https://community.cisco.com/t5/network-security/lan-based-failover-session-key-encryption-for-pix/m-p/750767#M1006936 <HTML><HEAD></HEAD><BODY><P>The failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs. </P><P></P><P>The security appliance supports two failover configurations, Active/Active Failover and Active/Standby Failover. Each failover configuration has its own method to determine and perform failover. With Active/Active Failover, both units can pass network traffic. This lets you configure load balancing on your network. Active/Active Failover is only available on units that run in multiple context mode. With Active/Standby Failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover. </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml</A></P><P></P></BODY></HTML> Mon, 23 Apr 2007 13:23:01 GMT thomas.chen 2007-04-23T13:23:01Z https://community.cisco.com/t5/network-security/lan-based-failover-session-key-encryption-for-pix/m-p/750766#M1006935 <P>My suggestion for session key encryption for a lan based failover connection for the PIX is as follows:</P><P></P><P>A) Physically connect PIX interfaces to a workgroup amd or enterprise Catalyst 6509 switch, IOS 12.2(18) SXF and higher.</P><P></P><P>B) Assign static IP addresses within the range of the primary and failover PIX units.</P><P></P><P>C) Configure session key encryption on the workgroup switch and only allow TCP packet segments via IP protocol number 105/SCPS. Then deny all other TCP/IP segments. </P><P></P><P>The configurations should be as follows:</P><P></P><P>Company A 6509#show run </P><P>!</P><P>version 12.3</P><P>service timestamps debug datetime msec</P><P>service timestamps log datetime msec</P><P>no service password-encryption</P><P>!</P><P>hostname Company A 6509</P><P>!</P><P>boot-start-marker</P><P>boot-end-marker</P><P>!</P><P>enable password cisco</P><P>!</P><P>no aaa new-model</P><P>ip subnet-zero</P><P>!</P><P>no crypto isakmp enable</P><P>!</P><P>crypto ipsec transform-set encrypt-aes esp-aes esp-sha-hmac</P><P>!</P><P>!</P><P>crypto map pix failover 8 ipsec-manual </P><P> set peer 11.11.11.6</P><P> set session-key inbound esp 1001 cipher 1234abcd1234abcd authenticator 20 </P><P> set session-key outbound esp 1000 cipher abcd1234abcd1234 authenticator 20 </P><P> set transform-set encrypt-aes</P><P> match address 101</P><P>!</P><P>interface gi2/2</P><P>speed 100</P><P>duplex full</P><P>Description PIX failover interface Lan-Based access list applied to protocol 105 for SCPS</P><P>ip address 11.11.11.5 255.255.255.252</P><P>crypto map pix failover</P><P>!</P><P>ip http server</P><P>no ip http secure-server</P><P>ip classless</P><P>ip route 0.0.0.0 0.0.0.0 11.11.11.12</P><P>!</P><P>access-list 101 permit ip host 11.11.11.5 host 11.11.11.6 eq 105</P><P>access-list 101 permit ip host 11.11.11.6 host 11.11.11.5 eq 105</P><P>access-list 101 deny ip any any </P><P>access-list 101 permit ip any any </P><P>!</P><P>line con 0</P><P>no login</P><P>line aux 0</P><P>no login</P><P>line vty 0 15</P><P>exec-timeout 300</P><P>transport input ssh</P><P>login</P><P></P><P>If possible, try this on a home lab, then verify the results.</P> Mon, 11 Mar 2019 10:01:09 GMT https://community.cisco.com/t5/network-security/lan-based-failover-session-key-encryption-for-pix/m-p/750766#M1006935 mwardinterpub 2019-03-11T10:01:09Z https://community.cisco.com/t5/network-security/lan-based-failover-session-key-encryption-for-pix/m-p/750767#M1006936 <HTML><HEAD></HEAD><BODY><P>The failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs. </P><P></P><P>The security appliance supports two failover configurations, Active/Active Failover and Active/Standby Failover. Each failover configuration has its own method to determine and perform failover. With Active/Active Failover, both units can pass network traffic. This lets you configure load balancing on your network. Active/Active Failover is only available on units that run in multiple context mode. With Active/Standby Failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover. </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml</A></P><P></P></BODY></HTML> Mon, 23 Apr 2007 13:23:01 GMT https://community.cisco.com/t5/network-security/lan-based-failover-session-key-encryption-for-pix/m-p/750767#M1006936 thomas.chen 2007-04-23T13:23:01Z