Traditionally, the two PIX Firewall units are connected by a
special high-speed serial cable when using cable-based failover, although a
faster solution involves a dedicated Ethernet connection to a dedicated
switch/hub (or VLAN) for LAN-based failover. When using stateful failover, a
separate, dedicated 100 Mbps or Gigabit Ethernet connection is required for
cable-based failover and is recommended for LAN-based failover.
Once the primary unit is configured and the necessary cabling is
attached, the primary unit automatically copies its configuration to the standby
unit when the standby unit is powered up.
If the failover feature is enabled, the ACT indicator light on the
front of the PIX 515E, PIX 525, and PIX 535 is lit when the unit is the
active unit and off when the unit is the standby unit.
Figure 22-17 shows a simple failover system without
protected DMZ(s). Each firewall connects to an inside and an outside switch,
while the failover serial cable connects the two directly together. If a
protected DMZ existed, each firewall’s perimeter interface would have to connect
to a switch in the DMZ.
Identical Units
The hardware of the two PIX units must be identical so that the
pair appears as a single unit to the network. Failover requires two units that
are identical in the following respects:
Software licensing matters when choosing units for a
failover pair. At least one unit of the pair must have an Unrestricted (UR)
license; the second unit can have either a Failover (FO) or a UR license.
Restricted (R) units can’t be used in a failover pair, and two FO-licensed
units can’t be paired with each other. PIX 501/506/506E units
don’t support failover at all.
Note: Cisco’s pricing strategy for failover units means a
substantial saving exists when an unrestricted/failover pair is used
compared to two unrestricted units. The failover unit can cost one-third as much
as an unrestricted unit.
Communicating a Failover
The two PIX failover devices can maintain communication and
facilitate rapid failover transitions using either of the following:
This connection lets the units exchange unit identification
(primary or secondary), monitor each other’s power status, and carry other
failover-related messages. A power or cable failure is detected within 15
seconds and triggers a failover.
The failover pair uses the failover connection and all network
interfaces to exchange special failover “hello” packets every 15 seconds. If two
consecutive hello cycles are missed on an interface, the failover process starts
testing the interfaces to determine which unit has failed and, if the active
unit is the one at fault, transfers active control to the standby unit.
The default 15-second hello cycle can be changed with the failover poll seconds
command; the minimum value is 3 seconds and the maximum is 15 seconds. A shorter
poll time lets the PIX Firewall detect a failure and hand off sooner, but hello
packets delayed by temporary network congestion are then more likely to trigger
an unnecessary failover.
Failover Serial Cable
The ends of the special serial failover cable are labeled, and they
define which unit is primary and which is secondary. If the cable end plugged
into a unit identifies it as primary, that unit becomes the active unit and its
configuration is copied to the standby unit. If a PIX unit boots without a
failover cable attached, it automatically becomes the active unit.
The serial failover cable allows each unit to detect if the cable
is connected at both ends, connected locally but disconnected at the other end,
or disconnected locally and the other end is unknown. In addition, the cable can
tell if the power is interrupted at the other end. A failure of any of these
parameters on the active unit causes the standby unit to trigger a failover.
Because both units will have identical IP and MAC addresses,
if both units are powered down, it’s critical that the failover cable be in
place when power is restored. If not, both units will come up active and create
duplicate address problems.
Configuration Replication
The two PIX Firewall units should be exactly the same and
running the same software release. Only the active unit (normally the primary)
is configured by the administrator. That configuration is replicated over the
failover cable from the active unit to the standby unit in three ways:
- After the standby unit boots up, the active unit replicates its configuration via the failover cable to the standby unit.
- Commands entered on the active unit are automatically replicated via the failover cable to the standby unit.
- The write standby command on the active unit sends the entire configuration in memory via the failover cable to the standby unit.
Configuration replication only occurs from memory to memory, that is, from the
active unit’s running configuration to the standby unit’s running configuration,
not to Flash memory. After making configuration changes, use the write memory
command to write the configuration into Flash memory. Because the failover cable
is a serial link, replication can take a while with a large configuration.
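The following primary-unit configuration is an added example, not taken from this chapter or from Cisco’s documentation, that pulls the commands discussed above into one working sequence for cable-based failover. It assumes PIX OS 6.x command syntax; the interface names, the addresses and the 5-second poll value are constructed for illustration, and lines beginning with ! are annotations rather than configuration.

```text
! Primary unit, cable-based failover (constructed example, PIX OS 6.x syntax).
! These are the "system" addresses; whichever unit is active owns them,
! together with the primary unit's MAC addresses.
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Standby addresses: the unit that is currently standby answers on these,
! so each unit can be reached for monitoring no matter which one is active.
failover ip address outside 192.0.2.3
failover ip address inside 10.1.1.2

! Shorten the hello cycle from the default 15 s (allowed range 3-15 s).
! Two missed cycles, 10 s here, start interface testing.
failover poll 5

! Enable failover. With the serial cable attached and the standby booted,
! the running configuration is replicated to the standby from this point on.
failover

! Replication is memory to memory, so save to Flash on the active unit...
write memory
! ...and push a complete copy of the running configuration to the standby.
write standby

! Verify: one unit "Active", the other "Standby", every monitored
! interface "Normal", and the cable reported as connected at both ends.
show failover
```

Enter the configuration on the active unit only; anything typed on the standby is not replicated back and is overwritten the next time the active unit's configuration is copied across.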
When the Primary Fails
If a primary unit failure occurs, Syslog messages are sent
indicating the cause of the failure, and then the switchover occurs. The standby
unit assumes the IP and MAC addresses of its immediate predecessor and starts
accepting traffic. After the primary unit is fixed and placed back online, it
can’t automatically resume as the active unit because of the duplicate
addresses, so it comes up as the standby unit.
A switchover can be initiated manually from either unit: the
failover active command on the standby unit, or the no failover active command
on the active unit, triggers the change. When a failover occurs and both devices
are operational, each assumes the IP address and MAC address of its immediate
predecessor, and the new active unit starts accepting traffic.
Stateful Failover
Since PIX OS v5.1, stateful failover allows per-connection
state table information to be continuously sent to the standby unit. If a
failover occurs, both devices have the same connection state information, so
end-user sessions continue without interruption. Without a stateful failover
link, the standby unit has no state information, so all active connections are
dropped and must be re-established by the clients.
Stateful failover can be triggered by any of the following
situations:
- The active PIX Firewall loses power or is turned off
- The stateful failover dedicated link goes down for two “hello” cycles as defined by the failover poll command (30 seconds with the default 15-second poll)
- The failover active command is used on the standby unit
- The no failover active command is used on the active unit
- The active PIX Firewall is rebooted, including with a reload command
- Block memory exhaustion for 15 consecutive seconds or more on the active unit
After a stateful failover, the standby unit will assume the active
unit configuration, TCP connection table, including the timeout information of
each connection, xlate table, and system up time. What won’t be assumed by the
new active unit are the user authentication (uauth) table, the ISAKMP and IPSec
SA table, the ARP table, and the routing information.
Stateful Failover Hardware Requirements
Stateful failover requires a dedicated 100 Mbps or Gigabit
Ethernet link between the units, with an MTU of 1500, used exclusively
for passing state information between the two PIX Firewall units. No hosts or
routers should be connected to this link. The interface implementations that can
be used for this dedicated stateful failover link include the following:
- Cat 5 crossover cable directly connecting the two units
- 100BaseTX half-duplex switch using straight Cat 5 cables
- Full-duplex 100BaseTX using a dedicated switch or a dedicated VLAN on a switch
- Full-duplex 1000BaseTX using a dedicated switch or a dedicated VLAN on a switch
The failover serial cable must be installed and working
properly.
Figure 22-18 shows the same simple design as earlier
with a stateful failover link installed using crossover cable.
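As an added example (not from this chapter or from Cisco’s documentation), the configuration below adds a dedicated stateful failover link, over a crossover cable as in Figure 22-18, to a primary unit that already has cable-based failover running. It assumes PIX OS 6.2 command syntax and a spare 100 Mbps port named ethernet2; the interface name, security level and point-to-point addresses are constructed, and lines beginning with ! are annotations rather than configuration.

```text
! Stateful failover link on a dedicated port (constructed example, PIX OS 6.2 syntax).
! ethernet2 is assumed to be a spare 100 Mbps port with nothing else attached.
! Force full duplex: a crossover cable has no switch to negotiate with.
interface ethernet2 100full
nameif ethernet2 stateful security60
ip address stateful 10.255.255.1 255.255.255.252
failover ip address stateful 10.255.255.2
! The MTU must be 1500 on the state link.
mtu stateful 1500

! Nominate the interface as the stateful link. The serial failover cable
! still carries hello and unit-identification traffic and must stay connected.
failover link stateful

! HTTP connections are not replicated unless explicitly requested.
failover replicate http

! Save and push the full configuration, including the new interface, to the standby.
failover
write memory
write standby

! Verify: show failover should list the stateful link, and its
! "Stateful Obj" transmit/receive counters should rise as connections are built.
show failover
```

The security level and the /30 addressing are arbitrary; the link carries only state updates between the two units, so nothing else should be routed to or from it.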
Stateful failover is a new feature, so requirements and
configuration commands are in transition. Be sure to check the correct
documentation for the Firewall OS version. Early versions didn’t support the
crossover cable and v6.1 didn’t support half-duplex failover
links.