User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 49 Configuring Failover
• NAT translation table
• TCP connection table (except for HTTP), including the timeout connection
• HTTP connection states (if HTTP replication is enabled)
• H.323, SIP and MGCP UDP media connections
• The system clock
• The ISAKMP and IPsec SA table
The following information is not copied to the standby unit when stateful failover is enabled:
• HTTP connection table (unless HTTP replication is enabled)
• The user authentication (UAUTH) table
• The ARP table
• Routing tables
Basic Failover Configuration
The following steps describe basic failover configuration. Please note the following caveats when
assigning an interface as a failover link:
• You can define the interface in the Add/Edit Interface dialog box, but do not configure it. In
  particular, do not specify an interface Name, as this parameter disqualifies the interface from being
  used as the failover link.
• On an ASA 5505, an interface assigned as the backup for another interface cannot be used as a
  failover link (although no checking is performed to prevent this).
• Do not assign a PPPoE-enabled interface as a failover link. PPPoE and Failover should not be
  configured on the same device interface (although no checking is performed to prevent this).
• A Failover interface cannot use the same IP address as another interface, especially the Management
  IP address (although no checking is performed to prevent this).
Note: When you save a failover configuration, it is applied to both the security appliance and the failover peer.
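Because no checking is performed for several of the caveats above, a planned failover link can be linted before the policy is saved. The following is an added example, not part of the Cisco guide or of Security Manager; the inventory format (the id, name, ip, backup_for and pppoe keys), the function name and the sample devices are assumptions made for illustration.

```python
# Added example: lint a planned failover link against the four caveats above.
# The dict keys (id, name, ip, backup_for, pppoe) are a hypothetical inventory
# format, not a Security Manager or ASA data structure.

def check_failover_link(link_id, interfaces, model=""):
    """Return a list of caveat violations for the interface chosen as failover link."""
    by_id = {i["id"]: i for i in interfaces}
    link = by_id.get(link_id)
    if link is None:
        return [f"{link_id}: interface is not defined"]
    problems = []
    # Caveat 1: a Name disqualifies the interface from use as the failover link.
    if link.get("name"):
        problems.append(f"{link_id}: has interface Name '{link['name']}'")
    # Caveat 2 (ASA 5505): a backup for another interface cannot be the link.
    if "5505" in model and link.get("backup_for"):
        problems.append(f"{link_id}: is backup for {link['backup_for']}")
    # Caveat 3: PPPoE and failover must not share an interface.
    if link.get("pppoe"):
        problems.append(f"{link_id}: PPPoE is enabled")
    # Caveat 4: the failover IP must not match any other interface's IP.
    for other in interfaces:
        if other["id"] != link_id and link.get("ip") and other.get("ip") == link["ip"]:
            problems.append(f"{link_id}: IP {link['ip']} also used by {other['id']}")
    return problems

# Constructed sample inventory (addresses from the RFC 5737 documentation range).
SAMPLE = [
    {"id": "Ethernet0/0", "name": "outside", "ip": "192.0.2.1"},
    {"id": "Management0/0", "name": "management", "ip": "192.0.2.10"},
    {"id": "Ethernet0/2", "ip": "192.0.2.10", "pppoe": True},
    {"id": "Ethernet0/3", "ip": "192.0.2.20"},
]

if __name__ == "__main__":
    for candidate in ("Ethernet0/2", "Ethernet0/3"):
        issues = check_failover_link(candidate, SAMPLE, model="ASA 5510")
        print(candidate, "OK" if not issues else issues)
```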
Before You Begin
Licenses installed on the device must allow failover configurations. On ASA 5505 and 5510 devices, this
failover license is an optional license. You must install the failover license outside of Security Manager,
using ASDM or the device CLI, and ensure that the License Supports Failover option is selected in the
General page of the device properties (right-click the device and select Device Properties). If the license
is installed when you add the device to the inventory, or you install the license and then rediscover device
policies, Security Manager can identify the license and set this option appropriately.
If the option is selected and the license is not in fact installed, you will see deployment failures. If the
option is not selected, Security Manager will not deploy the failover policy to the device even if you
configure the policy.
Related Topics
Managing Device Interfaces, Hardware Ports, and Bridge Groups, page 45-14
Understanding Failover, page 49-1