Hi,
I was wondering whether anyone knew how you can configure failover on subinterfaces. I only want failover to work if the physical interface goes down (I would think it would be impossible for the firewall to detect if the subinterface went down). For example, we have a DMZ interface (Ethernet2) that is subinterfaced into E2.10, E2.20 etc for different DMZs, but failover doesn't work on the parent interface (Ethernet2) - indicated by the Not-Monitored below. I tried naming the parent interface via nameif command, but the 'sh fail' had the interface as Normal (Waiting) - I assume for an IP address... would putting an IP address on the parent interface enable the failover to work for that interface? I didn't want to try it since it is a production firewall so I don't want to bring anything down:
firewall# sh fail
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover Ethernet5 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(2), Mate 7.2(2)
Last Failover at: 03:14:11 AEST May 12 2007
This host: Primary - Active
Active time: 2678175 (sec)
Interface outside (10.1.1.1): Normal
Interface inside (172.16.0.1): Normal
Interface dmz1 (192.168.1.1): Normal (Not-Monitored)
Interface dmz2 (192.168.2.1): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (10.1.1.2): Normal
Interface inside (172.16.0.2): Normal
Interface dmz1 (192.168.1.2): Normal (Not-Monitored)
Interface dmz2 (192.168.2.2): Normal (Not-Monitored)
Stateful Failover Logical Update Statistics
Link : failover Ethernet5 (up)
Stateful Obj xmit xerr rcv rerr
General 10091425 0 357086 0
sys cmd 357086 0 357086 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 6216575 0 0 0
UDP conn 3485909 0 0 0
ARP tbl 29399 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 1116 0 0 0
VPN IPSEC upd 1340 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 4 357086
Xmit Q: 0 4 17259324
Thanks,
goulin1
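
An added example, not part of the original post: a small Python parser that reads `show failover` output in the format posted above and lists, per unit, the named interfaces that failover is not monitoring. The sample text is constructed by abbreviating the output in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: abbreviated from the 'sh fail' output format in the post.
SAMPLE = """\
Failover On
Monitored Interfaces 2 of 250 maximum
This host: Primary - Active
Active time: 2678175 (sec)
Interface outside (10.1.1.1): Normal
Interface inside (172.16.0.1): Normal
Interface dmz1 (192.168.1.1): Normal (Not-Monitored)
Interface dmz2 (192.168.2.1): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (10.1.1.2): Normal
Interface inside (172.16.0.2): Normal
Interface dmz1 (192.168.1.2): Normal (Not-Monitored)
Interface dmz2 (192.168.2.2): Normal (Not-Monitored)
"""

UNIT_RE = re.compile(r"^\s*(This host|Other host):\s*(.+)$")
IF_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*$")
COUNT_RE = re.compile(r"^\s*Monitored Interfaces (\d+) of (\d+) maximum")

def parse_show_failover(text):
    """Return (monitored_count, {unit: [(name, ip, state, monitored)]})."""
    count, units, current = None, {}, None
    for line in text.splitlines():
        if m := COUNT_RE.match(line):
            count = int(m.group(1))
        elif m := UNIT_RE.match(line):
            current = m.group(1)          # start of a per-unit interface list
            units[current] = []
        elif (m := IF_RE.match(line)) and current:
            name, ip, state = m.groups()
            monitored = "(Not-Monitored)" not in state
            state = state.replace("(Not-Monitored)", "").strip()
            units[current].append((name, ip, state, monitored))
    return count, units

def unmonitored(units):
    """Per unit, the named interfaces that failover health monitoring skips."""
    return {u: [n for n, _, _, mon in ifs if not mon] for u, ifs in units.items()}

if __name__ == "__main__":
    count, units = parse_show_failover(SAMPLE)
    for unit, names in unmonitored(units).items():
        print(f"{unit}: not monitored -> {', '.join(names) or 'none'}")
```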