Failover Issues
Failover helps to avoid a single point of failure in your network and provides continuous protection for your network. The stateful failover feature provides a seamless connectivity experience through the firewall for end users. As of the writing of this book, FWSM operates in Active/Standby mode, which means that at any point in time, one unit is active and the other unit is standby. Only one unit can be a standby unit for an active unit. Unlike the PIX firewall, FWSM can function only in LAN-based Failover mode, in which a LAN interface carries the failover messages from one unit to the other. Because there is no dedicated serial cable available for LAN-based Failover, the active unit is selected based on the configuration of the FWSM. You configure one unit as primary and the other unit as secondary. When both units boot up at the same time, the primary becomes active and the secondary becomes standby. However, if the secondary boots up before the primary, the secondary becomes active, and it stays active until it fails or you manually force the primary unit to become active. There is no automatic preemption.
Failover for FWSM can be deployed in one of the following two ways, as shown in Figure 4-6:
- Intra Chassis Redundancy
- Inter Chassis Redundancy
Figure 4-6. Intra/Inter Chassis Redundancy
- Intra Chassis Redundancy (Single Chassis): For an Intra Chassis Failover setup, two FWSMs are inserted into the same chassis. One FWSM acts as the primary and the other acts as the secondary unit. From a network point of view, there is no issue in supporting Active and Standby Firewall blades in the same chassis, but the chassis itself remains a single point of failure. Note that there is a dedicated failover interface between the active and standby units.
- Inter Chassis Redundancy (Multi Chassis): As shown in Figure 4-6 (the figure on the right), for an Inter Chassis setup the Catalyst Switch on the left holds the Active Firewall, whereas the one on the right holds the Standby Firewall unit. Every Firewall interface on the active unit must be Layer 2 adjacent to the corresponding interface on the standby unit, which in this design is provided by a 6 Gb dot1q Etherchannel link between the two switches. The 6 Gb channel is not mandatory, because all Firewall interfaces are virtual; it can be of smaller bandwidth, with the obvious side effect of reduced bandwidth after switchover, in which case this link can become a bottleneck. Nor is it mandatory to have an Etherchannel link between the Active and Standby Firewall modules at all. The only requirement is that all corresponding interfaces of the Active and Standby Firewall be reachable from each other at Layer 2 of the OSI model.
Both switches (the ones hosting the Active and Standby Firewall modules) should have identical definitions of the firewall and normal router interfaces on the MSFC. After switchover, that is, when the Active Firewall fails and the Standby unit becomes the new Active Firewall, all (and only) the Firewall traffic is bridged to the new active Firewall over the Etherchannel between the two switches. Traffic coming out of the Firewall will have to cross the Etherchannel (or any other Layer 2 connectivity to the other switch for Firewall interfaces) to reach the actual hosts.
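As an added illustration (not taken from the book), the following is a minimal LAN-based failover configuration for the primary and secondary FWSM described above, together with the supervisor-side VLAN group that must be defined identically on both chassis. The slot number, VLAN numbers, interface names and IP addresses are assumed values.

```cisco
! --- Supervisor (MSFC) on each chassis: identical firewall VLAN group ---
! VLAN 10 = failover link, VLAN 11 = stateful link, 100-101 = firewall data VLANs
! (slot and VLAN numbers are assumed values)
firewall vlan-group 1 10,11,100,101
firewall module 5 vlan-group 1
! For Inter Chassis redundancy these VLANs must also be carried on the
! dot1q trunk/Etherchannel between the two switches.

! --- Primary FWSM ---
failover lan unit primary
failover lan interface folink vlan 10
failover link stlink vlan 11
failover interface ip folink 10.0.10.1 255.255.255.0 standby 10.0.10.2
failover interface ip stlink 10.0.11.1 255.255.255.0 standby 10.0.11.2
failover

! --- Secondary FWSM ---
! Only the unit role differs; the remaining configuration is replicated
! from the active unit once the failover link is up.
failover lan unit secondary
failover lan interface folink vlan 10
failover interface ip folink 10.0.10.1 255.255.255.0 standby 10.0.10.2
failover
```

After both units are up, `show failover` on either unit reports which unit is currently active; because there is no preemption, the secondary may legitimately be active if it booted first.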
It is extremely important to understand how failover operates before delving into the details of configuring and troubleshooting failover on FWSM. This section covers the following three items: