Task 7: Configuring Failover

NOTE You also need to configure the VPN client software on the remote user PCs. This configuration involves identifying the IP address of HQ-PIX and indicating the VPN group name (remote-users) and group password (B#!42Dd).

Failover is configured on the PIX only at the Reston site (HQ-PIX). When configuring failover, you first configure the failover parameters on the primary PIX Firewall (leaving the secondary PIX Firewall powered off). Then, you configure the failover parameters on the secondary PIX Firewall. The steps to configure failover are as follows:
Step 1 Make sure that failover is enabled on the primary PIX Firewall using the following command:
failover
Failover is not enabled by default.
Step 2 Configure Ethernet 3 for LAN-based failover through the following commands:
failover lan interface LANFAIL ethernet3
failover interface ip LANFAIL 1.1.1.1 255.255.255.0 standby 1.1.1.2
failover lan unit primary
failover key 1234567
failover
Step 3 Configure a failover IP address for every interface that has an IP address configured on it:
failover ip address inside 10.10.10.2
failover ip address outside 192.168.1.3
failover ip address DMZ 172.16.31.2
Step 4 Check the status of your failover configuration:
show failover
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Last Failover at: 13:21:38 UTC Dec 10 2004
This host: Primary - Active
Active time: 300 (sec)
Interface outside (192.168.1.2): Normal
Interface inside (10.10.10.1): Normal
Interface dmz (172.16.31.1): Normal
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (192.168.1.3): Normal
Interface inside (10.10.10.2): Normal
Interface dmz (172.16.31.2): Normal
648 Chapter 20: Case Study and Sample Configuration
Step 5 Enable stateful failover:
failover link lanfail
Step 6 Connect the failover cable between the two PIX Firewalls if you have not already connected it.
Step 7 Power on the secondary unit.
Step 8 Check the status of your failover configuration:
HQ-PIX# show failover
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: lanfail Ethernet 3 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Last Failover at: 13:21:38 UTC Dec 10 2004
This host: Primary - Active
Active time: 300 (sec)
Interface outside (192.168.1.2): Normal
Interface inside (10.10.10.1): Normal
Interface dmz (172.16.31.1): Normal
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (192.168.1.3): Normal
Interface inside (10.10.10.2): Normal
Interface dmz (172.16.31.2): Normal
Stateful Failover Logical Update Statistics
        Link : failover
        Stateful Obj    xmit       xerr       rcv        rerr
        General         435        0          0          0
        sys cmd         415        0          0          0
        up time         0          0          0          0
        xlate           27         0          0          0
        tcp conn        203        0          0          0
        udp conn        0          0          0          0
        ARP tbl         0          0          0          0
        RIP Tbl         0          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       1       614
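Reading the Step 4 and Step 8 output by eye is fine once; for an operations check that runs after every change it is better to parse it. The following added Python script is not part of the book or of Cisco's tooling: it parses a show failover capture and reports anything that means the pair cannot actually take over (failover off, LAN failover interface not up, peer not Standby Ready, a monitored interface that is not Normal, or stateful update errors). The sample capture is constructed from the Step 8 output above, the degraded variant is constructed, and the line patterns are my assumptions about the PIX 6.x output format.

```python
import re
SAMPLE = """Failover On
Failover LAN Interface: lanfail Ethernet 3 (up)
This host: Primary - Active
Interface outside (192.168.1.2): Normal
Interface inside (10.10.10.1): Normal
Other host: Secondary - Standby Ready
Interface outside (192.168.1.3): Normal
Interface inside (10.10.10.2): Normal
Stateful Obj xmit xerr rcv rerr
General 435 0 0 0
tcp conn 203 0 0 0
"""  # constructed sample: an abridged copy of the Step 8 "show failover" output above
DEGRADED = SAMPLE.replace("(10.10.10.2): Normal", "(10.10.10.2): Failed")  # constructed fault

HOST_RE = re.compile(r"^(This|Other) host: (\w+) [-\u2013] (.+)$")   # hyphen or en dash
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+)$")
STAT_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")   # xmit xerr rcv rerr rows

def parse_show_failover(text):
    """Parse show failover output into unit states, interface states and stateful counters."""
    st, cur = {"enabled": False, "lan_up": False, "hosts": {}, "stats": {}}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Failover On":
            st["enabled"] = True
        elif line.startswith("Failover LAN Interface:"):
            st["lan_up"] = line.endswith("(up)")  # "N/A - Serial-based ..." counts as down
        elif (m := HOST_RE.match(line)):
            cur = m.group(1)  # interface lines that follow belong to this unit
            st["hosts"][cur] = {"unit": m.group(2), "state": m.group(3), "ifaces": {}}
        elif (m := IFACE_RE.match(line)) and cur:
            st["hosts"][cur]["ifaces"][m.group(1)] = (m.group(2), m.group(3))
        elif (m := STAT_RE.match(line)):
            st["stats"][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return st

def failover_problems(text):
    """Return findings for a show failover capture; an empty list means the pair is healthy."""
    st = parse_show_failover(text)
    hosts = st["hosts"]
    checks = [(st["enabled"], "failover is not enabled"),
              (st["lan_up"], "LAN failover interface is not up"),
              (hosts.get("This", {}).get("state") == "Active", "this unit is not Active"),
              (hosts.get("Other", {}).get("state") == "Standby Ready", "peer is not Standby Ready")]
    probs = [msg for ok, msg in checks if not ok]
    for who, h in hosts.items():  # any monitored interface not Normal on either unit
        probs += ["%s host: %s (%s) is %s" % (who, n, ip, s) for n, (ip, s) in h["ifaces"].items() if s != "Normal"]
    # non-zero xerr/rerr means connection state is not replicating cleanly to the standby
    probs += ["stateful update errors on %s" % o for o, (_, xerr, _, rerr) in st["stats"].items() if xerr or rerr]
    return probs
```

Run failover_problems() over a capture taken after Step 8; on the Step 4 output it reports the LAN failover interface as not up, which is exactly the condition the later steps clear.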