Active-Active Failover Setup
Active-active failover is done at a context basis, compared to active-standby in which failover
is handled on a unit basis. Each Security Appliance monitors any failover peers for failure.
With active-active failover logic, a failure can be unit based or virtual context-based. If a
Security Appliance detects a failure state in a peer, the Security Appliance will gradually
transition the standby context to active. The Security Appliance will then have two active
contexts passing traffic. Failover groups must be active, and the contexts participating in
active-active failover must be grouped together to function properly.
Failover Group
Failover groups are designed to combine one or more contexts into a failover group. A
security appliance uses failover groups to manage virtual contexts as explained in Chapter 9,
“Security Contexts.” A Security Appliance can only support up to two failover groups. Each
failover group in a Security Appliance contains separate state machines that keep track of a
failover group’s contexts failover state.
In Figure 12-2, Context 1 on the primary and secondary Security Appliances are grouped
together into failover Group 1. Context 2 of each Security Appliance is grouped into failover
Group 2.
NOTE Serial cable-based failover can support active-active failover mode.