The Cisco PIX Security Appliance 515/515E, 525, 535 and the Adaptive Security Appliance 5510, 5520, and 5540 can be used for failover. In order for failover to work, a pair of devices must be identical in the requirements shown in the accompanying figure.
One important factor for the PIX Security Appliance is failover licensing. The primary failover unit must have an unrestricted (UR) license, while the secondary can have a UR or a failover (FO) license. The PIX failover (FO) license is either an active/standby-only or an active/active-only failover license. To perform active/active failover on a PIX with a failover license, that license must be an active/active-only failover license. A restricted license cannot be used for failover, and two units with FO licenses cannot be used in a single failover pair.
NOTE: Neither the Security Appliance 501 nor the Security Appliance 506E can be used for failover.
Failover Interface Test
Both the primary and secondary PIX Security Appliances send special failover hello packets to each other over all network interfaces and the failover cable every fifteen seconds to make sure that everything is working. When a failure occurs in the active PIX, and it is not because of a loss of power in the standby PIX, failover begins a series of tests to determine which security appliance has failed. These tests generate network traffic in order to determine which, if either, security appliance has failed.
At the start of each test, each PIX clears the received packet count for its interfaces. At the conclusion of each test, each PIX checks whether it has received any traffic. If it has, the interface is considered operational. If one PIX receives traffic for a test and the other PIX does not, the PIX that did not receive traffic is considered failed. If neither PIX has received traffic, the tests continue.
The following are the four tests used to test for failover:
- LinkUp/Down – This is a test of the NIC itself. If an interface card is not plugged into an operational network, it is considered failed. For example, the hub or switch has failed, has a failed port, or a cable is unplugged. If this test does not find anything, the network activity test begins.
- Network Activity – This is a received network activity test. The PIX Security Appliance counts all received packets for up to five seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.
- ARP – The ARP test consists of reading the ARP cache of the PIX Security Appliance for the ten most recently acquired entries. The PIX sends ARP requests one at a time to these machines, attempting to stimulate network traffic. After each request, the PIX counts all received traffic for up to five seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the ping test begins.
- Broadcast Ping – The ping test consists of sending out a broadcast ping request. The PIX Security Appliance then counts all received packets for up to five seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the testing starts over again with the ARP test.
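The decision rules above can be checked by simulating them. The following is an added example, not Cisco code: each unit's view of an interface is a constructed model (link state, packets counted per test window, replies to its ARP probes), and the cap on how often the ARP/ping loop repeats is an assumption, since the text sets no limit.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class UnitView:
    """One unit's view of one interface (constructed input, not a capture)."""
    link_up: bool = True
    # Packets counted in the five-second window of a named test
    # ("activity" or "ping"); counters are cleared before every test.
    window_rx: Dict[str, int] = field(default_factory=dict)
    # Packets counted after the ARP request to each of the ten most
    # recently learned ARP-cache entries, in cache order.
    arp_rx: List[int] = field(default_factory=list)

    def saw_traffic(self, test: str) -> bool:
        if test == "arp":
            # One request per entry; traffic after any of them ends the test.
            return any(n > 0 for n in self.arp_rx[:10])
        return self.window_rx.get(test, 0) > 0


def _judge(active_ok: bool, standby_ok: bool) -> Optional[str]:
    """Compare both units' results for one test (the page's decision rule)."""
    if active_ok and standby_ok:
        return "operational"
    if active_ok:
        return "standby failed"
    if standby_ok:
        return "active failed"
    return None  # neither unit saw traffic: fall through to the next test


def run_interface_tests(active: UnitView, standby: UnitView,
                        max_rounds: int = 3) -> str:
    """Run LinkUp/Down, Network Activity, ARP and Broadcast Ping in order.

    After a silent ping test the sequence restarts at the ARP test; max_rounds
    (an assumption) bounds that loop and yields 'undetermined' if nothing is
    ever received by either unit.
    """
    sequence = ["link", "activity", "arp", "ping"]
    for _ in range(max_rounds):
        for test in sequence:
            if test == "link":
                # A NIC with no operational network behind it fails outright;
                # if neither link differs, the test finds nothing and we go on.
                if active.link_up != standby.link_up:
                    return "active failed" if not active.link_up else "standby failed"
                continue
            verdict = _judge(active.saw_traffic(test), standby.saw_traffic(test))
            if verdict is not None:
                return verdict
        sequence = ["arp", "ping"]
    return "undetermined"
```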
Failover Cabling
The two PIX Security Appliances in a failover pair exchange failover information with each other. This communication identifies the unit as primary or secondary, identifies the power status of the other unit, and serves as a link for various failover communications between the two units. The majority of the failover communications are passed over dedicated failover links. There are three types of failover links:
- Serial failover cable – The serial failover cable is a modified RS-232 serial link cable that transfers data at 115 Kbps.
- LAN-based failover cable – PIX Security Appliance Software Version 6.2 introduced support for LAN-based failover, so a special serial failover cable is no longer required to connect the primary and secondary units. LAN-based failover overcomes the distance limitation imposed by the six-foot length of the serial failover cable. With LAN-based failover, failover messages are transmitted over Ethernet connections. LAN-based failover provides message encryption and authentication using a manual pre-shared key for added security. LAN-based failover requires an Ethernet connection to be used exclusively for passing failover communications between the two PIX units.
- Stateful cable – The stateful failover cable passes per-connection stateful information to the standby unit. Stateful failover requires an Ethernet interface with a minimum speed of 100 Mbps full duplex to be used exclusively for passing state information between the two PIX Security Appliance units. The stateful failover interface can be connected to either 100BASE-TX or 1000BASE-TX full duplex on a dedicated switch or a dedicated VLAN of a switch.
Data is passed over the dedicated interface using IP Protocol 8. No hosts or routers should be on this interface.