Cisco Cisco Web Security Appliance S360 User Guide
2-21
AsyncOS 10.0 for Cisco Web Security Appliances User Guide
Chapter 2 Connect, Install, and Configure
Configuring Failover Groups for High Availability
Configuring Failover Groups for High Availability
Using the Common Address Redundancy Protocol (CARP), the WSA allows multiple hosts on your
network to share an IP address, providing IP redundancy to ensure high availability of services provided
by those hosts.
network to share an IP address, providing IP redundancy to ensure high availability of services provided
by those hosts.
Failover is available only for the proxy service. The proxy automatically binds to the failover interface
when the failover group is created. Thus, if the proxy goes down for any reason, failover is triggered.
when the failover group is created. Thus, if the proxy goes down for any reason, failover is triggered.
In CARP there are three states for a host:
•
master – there can be only one master host in each failover group
•
backup
•
init
The master host in the CARP failover group sends regular advertisements to the local network so that
the backup hosts know it’s still “alive.” (This advertisement interval is configurable on the WSA.) If the
back-up hosts don’t receive an advertisement from the master for the specified period of time (because
the proxy is down, or the WSA itself has gone down, or the WSA is disconnected from the network),
then failover is triggered and one of the back-ups will take over the duties of master.
the backup hosts know it’s still “alive.” (This advertisement interval is configurable on the WSA.) If the
back-up hosts don’t receive an advertisement from the master for the specified period of time (because
the proxy is down, or the WSA itself has gone down, or the WSA is disconnected from the network),
then failover is triggered and one of the back-ups will take over the duties of master.
Add Failover Group
Before You Begin
•
Identify a virtual IP address that will be used exclusively for this failover group. Clients will use this
IP address to connect to the failover group in explicit forward proxy mode.
IP address to connect to the failover group in explicit forward proxy mode.
•
Configure all Appliances in the failover group with identical values for the following parameters:
–
Failover Group ID
–
Hostname
–
Virtual IP Address
•
If you are configuring this feature on a virtual appliance, ensure that the virtual switch and the
virtual interfaces specific to each appliance are configured to use promiscuous mode. For more
information, see the documentation for your virtual hypervisor.
virtual interfaces specific to each appliance are configured to use promiscuous mode. For more
information, see the documentation for your virtual hypervisor.
Step 1
Choose Network > High Availability.
Step 2
Click Add Failover Group.
Step 3
Enter a Failover Group ID in the range 1 to 255.
Step 4
(Optional) Enter a Description.
Step 5
Enter the Hostname, for example www.example.com.
Step 6
Enter the Virtual IP Address and Netmask, for example 10.0.0.3/24 (IPv4) or 2001:420:80:1::5/32
(IPv6).
(IPv6).
Step 7
Choose an option from the Interface menu. The Select Interface Automatically option will select the
interface based on the IP address you provided.
interface based on the IP address you provided.
Note
If you do not select the Select Interface Automatically option, you must choose an interface in the same
subnet as the virtual IP address you provided.
subnet as the virtual IP address you provided.