49-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 49 Configuring Failover
Basic Failover Configuration
e. Enter the Subnet Mask for both IP addresses. Both must be on the same subnet.
Step 10 (Optional) Follow these steps to enable and configure an interface for Stateful Failover communications between the two devices:
a. Assign a device Interface for update communications, and then press the Tab key on your keyboard to update the page.
You can type in a port ID (e.g., gigabitethernet1), or you can choose the port if you have already defined the interface; note that this cannot be a Named interface.
Note On an FWSM, this is a VLAN interface.
b. Provide a Logical Name for this interface.
c. Enter the Active IP address for connection updates.
d. Enter a Standby IP address for update communications.
e. Enter the Subnet Mask for both IP addresses. Both must be on the same subnet.
f. Select Enable HTTP Replication to preserve HTTP connection information.
Connection information is communicated to the standby unit for all TCP protocols except HTTP, because HTTP connections are generally short-lived. Select this option to maintain HTTP connections during failover.
Step 11 Provide a communications-encryption key: enter a Shared Key and then repeat it in the Confirm field. Be sure to enter the same key on both devices. (Not available on FWSM versions prior to 3.1.)
The Shared Key can be any arbitrary string of up to 63 alphanumeric characters. If HEX is checked, the Shared Key is an arbitrary string of exactly 32 hexadecimal characters. (The HEX option is available only on PIX/ASA version 7.0.5 and later, and FWSM versions 3.1.3 and later.)
Note This step is optional, but we strongly recommend encrypting failover communications.
Step 12 To specify a failover reconnect timeout value for asymmetrically routed sessions, enter a length of time in the Timeout field, in the form hh:mm:ss (the minutes and seconds values are optional). If the field is blank (the default), or contains a zero, reconnections are prevented. Setting this value to -1 disables the timeout, allowing connections to reconnect after any amount of time.
Step 13 (FWSM only) – Configured interfaces are listed in the Interface Configuration table. To edit the failover configuration for a listed interface, select it and click the Edit Row button to open the Edit Failover Interface Configuration Dialog Box, page 49-23.
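The following script is an added example and is not part of the Cisco Security Manager guide or product: it checks the input constraints that Steps 9e, 10e, 11 and 12 impose (active and standby addresses on one subnet, the two Shared Key formats, and the hh:mm:ss reconnect timeout with its blank, zero and -1 special cases) before the values are typed into the dialog. The function names, the `SAMPLE_SETTINGS` values and the assumption that the hours field may carry up to four digits are all this example's own.

```python
"""Pre-flight checks for the failover settings described in Steps 9-12.

Added example, not Cisco's code. Every sample value below is constructed.
"""
import ipaddress
import re


def same_subnet(active: str, standby: str, mask: str) -> bool:
    """Steps 9e/10e: active and standby addresses must share one subnet
    (and must not be the same address)."""
    net_active = ipaddress.ip_network(f"{active}/{mask}", strict=False)
    net_standby = ipaddress.ip_network(f"{standby}/{mask}", strict=False)
    return net_active == net_standby and active != standby


def valid_shared_key(key: str, hex_mode: bool = False) -> bool:
    """Step 11: up to 63 alphanumeric characters, or exactly 32 hex digits
    when the HEX option is checked."""
    if hex_mode:
        return re.fullmatch(r"[0-9A-Fa-f]{32}", key) is not None
    return re.fullmatch(r"[0-9A-Za-z]{1,63}", key) is not None


def parse_reconnect_timeout(value: str):
    """Step 12: blank or zero -> 'prevented', -1 -> 'disabled',
    otherwise hh[:mm[:ss]] converted to seconds.
    Raises ValueError for anything else. The 1-4 digit hour field is an
    assumption of this example, not a value taken from the guide."""
    value = value.strip()
    if value == "":
        return "prevented"
    if value == "-1":
        return "disabled"
    match = re.fullmatch(r"(\d{1,4})(?::(\d{1,2}))?(?::(\d{1,2}))?", value)
    if match is None:
        raise ValueError(f"timeout must be hh[:mm[:ss]] or -1, got {value!r}")
    hours, minutes, seconds = (int(g) if g is not None else 0 for g in match.groups())
    if minutes > 59 or seconds > 59:
        raise ValueError("minutes and seconds must be in the range 0-59")
    total = hours * 3600 + minutes * 60 + seconds
    return "prevented" if total == 0 else total


def check_failover_settings(settings: dict) -> list:
    """Collect every constraint violation for one failover interface entry.
    The Shared Key is optional (see the Note under Step 11), so an empty key
    is not reported; a present but malformed key is."""
    problems = []
    if not same_subnet(settings["active_ip"], settings["standby_ip"], settings["mask"]):
        problems.append("active and standby IP addresses are not in the same subnet")
    key = settings.get("shared_key", "")
    if key and not valid_shared_key(key, settings.get("hex", False)):
        problems.append("shared key does not match the allowed format")
    try:
        parse_reconnect_timeout(settings.get("timeout", ""))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed sample entry for a Stateful Failover interface.
SAMPLE_SETTINGS = {
    "active_ip": "192.0.2.1",
    "standby_ip": "192.0.2.2",
    "mask": "255.255.255.0",
    "shared_key": "0123456789abcdef0123456789abcdef",
    "hex": True,
    "timeout": "1:30",
}

if __name__ == "__main__":
    print(check_failover_settings(SAMPLE_SETTINGS))
```

Run it before filling in the dialog: an empty list means every value satisfies the rules stated in the steps; otherwise each string names the field to correct. The same check is worth repeating against the second device's values, since Step 11 requires the identical key on both units.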
Adding a Security Context to Failover Group 2
To add a new security context to an existing failover group 2, you must save the new context configuration to a deployment file and then manually add it to the appropriate device. Otherwise, until the first successful deployment, Security Manager will attempt to communicate with the new context through the device’s Admin context. This will fail since group 2 cannot be reached through the Admin context (unless both group 1 and 2 are active on the same device).