49-18
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 49 Configuring Failover
Failover Policies
Table 49-6 Failover Page (ASA/PIX 7.0+) (Continued)

Element: Description

Enable Failover: Check this box to enable failover on this device. Ensure that both devices have the same software version, activation key type, flash memory, and RAM.

On PIX devices with LAN Based chosen as the Failover Method, and on all ASAs, you must next configure the logical LAN Failover interface and, optionally, the stateful failover interface.

Bootstrap button: Click to display the Bootstrap Configuration for LAN Failover dialog box. See Bootstrap Configuration for LAN Failover Dialog Box, page 49-26 for more information.

Settings button: Click to display the Settings Dialog Box, page 49-20, used to define when failover should occur.

Timeout: The failover Timeout specifies the amount of time after a system boots or becomes active that “nailed” sessions are accepted; it is used in conjunction with static translation rules (see Static Rules Tab, page 23-25 for more information).

Enter a value in this field to specify the failover reconnect timeout value for asymmetrically routed sessions. The value is in the form hh:mm:ss (hours:minutes:seconds); both minutes and seconds are optional. Valid values for the number of hours are -1 to 1193; the default value is 0, which means connections cannot be re-established. Setting this value to -1 disables the timeout, allowing reconnections after any amount of time.

Configuration

This section is presented only for devices operating in multiple-context mode.

Active/Active: In an Active/Active failover configuration, both security appliances inspect network traffic, on a per-context basis. That is, for each context, one of the appliances is the active device, while the other is the standby device.

To enable Active/Active failover on the security appliance, you must assign the security contexts to one of two failover groups. A failover group is simply a logical group of one or more security contexts. You should specify failover group assignments on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default. See Add/Edit Security Context Dialog Box (PIX/ASA), page 57-7 for information about assigning a context to a failover group.
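
The Timeout field's hh:mm:ss format and its two special values (0 and -1) can be checked across a set of devices before deployment. The following is an added example, not part of the Cisco guide or of Security Manager: the 0-59 bound on minutes and seconds, the rule that -1 carries no minutes or seconds, and the device names in SAMPLE are assumptions made for illustration.

```python
import re

MAX_HOURS = 1193  # upper bound for hours given in the Timeout description
_FORMAT = re.compile(r"^(-?\d+)(?::(\d{1,2}))?(?::(\d{1,2}))?$")

def parse_failover_timeout(value):
    """Parse an hh[:mm[:ss]] Timeout value into (state, seconds).

    state is 'no-reconnect' (0, the default), 'unlimited' (-1, timeout
    disabled) or 'bounded' (a finite reconnect window, in seconds).
    """
    m = _FORMAT.match(value.strip())
    if not m:
        raise ValueError(f"{value!r} is not in hh:mm:ss form")
    hours = int(m.group(1))
    minutes = int(m.group(2) or 0)   # minutes are optional
    seconds = int(m.group(3) or 0)   # seconds are optional
    if not -1 <= hours <= MAX_HOURS:
        raise ValueError(f"hours {hours} outside -1..{MAX_HOURS}")
    if minutes > 59 or seconds > 59:  # assumption: clock-style fields
        raise ValueError(f"minutes/seconds out of range in {value!r}")
    if hours == -1:
        if minutes or seconds:        # assumption: -1 stands alone
            raise ValueError("-1 cannot carry minutes or seconds")
        return ("unlimited", None)
    total = hours * 3600 + minutes * 60 + seconds
    return ("no-reconnect", 0) if total == 0 else ("bounded", total)

def audit(devices):
    """Return (device, severity, reason) for values that need attention."""
    findings = []
    for name, value in sorted(devices.items()):
        try:
            state, _ = parse_failover_timeout(value)
        except ValueError as exc:
            findings.append((name, "invalid", str(exc)))
            continue
        if state == "unlimited":
            findings.append((name, "review",
                             "timeout disabled: reconnections allowed "
                             "after any amount of time"))
    return findings

# Constructed sample input: hypothetical device names and Timeout values.
SAMPLE = {"fw-edge-1": "0", "fw-edge-2": "-1",
          "fw-core-1": "0:30", "fw-core-2": "1200:00:00"}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```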