topic Re: Failover on Pix 515-E in Network Security

Failover on Pix 515-E

fargier — Mon, 11 Mar 2019 09:54:47 GMT

Hello all,

A question again !

I have two PIX 515-E, one with UR licence and the other with FO licence only.

Both serial cable (not really serial but you understand me) and ethernet cable are connected for the failover.

Why?? Both are near. When I do a sho faiover i see that ethernet is : N/A.

The guy who configured before me this device said me that it was cisco who told him to make this confiugration with both cable.

Can you explain me why? To maintain session??? I belived that it's only when you use serial cable that your session is saved.

Thank you a lot for your answer.

Re: Failover on Pix 515-E

David White — Mon, 02 Apr 2007 12:33:44 GMT

There are two parts to failover. One is required, the other is optional. Let me explain:

1) Serial vs. LAN failover (required)

2) Stateful failover (optional)

For #1, you must choose to use the serial cable or an ethernet interface to send the failover configuration information to the peer.

For #2, you can optionally enable stateful failover (which is an ethernet interface only) and this replicate the state of the connections/xlates/etc from the Active to the Standby (high recommended so that failovers do not have any impact on users).

If your PIXes are close by, I would suggest using Serial failover along with stateful failover (for state replication). This may be what you have configured. If you want to send the output of :

show run | inc failover

show failover

We can have a look.

Hope it helps,

David.

Re: Failover on Pix 515-E

fargier — Mon, 02 Apr 2007 12:44:04 GMT

Hi David,

I understand!

I never take care of a line in the sho failover :

Stateful Failover Logical Update Statistics

Link : Failover Ethernet2 (up)

In fact I only read this where is N/A !:

Failover On

Cable status: Normal

Failover unit Primary

Failover LAN Interface: N/A - Serial-based failover enabled

Unit Poll frequency 15 seconds, holdtime 45 seconds

Thanks a lot. It's good for me.

FFF# sho run | grep fail

failover

failover replication http

failover link Failover Ethernet2

failover interface ip Failover X.X.X.X 255.255.255.0 standby Y.Y.Y.Y

pix# sho fail

Failover On

Cable status: Normal

Failover unit Primary

Failover LAN Interface: N/A - Serial-based failover enabled

Unit Poll frequency 15 seconds, holdtime 45 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 5 of 250 maximum

failover replication http

Version: Ours 7.2(1), Mate 7.2(1)

Last Failover at: 15:08:30 UTC Apr 2 2007

This host: Primary - Active

Active time: 1650 (sec)

Stateful Failover Logical Update Statistics

Link : Failover Ethernet2 (up)

Stateful Obj xmit xerr

I tried to disconnect the ethernet cable and the stateful go to Failed!

OK..

Good. Thank you guys..

Re: Failover on Pix 515-E

David White — Mon, 02 Apr 2007 15:51:35 GMT

Hi fargier,

A couple of comments:

From the "show failover" output, you have:

#######

Cable status: Normal

Failover unit Primary

Failover LAN Interface: N/A - Serial-based

#######

Since the "Cable status" is Normal, this means Serial failover is being used.

Also, the "Failover LAN Interface" (for LAN based failover) indicates N/A, because it tells you "Serial-based" failover is used.

The config line "failover link Failover Ethernet2" indicates you are doing Stateful failover as well (as you noticied).

One thing I would suggest is to disable the http replication, by removing the line:

failover replication http

This tells the PIX to replicate http connections (TCP/80) which it does not do by default. The reason is, HTTP connections are very short lived, and the overhead of replicating all this connections is high. So, unless you really need to replicate the HTTP connections, I would suggest against it. Some reasons to do it is if you have HTTP connections that are long-lived, or if you are tunneling another application over HTTP.

Sincerely,

David.