Protect Your PIX - Page 4
IP states are supported, as are TCP states, except those using HTTP. Almost no UDP state tables are transferred between the active and standby devices. Exceptions to this include dynamically opened ports used with multichannel protocols, such as H.323. Because DNS resolution uses a single channel port, the state of DNS requests is not transferred between devices.
A dedicated LAN interface between the two PIX devices is required to achieve stateful failover. State update packets are transmitted asynchronously in the background from the active device to the standby device over the dedicated LAN interface. There are also a few configuration changes required when using stateful failover. These changes are covered below in the section "Stateful Failover Configuration."
Several criteria are considered before a failover occurs. If the standby device detects that the active device is powered down, the standby device will take active control. If the failover cable is unplugged, a syslog entry is generated, but both devices maintain their present state. An exception to this is during the boot process. Should the failover cable be unplugged while the devices are booting, both devices will assume the same IP address, causing a conflict on your network. Even if you are configuring the PIX Firewalls for stateful failover using a dedicated LAN interface, the failover cable must be installed on both devices for failover to function properly.
Failover hello packets are expected on each interface every 15 seconds. When the standby device does not receive a failover hello packet within 30 seconds, the interface runs a series of tests to establish the state of the active device. If these tests do not reveal that the active device is present, the standby device assumes the active role.
A power failure on the active device is detected through the failover cable within 15 seconds. In this case, the standby device assumes the active role. A disconnected or damaged failover cable is detected within 15 seconds.
Stateful Failover Configuration
Only a few commands need to be added to a configuration to enable stateful failover. The following is a partial configuration, showing the commands necessary to enable stateful failover. After the configuration, the commands are discussed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security60
ip address outside 192.168.1.1 255.255.255.0
ip address inside 172.30.1.1 255.255.255.0
ip address failover 10.200.200.1 255.255.255.0
failover active
failover ip address outside 192.168.1.2
failover ip address inside 172.30.1.2
failover ip address failover 10.200.200.2
failover link failover

Notice that the third interface is named failover, and a security level is assigned to it with the nameif command. You could have named this interface anything, but for clarity, it is named failover here. This is the interface you will be using to transfer state update packets between the active and the standby devices.
After assigning IP addresses and netmasks to each of the interfaces, you are ready to start on the failover commands. Start failover with the failover active command. Next, use the failover ip address command on all of the interfaces.
When using the failover ip address command, you need to remember two things. First, every interface needs the failover ip address command entered for that interface. If an interface does not have an associated failover ip address command and the state of that interface changes to down, failover will not occur. For example, if you did not add the failover ip address command for the outside interface and the cable connecting that interface broke, all data intended to travel through that interface would be lost. This defeats the purpose of having a failover device, because a failover device should allow all services to continue after the primary device has failed. Additionally, because both devices must have the same hardware installed, there is no reason not to enable failover checking on all interfaces. The second item to remember is that the failover ip address must be on the same subnet as the interface's own address, but must be a different address.
The final configuration step is to assign a dedicated interface to failover. The failover link command takes the interface name assigned by the nameif command; in this example, it assigns Ethernet2 (named failover) as the failover interface.
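The two rules above (every interface carries a failover ip address, and that address sits in the interface's subnet but differs from the primary address) are easy to get wrong by hand. The following checker is an added example, not part of the original text or of any Cisco tool; it parses the relevant PIX commands from a constructed sample configuration that deliberately omits the failover address for the failover interface and reports each violation.

```python
"""Check a PIX failover configuration for the rules the text gives:
every named interface needs a `failover ip address`, that address must be
in the interface's subnet but differ from the primary address, and a
`failover link` interface must be assigned. Sample config is constructed."""
import ipaddress

# Constructed sample: the failover interface has no failover ip address.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security60
ip address outside 192.168.1.1 255.255.255.0
ip address inside 172.30.1.1 255.255.255.0
ip address failover 10.200.200.1 255.255.255.0
failover active
failover ip address outside 192.168.1.2
failover ip address inside 172.30.1.2
failover link failover
"""


def check_failover_config(config):
    """Return a list of problems found; an empty list means the config passes."""
    names, primary, standby, link = [], {}, {}, None
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["nameif"] and len(parts) >= 3:
            names.append(parts[2])
        elif parts[:2] == ["ip", "address"] and len(parts) == 5:
            # ip_interface accepts a dotted netmask after the slash.
            primary[parts[2]] = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
        elif parts[:3] == ["failover", "ip", "address"] and len(parts) == 5:
            standby[parts[3]] = ipaddress.ip_address(parts[4])
        elif parts[:2] == ["failover", "link"] and len(parts) == 3:
            link = parts[2]
    problems = []
    for name in names:
        if name not in primary:
            problems.append(f"{name}: no ip address configured")
        elif name not in standby:
            # A down interface without a failover address will not trigger failover.
            problems.append(f"{name}: missing failover ip address")
        elif standby[name] not in primary[name].network:
            problems.append(f"{name}: failover address {standby[name]} "
                            f"not in {primary[name].network}")
        elif standby[name] == primary[name].ip:
            problems.append(f"{name}: failover address equals interface address")
    if link is None:
        problems.append("no failover link interface assigned")
    elif link not in names:
        problems.append(f"failover link {link} is not a named interface")
    return problems
```

Running `check_failover_config(SAMPLE_CONFIG)` reports only the missing address on the failover interface; adding the `failover ip address failover 10.200.200.2` line makes it pass.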