Stateful Failover

As of software version 5.1, the PIX firewall supports stateful failover. Before the stateful failover feature, when the primary firewall failed and the secondary became active, all existing connections through the firewall were dropped, and applications needed to initiate new connections through the firewall. If configured, the stateful failover feature can eliminate this problem. With stateful failover enabled, the primary firewall constantly replicates its TCP connection table to the secondary PIX firewall. If the primary firewall fails, the secondary firewall already has the connection table and therefore no connections are lost. Client applications continue to function without interruption, unaware that a failover situation occurred.

When using stateful failover, in addition to the configuration, the following information is replicated to the standby PIX firewall:

• The translation (xlate) table with static and dynamic translations

• The TCP connection table (including timeout information for each connection)

www.syngress.com

Configuring Failover • Chapter 8 421

• The system clock and uptime information

Most UDP connections are not replicated, with the exception of certain multichannel protocols such as H.323. The following information is not replicated to the standby PIX firewall:

• ISAKMP and IPsec state information; this means that any ISAKMP and IPsec SAs are lost when failover occurs

• DHCP leases

• The user authentication (uauth) table; when failover occurs, any authenticated users must reauthenticate

• The routing table; this means that all dynamically learned routes (through RIP) must be relearned

• The ARP table

By default, HTTP session information is not replicated. In PIX 6.2 and later, this feature can be enabled using the following command:

PIX1(config)# failover replicate http

You can verify the configuration of HTTP replication using the show failover command. To disable HTTP replication, use the no form of the command:

PIX1(config)# no failover replicate http

For stateful failover to work, a Fast Ethernet or Gigabit Ethernet interface on each firewall (primary and secondary) must be dedicated to the exclusive use of passing state information. (We refer to this as the stateful failover interface.) This interface must provide connectivity between the primary and secondary firewalls through one of the following methods:

• A crossover Ethernet cable

• A dedicated hub or switch, with no other hosts

• A dedicated VLAN on a switch, with only the two ports connecting to the firewalls active in the VLAN

NOTE

It is recommended that the stateful failover interface be at least as fast as the fastest used interface on the firewall.


NOTE

Token Ring and FDDI interfaces are not supported for use as the dedicated stateful failover interface.
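The following PIX 6.x configuration fragment is an added example, not from the original chapter, that ties together the dedicated stateful failover interface and the HTTP replication command described above. The interface number, the interface name "stateful", and the addresses are assumed values chosen for illustration; lines beginning with a colon are PIX comments.

```text
: Added example (not from the original chapter). Interface number, name and
: addresses are assumed values; adjust them to the firewall pair in use.
: Dedicate a Fast Ethernet interface exclusively to passing state information
: (connected to the secondary unit by crossover cable, dedicated hub/switch,
: or a dedicated VLAN with no other hosts).
interface ethernet2 100full
nameif ethernet2 stateful security20
ip address stateful 192.168.254.1 255.255.255.0
: Address the secondary (standby) unit uses on the stateful failover interface.
failover ip address stateful 192.168.254.2
: Enable failover and designate the dedicated interface as the stateful link.
failover
failover link stateful
: PIX 6.2 and later only: also replicate HTTP session information.
failover replicate http
: Verify the failover state and the stateful replication settings with:
: show failover
```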