Configuring Failover Communication Authentication/Encryption; Verifying The Failover Configuration; Viewing Failover Status - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Chapter 14
Configuring Failover

Configuring Failover Communication Authentication/Encryption

You can encrypt and authenticate the communication between failover peers by specifying a shared secret or hexadecimal key.

Caution: All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If FWSM is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using FWSM to terminate VPN tunnels.

Enter the following command on the active unit of an Active/Standby failover pair or on the unit that has failover group 1 in the active state of an Active/Active failover pair:

hostname(config)# failover key {secret | hex key}

The secret argument specifies a shared secret that is used to generate the encryption key. It can be from 1 to 63 characters. The characters can be any combination of numbers, letters, or punctuation. The hex key argument specifies a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9, a-f).

Note: To prevent the failover key from being replicated to the peer unit in clear text for an existing failover configuration, disable failover on the active unit (or in the system execution space on the unit that has failover group 1 in the active state), enter the failover key on both units, and then reenable failover. When failover is reenabled, the failover communication will be encrypted with the key.

For new failover configurations, the failover key command should be part of the initial failover pair configuration.
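The clear-text condition and the two documented key formats above, turned into an audit check over a saved configuration. This is added example code, not Cisco's; the sample configuration lines are constructed, and the `failover lan ...` commands in them are assumed rather than taken from this page.

```python
import re

# Rules taken from the manual: 'failover key <secret>' takes 1-63 characters;
# 'failover key hex <key>' takes exactly 32 hexadecimal digits (0-9, a-f).
HEX_KEY_RE = re.compile(r"^[0-9a-f]{32}$")


def validate_failover_key(args: str) -> bool:
    """Return True if args is a valid argument string for 'failover key'."""
    if args.startswith("hex "):
        return HEX_KEY_RE.fullmatch(args[4:].strip()) is not None
    return 1 <= len(args) <= 63


def audit_failover_config(config: str) -> list[str]:
    """Return findings for failover enabled without a valid failover key."""
    findings = []
    failover_enabled = False
    key_args = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "failover":  # bare 'failover' enables the feature
            failover_enabled = True
        elif line.startswith("failover key "):
            key_args = line[len("failover key "):]
    if failover_enabled and key_args is None:
        findings.append("failover enabled without 'failover key': "
                        "failover link traffic is sent in clear text")
    elif key_args is not None and not validate_failover_key(key_args):
        findings.append(f"'failover key {key_args}' does not match "
                        "the documented secret or hex key format")
    return findings


# Constructed sample configurations (not from the manual): the weak one
# enables failover with no key; the fixed one adds a 32-digit hex key.
WEAK_CONFIG = """\
failover
failover lan unit primary
failover lan interface folink Vlan10
"""
FIXED_CONFIG = WEAK_CONFIG + "failover key hex 0123456789abcdef0123456789abcdef\n"

if __name__ == "__main__":
    print(audit_failover_config(WEAK_CONFIG))   # one finding
    print(audit_failover_config(FIXED_CONFIG))  # []
```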

Verifying the Failover Configuration

This section describes how to verify your failover configuration. This section includes the following topics:
Viewing Failover Status, page 14-31
Viewing Monitored Interfaces, page 14-39
Viewing the Failover Configuration, page 14-39
Testing the Failover Functionality, page 14-39

Viewing Failover Status

This section describes how to view the failover status. On each unit you can verify the failover status by entering the show failover command. The information displayed depends upon whether you are using Active/Standby or Active/Active failover.
This section includes the following topics:
Viewing Failover Status for Active/Standby, page 14-32
Viewing Failover Status for Active/Active, page 14-35

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
14-31
