Stateful Failover Link - Cisco PIX 500 Series Configuration Manual

Chapter 14
Configuring Failover
Understanding Failover
(Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 14-5)

The advantages of cable-based failover include:
• The standby unit can communicate with the active unit and can receive the entire configuration without having to be bootstrapped for failover. In LAN-based failover you need to configure the failover link on the standby unit before it can communicate with the active unit.
• The switch between the two units in LAN-based failover can be another point of hardware failure; cable-based failover eliminates this potential point of failure.
• You do not have to dedicate an Ethernet interface (and switch) to the failover link.
• The cable determines which unit is primary and which is secondary, eliminating the need to manually enter that information in the unit configurations.

The disadvantages include:
• Distance limitation—the units cannot be separated by more than 6 feet.
• Slower configuration replication.

Stateful Failover Link

To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You have three options for configuring a Stateful Failover link:
• You can use a dedicated Ethernet interface for the Stateful Failover link.
• If you are using LAN-based failover, you can share the failover link.
• You can share a regular data interface, such as the inside interface. However, this option is not recommended.

If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use either a switch or a crossover cable to directly connect the units. If you use a switch, no other hosts or routers should be on this link.

Note: Enable the PortFast option on Cisco switch ports that connect directly to the security appliance.

If you are using the failover link as the Stateful Failover link, use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface to the Stateful Failover link.

If you use a data interface as the Stateful Failover link, you receive the following warning when you specify that interface as the Stateful Failover link:

******* WARNING ***** WARNING ******* WARNING ****** WARNING *********
Sharing Stateful failover interface with regular data interface is not
a recommended configuration due to performance and security concerns.
******* WARNING ***** WARNING ******* WARNING ****** WARNING *********

Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks, because the state updates exchanged between the units then travel on a segment that also carries, and is reachable from, ordinary user traffic. Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing performance problems on that network segment.

Using a data interface as the Stateful Failover interface is only supported in single context, routed mode.

Note: In multiple context mode, the Stateful Failover link resides in the system context. This interface and the failover interface are the only interfaces in the system context. All other interfaces are allocated to and configured from within security contexts.
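As an added example (not taken from the manual), the following shows how the recommended option, a dedicated Stateful Failover link next to a LAN-based failover link, is configured on a PIX 7.x pair in single context, routed mode, with the shared-failover-link and shared-data-interface variants left as comments. The interface names Ethernet2 and Ethernet3, the logical names folink and statelink, the 10.0.0.0/24 and 10.0.1.0/24 link subnets, the switch VLAN and the key value are assumptions. The failover key command, which encrypts and authenticates the failover and state traffic between the two units, is the control a practitioner pairs with whichever of the three options is chosen; without it the connection and translation state crosses the link in the clear.

```cisco
! Added example; not from the manual. Assumed: PIX 7.x, single context,
! routed mode, Ethernet2 and Ethernet3 unused, the logical names
! folink/statelink, the 10.0.0.0/24 and 10.0.1.0/24 link subnets and the key.
!
! --- Primary unit ---
failover lan unit primary
! LAN-based failover link on its own interface
failover lan interface folink Ethernet2
failover interface ip folink 10.0.0.1 255.255.255.0 standby 10.0.0.2
! Option 1 (recommended): dedicated Stateful Failover link on a second interface
failover link statelink Ethernet3
failover interface ip statelink 10.0.1.1 255.255.255.0 standby 10.0.1.2
! Encrypt and authenticate failover and state traffic between the units
failover key ChangeThisSharedSecret
failover
!
! Option 2: no spare interface, so reuse the failover link as the state link.
! Put folink on the fastest Ethernet interface available if you do this.
! failover link folink
!
! Option 3 (not recommended; triggers the WARNING above): a data interface
! carries state updates alongside user traffic on that segment.
! failover link inside
!
! --- Secondary unit (bootstrap only; the rest of the configuration,
!     including the state link, replicates from the primary) ---
failover lan unit secondary
failover lan interface folink Ethernet2
failover interface ip folink 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover key ChangeThisSharedSecret
failover
!
! --- Catalyst switch port facing folink or statelink (IOS) ---
! Keep every other host and router off this VLAN; PortFast brings the
! port to forwarding immediately so failover hellos are not lost.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 901
 spanning-tree portfast
!
! --- Verify on the active unit ---
! show failover        (lists the state link and the "Stateful Failover
!                       Logical Update Statistics", which should climb
!                       as connections are built through the pair)
! show failover state
```

On a PIX 500 Series unit the physical interfaces are named Ethernetn; on an ASA 5500 Series unit use the corresponding GigabitEthernet0/n names. In multiple context mode the failover and state link commands above are entered in the system execution space, and the shared-data-interface option is not available.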