LAN-Based Failover
The distance restriction of 6 feet of serial cable between two PIX Firewall devices in a failover
configuration is no longer a limitation starting with Security Appliance software version 6.2.
LAN-based failover is a feature (available only on Security Appliance software version 6.2
or higher) that extends Security Appliance failover functionality to operate through a
dedicated LAN interface without the serial failover cable. This feature provides a choice of
failover configuration on the Security Appliance.
NOTE Cisco does not recommend using a crossover cable for stateful failover. Using a
crossover cable might cause a Security Appliance to incorrectly determine if a failover
event has occurred.
The obvious benefit of LAN-based failover is that it removes the 6-foot distance limitation
from the Security Appliance devices in a failover configuration. If the LAN-based failover
command interface link goes down, the Security Appliance notifies the peer through “other”
interfaces, and then the standby unit takes over. If all connectivity between the two Security
Appliance units is lost, both Security Appliances could become active. Therefore, it is best to
use a separate switch for the LAN-based failover command interface, so that a failed switch
will not cause all connectivity to be lost between the two Security Appliance units.
The weakness of LAN-based failover is its delayed detection of a peer's power loss, which makes
failover take relatively longer to occur.
The standby unit in a Security Appliance failover pair can be configured to use a virtual MAC
address. This eliminates potential “stale” ARP entry issues for devices connected to the
Security Appliance failover pair in the unlikely event that both firewalls in a failover pair fail
at the same time.
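The following configuration is an added example, not part of the original text, showing how the pieces described above (a dedicated LAN failover interface, a separate stateful link, and a virtual MAC address for the standby unit) fit together on the primary unit. It uses ASA-style `failover lan ...` syntax; the interface names, addresses, MAC addresses and shared key are assumed placeholders and must be replaced with site values. The PIX 6.2 form of some commands differs slightly (for example `failover lan key` instead of `failover key`), so check the syntax against the software version in use.

```cisco
! --- Added example: primary unit of a LAN-based failover pair (placeholder values) ---
! Data interface carries a standby address so the pair shares one logical address
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
! Dedicated failover command interface: not used for user traffic,
! and ideally patched to a switch separate from the data path
interface GigabitEthernet0/2
 description LAN-based failover command link
 no shutdown
!
! Separate link for stateful connection replication
interface GigabitEthernet0/3
 description stateful failover link
 no shutdown
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover link statelink GigabitEthernet0/3
!
! Shared key authenticates and encrypts failover messages between the peers.
! Failover traffic includes configuration replication, so without a key that
! content crosses the LAN in clear text.
failover key <shared-secret-placeholder>
!
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover interface ip statelink 192.168.253.1 255.255.255.252 standby 192.168.253.2
!
! Virtual MAC addresses: the active unit always presents the first address,
! the standby the second, so neighbouring ARP caches never go stale on a switchover
failover mac address GigabitEthernet0/0 0000.0c00.0001 0000.0c00.0002
```

The secondary unit needs only the `failover`, `failover lan unit secondary`, `failover lan interface`, `failover key` and `failover interface ip` lines; everything else is replicated from the primary once the failover link is up. Because the two units decide who is active by what they hear over the failover and data interfaces, the command link and the data-path switches should be monitored separately, so that a single switch failure does not silence every path and produce two active units.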