Cisco Security Appliance Failover

Step 1 Enable LAN-based failover:
Primary-pix (config)# failover lan enable
Step 2 Enable the Security Appliance as the designated primary unit:
Primary-pix (config)# failover lan unit primary
Step 3 Define the failover interface:
Primary-pix (config)# failover lan interface failover ethernet3
Step 4 Assign an IP address and standby IP address to the failover interface:
Primary-pix (config)# failover interface ip failover 172.16.10.1
255.255.255.240 standby 172.16.10.2
Step 5 Verify your failover configuration:
Primary-pix (config)# show failover
Step 6 Configure the secondary unit IP address from the primary unit by using
the ip address command. Add the ip address command for all
interfaces, including the one for the dedicated failover interface and any
unused interfaces:
Primary-pix (config)# interface ethernet0
Primary-pix (config-if)# ip address 192.168.1.1 255.255.255.0 standby
192.168.1.2
Primary-pix (config)# interface ethernet1
Primary-pix (config-if)# ip address 10.10.10.1 255.255.255.0 standby
10.10.10.2
Step 7 Enable the failover interface:
Primary-pix (config)# interface ethernet3
Primary-pix (config-if)# no shutdown
Step 8 Save your configuration:
Primary-pix (config)# write memory
Step 9 Use the show ip address command to view the addresses you specified:
Primary-pix (config)# show ip address
System IP Addresses:
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address failover 172.16.10.1 255.255.255.240
Current IP Addresses:
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address failover 172.16.10.1 255.255.255.240
The current IP addresses are the same as the system IP addresses on the
failover active unit. When the primary unit fails, the current IP
addresses become those of the standby unit.
NOTE Before you begin the failover configuration, be sure that you connect the failover
cable to the units correctly. Also be sure that the standby unit is not powered on.
Step 10 Enable stateful failover:
Primary-pix (config)# failover link failover
Step 11 Power up the secondary unit. At this point, the primary unit starts
replicating the configuration to the secondary.
Step 12 Verify your failover configuration:
Primary-pix (config)# show failover
Failover On
Cable status: N/A – LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover Ethernet3 (up)
Unit Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Last Failover at: 22:19:11 UTC Mon Jan 19 2005
This host: Primary - Active
Active time: 345 (sec)
Interface outside (192.168.1.1): Normal
Interface inside (10.10.10.1): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface outside (192.168.1.1): Normal
Interface inside (10.10.10.1): Normal
Stateful Failover Logical Update Statistics
Link : failover Ethernet3 (up)
Stateful Obj    xmit    xerr    rcv     rerr
General         0       0       0       0
sys cmd         0       0       0       0
up time         0       0       0       0
RPC services    0       0       0       0
TCP conn        6       0       0       0
UDP conn        0       0       0       0
ARP tbl         106     0       0       0
Xlate_Timeout   0       0       0       0
VPN IKE upd     15      0       0       0
VPN IPSEC upd   90      0       0       0
VPN CTCP upd    0       0       0       0
VPN SDI upd     0       0       0       0
VPN DHCP upd    0       0       0       0
Logical Update Queue Information
                Cur     Max     Total
Recv Q:         0       0       0
Xmit Q:         0       0       0
The show failover command displays the last occurrence of a failover.
The first part of the show failover command output describes the cable
status. Each interface on the PIX Firewall unit has one of the following
values:
• Normal—The active unit is working, and the standby unit is ready.
• Waiting—Monitoring of the other unit’s network interfaces has not
yet started.
• Failed—The PIX Firewall has failed.
• Shutdown—The interface is turned off.
The second part of the show failover command output describes the status of
the stateful failover configuration. Each row is the count for a particular
stateful object:
• General—The sum of all stateful objects.
• Sys cmd—Refers to logical update system commands, such as login
and stay alive.
• Up time—The value for PIX up time that the active PIX Firewall unit
passes on to the standby unit.
• Xlate—The PIX Firewall translation information.
• Tcp conn—The PIX Firewall dynamic TCP connection information.
• Udp conn—The PIX Firewall dynamic UDP connection information.
• ARP tbl—The PIX Firewall dynamic ARP table information.
• RIF tbl—The dynamic router table information.
Each Stateful Obj row has these columns:
— Xmit—Indicates the number of packets transmitted.
— Xerr—Indicates the number of transmit errors.
— Rcv—Indicates the number of packets received.
— Rerr—Indicates the number of receive errors.
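The interface states and per-object error counters described above are what an operator would watch between failover tests. The following Python script is an added example, not code from the book or from Cisco: it parses the text of show failover into a structure and reports the conditions worth alerting on (failover not enabled, a unit interface that is not Normal, no Active unit, a missing peer, or nonzero xerr/rerr counters). The sample output is constructed from the Step 12 listing above; the column spacing of real output may differ, so the parser keys on the words in each line rather than on column positions, and the "degraded" variant is likewise constructed to exercise the checks.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the Step 12 output above (healthy pair).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover Ethernet3 (up)
Monitored Interfaces 3 of 250 maximum
Last Failover at: 22:19:11 UTC Mon Jan 19 2005
        This host: Primary - Active
                Active time: 345 (sec)
                Interface outside (192.168.1.1): Normal
                Interface inside (10.10.10.1): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface outside (192.168.1.1): Normal
                Interface inside (10.10.10.1): Normal

Stateful Failover Logical Update Statistics
        Link : failover Ethernet3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        6          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         106        0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     15         0          0          0
        VPN IPSEC upd   90         0          0          0
"""

# Constructed degraded variant: the primary's own inside interface has failed
# and ARP-table replication is reporting receive errors (rcv 12, rerr 3).
DEGRADED_SHOW_FAILOVER = re.sub(
    r"(ARP tbl\s+106\s+0\s+)0(\s+)0", r"\g<1>12\g<2>3",
    SAMPLE_SHOW_FAILOVER.replace("Interface inside (10.10.10.1): Normal",
                                 "Interface inside (10.10.10.1): Failed", 1))

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+)\s+-\s+(\w+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s+(\S+)")
STAT_RE = re.compile(r"^\s*(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

@dataclass
class FailoverReport:
    enabled: bool = False
    hosts: dict = field(default_factory=dict)       # "This"/"Other" -> (unit, state)
    interfaces: dict = field(default_factory=dict)  # (host, ifname) -> status word
    stats: dict = field(default_factory=dict)       # object -> (xmit, xerr, rcv, rerr)

def parse_show_failover(text: str) -> FailoverReport:
    """Turn the text of `show failover` into a FailoverReport."""
    rep, host, in_stats = FailoverReport(), None, False
    for line in text.splitlines():
        if line.strip() == "Failover On":
            rep.enabled = True
        elif m := HOST_RE.match(line):
            host = m.group(1)                      # interface lines below belong to this host
            rep.hosts[host] = (m.group(2), m.group(3))
        elif (m := IFACE_RE.match(line)) and host:
            rep.interfaces[(host, m.group(1))] = m.group(3)
        elif line.strip().startswith("Stateful Obj"):
            in_stats = True                        # column header; rows follow until a blank line
        elif in_stats:
            if not line.strip():
                in_stats = False
            elif m := STAT_RE.match(line):
                rep.stats[m.group(1)] = tuple(int(m.group(i)) for i in range(2, 6))
    return rep

def assess(rep: FailoverReport) -> list:
    """Return findings worth alerting on; an empty list means the pair looks healthy."""
    findings = []
    if not rep.enabled:
        findings.append("failover is not enabled")
    if "Active" not in [state for _, state in rep.hosts.values()]:
        findings.append("no unit reports Active")
    if "Other" not in rep.hosts:
        findings.append("peer unit not seen")
    for (host, ifname), status in sorted(rep.interfaces.items()):
        if status != "Normal":                     # Waiting, Failed or Shutdown per the list above
            findings.append(f"{rep.hosts[host][0]} interface {ifname} is {status}")
    for obj, (_xmit, xerr, _rcv, rerr) in rep.stats.items():
        if xerr or rerr:
            findings.append(f"{obj}: {xerr} transmit / {rerr} receive errors")
    return findings

if __name__ == "__main__":
    for label, text in (("healthy", SAMPLE_SHOW_FAILOVER), ("degraded", DEGRADED_SHOW_FAILOVER)):
        print(label, assess(parse_show_failover(text)) or ["OK"])
```

Run the script on its built-in samples to see the healthy pair report nothing and the degraded pair report the failed interface and the ARP-table receive errors; in practice you would feed it the captured output of show failover from the active unit and treat any non-empty finding list as a reason to investigate before relying on the standby.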
Step 13 Enter the write memory command from the active unit to synchronize
the current configuration to the Flash memory on the standby unit.