Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf
Foundation Summary

Failover allows you to connect a second PIX Firewall unit to your network so that the network stays protected should the first unit go offline. If you use Stateful Failover, you can maintain operating state for the TCP connection during the failover from the primary unit to the standby unit.

Failover is triggered by some of the following events:

Loss of power

Standby unit forced by an administrator to be active

Cable errors

Memory exhaustion

Failover communication loss

Failover requires you to purchase a second PIX Firewall unit, sold as a failover unit, that works only in the failover role. You need to ensure that both units have the same software version, activation key type, Flash memory, and the same RAM. Once you configure the primary unit and attach the necessary cabling, the primary unit automatically copies the configuration over to the standby unit.

If a failure is due to a condition other than a loss of power on the other unit, failover will begin a series of tests to determine which unit failed. This series of tests will begin when “hello” messages are not heard for two consecutive 15-second intervals (the interval depends on how you set the failover poll command). Hello messages are sent over both network interfaces and the failover cable. Failover uses the following tests to determine the other unit's availability:

Link up/down

Network activity

Address Resolution Protocol (ARP)

Ping

The Stateful Failover feature passes per-connection stateful information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. End-user applications are not required to reconnect to keep the same communication session.
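As an added example (not configuration from the book), the commands named in this summary as they fit together on the primary unit of a PIX 6.x pair that uses both Stateful Failover and LAN-based failover. Interface names, addresses and the key are assumed sample values; `interface`, `nameif`, `ip address`, `failover`, `failover link` and the `failover lan unit`, `failover lan key` and `failover lan enable` commands come from the PIX 6.x command set rather than from this page.

```cisco
! Added example: primary unit of a PIX 6.x failover pair.
! Interface names, addresses and the key are assumed sample values.
! Both units must have the same software version, activation key type,
! Flash memory and RAM before this configuration is applied.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! Dedicated interface for per-connection state replication
nameif ethernet2 stateful security10
! Dedicated interface for LAN-based failover hellos and config replication
nameif ethernet3 lanfo security20
!
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address stateful 172.16.1.1 255.255.255.0
ip address lanfo 172.16.2.1 255.255.255.0
!
! Standby addresses: the standby unit answers on these until it becomes
! active; the units swap IP and MAC addresses when failover occurs.
failover ip address outside 192.0.2.2
failover ip address inside 10.1.1.2
failover ip address stateful 172.16.1.2
failover ip address lanfo 172.16.2.2
!
! Hello interval in seconds; hellos missed for two consecutive intervals
! start the link, network-activity, ARP and ping tests described above.
failover poll 15
!
! Stateful Failover: replicate connection state over the dedicated link.
failover link stateful
!
! LAN-based failover replaces the serial failover cable and its 6-foot limit.
failover lan unit primary
failover lan interface lanfo
failover lan key SHARED-SECRET-PLACEHOLDER
failover lan enable
!
! Turn failover on, push the configuration to the standby unit, then verify.
failover
write standby
show failover
```

With a serial failover cable the standby unit needs no configuration of its own; with LAN-based failover it must first be given its interface settings and the matching `failover lan` commands (with `failover lan unit secondary`) so the two units can reach each other.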

156 Chapter 9: Cisco PIX Firewall Failover

Q&A

The questions in this section are designed to ensure your understanding of the concepts discussed in this chapter and adequately prepare you to complete the exam. Use the simulated exams on the CD to practice for the exam.

The answers to these questions can be found in Appendix A.

1 Which two of the following cause a failover event?

A A reboot or power interruption on the active PIX Firewall

B Low HTTP traffic on the outside interface

C The failover active command is issued on the standby PIX Firewall

D Block memory exhaustion for 15 consecutive seconds or more on the active PIX

2 What is the command to view failover configuration?

A show failover

B failover

C view failover

D show me failover

3 Which of the following is/are replicated during a stateful failover?

A Configuration

B TCP connection table, including timeout information for each connection

C Translation (xlate) table

D Negotiated H.323 UDP protocols

E All of the above

4 Which of the following is not replicated in a stateful failover?

A User authentication (uauth) table

B ISAKMP and IPSec SA table

C ARP table

D Routing information

E All of the above

5 What is the command to force configuration replication to the standby unit?

A write standby

B copy to secondary

C force secondary

D force conf

6 Which of the following is a stateful failover hardware restriction?

A The stateful failover configuration is supported only by PIX 535 models.

B Only fiber connections can be used in a stateful failover hardware configuration.

C A PIX with two FDDI cards cannot use stateful failover, because an additional Ethernet interface with FDDI is not supported.

D There is no hardware restriction for stateful failover configuration.

7 What command assigns an IP address to the standby Cisco PIX Firewall?

A secondary ip address ip address

B failover ip address if_name ip_address

C ip address ip address secondary

D ip address ip address failover

8 What is the command to configure a LAN-based failover?

A conf lan failover

B failover ip LAN

C failover lan interface if_name

D lan interface failover

9 What is an advantage of a LAN-based failover?

A It quickly fails over to a peer when a power failure on the active unit takes place.

B It does not have the 6-foot cable distance limitation for failover communication.

C It is preconfigured on the PIX.

D All of the above

10 What is the default failover poll in seconds?

A 10 seconds

B 15 seconds

C 30 seconds

D 25 seconds

This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-111):

36. PIX Firewall enables a secure VPN

37. IPSec configuration tasks

38. Prepare to configure VPN support

39. Configure IKE parameters

40. Configure IPSec parameters

41. Test and verify VPN configuration

42. Cisco VPN Client

43. Scale PIX Firewall VPNs

44. PPPoE and the PIX Firewall