FWSM Active/Standby configuration.

FrankGuthrie Member Posts: 245
If I have 2 firewalls, 1 active, 1 standby, and I need to create a VLAN interface on them, how can I add 2 non-duplicate IP addresses?

If I'm logging in on the 2 different firewalls, I always end up with the name of the active one and the configuration of the active one. The only reason I know I'm on the standby is by using the #sh fail command.

However, when looking at the running config I see the exact same config on both firewalls, which makes sense because the other will take over if 1 goes down. The problem is, when I create a new VLAN interface, do I need to do this on both firewalls? And how do I do this?

When I create the VLAN interface on the active 1 I'll use the following command for IP assignment:
#ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

The problem is, when logging on to the failover, I don't see the 192.168.1.2 address as the primary IP address, but I see the same IP addresses as the ones on the active firewall. This is probably because the primary is syncing to the secondary. How can I see the true/actual config on the failover?

Because when I log in on the failover and check the same VLAN interface I see
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

On the failover I would expect to see this:
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.1

Comments

  • EdTheLad Member Posts: 2,111
    Been a while since I've played with the FWSM but from what I remember:
    1) Once both fwsm's are synched you only config on the active
    2) When configuring the vlan interface, the config is applied only to the active, the standby will be told what ip address to use if the active fails, the only config relevant on the standby is the config that is used to synch to the active.
    3) You need to stop looking at this failover pair as 2 separate entities, once synched, it's the same logical entity.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • FrankGuthrie Member Posts: 245
    Hi Ed,

    So I don't need to use 2 sets of IP addresses when I deploy 2 firewalls in an active/standby configuration, just 1 set of IP addresses and 2 pieces of hardware, correct?

    The strange thing is that I've seen somewhere in our network we had the same setup, but the failover firewall had different IP addresses. I was told that this was done to not have duplicate IP addresses in the network. When the active fails, the failover takes over the IP addresses of the active and drops its own IP addresses.
  • EdTheLad Member Posts: 2,111
    ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
    Assigns 192.168.1.1 to the active and 192.168.1.2 to the standby. It's possible that there is another way to set this up; it's been a year since I played with it, so I can't remember. FWSM is end of life, so I wouldn't waste too much time on it.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
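The two things the thread turns on are that the active/standby pair shares one running config (so the `ip address ... standby ...` line looks identical on both units) and that the only reliable way to know which unit you are on is `show failover`. The script below is an added example, not from the thread or from Cisco; it takes a constructed interface stanza and a constructed `show failover` excerpt, works out which address this unit actually answers on right now, and checks that the active and standby addresses sit in the same subnet (a requirement the `standby` keyword imposes). The sample config and `show failover` text are constructed for the example; the function names are mine.

```python
import ipaddress
import re

# Constructed sample: one interface stanza as it appears in the shared running config.
SAMPLE_INTERFACE_CONFIG = """\
interface Vlan100
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
"""

# Constructed sample: the first lines of 'show failover' as seen on the standby unit.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Failover LAN Interface: folink Vlan10 (up)
This host: Secondary - Standby Ready
        Active time: 0 (sec)
Other host: Primary - Active
        Active time: 86400 (sec)
"""

IP_LINE = re.compile(r"^\s*ip address (\S+) (\S+) standby (\S+)\s*$")
IFACE_LINE = re.compile(r"^interface (\S+)\s*$")
THIS_HOST = re.compile(r"^This host:\s+(\w+)\s+-\s+(.+?)\s*$")


def parse_interface_addresses(config):
    """Return one dict per interface that carries an active/standby address pair."""
    result = []
    current = None
    for line in config.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IP_LINE.match(line)
        if m and current:
            active, mask, standby = m.groups()
            result.append({"interface": current, "active": active,
                           "mask": mask, "standby": standby})
    return result


def same_subnet(active, mask, standby):
    """The standby address must fall inside the subnet of the active address."""
    net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
    return ipaddress.ip_address(standby) in net


def validate(config):
    """List interfaces whose standby address is outside the active address's subnet."""
    return [e["interface"] for e in parse_interface_addresses(config)
            if not same_subnet(e["active"], e["mask"], e["standby"])]


def this_host_role(show_failover):
    """Return (unit, state) from the 'This host:' line, e.g. ('Secondary', 'Standby Ready')."""
    for line in show_failover.splitlines():
        m = THIS_HOST.match(line)
        if m:
            return m.group(1), m.group(2)
    raise ValueError("no 'This host:' line found; is failover enabled?")


def effective_addresses(config, show_failover):
    """Map interface -> the address THIS unit currently answers on.

    The config is the same on both units; which of the two addresses a unit
    owns depends only on whether it is currently Active or Standby.
    """
    _, state = this_host_role(show_failover)
    key = "active" if state.startswith("Active") else "standby"
    return {e["interface"]: e[key] for e in parse_interface_addresses(config)}


if __name__ == "__main__":
    unit, state = this_host_role(SAMPLE_SHOW_FAILOVER)
    print(f"this unit: {unit} ({state})")
    print("addresses this unit owns now:", effective_addresses(SAMPLE_INTERFACE_CONFIG, SAMPLE_SHOW_FAILOVER))
    print("interfaces with standby address outside the subnet:", validate(SAMPLE_INTERFACE_CONFIG))
```

Run against the constructed sample it reports that this unit is the Secondary in `Standby Ready` state and therefore owns 192.168.1.2 on Vlan100, which is exactly what the standby is using even though its running config shows 192.168.1.1 first. After a failover the same config yields the swapped answer, which is why the pair is best treated as one logical device.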