Device High Availability State Sharing - Cisco FirePOWER 7000 Manual

7000 and 8000 series device high availability
Procedure
Step 1
Choose Devices > Device Management.
Step 2
Next to the stack member you want to place into maintenance mode, click the toggle maintenance mode icon.
Step 3
Click Yes to confirm maintenance mode.
Step 4
Click the replace device icon.
Step 5
Choose the Replacement Device from the drop-down list.
Step 6
Click Replace to replace the device.
Step 7
Click the toggle maintenance mode icon again to bring the stack immediately out of maintenance mode.
Note
You do not need to re-deploy the device configuration.

Device High Availability State Sharing

Device high availability state sharing allows devices or stacks in high-availability pairs to synchronize as much state as necessary, so that if either device or stack fails, the other peer can take over with no interruption to traffic flow. Without state sharing, the following features may not fail over properly:
• Strict TCP enforcement
• Unidirectional access control rules
• Blocking persistence
Note, however, that enabling state sharing slows system performance.

You must configure and enable HA link interfaces on both devices or the primary stacked devices in the high-availability pair before you can configure high availability state sharing. Firepower 82xx Family and 83xx Family devices require a 10G HA link, while other model devices require a 1G HA link.

You must disable state sharing before you can modify the HA link interfaces.

Note
If paired devices fail over, the system terminates all existing SSL-encrypted sessions on the active device. Even if you establish high availability state sharing, these sessions must be renegotiated on the standby device. If the server establishing the SSL session supports session reuse and the standby device does not have the SSL session ID, it cannot renegotiate the session.

Strict TCP Enforcement

When you enable strict TCP enforcement for a domain, the system drops any packets that are out of order on TCP sessions. For example, the system drops non-SYN packets received on an unestablished connection. With state sharing, devices in the high-availability pair allow TCP sessions to continue after failover without
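
The interaction between strict TCP enforcement and failover described in this section, as an added example (a simplified model written for illustration, not Cisco code or the device's actual implementation). It assumes each device keeps its own table of connections for which it has seen a SYN, and that state sharing copies new entries to the peer; the Device class, the sample flows and the function names are hypothetical.

```python
# Simplified model of strict TCP enforcement on an HA pair.
# Constructed for illustration; class and function names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    state_sharing: bool = False
    conns: set = field(default_factory=set)  # flows for which a SYN was seen
    peer: "Device | None" = None

    def process(self, flow, flags):
        """Return 'allow' or 'drop' for one TCP segment."""
        if flags == {"SYN"}:
            self.conns.add(flow)
            if self.state_sharing and self.peer is not None:
                self.peer.conns.add(flow)  # entry synchronized over the HA link
            return "allow"
        # Strict TCP enforcement: non-SYN on an unestablished connection.
        return "allow" if flow in self.conns else "drop"


# Constructed sample flows (client IP, client port, server IP, server port).
FLOW = ("10.0.0.5", 40000, "192.0.2.10", 443)
NEW_FLOW = ("10.0.0.5", 40001, "192.0.2.10", 443)


def failover_verdicts(state_sharing):
    """Open a session on the active device, fail over, replay mid-stream traffic."""
    active = Device("active", state_sharing)
    standby = Device("standby", state_sharing)
    active.peer, standby.peer = standby, active
    handshake = [active.process(FLOW, f) for f in ({"SYN"}, {"SYN", "ACK"}, {"ACK"})]
    # The active device fails; the standby peer now receives the traffic.
    return {
        "handshake": handshake,
        "existing_session": standby.process(FLOW, {"ACK", "PSH"}),
        "new_session": standby.process(NEW_FLOW, {"SYN"}),
    }


if __name__ == "__main__":
    for sharing in (False, True):
        print("state sharing:", sharing, failover_verdicts(sharing))
```

In this model only sessions that were already open at failover are affected: without state sharing the standby peer drops their mid-stream segments, while a new SYN is accepted either way.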

This manual is also suitable for:

Firepower 8000
