Installing Failover

Step 3 Connect the Primary end of the failover cable to the first PIX Firewall unit, that is, the one you have already configured. As soon as the PIX Firewall detects the presence of the failover cable, the system software enables failover mode and the PIX Firewall unit assumes active status.

Step 4 Connect the Secondary end of the failover cable to the Standby unit.

Step 5 Connect the Standby unit's power cord to the power connector on the rear panel of the unit, and to a power outlet.

Connect one of the following between the dedicated interfaces on the PIX Firewall units:

(a) Cat 5 crossover cable directly connecting the Primary unit to the Secondary unit.

(b) 100BaseTX half-duplex hub using straight Cat 5 cables.

(c) 100BaseTX full-duplex on a dedicated switch or dedicated VLAN of a switch.

On the PIX 520, you can use Token Ring interfaces with Stateful Failover if the dedicated interface is 100BaseTX.

Step 7 Turn on the Standby unit using the power switch at the back of the unit.

Within a few seconds, the Active unit automatically downloads its configuration to the Standby unit. The two units are now operating in failover mode. The first PIX Firewall (the one you configure) is the Primary unit, and is active by default. The second PIX Firewall is the Secondary unit, acting as failover Standby.

If the primary unit fails, the secondary unit automatically becomes active.

---

Note Only configure the Active unit. On a PIX 515, the Active unit is indicated by the ACT LED on the front of the unit. On a PIX 520, you can access the console and determine which unit is active with the show failover command.

---

The Active unit automatically updates the configuration on the Standby unit. If the Standby unit has failed, updating takes place as soon as the Standby unit is brought back into operation.

• Can the failover feature work without using the failover cable?

No, failover will not work without the cable. If you run without the failover cable you are essentially running two separate PIX Firewall units. This will result in a bridge loop and flood the network. The failover cable is an essential part of failover.

• Can I extend the length of the failover cable with modems or line extenders?

No, the cable cannot be extended using modems or other RS-232 line extenders. Part of what the failover cable does is indicate the presence and power status of the other unit. When you place line extenders in this path you are relaying the status of the line extender rather than of the other PIX Firewall unit.

• What happens if a Primary unit has a power failure?

When the Primary (Active) PIX Firewall experiences a power failure, the Standby PIX Firewall comes up in active mode. If the Primary unit is powered on again it will become the Standby unit.

• What happens if an interface card is disconnected?

When the active PIX Firewall fails by disconnecting the interface (cable pull), the Standby PIX Firewall becomes the Active unit. When the interface is plugged back in, the unit automatically recovers, and its status is changed from failed to Standby.

• Does failover work in a switched environment?

Yes, if you are running PIX Firewall version 4.2.x or later on both units.

• What constitutes a failure?

Fault detection is based on the following:

• Failover hello packets are received on each interface. If hello packets are not heard for two consecutive 15 second intervals, the interface will be tested to determine which unit is at fault.

• Cable errors. The cable is wired so that each unit can distinguish between a power failure in the other unit, and an unplugged cable. If the Standby unit detects that the Active unit is powered off (or resets) it will take active control. If the cable is unplugged, a syslog message generates but no switching occurs. An exception to this is at boot-up, at which point an unplugged cable forces the unit to an active state. If both units are powered on without the failover cable installed, they will both become active creating a duplicate IP address conflict on your network. The failover cable must be installed for failover to work correctly.

• Failover communication. The two units share information every 15 seconds. If the Standby unit does not hear from the Active unit in two communication attempts (and the cable status is OK) the Standby unit will take over as active.