Failover Health Monitoring - Cisco FirePOWER ASA 5500 series Configuration Manual

Cisco Security Appliance Command Line Configuration Guide (OL-10088-01)
Chapter 14: Configuring Failover
Understanding Failover, page 14-15

• UDP connection states.
• The ARP table.
• The Layer 2 bridge table (when running in transparent firewall mode).
• The HTTP connection states (if HTTP replication is enabled).
• The ISAKMP and IPSec SA table.
• GTP PDP connection database.

The information that is not passed to the standby unit when Stateful Failover is enabled includes the following:

• The HTTP connection table (unless HTTP replication is enabled).
• The user authentication (uauth) table.
• The routing tables.
• State information for Security Service Modules.
• DHCP server address leases.

Note: If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Call Manager. This occurs because there is no session information for the CTIQBE hangup message on the standby unit. When the IP SoftPhone client does not receive a response back from the Call Manager within a certain time period, it considers the Call Manager unreachable and unregisters itself.

Failover Health Monitoring

The security appliance monitors each unit for overall health and for interface health. See the following sections for more information about how the security appliance performs tests to determine the state of each unit:

• Unit Health Monitoring, page 14-15
• Interface Monitoring, page 14-16

Unit Health Monitoring

The security appliance determines the health of the other unit by monitoring the failover link. When a unit does not receive three consecutive hello messages on the failover link, the unit sends an ARP request on all interfaces, including the failover interface. The action the security appliance takes depends on the response from the other unit. See the following possible actions:

• If the security appliance receives a response on the failover interface, then it does not fail over.
• If the security appliance does not receive a response on the failover link, but receives a response on another interface, then the unit does not fail over. The failover link is marked as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby while the failover link is down.
• If the security appliance does not receive a response on any interface, then the standby unit switches to active mode and classifies the other unit as failed.
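The unit health check described above, modelled as a small state machine. This is an added example, not code from the Cisco guide; the class, method and interface names are hypothetical, and restarting the miss counter after each probe is an assumption.

```python
from enum import Enum

HELLO_MISS_LIMIT = 3  # consecutive missed hellos that trigger the ARP probe

class Action(Enum):
    NONE = "no probe needed"
    NO_FAILOVER = "peer answered on the failover interface"
    LINK_FAILED = "peer answered only on another interface; failover link marked failed"
    BECOME_ACTIVE = "no answer anywhere; standby goes active, peer classified as failed"

class UnitHealthMonitor:
    """Standby unit's view of its peer. Class and method names are hypothetical."""

    def __init__(self, failover_if, other_ifs):
        self.failover_if = failover_if
        self.all_ifs = {failover_if, *other_ifs}
        self.missed = 0
        self.failover_link_ok = True

    def tick(self, hello_received, arp_answered_on=()):
        """Process one hello interval; arp_answered_on is read only if a probe is sent."""
        if hello_received:
            self.missed = 0
            return Action.NONE
        self.missed += 1
        if self.missed < HELLO_MISS_LIMIT:
            return Action.NONE
        self.missed = 0  # assumption: the miss counter restarts after each probe
        # The ARP request goes out on all interfaces, including the failover interface.
        answered = self.all_ifs & set(arp_answered_on)
        if self.failover_if in answered:
            return Action.NO_FAILOVER
        if answered:
            self.failover_link_ok = False  # restore the link: no failover while it is down
            return Action.LINK_FAILED
        return Action.BECOME_ACTIVE

def replay(monitor, timeline):
    """Feed (hello_received, arp_answered_on) tuples; return the actions that followed a probe."""
    actions = [monitor.tick(hello, arp) for hello, arp in timeline]
    return [a for a in actions if a is not Action.NONE]

# Constructed timeline: two misses, a hello (counter resets), then three misses
# while the peer still answers ARP on the "inside" interface only.
SAMPLE = [(False, ()), (False, ()), (True, ()),
          (False, ()), (False, ()), (False, ("inside",))]
```

Replaying `SAMPLE` yields a single `LINK_FAILED` action: the isolated hello resets the counter, and a peer that answers ARP only on a data interface is treated as alive with a broken failover link.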


This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series
