Failover Concepts

The failover feature of the Cisco PIX firewall provides the ability to deal with firewall failures. This is accomplished by running a second PIX firewall that automatically takes over in case the active firewall fails. Failover works with two, and exactly two, firewalls. When one of these firewalls fails, the other one takes over the failed firewall's functions. Failover works with all interface types. The two firewalls must be identical in the following ways:

• Same model of firewall (for example, a PIX 515 cannot be used with a PIX 515E)
• Same amount of flash memory and RAM
• Same software version (for example, software version 6.1 cannot be used with software version 6.2)
• Same number and types of interfaces
• Same activation key type (for example, DES or 3DES support)

In addition, there are some licensing restrictions for using failover:

• The primary firewall must be running an unrestricted license.
• The secondary firewall must be running either an unrestricted or a failover-only license.

Failover is only supported on the high-end models of the PIX firewall, such as the PIX 515, 515E, 520, 525, and 535. It is not supported on the PIX 501, 506, and 506E.

www.syngress.com

Firewalls with failover-only licenses can usually be obtained from Cisco at very low prices. Cisco also offers bundled firewall pricing, selling two PIX firewall units (one with an unrestricted license and the other with a failover-only license) for low prices.


Many enterprises have high requirements for availability. In many environments, providing 99.99 percent uptime is part of the service-level agreement (SLA), which equals less than 53 minutes of downtime a year. In order for this uptime requirement to be met, high availability through redundancy and failover must be implemented. To support high availability, the PIX firewall provides both stateless and stateful failover capabilities.

In this chapter, you will learn how failover works on the PIX firewall. We will go through various configuration examples to learn all types of failover. You will also learn about LAN-based failover operation, which is one of the newer features available on the PIX firewall.


Note

A firewall with a failover-only license is meant to be used as a secondary
firewall for failover only, not for standalone operation. If used in standalone
mode, the firewall will reboot once every 24 hours and display the
following message on the console:
=========================NOTICE ==========================
This machine is running in secondary mode without
a connection to an active primary PIX. Please
check your connection to the primary system.
REBOOTING....
==========================================================
The reboots will continue until the firewall is re-configured for
operation as a failover unit.
Configuring Failover • Chapter 8 415
Designing & Planning…

Load Balancing vs. Redundancy

The failover feature in PIX firewalls only provides support for redundancy. One unit acts as the active firewall, and the other one runs in standby mode. It is not possible to run both firewalls in active mode at the same time. If you want to increase capacity by using two or more firewalls in active mode, you should consider purchasing some load-balancing equipment. Load balancers, such as the Cisco Content Services Switch (CSS) 11000 series, provide the ability to load-balance network traffic to multiple PIX firewalls in order to provide increased capacity and higher combined throughput rates. Be careful to configure your load balancers to work on a per-conversation basis. If they are configured to work on a per-packet basis, the stateful inspection feature of the PIX firewall will end up denying valid traffic.
When you configure failover, one firewall is designated as primary, and the other one is designated as secondary. In normal mode of operation, when everything is functioning properly, the primary firewall is active and handles all the network traffic. The secondary firewall sits in standby state and is ready to take over the functions of the primary firewall in case the primary fails. When the primary fails, the secondary firewall becomes active, and the primary goes into the standby state. A standby firewall can also fail. If the standby firewall fails, the primary remembers this and the secondary is disallowed to ever take control, so failover will not occur even if the primary firewall later fails. Although the firewalls may switch the active and standby roles, the primary and secondary never change. This terminology of primary, secondary, active, and standby is extremely important to understand as they relate to other failover concepts.

This brings us to a very important question: When is a firewall considered failed? Failure happens when any of the following conditions occurs:

• Block memory is exhausted for 15 consecutive seconds or longer on the active PIX firewall.
• The link status of any of the network interfaces on the active PIX goes down for more than twice the poll interval. This does not include interfaces that are administratively down.
• Hello packets are constantly exchanged between the primary and secondary PIX firewalls over all network interfaces. (They are sent out every 15 seconds by default, but this interval can be tuned.) If no hello messages are received for two poll intervals, the interface that did not respond is put into testing mode. If the interface does not pass testing, it as well as the firewall are considered failed.
• Hello packets are also exchanged between the primary and secondary PIX firewalls over the failover serial cable. If the standby firewall does not hear from the active firewall for two poll intervals and the failover cable status is declared okay, the standby PIX firewall considers the active PIX failed and becomes active itself. Furthermore, if the active unit does not hear from the standby firewall for two poll intervals, it considers the standby unit as failed.
• If the standby firewall detects that the active firewall has been powered off or rebooted, the standby becomes active. If the failover cable is unplugged, no failover occurs.
NOTE

The failover cable is designed to be smart enough to distinguish between a power failure on the other unit, a cable unplugged from this unit, or a cable unplugged from the other unit. Therefore, if the cable is unplugged from either unit, no failover occurs, but a syslog message is generated. However, if the active firewall is powered off (either gracefully using a reload command or through a power failure), the standby unit assumes the active state.

There are two types of failover—standard failover and LAN-based failover—and the two function in a similar manner. The primary difference between them is the medium used to exchange failover information between the primary and secondary firewalls. In standard failover, a special serial cable is used to connect the two firewalls. This cable is known as the failover cable. The failover cable is a Cisco proprietary modified RS-232 cable that is used specifically for PIX firewalls. In LAN-based failover, instead of the failover serial cable, a dedicated Ethernet link is used to exchange failover information.

The failover information exchanged over the serial failover cable (or the failover Ethernet link in LAN-based failover) includes:

• The MAC addresses of the firewalls
• Hello (keepalive) packets
• State information (active or standby)
• Network interface link status
• Configuration replication

Communication over the failover cable is performed using messages, and each message must be acknowledged. If a message is not acknowledged by the other firewall within 3 seconds, it is retransmitted. After five retransmissions without an acknowledgment, the firewall that is not acknowledging messages is declared failed.
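As an added example (not from the book and not Cisco's code), the following Python models the two timer rules described in this section: the hello-based failure detection from the conditions list (silence for two poll intervals of the default 15 seconds puts an interface into testing; a standby unit takes over only when the failover cable is reported okay) and the message acknowledgment rule (retransmit after 3 seconds, declare the peer failed after five unacknowledged retransmissions). Class and method names are my own, and the interface names used are constructed.

```python
"""Model of the PIX failover hello and acknowledgment timers (added example)."""
from dataclasses import dataclass, field
from typing import Optional

POLL_INTERVAL = 15     # default hello interval in seconds (tunable on the PIX)
MISSED_POLLS = 2       # silent for two poll intervals => interface goes into testing
ACK_TIMEOUT = 3        # seconds without an acknowledgment before a message is resent
MAX_RETRANSMITS = 5    # unacknowledged retransmissions before the peer is declared failed


@dataclass
class HelloMonitor:
    """Tracks the last hello seen per interface and over the failover cable."""
    poll_interval: int = POLL_INTERVAL
    last_hello: dict = field(default_factory=dict)  # interface name -> time of last hello

    def hello(self, iface, now):
        self.last_hello[iface] = now

    def interfaces_in_testing(self, now):
        """Interfaces silent for more than two poll intervals are put into testing mode."""
        limit = MISSED_POLLS * self.poll_interval
        return sorted(i for i, t in self.last_hello.items() if now - t > limit)

    def standby_takes_over(self, now, cable_ok):
        """Standby becomes active only if the cable is okay and the active unit is silent."""
        silent = now - self.last_hello.get("cable", now) > MISSED_POLLS * self.poll_interval
        return cable_ok and silent   # an unplugged cable never triggers failover


@dataclass
class AckTracker:
    """Retransmits an unacknowledged failover message and declares the peer failed."""
    sent_at: Optional[float] = None
    retransmits: int = 0
    peer_failed: bool = False

    def send(self, now):
        self.sent_at, self.retransmits = now, 0

    def ack(self):
        self.sent_at = None  # message acknowledged; stop the timer

    def tick(self, now):
        """Call periodically; returns 'acked', 'waiting', 'retransmit' or 'failed'."""
        if self.sent_at is None:
            return "acked"
        if now - self.sent_at < ACK_TIMEOUT:
            return "waiting"
        if self.retransmits >= MAX_RETRANSMITS:
            self.peer_failed = True   # five resends went unanswered
            return "failed"
        self.retransmits += 1
        self.sent_at = now
        return "retransmit"
```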