Configure PIX Security Appliance Failover
Understanding failover

The failover function for the PIX Secure Security appliance provides a safeguard in case a PIX fails. Specifically, when one PIX fails, another immediately takes its place. In the failover process, there are two PIX units. These are the primary PIX and the secondary PIX. The primary PIX functions as the active PIX, performing normal network functions. The secondary PIX functions as the standby PIX, ready to take control should the active PIX fail to perform. When the primary PIX fails, the secondary PIX becomes active while the primary PIX goes on standby. This entire process is called failover.

There are two types of hardware failover, active/standby and active/active. In active/standby, one PIX Security Appliance is the actively processing traffic while the other is a hot standby. All traffic flows through the active PIX. In the example in Figure , the active/standby scenario consists of two PIX units, the primary and secondary. When the primary fails, the secondary becomes active and processes all the traffic. The primary PIX becomes the standby unit.

In active/active, an administrator logically divides a PIX Security Appliance into multiple contexts. Each PIX can process traffic and serve as backup units. In the example in Figure , each PIX is composed of two contexts. Under normal conditions, each PIX has one active and one standby context. The active context processes approximately 50% on the traffic load while the other context is a standby unit for the other PIX.

In the active/active example in Figure , the primary PIX Security Appliance on the left fails, so the standby context in the secondary PIX becomes active. In the secondary PIX both contexts are active, active/active. The PIX on the right handles 100% of the traffic utilizing both contexts.

A failover occurs when one of the following situations takes place:

  • A power-off or a power-down condition occurs on the active PIX Security Appliance.
  • The active PIX Security Appliance is rebooted.
  • A link goes down on the active PIX Security Appliance for more than 30 seconds.
  • The command failover active is typed on the standby PIX Security Appliance, which forces control back to that unit.
  • Block memory exhaustion occurs for 15 consecutive seconds or more on the active PIX Security Appliance.

There are two types of failover :

  • Hardware failover – Hardware failover provides hardware redundancy. When the active PIX Security Appliance fails, the standby PIX becomes active. All connections are lost, and client applications must perform a new connection to restart communication through the PIX. The disconnection happens because the active PIX does not pass the stateful connection information to the standby PIX. Failover messages are exchanged over a serial failover cable or a LAN-based failover connection.
  • Stateful failover – The stateful failover feature passes per-connection stateful information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. End-user applications are not required to do a reconnect to keep the same communication session. The state information passed to the standby unit includes information such as the global pool addresses and status, connection and translation information and status, the negotiated H.323 UDP ports, the port allocation map for PAT, and other details necessary to let the standby unit take over processing if the primary unit fails.

Depending on the failure, the PIX Security Appliance switchover takes from 15 to 45 seconds. Applications not handled by stateful failover will then require time to reconnect before the active unit becomes fully functional.