User Guide for Cisco Security Manager 4.4
Chapter 49 Configuring Failover
Failover Policies
Field Reference
Failover Page (Security Context)
The Failover page for individual ASA and PIX 7.0+ security contexts presents the Interface
Configuration table, which lists all available named interfaces.
You can select an interface in the table and click the Edit Row button to open the Edit Failover Interface
Configuration Dialog Box, page 49-23, where you can specify a standby IP address and an ASR group
number, and enable or disable monitoring of the interface.
For individual transparent-mode contexts on ASA 8.4.1+ devices, the Failover page also presents the
Bridge Group Configuration table, which lists all currently defined failover bridge groups.
Table 49-10 Edit Failover Group Dialog Box
Element: Description

Preferred Role: Specifies the unit in the failover pair, primary or secondary, on which this failover group appears in the active state when both units start up simultaneously, or when the Preempt option is selected. Choose Primary or Secondary.
You can have both failover groups in the active state on a single unit in the pair; however, a more typical configuration is to assign each failover group a different role to make each one active on a different unit, balancing the traffic across the devices.

Poll time interval for monitored interfaces: Specify the amount of time between polling of monitored interfaces. Valid values are from 3 to 15 seconds (or 500 to 999 milliseconds if msec is checked).

Hold Time: Specify the time period within which the group must receive a hello message, after which the other group is declared failed. Valid values are from 5 to 75 seconds.

Preempt after Reboot: Specifies the number of seconds that the preferred failover device should wait after rebooting before taking over as the active unit for this failover group. Valid values are from 0 to 1200 seconds.

Enable HTTP Replication: Indicates whether active HTTP sessions are copied to the standby device for this failover group as part of Stateful failover. If you do not allow HTTP replication, HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Failover page.

Failover Criteria: Select a failed-interfaces criterion for this group and specify the appropriate value:
• Number of failed interfaces – When this number of interfaces have failed, failover is triggered. Valid values are 1 to 250.
• Percentage of failed interfaces – When this percentage of the total number of interfaces have failed, failover is triggered. Valid values are 1 to 100.

MAC Address Mapping: This table displays interfaces to which active and standby MAC addresses are mapped.