Failure Detection

The primary and secondary firewalls exchange hello packets with each other over the failover cable as well as over all network interfaces. These hellos are exchanged every 15 seconds by default. To change the hello interval, use the following command:

failover poll seconds

The minimum value for seconds is 3 seconds, and the maximum is 15 seconds. With a lower hello interval, failure will be detected faster, but there is also the danger of accidental failover occurring when the network is experiencing temporary congestion.

The failover feature on the PIX firewall monitors the failover hello packets as well as the power status of the other firewall. If a failure is detected and it is not because of a power loss or reboot of the secondary firewall, the PIX firewall (primary or secondary, whichever detects the failure) performs a series of tests to determine which firewall has failed. The tests begin when hello messages are not heard for two consecutive poll intervals (15 seconds each by default). The idea behind each test is to look for network traffic. For each of these tests, if one firewall receives network traffic during the test and the other firewall does not, the firewall that has not received any traffic is considered failed. If neither firewall receives any traffic, the next test in the series is performed. The following four tests are used:

• Link up/down: The firewall tests the network link state to ensure it is up. This test finds issues such as a cable being unplugged, a hub/switch port going bad, or a hub/switch failure. If the interface passes this test, the PIX starts the network activity test. Otherwise, the interface and the corresponding firewall are considered failed.

• Network activity: The firewall listens for network activity for up to 5 seconds. If any packets are received during this test, the interface is considered operational and testing stops. If no activity is found, the PIX firewall starts the ARP test.

• ARP: If the network activity test fails, the Address Resolution Protocol (ARP) test is performed. The PIX takes the 10 most recent entries added to its ARP table and sends ARP requests for each one in order to stimulate some network traffic. After sending each request, the PIX monitors all received traffic for up to 5 seconds. If no traffic is received, the PIX moves on to the next entry in the list. If at any time during the test network traffic is received, the interface is considered operational and testing stops. If the list is exhausted and no traffic has been received, the PIX starts the broadcast ping test.

www.syngress.com

420 Chapter 8 • Configuring Failover

• Broadcast ping: The firewall sends out a broadcast ping on the interface and looks at all packets received for up to 5 seconds after the ping was sent. If any packets are received, the PIX firewall declares the interface operational and stops the test. If, however, no packets are received, the firewall starts testing all over again with the ARP test.
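The decision logic of the four tests above, written out as an added example (this is not Cisco code, and the InterfaceView fields are constructed observations of what one unit sees on one interface during each test):

```python
from dataclasses import dataclass, field

@dataclass
class InterfaceView:
    """Constructed observation of one interface on one unit during the tests."""
    link_up: bool
    activity_packets: int = 0                         # packets seen in the 5 s activity window
    arp_replies: list = field(default_factory=list)   # packets seen after each ARP request sent
    ping_replies: int = 0                             # packets seen in 5 s after the broadcast ping

def arp_test(view):
    """ARP test: probe up to the 10 most recent entries; stop at the first traffic seen."""
    return any(n > 0 for n in view.arp_replies[:10])

def traffic_tests(view):
    """The three traffic tests, in the order the PIX runs them after the link test."""
    return [("activity", view.activity_packets > 0),
            ("arp", arp_test(view)),
            ("broadcast ping", view.ping_replies > 0)]

def decide(primary, secondary):
    """Verdict for one interface pair.

    "primary"/"secondary": that unit is declared failed; "both": both links are down;
    "operational": both units saw traffic; "undetermined": every test ran without
    traffic on either side (the PIX would then start over at the ARP test)."""
    # Link up/down: a unit whose link is down is failed without further testing.
    if not primary.link_up or not secondary.link_up:
        if primary.link_up:
            return "secondary"
        if secondary.link_up:
            return "primary"
        return "both"
    for (_name, p_ok), (_, s_ok) in zip(traffic_tests(primary), traffic_tests(secondary)):
        if p_ok and s_ok:
            return "operational"                 # traffic on both sides: testing stops
        if p_ok != s_ok:
            return "secondary" if p_ok else "primary"   # the silent side is failed
        # neither side saw traffic during this test: move on to the next one
    return "undetermined"
```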

NOTE

All corresponding interfaces (those not administratively shut down) on both firewalls must be able to communicate with each other, even if they are not used. For example, they can be connected with crossover cables or plugged into the same switch. Otherwise, the tests will fail.