table information.
You can view the IP addresses of the standby unit with the show ip address command:
pixfirewall(config)# show ip address
System IP Addresses:
        ip address outside 209.165.201.2 255.255.255.224
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.168.70.3 255.255.255.0
Current IP Addresses:
        ip address outside 209.165.201.2 255.255.255.224
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.168.70.3 255.255.255.0
The Current IP Addresses are the same as the System IP Addresses on the failover active unit. When the primary unit fails, the Current IP Addresses become those of the standby unit.
The standby Logical Update Statistics output that displays when you use the show failover command only describes Stateful Failover. The "xerrs" value does not indicate an error in failover, but rather the number of packet transmit errors.
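Because show failover is the way to confirm that the pair is actually protecting you, a monitoring job that parses its output and flags the conditions this page calls out (failover off, cable not Normal, a 0.0.0.0 failover address, an interface stuck in Waiting, no Active unit) is a useful check. The following is an added example, not part of the original reference; the sample output is constructed from the show failover listing above, and the parsed field names are this example's own.

```python
import re

# Constructed sample, trimmed from the show failover output shown on this page.
HEALTHY = """\
Failover On
Cable status:Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
failover replication http
This host:Secondary - Standby
        Active time:0 (sec)
        Interface FailLink (172.16.31.2):Normal
        Interface outside (209.165.200.225):Normal
        Interface inside (10.1.1.4):Normal
Other host:Primary - Active
        Active time:242145 (sec)
        Interface FailLink (172.16.31.1):Normal
"""

HOST_RE = re.compile(r"^(This|Other) host:(\w+) - (\w+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\):(\w+)$")

def parse_show_failover(text):
    """Parse show failover output into global fields plus per-host interface status."""
    info = {"enabled": None, "cable_status": None, "poll_seconds": None,
            "http_replication": False, "hosts": []}
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover "):
            info["enabled"] = line.split()[1] == "On"
        elif line.startswith("Cable status:"):
            info["cable_status"] = line.split(":", 1)[1]
        elif line.startswith("Poll frequency"):
            info["poll_seconds"] = int(line.split()[2])
        elif line == "failover replication http":
            info["http_replication"] = True
        elif (m := HOST_RE.match(line)):
            host = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            info["hosts"].append(host)
        elif (m := IFACE_RE.match(line)) and host is not None:
            host["interfaces"][m.group(1)] = (m.group(2), m.group(3))  # name -> (ip, status)
    return info

def failover_issues(info):
    """Return findings that mean failover is not working or not fully monitored."""
    issues = []
    if not info["enabled"]:
        issues.append("failover is disabled")
    if info["cable_status"] != "Normal":
        issues.append(f"cable status is {info['cable_status']}")
    if not any(h["state"] == "Active" for h in info["hosts"]):
        issues.append("no unit reports Active")
    for h in info["hosts"]:
        for name, (ip, status) in h["interfaces"].items():
            if ip == "0.0.0.0":  # page: failover IP address never set, monitoring stays in waiting
                issues.append(f"{h['unit']} {name}: no failover IP address set")
            if status != "Normal":
                issues.append(f"{h['unit']} {name}: status {status}")
    return issues
```

Run it against the output of each unit, since the same cable status can be paired with different interface states on the two sides.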