14-13
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
Chapter 14 Configuring Failover
Understanding Failover
The following commands are not replicated to the standby unit:
• all forms of the copy command except for copy running-config startup-config
• all forms of the write command except for write memory
• debug
• failover lan unit
• firewall
• mode
• show
You can use the write standby command to resynchronize configurations that have become out of sync.
For Active/Active failover, the write standby command behaves as follows:
• If you enter the write standby command in the system execution space, the system configuration and the configurations for all of the security contexts on the security appliance are written to the peer unit. This includes configuration information for security contexts that are in the standby state. You must enter the command in the system execution space on the unit that has failover group 1 in the active state.
Note: If there are security contexts in the active state on the peer unit, the write standby command causes active connections through those contexts to be terminated. Use the failover active command on the unit providing the configuration to make sure all contexts are active on that unit before entering the write standby command.
• If you enter the write standby command in a security context, only the configuration for the security context is written to the peer unit. You must enter the command in the security context on the unit where the security context appears in the active state.
Replicated commands are not saved to the Flash memory when replicated to the peer unit. They are added to the running configuration. To save replicated commands to Flash memory on both units, use the write memory or copy running-config startup-config command on the unit that you made the changes on. The command is replicated to the peer unit and causes the configuration to be saved to Flash memory on the peer unit.
Failover Triggers
In Active/Active failover, failover can be triggered at the unit level if one of the following events occurs:
• The unit has a hardware failure.
• The unit has a power failure.
• The unit has a software failure.
• The no failover active or the failover active command is entered in the system execution space.
Failover is triggered at the failover group level when one of the following events occurs:
• Too many monitored interfaces in the group fail.
• The no failover active group group_id or failover active group group_id command is entered.
You configure the failover threshold for each failover group by specifying the number or percentage of
interfaces within the failover group that must fail before the group fails. Because a failover group can
contain multiple contexts, and each context can contain multiple interfaces, it is possible for all
interfaces in a single context to fail without causing the associated failover group to fail.
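The following is an added example, not taken from the Cisco guide: a small Python model of the threshold rule above that lists the contexts in a failover group that could lose every monitored interface without the group failing over. The context and interface names, the "50%" notation, and the rounding of a percentage up to a whole interface are assumptions made for illustration.

```python
from math import ceil

# Constructed sample: one failover group, its contexts and their monitored interfaces.
GROUP1 = {
    "admin": ["mgmt-outside", "mgmt-inside"],
    "ctxA": ["a-outside", "a-inside", "a-dmz"],
    "ctxB": ["b-outside", "b-inside"],
}


def failures_needed(total_ifaces, threshold):
    """Smallest number of failed interfaces that fails the whole group.

    threshold is an integer count, or a string such as "50%" (assumed
    notation). A percentage is rounded up to a whole interface, which is
    an assumption of this model, not documented appliance behaviour.
    """
    if isinstance(threshold, str) and threshold.endswith("%"):
        pct = int(threshold[:-1])
        return max(1, ceil(total_ifaces * pct / 100))
    return int(threshold)


def group_fails(failed, total_ifaces, threshold):
    """True when the number of failed interfaces reaches the group threshold."""
    return failed >= failures_needed(total_ifaces, threshold)


def silent_context_outages(group, threshold):
    """Contexts that can lose all monitored interfaces without group failover."""
    total = sum(len(ifaces) for ifaces in group.values())
    need = failures_needed(total, threshold)
    return sorted(
        ctx for ctx, ifaces in group.items()
        if ifaces and len(ifaces) < need
    )


if __name__ == "__main__":
    for threshold in (2, 3, "50%"):
        exposed = silent_context_outages(GROUP1, threshold)
        print(f"threshold={threshold}: contexts that can fail silently: {exposed}")
```

Running the same check against the real context-to-interface mapping of each failover group shows whether the chosen threshold leaves any context able to go fully dark while its group stays active.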