Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf

Chapter 9

Cisco PIX Firewall Failover

Today, most businesses rely heavily on critical application servers that support the business process. The interruption of these services due to network device failures or other causes has a great financial cost, not to mention the irritation it causes in the user community. It is with this in mind that most of Cisco’s devices, including the firewall products (models 515 and up), can be configured in a redundant or highly available configuration.

The failover feature makes the Cisco PIX Firewall a highly available firewall solution. The purpose of this feature is to ensure continuity of service in case of a failure on the primary unit.

The failover process requires two PIX firewalls—one primary (active mode) and one secondary (standby mode). The idea is to have the primary PIX Firewall handle all the traffic from the network and to have the secondary PIX wait in standby mode in case the primary fails, at which point it takes over the process of handling all the network traffic. In the event of a primary (active) unit failure, the secondary PIX changes its state from standby mode to active and assumes the IP address and MAC address of the previously active unit and begins accepting traffic for it. The new standby unit assumes the IP address and MAC address of the unit that was previously the standby unit, thus completing the failover process.

“Do I Know This Already?” Quiz

The purpose of this quiz is to help you determine your current understanding of the topics covered in this chapter. Write down your answers and compare them to the answers in Appendix A. The concepts in this chapter are the foundation of much of what you need to understand to pass the CSPFA Certification Exam. Unless you do exceptionally well on the “Do I Know This Already?” pretest and are 100% confident in your knowledge of this area, you should read through the entire chapter.

1. What are some things that trigger a failover event?

2. What command assigns an IP address to the standby PIX Firewall?

3. How many PIX Firewall devices can be configured in a failover configuration?

4. What is the benefit of using LAN-based failover?

144 Chapter 9: Cisco PIX Firewall Failover

5. What is some of the information that is updated to the standby unit in a stateful failover configuration?

6. What command forces replication to the standby unit?

7. What command configures a LAN-based failover?

8. What is the default failover poll in seconds?


Foundation Topics

What Causes a Failover Event

In a PIX failover configuration, one of the PIX firewalls is considered the active unit, and the other is the standby unit. As the name implies, the active unit performs the normal network functions, and the standby unit monitors the active unit and is ready to take control should it fail. A failover event occurs after a series of tests determines that the primary (active) unit can no longer continue providing its services; the standby Cisco PIX Firewall then assumes the role of the primary. The main causes of failover are as follows:

Loss of power—When the primary (active) unit loses power or is turned off, the standby unit assumes the active role.

Cable errors—The cable is wired so that each unit can distinguish between a power failure in the other unit and an unplugged cable. If the standby unit detects that the active unit is turned off (or resets), it takes active control.

Standby active—An administrator can force the standby unit to change state using the standby active command, which causes failover to occur. This is the only time when failover takes place without the primary (active) unit’s having problems.

Memory exhaustion—If block memory exhaustion occurs for 15 straight seconds on the active unit, the standby unit assumes the active role.

Failover communication loss—If the standby unit does not hear from the active unit for more than twice the configured poll time (or a maximum of 30 seconds), and the cable status is OK, a series of tests is conducted before the standby unit takes over as active.

What Is Required for a Failover Configuration

The hardware and software of the primary and standby PIX firewalls must match for a failover configuration to work properly. Both units must have the same:

Firewall model

Software version

Flash memory size

RAM size

Activation key

The only additional hardware needed to support failover is the failover cable. Both units in a failover pair communicate through the failover cable. The failover cable is a modified RS-232 serial link cable that transfers data at 115 kbps. It is through this cable that the two units maintain the heartbeat network. Some of the messages that are communicated over the failover cable are

Hello (keepalive packets)

Configuration replication

Network link status

State of the unit (active/standby)

MAC address exchange

It is also important to examine the labels on each end of the failover cable. One end of the cable is labeled “primary,” and the other end is labeled “secondary.” To have a successful failover configuration, the end labeled “primary” should be connected to the primary unit, and the end labeled “secondary” should be connected to the secondary unit. Changes made to the standby unit are never replicated to the active unit.

Failover Monitoring

The failover feature in the Cisco PIX Firewall monitors failover communication, the power status of the other unit, and hello packets received at each interface. If two consecutive hello packets are not received within an amount of time determined by the failover feature, failover starts testing the interfaces to determine which unit has failed and transfers active control to the standby unit.

NOTE The failover poll seconds command allows you to determine how long failover waits before sending special failover “hello” packets between the primary and standby units over all network interfaces and the failover cable. The default is 15 seconds. The minimum value is 3 seconds, and the maximum is 15 seconds.

Failover uses the following tests to check the status of the units for failure:

Link up/down test—If an interface card has a bad network cable or a bad port, if it is administratively shut down, or if it is connected to a failed switch, it is considered failed.

Network activity test—The unit counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational, and testing stops. If no traffic is received, the ARP test begins.


Address Resolution Protocol (ARP) test—The ARP test involves evaluating the unit’s ARP cache for the ten most recently acquired entries. One at a time, the PIX sends ARP requests to these machines, attempting to stimulate network traffic. After each request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the ping test begins.

Ping test—This test consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational, and testing stops. If no traffic is received, the testing starts over again with the ARP test.
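To make the order of the interface tests concrete, here is an added Python model of the sequence just described; it is example code, not the PIX software or anything from the book, and the `Interface` class, the `probe` callback and the two-round limit on the ARP/ping loop are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

ARP_ENTRIES_TESTED = 10    # the ten most recently acquired ARP cache entries

@dataclass
class Interface:
    name: str
    link_up: bool = True        # cable, port and switch state seen by the link test
    admin_down: bool = False    # administratively shut down
    arp_cache: List[str] = field(default_factory=list)  # newest entry first (assumed)
    # probe(stimulus, target) -> packets counted in the 5-second window that follows;
    # stimulus is "listen", "arp" or "ping". Constructed stub standing in for the NIC.
    probe: Callable[[str, str], int] = lambda stimulus, target: 0

def run_interface_tests(iface: Interface, max_rounds: int = 2) -> Tuple[bool, List[str]]:
    """Return (operational, log) in the chapter's order: link, activity, ARP, ping.
    ARP/ping repeat up to max_rounds times (a bound this example assumes)."""
    log: List[str] = []
    # 1. Link up/down test: bad cable/port, shutdown or failed switch => failed.
    if not iface.link_up or iface.admin_down:
        log.append("link test: failed")
        return False, log
    log.append("link test: up")
    # 2. Network activity test: any packet received in the window ends testing.
    if iface.probe("listen", "") > 0:
        log.append("network activity test: traffic seen")
        return True, log
    log.append("network activity test: no traffic")
    for round_no in range(1, max_rounds + 1):
        # 3. ARP test: send an ARP request to each of the newest entries in turn.
        for host in iface.arp_cache[:ARP_ENTRIES_TESTED]:
            if iface.probe("arp", host) > 0:
                log.append(f"arp test: traffic after request to {host}")
                return True, log
        log.append(f"arp test round {round_no}: no traffic")
        # 4. Ping test: broadcast ping; no traffic restarts at the ARP test.
        if iface.probe("ping", "broadcast") > 0:
            log.append(f"ping test round {round_no}: traffic seen")
            return True, log
        log.append(f"ping test round {round_no}: no traffic")
    return False, log

def demo() -> Tuple[bool, bool]:
    # Constructed: a quiet DMZ whose third ARP neighbour answers; a dead outside segment.
    quiet = Interface("dmz", arp_cache=["10.0.0.5", "10.0.0.9", "10.0.0.3"],
                      probe=lambda s, t: 1 if (s, t) == ("arp", "10.0.0.3") else 0)
    dead = Interface("outside", arp_cache=["192.0.2.1"])
    return run_interface_tests(quiet)[0], run_interface_tests(dead)[0]
```

The returned log shows which test finally proved the interface alive, which is the same order of evidence an engineer reads from the PIX console during a failover investigation.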

TIP Portfast should be enabled on all the ports where the PIX interface directly connects, and trunking and channeling should be turned off. This way, if the PIX’s interface goes down during failover, the switch does not have to wait 30 seconds while the port is transitioned from a listening state to a learning state to a forwarding state.

Configuration Replication

Configuration changes to the Cisco PIX Firewall, including the initial failover configuration, are made on the primary unit. The standby unit keeps its configuration current through the process of configuration replication. For configuration replication to occur, the two PIX units should be running the same software release. Configuration replication usually occurs when:

The standby unit completes its initial bootup, and the active unit replicates its entire configuration to the standby unit.

Commands are entered on the active unit, and the resulting changes are sent across the failover cable to the standby unit.

Issuing the write standby command on the active unit forces the entire configuration in memory to be sent to the standby unit.

When the replication starts, the PIX console displays the message “Sync Started.” When the replication is complete, the PIX console displays the message “Sync Completed.” During the replication, information cannot be entered on the PIX console.

The write memory command is important, especially when failover is being configured for the first time. During the configuration replication process, the configuration is replicated from the active unit’s running configuration to the running configuration of the standby unit. Because the running configuration is held in RAM (which is volatile), the write memory command should be issued to save the configuration to Flash on the standby unit.