Failover Monitoring 309

NOTE With Security Appliance software version 7.0, serial cable failover supports
message encryption.
It is also important to examine the labels on each end of the failover cable. One end of the
cable is labeled “primary,” and the other end is labeled “secondary.” For a working failover
configuration, the end labeled “primary” must be connected to the primary unit, and the end
labeled “secondary” must be connected to the secondary unit. Keep in mind that configuration
replication is one-way: changes made on the active unit are copied to the standby unit, but
changes made to the standby unit are never replicated to the active unit, so always make
configuration changes on the active unit.
In addition to the hardware and software requirements, it is also important to correctly
configure the switches to which the Security Appliances directly connect. Port Fast should be
enabled on every switch port where a Security Appliance interface directly connects, and
trunking and channeling (EtherChannel negotiation) should be turned off on those ports. This
way, if a Security Appliance interface goes down and comes back up during failover, the switch
does not hold the port for 30 seconds while it transitions from the listening state to the
learning state and then to the forwarding state.
Port Fast
Many Cisco switches provide a Port Fast option for switch ports. Configuring this option on
a switch port causes the port to bypass the listening and learning states of the Spanning Tree
Protocol and move directly into the forwarding state as soon as the link comes up; the port
still participates in spanning tree. Port Fast is an option that you can enable on a per-port
basis. It is recommended only for end-station attachments, because a Port Fast port that is
connected to another switch can forward traffic before a loop has been detected.
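The switch-port settings described in the two passages above (Port Fast on, trunking and channeling off) in Cisco IOS syntax, as an added example that is not part of the original page. The interface name, VLAN number and description are assumed, and the BPDU Guard line is an extra safeguard the text does not mention: it shuts the port down if a switch is ever plugged in where a Security Appliance interface belongs.

```cisco
! Added example, not from the original page.
! Assumption: the primary unit's inside interface plugs into Gi1/0/1 on an IOS switch.
interface GigabitEthernet1/0/1
 description primary Security Appliance - inside (assumed)
 ! Static access port: the port never becomes a trunk
 switchport mode access
 switchport access vlan 10
 ! Disable DTP so the port cannot negotiate trunking with the far end
 switchport nonegotiate
 ! No channel-group is configured on this port, so it cannot join an EtherChannel
 ! Skip the listening and learning states and forward as soon as the link is up
 spanning-tree portfast
 ! Added safeguard: err-disable the port if a BPDU (that is, another switch) ever appears
 spanning-tree bpduguard enable
!
! Verification: the first command reports the port's Port Fast status,
! the second shows "Administrative Mode: static access" and
! "Negotiation of Trunking: Off" (exact wording varies by IOS release)
show spanning-tree interface GigabitEthernet1/0/1 detail
show interfaces GigabitEthernet1/0/1 switchport
```

Apply the same port configuration to every switch port that carries a Security Appliance interface on both the primary and the secondary unit; a single port left in the default dynamic trunking mode is enough to add the 30-second spanning-tree delay to a failover on that interface.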
Failover Monitoring
The failover feature in the Cisco Security Appliance monitors failover communication, the
power status of the other unit, and hello packets received at each interface. If two consecutive
hello packets are not received within an amount of time determined by the failover feature,
failover starts testing the interfaces to determine which unit has failed and transfers active
control to the standby unit. At this point, the “active” LED on the front of the standby
Security Appliance lights up and the “active” LED on the failed Security Appliance unit dims.
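How the hello timing described above is controlled, as an added example that is not part of the original page. It assumes Security Appliance software 7.x with failover already cabled and enabled; the poll and hold values are chosen for illustration, and the hold time must be at least three times the unit poll time.

```cisco
! Added example, not from the original page. Enter on the active unit;
! the settings replicate to the standby unit.
! Unit hellos go out every 1 second; if none arrive for 3 seconds the
! peer is considered failed (values assumed; holdtime >= 3 x polltime).
failover polltime unit 1 holdtime 3
! Interface hellos go out every 5 seconds on each monitored interface;
! missed interface hellos are what trigger the interface tests.
failover polltime interface 5
!
! Verification: shows each unit's role, the configured poll and hold
! times, and whether the peer is "Standby Ready" (wording varies by release)
show failover
```

Shorter timers detect a failed unit faster but make failover more sensitive to brief failover-link or switch hiccups, so tune them after the switch ports are configured as described above rather than before.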
NOTE The ASA 55x0 Security Appliance family of firewalls does not support the serial
cable for failover; LAN-based failover must be used instead.