
IPSec tunnels drop during stateful failover change


Introduction to stateful failover:

Some users require the key entries or access points of their networks, such as the Internet access point of an enterprise or a database server of a bank, to be highly reliable to ensure continuous data transmission. Deploying only one device (even with high reliability) in such a network risks a single point of failure and therefore cannot meet the requirement, as shown in figure


The stateful failover feature was introduced to meet the requirement. Stateful failover backs up services such as NAT, ALG, portal, blacklist, DHCP server and load balancing, and synchronizes configurations between two devices. In Figure 2, two devices that are enabled with stateful failover are deployed in the network. Each device has a failover interface. The failover interfaces are connected over the failover link.


Service backup

The two devices periodically exchange state negotiation messages through the failover link. After the two devices enter the synchronization state, they back up each other's services to ensure that the services on them are consistent. If one device fails, the other device can take over the services using VRRP or dynamic routing protocols (such as OSPF) to avoid service interruption.

Configuration synchronization

To implement service backup, the key service configurations on the two devices must be consistent. With the configuration synchronization function, you can synchronize such configurations from the active device to the standby device through the failover link, instead of making repeated configurations on both devices.

You can use the following synchronization methods:

  • Auto synchronization. With auto synchronization, the active device synchronizes all its configurations to the standby device in one operation. After that, whenever its configuration changes, the active device automatically synchronizes the new configuration to the standby device.
  • Manual synchronization. You can choose to manually synchronize all configurations.


Stateful failover maintains certain connections during a failover incident. However, the Internet Security Association and Key Management Protocol (ISAKMP) and IPSec SA table is not replicated to the standby PIX Firewall. Any IPSec connection that is dropped due to failover must be recreated as a new connection through the secondary PIX.

The following issues can cause a failover:

  • A power off or a power down condition on the active PIX
  • Reboot of the active PIX
  • A link goes down on the active PIX for more than 30 seconds
  • Issuing the failover active command on the standby PIX
  • Block memory exhaustion for 15 consecutive seconds or more on the active PIX

The following information is replicated to the standby PIX:

  • The configuration
  • The Transmission Control Protocol (TCP) connection table (except HTTP), including the timeout information of each connection
  • The translation (xlate) table
  • System up time (the system clock is synchronized on both PIX units)

The following information is not replicated to the standby PIX:

  • The HTTP connection table
  • The user authentication (uauth) table
  • The ISAKMP and IPSec SA table
  • The Address Resolution Protocol (ARP) table
  • Routing information

Product Family

Firewall - PIX 500 series