PIX Failover Configuration.

The PIX and the ASA support two types of failover.

Active/Standby

The active unit and the standby unit poll each other over the failover link to track interfaces and to verify that the active unit is alive. If the active unit goes down, the standby unit takes over the active role and passes traffic.

We can configure stateless or stateful failover:

With stateless failover, all connections are dropped and must be re-established when the failover occurs.

With stateful failover, the units exchange their connection tables, so when we switch over to the standby device there is no sign that a failure occurred.

The second type of failover supported by the PIX is Active/Active, in which both units pass traffic simultaneously. This type of configuration is supported in context mode.

With Active/Standby failover the standby unit tracks the active unit, and if the active unit fails the standby becomes the active device, taking over the MAC address and IP address of the failed active unit so that the failover is transparent. When doing this configuration it is better to prepare it in Notepad first: assuming the active device has a configuration and the standby device has none, a misconfigured failover can make the standby unit become the active unit and replicate its blank configuration to the real active unit, overwriting the configuration with a blank one.

The first thing to do when configuring failover is to configure the active/standby IP addresses; when the active unit fails, the standby takes control using the active unit's primary IP address. The configuration on each tracked interface is ip address [active_address] [netmask] standby [standby_address], and this goes on every interface we want to track (inside, outside, dedicated failover interface).

We specify which unit is going to be the primary with failover lan unit primary, and where the failover information is exchanged with the failover lan interface command. On the PIX we can have a dedicated failover interface (a serial cable between the devices); on the ASA we can go ahead and use any regular LAN interface we have.

We assign an IP to the failover link with failover interface ip [name] [active_address] [netmask] standby [standby_address] in global configuration; any other configuration on the failover link interface is deleted when this command is used.

For stateful failover, to make sure all connections and other dynamic parameters are replicated, we use failover link. Optionally we also specify which interfaces we monitor, using monitor-interface, and we can set policies such as proceeding with the failover action if both outside interfaces are down. Then we go ahead and enable failover with the failover command.

For the secondary unit we do not need to configure anything beyond the failover settings: no routing or IPsec configuration is needed, because the configuration is replicated from the active unit.

The configuration we need is to specify which interface is the failover interface with failover lan interface, then assign the IP to the failover link, declare this device the secondary with failover lan unit secondary, use failover link if stateful failover is needed, and enable failover.
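The procedure above, written out as a complete pair of configurations for an ASA with an outside, an inside and a dedicated failover interface. This is an added example, not configuration from the original post; the interface names, the addresses (documentation and private ranges) and the failover interface name folink are assumptions. The failover key line goes beyond the post: without it the messages on the failover link, including the replicated configuration and connection state, are exchanged without authentication, so set the same shared key on both units (placeholder value here).

```cisco
! ===== Primary unit =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
! Physical interface reserved for the failover and state link (assumed name)
interface GigabitEthernet0/2
 no shutdown
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Stateful failover: state link shares the failover interface
failover link folink GigabitEthernet0/2
! Placeholder shared secret; use the same value on both units
failover key REPLACE_WITH_SHARED_SECRET
! Track the data interfaces and fail over when one monitored interface is down
monitor-interface outside
monitor-interface inside
failover interface-policy 1
failover
!
! ===== Secondary unit (everything else is replicated from the primary) =====
interface GigabitEthernet0/2
 no shutdown
!
failover lan unit secondary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link folink GigabitEthernet0/2
failover key REPLACE_WITH_SHARED_SECRET
failover
```

Enable failover on the primary unit first and only then on the secondary, so that the unit holding the real configuration is already active when the pair synchronizes; this is what prevents the blank-configuration replication the post warns about. Afterwards, show failover on either unit reports which unit is active, the state of each monitored interface, and whether the stateful link is up.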

A Networker Blog