However, some state information is not replicated to the standby unit in a stateful
failover:
■ User authentication (uauth) table
■ ISAKMP and the IPSec SA table
■ ARP table
■ Routing information
Most UDP state tables are not transferred, with the exception of dynamically opened ports
that correspond to multichannel protocols such as H.323.
In addition to the failover cable, stateful failover setup requires a 100-Mbps or Gigabit
Ethernet interface to be used exclusively for passing state information between the active and
standby units. IP protocol 105 is used to pass data over this interface.
The stateful failover interface can be connected to any of the following:
■ Category 5 crossover cable directly connecting the primary unit to the secondary unit
■ 100BASE-TX full duplex on a dedicated switch or a switch’s dedicated VLAN
■ 1000BASE-SX full duplex on a switch’s dedicated VLAN
A Cisco Security Appliance with two FDDI cards cannot use stateful failover because
stateful failover does not support an additional Ethernet interface alongside FDDI.
LAN-Based Failover
The distance restriction of 6 feet of serial cable between two PIX Firewall devices in a failover
configuration is no longer a limitation starting with Security Appliance software version 6.2.
LAN-based failover is a feature (available only on Security Appliance software version 6.2
or higher) that extends Security Appliance failover functionality to operate through a
dedicated LAN interface without the serial failover cable. This feature provides a choice of
failover configuration on the Security Appliance.
NOTE Cisco does not recommend using a crossover cable for stateful failover. Using a
crossover cable might cause a Security Appliance to incorrectly determine whether a
failover event has occurred.