Configuration Replication
Configuration changes, including initial failover configurations to the Cisco Security
Appliance, are done on the primary unit. The standby unit keeps the current configuration
through the process of configuration replication. For configuration replication to occur, the
two Security Appliance units should be running the same software release. Configuration
replication usually occurs when
■ The standby unit completes its initial bootup and the active unit replicates its entire
configuration to the standby unit.
■ Commands are entered on the active unit and the commands/changes are
sent across the failover cable to the standby unit.
■ The write standby command is issued on the active unit, which forces the entire
configuration in memory to be sent to the standby unit.
When the replication starts, the Security Appliance console displays the message Sync
Started. When the replication is complete, the Security Appliance console displays the
message Sync Completed. During the replication, information cannot be entered on the
Security Appliance console.
The write memory command is important, especially when failover is being configured for
the first time. During the configuration replication process, the configuration is replicated
from the active unit’s running configuration to the running configuration of the standby unit.
Because the running configuration is held in RAM (which is volatile), you should issue the
write memory command on the primary unit to save the configuration to Flash memory.
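The following check is an added example, not code from the book or from Cisco. It audits a saved console capture for the two conditions described above: a replication that started but never reported Sync Completed, and a finished replication that was not followed by write memory. The capture text, the prompt format, and the function name audit_replication are assumptions made for illustration.

```python
import re

# Constructed console capture (not from the book). The prompt format and the
# interleaving of commands and messages are assumptions for illustration.
SAMPLE_CAPTURE = """\
pixfirewall(config)# write standby
Sync Started
Sync Completed
pixfirewall(config)# write memory
pixfirewall(config)# write standby
Sync Started
"""

# A line that looks like "<prompt># <command>".
PROMPT = re.compile(r"^\S+#\s*(?P<cmd>.+)$")


def audit_replication(capture):
    """Return (completed_syncs, sync_in_progress, saved_after_last_sync).

    completed_syncs       number of Sync Started / Sync Completed pairs
    sync_in_progress      True if the last Sync Started has no Sync Completed
    saved_after_last_sync True if write memory appears after the most recent
                          replication finished
    """
    completed = 0
    in_progress = False
    saved = False
    for raw in capture.splitlines():
        line = raw.strip()
        if line == "Sync Started":
            in_progress = True
            saved = False  # a new replication needs a new save afterwards
        elif line == "Sync Completed" and in_progress:
            in_progress = False
            completed += 1
        else:
            match = PROMPT.match(line)
            # The console accepts no input during replication, so a command
            # seen while a sync is open is not counted as a save.
            if match and match.group("cmd").strip() == "write memory" and not in_progress:
                saved = True
    return completed, in_progress, saved


if __name__ == "__main__":
    print(audit_replication(SAMPLE_CAPTURE))
```
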
In addition to configuration replication, operating system (OS) upgrades are required from
time to time as maintenance releases are deployed by Cisco. Beginning with software version
7.0(1), the zero-downtime software upgrade feature has been added to give an administrator
the ability to perform software upgrades of failover pairs without impacting network uptime
or connections flowing through the units. Security Appliances have the ability to do
inter-version state sharing between the units of a failover pair, as long as both units use
software version 7.0 or later. Inter-version state sharing makes it possible for an administrator to perform software
upgrades to new maintenance releases without impacting the traffic flow over either Security
Appliance.