All Cisco-Network Study Notes: Failing Back cisco systems

Failing Back

Just as with accepted failover, the failover alive and no failover alive commands can

be acclimated to manually change the alive and standby firewalls.

Disabling Failover

The action for disabling LAN-based failover is the aforementioned as disabling standard

failover. Enter the distinct command:

PIX1(config)# no failover

To verify that failover has been disabled, use the appearance failover command:

PIX1# appearance failover

Failover Off

Cable Status: My ancillary not connected

Reconnect timeout: 0:00:00

If you are disabling failover permanently, it is awful recommended that you

clean up your agreement by removing the added failover commands.

www.syngress.com

444 Affiliate 8 • Configuring Failover

Summary

In this chapter, we abstruse how failover operation works on the PIX firewall.To

support aerial availability, the Cisco PIX firewall provides the adeptness to accord with

firewall failures.This is able by alive a additional PIX firewall that automatically

takes over in case the alive firewall fails. Failover works with two, and

exactly two, identical firewalls.When the alive firewall fails, the standby takes

over its functions.

There are two types of failover—standard failover and LAN-based failover—

and the two action in a agnate manner.The primary aberration amid them

is the agency of connectivity acclimated amid the primary and accessory firewalls to

exchange failover information. In accepted failover, a appropriate consecutive cable is acclimated to

connect the two firewalls.This cable is accepted as the failover cable. In LAN-based

failover, instead of the failover consecutive cable, an Ethernet cable is acclimated to connect

the firewalls.Whichever blazon of failover is used, the PIX can be set up to operate

in stateless or stateful mode. Failover is alone accurate on the high-end models

of the PIX firewall, such as the PIX 515, 515E, 520, 525, and 535. It is not supported

on the PIX 501, 506, and 506E.

When you configure failover, you baptize one firewall as primary and the

other as secondary. In accustomed approach of operation, back aggregate is functioning

properly, the primary firewall is alive and handles all the arrangement traffic.The

secondary firewall sits in standby accompaniment and is accessible to booty over the functions of

the primary firewall in case the primary fails.When the primary fails, the secondary

firewall becomes alive and the primary goes into the standby state.This

terminology of primary, secondary, active, and standby is acutely important to

understand as it relates to failover concepts.

Solutions Fast Track

Failover Concepts

Failover works with two, and absolutely two, identical firewalls.When one

of these firewalls fails, the added one takes over its functions.

Failover is alone accurate on the high-end models of the PIX firewall,

such as the PIX 515, 515E, 520, 525, and 535. It is not accurate on the

PIX 501, 506, and 506E.

www.syngress.com

Configuring Failover • Affiliate 8 445

Agreement archetype is the action by which the agreement from

the primary PIX firewall is replicated to the accessory firewall.

In accustomed approach of operation, back aggregate is action properly,

the primary firewall is alive and handles all the arrangement traffic.The

secondary firewall sits in standby accompaniment and is accessible to booty over the

functions of the primary firewall in case the primary fails.When the

primary fails, the accessory firewall becomes alive and the primary

goes into the standby state.

Standard Failover Application a Failover Cable

Accepted failover works application a failover cable, which is acclimated to connect

the primary and accessory PIX firewalls. Communication over this cable

includes hellos (keepalives), MAC abode exchanges, accompaniment (active vs.

standby), arrangement articulation status, and agreement replication.

Back you use stateful failover, assertive tables on the firewall, such as the

translation and affiliation tables, are replicated from the alive firewall

to the standby firewall.This archetype takes abode over a dedicated

interface.When a failover bearings occurs, accompaniment advice is

maintained.

The primary adjustment of ecology failover action is to use the show

failover command, which can be run on either firewall.

Once failover has occurred, the primary firewall is alive in standby

mode and the accessory firewall is alive as the active, and a failback

does not automatically occur.You can force a firewall to be the active

firewall by entering the failover alive command in agreement mode.

LAN-Based Failover

In LAN-based failover, instead of the consecutive failover cable, an Ethernet

link can be used.The better advantage of application LAN-based failover is

that it gets about the ambit limitation of application the consecutive failover

cable, which is alone 6 anxiety long.

A committed hub or about-face or a committed VLAN on a about-face can be

used to affix the two PIX firewalls for LAN-based failover.A

crossover Ethernet cable cannot be used.

www.syngress.com

446 Affiliate 8 • Configuring Failover

To accredit LAN-based failover to be stateful, you can use the dedicated

LAN-based failover articulation to barter accompaniment information, or you can

dedicate a abstracted LAN articulation for this purpose.

To adviser LAN-based failover, use the appearance failover lan and appearance failover

lan detail commands.

Q: How fast is a abortion bearings detected?

A: The time it takes to ascertain a abortion depends on the failover poll interval. If

the poll breach is set at the absence of 15 seconds, arrangement and failover communication

errors are detected aural 30 seconds, and ability or cable failures

are detected aural 15 seconds.

Q: What is the best adjustment to adviser failover on a circadian basis? Back the

primary firewall fails, how will I know?

A: The PIX firewall generates syslog letters for all failover events, including

any errors.The best way to adviser failover is to analysis syslog letters regularly.

Failover letters are consistently beatific with a severity akin of 2 (critical). It is

recommended that you install a syslog watching affairs to alive you back a

failover absurdity or switchover occurs.

Q: Back configuring failover, how should I accord with bare interfaces?

A: If you are not application a accurate interface, our advocacy is to shut it

down administratively. If it is not administratively shut down, the PIX firewall

will use the interface as a allotment of failover monitoring, and you will charge to

assign it arrangement and failover IP addresses and affix it to the corresponding

interface on the added firewall.

www.syngress.com

Frequently Asked Questions

The afterward Frequently Asked Questions, answered by the authors of this book,

are advised to both admeasurement your compassionate of the concepts presented in

this affiliate and to abetment you with real-life accomplishing of these concepts. To

have your questions about this affiliate answered by the author, browse to

www.syngress.com/solutions and bang on the “Ask the Author” form.

Configuring Failover • Affiliate 8 447

Q: Is it anytime accessible for failover to action from the accessory firewall to the

primary firewall?

A: Yes, there is a bearings in which this failover ability occur. Accept that you

configure a primary and accessory firewall, and failover is alive normally.

In this case, the primary will be active, and the accessory will be standby.

Now accept that there is a abortion on the primary firewall.The secondary

will booty over as active, and the primary will become standby. Now assume

you boldness the affair that acquired the abortion on the primary firewall. As you

will remember, there is no automated “failback” on the PIX firewall.This

means that alike admitting both firewalls will now be action normally, the

secondary will abide to act as the active, and the primary will abide to

be standby. If, in this situation, the accessory firewall fails, the primary will

become alive again, and the accessory will become standby.

Q: Can I abode a router amid the primary and accessory PIX firewall LANbased

failover connection?

A: No.You can alone use a hub, a switch, or a committed VLAN on a switch.The

LAN-based failover interfaces from both firewalls charge be in the aforementioned VLAN

and the aforementioned subnet. Unless your router is alive in cellophane bridging

mode, it will not work.