Configure PIX Security Appliance Failover
Failover requirements

The Cisco PIX Security Appliance 515/515E, 525, 535 and the Adaptive Security Appliance 5510, 5520, and 5540 can be used for failover. In order for failover to work, a pair of devices must be identical in the requirements shown in Figure .

One important factor for the PIX Security Appliance is failover licensing. The primary unit must have an unrestricted (UR) license, while the secondary unit can have either a UR license or a failover (FO) license. A PIX FO license comes in two forms: one that supports active/standby failover only, and one that supports active/active failover only. To run active/active failover on a PIX that carries a failover license, that license must be the active/active version. A restricted (R) license cannot be used for failover at all, and two units with FO licenses cannot be paired together, because one of the two must hold a UR license.

NOTE:

Neither the PIX Security Appliance 501 nor the PIX Security Appliance 506E can be used for failover.

Failover Interface Test
Both the primary and secondary PIX Security Appliances send special failover hello packets to each other over all network interfaces and over the failover cable every fifteen seconds to verify that everything is working. When a unit stops receiving hellos from its peer, and the cause is not a loss of power on the other unit (a condition the failover cable reports directly), failover begins a series of interface tests to determine which security appliance has failed. The purpose of these tests is to generate network traffic on the interface in question and observe which unit, if either, can still receive it.

At the start of each test, each PIX clears its received packet count for its interfaces. At the conclusion of each test, each PIX looks to see if it has received any traffic. If it has, the interface is considered operational. If one PIX receives traffic for a test and the other PIX does not, the PIX that did not receive traffic is considered failed. If neither PIX has received traffic, the tests then continue.

The four tests, run in the following order, are:

  • LinkUp/Down – This is a test of the NIC itself. If an interface card is not plugged into an operational network, it is considered failed; for example, the hub or switch has failed, has a failed port, or a cable is unplugged. If the link is up, the network activity test begins.
  • Network Activity – This is a received network activity test. The PIX Security Appliance counts all received packets for up to five seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.
  • ARP – The ARP test consists of reading the ARP cache of the PIX Security Appliance for the ten most recently acquired entries. The PIX sends ARP requests one at a time to these machines, attempting to stimulate network traffic. After each request, the PIX counts all received traffic for up to five seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the ping test begins.
  • Broadcast Ping – The ping test consists of sending out a broadcast ping request. The PIX Security Appliance then counts all received packets for up to five seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the testing starts over again with the ARP test.

Failover Cabling
The two PIX Security Appliances in a failover pair exchange failover information with each other. This communication identifies each unit as primary or secondary, reports the power status of the other unit, and serves as the channel for the other failover messages between the two units. Most of the failover communication is passed over dedicated failover links. There are three types of failover links:

  • Serial failover cable – The serial failover cable is a modified RS-232 serial cable that transfers data at 115 kbps.
  • LAN-based failover cable – PIX Security Appliance Software Version 6.2 introduced support for LAN-based failover, so a special serial failover cable is no longer required to connect the primary and secondary units. LAN-based failover overcomes the distance limitations imposed by the six-foot length of the serial failover cable. With LAN-based failover, failover messages are transmitted over Ethernet connections. LAN-based failover provides message encryption and authentication using a manual pre-shared key for added security. LAN-based failover requires an Ethernet connection to be used exclusively for passing failover communications between two PIX units.
  • Stateful cable – The stateful failover cable passes per-connection stateful information to the standby unit. Stateful failover requires an Ethernet interface with a minimum speed of 100 Mbps full duplex to be used exclusively for passing state information between the two PIX Security Appliance units. The stateful failover interface can be connected to either a 100BASE-TX or 1000BASE-TX full duplex on a dedicated switch or dedicated VLAN of a switch.

Data is passed over the dedicated interface using IP protocol 105. No hosts or routers should be on this interface; it must be a dedicated switch, crossover connection, or dedicated VLAN shared only by the two units.
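The following is an added example of the primary-unit configuration that ties the pieces above together (the 15-second hello interval, a dedicated LAN-based failover link with a pre-shared key, and a separate dedicated stateful link). It is not configuration from the original page; it uses PIX Software 6.3 command syntax, and the interface names (lanfail, stateful), IP addresses and the key value are assumptions chosen for illustration.

```cisco
! Primary unit, PIX Software 6.3 syntax (added example; names and addresses are assumed)
! Bring up the two dedicated links at 100 Mbps full duplex before naming them
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet2 lanfail security20
nameif ethernet3 stateful security30
ip address lanfail 192.168.254.1 255.255.255.0
ip address stateful 192.168.253.1 255.255.255.0
!
! Standby addresses: the secondary unit answers on these until it takes over,
! so every interface, including the data interfaces, needs one
failover ip address outside 192.0.2.2
failover ip address inside 10.0.0.2
failover ip address lanfail 192.168.254.2
failover ip address stateful 192.168.253.2
!
! LAN-based failover: unit role, dedicated interface, pre-shared key
! (the key enables encryption and authentication of failover messages;
!  without it the hellos and configuration replication travel in cleartext)
failover lan unit primary
failover lan interface lanfail
failover lan key ChangeMeToAStrongSecret
failover lan enable
!
! Stateful failover over the second dedicated link
failover link stateful
!
! Hello interval in seconds (default 15, minimum 3)
failover poll 15
!
! Turn failover on last, once the secondary is cabled and has its LAN failover commands
failover
```

The data-interface configuration is replicated from the primary to the secondary once failover is enabled, but the LAN-based failover commands themselves (failover lan unit secondary, failover lan interface lanfail, the same failover lan key, failover lan enable, and failover) must be entered on the secondary by hand before replication can take place. The key must match on both units, and the lanfail and stateful segments should carry nothing but the two PIX units, since the stateful link exposes per-connection state to anything else attached to it.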