Installing Failover [Cisco PIX 500 Series Security Appliances]

Table Of Contents

Installing Failover

Installing the Failover Cable

Failover Cable Pinouts

Frequently Asked Failover Questions

Installing Failover

This chapter includes the following sections:

•Installing the Failover Cable

•Failover Cable Pinouts

•Frequently Asked Failover Questions

Installing the Failover Cable

Follow these steps to install a failover Standby unit.

Step 1 Follow the instructions in "" to set up the Standby unit and connect its network interface cables.

Step 2 Locate the failover cable, shown in . This cable is shipped separately from the PIX Firewall unit. The cable is labeled Primary on one end and Secondary on the other.

Install the cable for the PIX 515 as shown in or as shown in for the PIX 520 and earlier models.

Figure 3-1 PIX 515 Failover Cable Connection

Figure 3-2 PIX 520 and Earlier Model Failover Cable Connection

Step 3 Connect the Primary end of the failover cable to the first PIX Firewall unit, that is, the one you have already configured. As soon as the PIX Firewall detects the presence of the failover cable, the system software enables failover mode and the PIX Firewall unit assumes active status.

Step 4 Connect the Secondary end of the failover cable to the Standby unit.

Step 5 Connect the Standby unit's power cord to the power connector on the rear panel of the unit, and to a power outlet.

Step 6 Power on the Standby unit.

Within a few seconds, the Active unit automatically downloads its configuration to the Standby unit. The two units are now operating in failover mode. The first PIX Firewall (the one you configured) is the primary unit, and is active by default. The second PIX Firewall is the secondary unit, acting as failover Standby.

If the primary unit fails, the secondary unit automatically becomes active.

All further PIX Firewall configuration for this failover pair must be done on the Active unit, whichever unit that might be at the time you perform the configuration. The Active unit automatically updates the configuration on the Standby unit. If the Standby unit has failed, updating takes place as soon as the Standby unit is brought back into operation.

Refer to Chapter 3, "Advanced Configurations" in the configuration guide for your respective software version listed in the section, "Related Documentation" in "About This Manual."

Failover Cable Pinouts

Should you need to test the cable you received, the pinouts are shown in .

Figure 3-3 Failover Cable Pinouts

Frequently Asked Failover Questions

This section contains some frequently asked questions about the failover feature.

•Can the failover feature work without using the failover cable?

No, failover will not work without the cable. If you run without the failover cable you are essentially running two separate PIX Firewall units. This will result in a bridge loop and flood the network. The failover cable is an essential part of failover.

•Can I extend the length of the failover cable with modems or line extenders?

No, the cable cannot be extended using modems or other RS-232 line extenders. Part of what the failover cable does is indicate the presence and power status of the other unit. When you place line extenders in this path you are relaying the status of the line extender rather than of the other PIX Firewall unit.

•What happens if a Primary unit has a power failure?

When the Active PIX Firewall experiences a power failure, the Standby PIX Firewall comes up in active mode. If the Primary unit is powered on again it will become the Standby unit.

•What happens if an interface card is disconnected?

When the active PIX Firewall fails by disconnecting the interface (cable pull), the Standby PIX Firewall becomes the Active unit. When the interface is plugged back in, the unit automatically recovers, and its status is changed from failed to Standby.

•Does failover work in a switched environment?

Yes, if you are running PIX Firewall version 4.2.x or later on both units.

•What constitutes a failure?

Fault detection is based on the following:

•Failover hello packets are received on each interface. If hello packets are not heard for two consecutive 15 second intervals, the interface will be tested to determine which unit is at fault.

•Cable errors. The cable is wired so that each unit can distinguish between a power failure in the other unit, and an unplugged cable. If the Standby unit detects that the Active unit is powered off (or resets) it will take active control. If the cable is unplugged, a syslog message generates but no switching occurs. An exception to this is at boot-up, at which point an unplugged cable forces the unit to an active state. If both units are powered on without the failover cable installed they will both become active creating a duplicate IP address conflict on your network. The failover cable must be installed for failover to work correctly.

•Failover communication. The two units share information every 15 seconds. If the Standby unit does not hear from the Active unit in two communication attempts (and the cable status is OK) the Standby unit will take over as active.

Refer to the "Failover" section in Chapter 3, "Advanced Configurations" in the configuration guide for your respective software version listed in the section, "Related Documentation" in 'About This Manual.'


	Installing Failover
	Download this chapter Installing Failover Feedback Table Of Contents Installing Failover Installing the Failover Cable Failover Cable Pinouts Frequently Asked Failover Questions Installing Failover This chapter includes the following sections: •Installing the Failover Cable •Failover Cable Pinouts •Frequently Asked Failover Questions Installing the Failover Cable Follow these steps to install a failover Standby unit. Step 1 Follow the instructions in "" to set up the Standby unit and connect its network interface cables. Step 2 Locate the failover cable, shown in . This cable is shipped separately from the PIX Firewall unit. The cable is labeled Primary on one end and Secondary on the other. Install the cable for the PIX 515 as shown in or as shown in for the PIX 520 and earlier models. Figure 3-1 PIX 515 Failover Cable Connection Figure 3-2 PIX 520 and Earlier Model Failover Cable Connection Step 3 Connect the Primary end of the failover cable to the first PIX Firewall unit, that is, the one you have already configured. As soon as the PIX Firewall detects the presence of the failover cable, the system software enables failover mode and the PIX Firewall unit assumes active status. Step 4 Connect the Secondary end of the failover cable to the Standby unit. Step 5 Connect the Standby unit's power cord to the power connector on the rear panel of the unit, and to a power outlet. Step 6 Power on the Standby unit. Within a few seconds, the Active unit automatically downloads its configuration to the Standby unit. The two units are now operating in failover mode. The first PIX Firewall (the one you configured) is the primary unit, and is active by default. The second PIX Firewall is the secondary unit, acting as failover Standby. If the primary unit fails, the secondary unit automatically becomes active. All further PIX Firewall configuration for this failover pair must be done on the Active unit, whichever unit that might be at the time you perform the configuration. The Active unit automatically updates the configuration on the Standby unit. If the Standby unit has failed, updating takes place as soon as the Standby unit is brought back into operation. Refer to Chapter 3, "Advanced Configurations" in the configuration guide for your respective software version listed in the section, "Related Documentation" in "About This Manual." Failover Cable Pinouts Should you need to test the cable you received, the pinouts are shown in . Figure 3-3 Failover Cable Pinouts Frequently Asked Failover Questions This section contains some frequently asked questions about the failover feature. •Can the failover feature work without using the failover cable? No, failover will not work without the cable. If you run without the failover cable you are essentially running two separate PIX Firewall units. This will result in a bridge loop and flood the network. The failover cable is an essential part of failover. •Can I extend the length of the failover cable with modems or line extenders? No, the cable cannot be extended using modems or other RS-232 line extenders. Part of what the failover cable does is indicate the presence and power status of the other unit. When you place line extenders in this path you are relaying the status of the line extender rather than of the other PIX Firewall unit. •What happens if a Primary unit has a power failure? When the Active PIX Firewall experiences a power failure, the Standby PIX Firewall comes up in active mode. If the Primary unit is powered on again it will become the Standby unit. •What happens if an interface card is disconnected? When the active PIX Firewall fails by disconnecting the interface (cable pull), the Standby PIX Firewall becomes the Active unit. When the interface is plugged back in, the unit automatically recovers, and its status is changed from failed to Standby. •Does failover work in a switched environment? Yes, if you are running PIX Firewall version 4.2.x or later on both units. •What constitutes a failure? Fault detection is based on the following: •Failover hello packets are received on each interface. If hello packets are not heard for two consecutive 15 second intervals, the interface will be tested to determine which unit is at fault. •Cable errors. The cable is wired so that each unit can distinguish between a power failure in the other unit, and an unplugged cable. If the Standby unit detects that the Active unit is powered off (or resets) it will take active control. If the cable is unplugged, a syslog message generates but no switching occurs. An exception to this is at boot-up, at which point an unplugged cable forces the unit to an active state. If both units are powered on without the failover cable installed they will both become active creating a duplicate IP address conflict on your network. The failover cable must be installed for failover to work correctly. •Failover communication. The two units share information every 15 seconds. If the Standby unit does not hear from the Active unit in two communication attempts (and the cable status is OK) the Standby unit will take over as active. Refer to the "Failover" section in Chapter 3, "Advanced Configurations" in the configuration guide for your respective software version listed in the section, "Related Documentation" in 'About This Manual.'
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks