Some users require the key entries or access points of their networks, such as the Internet access point of an enterprise or a database server of a bank, to be highly reliable to ensure continuous data transmission. Deploying only one device (even with high reliability) in such a network risks a single point of failure and therefore cannot meet the requirement, as shown in figure
The stateful failover feature was introduced to meet the requirement. Stateful failover backs up services such as NAT, ALG, portal, blacklist, DHCP server and load balancing, and synchronizes configurations between two devices. In Figure 2, two devices that are enabled with stateful failover are deployed in the network. Each device has a failover interface. The failover interfaces are connected over the failover link.
The two devices exchange state negotiation messages through the failover link periodically. After the two devices enter the synchronization state, they back up the services of each other to ensure that the services on them are consistent. If one device fails, the other device can take over the services using VRRP or dynamic routing protocols (such as OSPF) to avoid service interruption.
To implement service backup, the key service configurations on the two devices must be consistent. With the configuration synchronization function, you can synchronize such configurations from the active device to the standby device through the failover link, instead of making repeated configurations on both devices.
You can use the following synchronization methods:
Auto synchronization. With auto synchronization, the active device synchronizes all its configurations to the standby device at one time. After that, whenever its configuration changes, the active device automatically synchronizes the new configuration to the standby device.
Manual synchronization. You can choose to manually synchronize all configurations.
Stateful failover maintains certain connections during a failover incident. However, the Internet Security Association and Key Management Protocol (ISAKMP) and IPSec SA tables are not replicated to the standby PIX Firewall. Any IPSec connection that is dropped due to failover must be recreated as a new connection through the secondary PIX.
The following issues can cause a failover:
A power off or a power down condition on the active PIX
Reboot of the active PIX
A link goes down on the active PIX for more than 30 seconds
Issuing the failover active command on the standby PIX
Block memory exhaustion for 15 consecutive seconds or more on the active PIX
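The two timed conditions in the list above differ at the boundary: the link must be down for more than 30 seconds, while block memory exhaustion triggers at 15 consecutive seconds or more. The following is an added example, not Cisco code, that applies the listed conditions to a constructed health timeline when reviewing monitoring data; the Sample record, its field names, and the 5-second sampling interval are assumptions.

```python
from dataclasses import dataclass

LINK_DOWN_LIMIT = 30      # page: link down for MORE than 30 seconds
BLOCK_EXHAUST_LIMIT = 15  # page: exhausted for 15 consecutive seconds OR more
EVENTS = {"power_off": "power off on active unit",
          "reboot": "reboot of active unit",
          "failover_active": "failover active issued on standby"}

@dataclass
class Sample:               # hypothetical health record for the active unit
    t: int                  # seconds since start of capture
    link_up: bool = True
    free_blocks: int = 100  # 0 means block memory is exhausted
    event: str = ""         # a key of EVENTS, or empty

def failover_reasons(samples):
    """Return [(time, reason)] for every failover condition met in the timeline."""
    reasons, down_since, empty_since = [], None, None
    link_fired = block_fired = False
    for s in samples:
        if s.event in EVENTS:
            reasons.append((s.t, EVENTS[s.event]))
        if s.link_up:                        # any recovery resets the timer
            down_since, link_fired = None, False
        else:
            down_since = s.t if down_since is None else down_since
            if not link_fired and s.t - down_since > LINK_DOWN_LIMIT:
                reasons.append((s.t, "link down > 30 s"))
                link_fired = True
        if s.free_blocks > 0:                # exhaustion must be consecutive
            empty_since, block_fired = None, False
        else:
            empty_since = s.t if empty_since is None else empty_since
            if not block_fired and s.t - empty_since >= BLOCK_EXHAUST_LIMIT:
                reasons.append((s.t, "block memory exhausted >= 15 s"))
                block_fired = True
    return reasons

def constructed_timeline():
    """Constructed 5-second samples: a short flap, an exhaustion, a long outage."""
    return [Sample(t,
                   link_up=not (10 <= t <= 35 or 100 <= t <= 140),
                   free_blocks=0 if 50 <= t <= 65 else 100,
                   event="failover_active" if t == 145 else "")
            for t in range(0, 150, 5)]

if __name__ == "__main__":
    for t, why in failover_reasons(constructed_timeline()):
        print(f"t={t:>3}s  {why}")
```

The 25-second link flap at the start of the constructed timeline produces no entry, which is the case to check when a monitoring alert and an actual failover disagree.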
The following information is replicated to the standby PIX:
The Transmission Control Protocol (TCP) connection table (except HTTP), including the timeout information of each connection
The translation (xlate) table
System up time (the system clock is synchronized on both PIX units)
The following information is not replicated to the standby PIX: