Configuring and Enabling Failover
Let's use the example in Figure 8.7 to configure LAN-based failover. If a failover serial cable is connected to either of the two firewalls, you should disconnect it at this point. Connect all the network cables as shown in the diagram. We begin with the secondary firewall powered off.
As we did with failover using the serial cable, we must first set the Ethernet interface settings and assign IP addresses to each interface. By default, the outside interface (ethernet0, or e0 in the figure) and the inside interface (ethernet1, or e1) already have names assigned to them. However, ethernet2, or e2, which will be our dedicated LAN connection for failover, does not. Here is what our configuration would look like in this example:
PIX1(config)# nameif ethernet2 lanlink security25
PIX1(config)# interface ethernet0 100full
PIX1(config)# interface ethernet1 100full
PIX1(config)# interface ethernet2 100full
PIX1(config)# ip address inside 192.168.1.1 255.255.255.0
PIX1(config)# ip address outside 10.5.1.1 255.255.255.0
PIX1(config)# ip address lanlink 172.16.1.1 255.255.255.0
www.syngress.com
Configuring Failover • Chapter 8 435
First we enable failover on the primary unit:
PIX1(config)# failover
Next we configure the failover IP addresses using the failover ip address command:
PIX1(config)# failover ip address inside 192.168.1.2
PIX1(config)# failover ip address outside 10.5.1.2
PIX1(config)# failover ip address lanlink 172.16.1.2
We can use the show failover command to verify the status of the failover IP addresses (see Figure 8.8).
Figure 8.7 A LAN-Based Failover Example (diagram: PIX1 and PIX2 sit between the Internal Network and the Internet, each with interfaces e0, e1 and e2; e2 on both units forms the failover LAN link)
Figure 8.8 Output of the show failover Command After Configuring Failover IP Addresses
PIX1# show failover
Failover On
Cable status: Other side powered off
Reconnect timeout 0:00:00
Poll frequency 15 seconds
        This host: primary - Active
                Active time: 300 (sec)
                Interface lanlink (172.16.1.1): Normal (Waiting)
                Interface outside (10.5.1.1): Normal (Waiting)
                Interface inside (192.168.1.1): Normal (Waiting)
        Other host: secondary - Standby
                Active time: 0 (sec)
                Interface lanlink (172.16.1.2): Unknown (Waiting)
                Interface outside (10.5.1.2): Unknown (Waiting)
                Interface inside (192.168.1.2): Unknown (Waiting)
To designate the primary firewall for LAN-based failover, enter the following command on the primary firewall:
PIX1(config)# failover lan unit primary
We must now specify the interface that will be used as the failover interface. On both the primary and secondary firewalls, the following command is used to select the interface:
failover lan interface if_name
In this example, we enter the following command on the primary firewall:
PIX1(config)# failover lan interface lanlink
In LAN-based failover, failover messages are transmitted on Ethernet links. Since these Ethernet links could be less secure than a serial cable, a manual preshared key can be used to encrypt and authenticate the contents of these messages. Although not required, it is highly recommended that you use a shared key when using LAN-based failover. The shared key is configured by typing the following command on the firewall:
failover lan key key_secret
In our case, we enter the following command on the primary firewall and set the key to cisco:
PIX1(config)# failover lan key cisco
To enable LAN-based failover on the primary firewall, enter the following commands:
PIX1(config)# failover lan enable
PIX1(config)# failover
At this point, you can power on the secondary firewall (after disconnecting the LAN-based failover interface). Enter the following commands:
PIX2(config)# interface ethernet2 100full
PIX2(config)# nameif ethernet2 lanlink security25
PIX2(config)# ip address lanlink 172.16.1.1 255.255.255.0
PIX2(config)# failover ip address lanlink 172.16.1.2
PIX2(config)# failover lan unit secondary
PIX2(config)# failover lan interface lanlink
PIX2(config)# failover lan key cisco
PIX2(config)# failover lan enable
PIX2(config)# failover
At this point, LAN-based failover is fully configured. Now you can reconnect the LAN-based failover interface. You should see the following messages on the secondary PIX firewall:
LAN-based Failover: trying to contact peer??
LAN-based Failover: Send hello msg and start failover monitoring
On the primary PIX firewall, you will see the following messages:
LAN-based Failover: Peer is UP
Sync Started
Sync Completed
If all connections are working and the configurations were typed in correctly, the show failover command will show that failover is operational (see Figure 8.9).
Figure 8.9 Output of the show failover Command After Completing the Configuration
PIX1# show failover
Failover On
Cable status: My side not connected
Reconnect timeout 0:00:00
Poll frequency 15 seconds
        This host: Primary - Active
                Active time: 400 (sec)
                Interface state (172.16.2.1): Normal
                Interface outside (10.5.1.1): Normal
                Interface inside (192.168.1.1): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface state (172.16.2.2): Normal
                Interface outside (10.5.1.2): Normal
                Interface inside (192.168.1.2): Normal
LAN-based Failover is Active
        interface lanlink (172.16.1.1): Normal, peer (172.16.1.2): Normal
NOTE
The failover mac address command is not available when you use LAN-based failover.
We can enable stateful failover quite easily. We will add interface ethernet3 for exchanging state information (see Figure 8.10) and configure it for stateful failover:
PIX1(config)# interface ethernet3 100full
PIX1(config)# nameif ethernet3 state security20
PIX1(config)# ip address state 172.16.2.1 255.255.255.0
PIX1(config)# failover ip address state 172.16.2.2
PIX1(config)# failover link state
PIX2(config)# interface ethernet3 100full
PIX2(config)# nameif ethernet3 state security20
As usual, we can use the show failover command to check the status of stateful failover (see Figure 8.11).
Figure 8.10 A LAN-Based Stateful Failover Example (diagram: as in Figure 8.7, PIX1 and PIX2 sit between the Internal Network and the Internet with interfaces e0, e1 and e2; a fourth pair, e3, carries the stateful failover link)
Figure 8.11 Output of the show failover Command After Enabling Stateful Failover
PIX1# show failover
Failover On
Cable status: My side not connected
Reconnect timeout 0:00:00
Poll frequency 15 seconds
        This host: Primary - Active
                Active time: 400 (sec)
                Interface state (172.16.2.1): Normal
                Interface outside (10.5.1.1): Normal
                Interface inside (192.168.1.1): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface state (172.16.2.2): Normal
                Interface outside (10.5.1.2): Normal
                Interface inside (192.168.1.2): Normal
Stateful Failover Logical Update Statistics
        Link : state
        Stateful Obj    xmit    xerr    rcv     rerr
        General         12      0       12      0
        sys cmd         12      0       12      0
        up time         0       0       0       0
        xlate           0       0       0       0
        tcp conn        0       0       0       0
        udp conn        0       0       0       0
        ARP tbl         0       0       0       0
        RIP Tbl         0       0       0       0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       13
        Xmit Q:         0       1       13
LAN-based Failover is Active
        interface lanlink (172.16.1.1): Normal, peer (172.16.1.2): Normal
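The verification step the chapter describes for Figures 8.8, 8.9 and 8.11 (read show failover, confirm every interface is Normal, the standby peer is seen, the LAN failover link is active and the stateful statistics carry no errors) can be automated. The parser below is an added example, not from the book or from Cisco; its two samples are constructed, condensed versions of the figure output, and the line patterns assume the PIX 6.x layout shown above.

```python
import re

# Constructed samples, condensed from the shape of the show failover output in Figures 8.8 and 8.11.
BEFORE_ENABLE = """Failover On
This host: primary - Active
Interface outside (10.5.1.1): Normal (Waiting)
Interface inside (192.168.1.1): Normal (Waiting)
Other host: secondary - Standby
Interface outside (10.5.1.2): Unknown (Waiting)
Interface inside (192.168.1.2): Unknown (Waiting)
"""
OPERATIONAL = """Failover On
This host: Primary - Active
Interface outside (10.5.1.1): Normal
Interface inside (192.168.1.1): Normal
Other host: Secondary - Standby
Interface outside (10.5.1.2): Normal
Interface inside (192.168.1.2): Normal
Stateful Obj xmit xerr rcv rerr
General 12 0 12 0
sys cmd 12 0 12 0
LAN-based Failover is Active
interface lanlink (172.16.1.1): Normal, peer (172.16.1.2): Normal
"""

IFACE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+)$", re.M)      # per-interface health lines
PEER = re.compile(r"^interface (\S+) \(([\d.]+)\): (\w+), peer \(([\d.]+)\): (\w+)$", re.M)
STATS = re.compile(r"^(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$", re.M)     # xmit xerr rcv rerr rows
STANDBY = re.compile(r"^Other host: .* - Standby$", re.M)

def failover_problems(text):
    """Return the reasons this show failover output is not fully operational (empty list if it is)."""
    problems = []
    if "Failover On" not in text:
        problems.append("failover is not enabled")
    if not STANDBY.search(text):
        problems.append("no standby peer reported")
    for name, ip, state in IFACE.findall(text):
        if state != "Normal":                      # e.g. "Normal (Waiting)" or "Unknown (Waiting)"
            problems.append(f"interface {name} ({ip}) is {state}")
    if "LAN-based Failover is Active" not in text:
        problems.append("LAN-based failover link is not active")
    for name, ip, mine, peer_ip, peer in PEER.findall(text):
        if mine != "Normal" or peer != "Normal":
            problems.append(f"failover link {name}: local {mine}, peer {peer_ip} {peer}")
    for obj, _xmit, xerr, _rcv, rerr in STATS.findall(text):
        if int(xerr) or int(rerr):                 # any transmit/receive error on a stateful object
            problems.append(f"stateful object {obj.strip()} has errors (xerr={xerr}, rerr={rerr})")
    return problems
```

Feed the real command output in and treat a non-empty list as a reason not to trust the pair with production traffic yet.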