Failover on Pix 515-E

Answered Question
Apr 2nd, 2007

Hello all,


A question again !


I have two PIX 515-E, one with UR licence and the other with FO licence only.


Both the serial cable (not really serial but you understand me) and the ethernet cable are connected for the failover.


Why?? Both are near. When I do a sho failover I see that ethernet is: N/A.


The guy who configured this device before me told me that it was Cisco who told him to make this configuration with both cables.


Can you explain to me why? To maintain sessions??? I believed that it's only when you use the serial cable that your session is saved.


Thank you a lot for your answer.

Correct Answer
David White Mon, 04/02/2007 - 05:33
User Badges:
  • Cisco Employee,

There are two parts to failover. One is required, the other is optional. Let me explain:


1) Serial vs. LAN failover (required)

2) Stateful failover (optional)


For #1, you must choose to use the serial cable or an ethernet interface to send the failover configuration information to the peer.


For #2, you can optionally enable stateful failover (which is an ethernet interface only) and this replicates the state of the connections/xlates/etc. from the Active to the Standby (highly recommended so that failovers do not have any impact on users).


If your PIXes are close by, I would suggest using Serial failover along with stateful failover (for state replication). This may be what you have configured. If you want to send the output of:

show run | inc failover

show failover


We can have a look.


Hope it helps,


David.

fargier Mon, 04/02/2007 - 05:44

Hi David,


I understand!

I never take care of a line in the sho failover:


Stateful Failover Logical Update Statistics

Link : Failover Ethernet2 (up)


In fact I only read this, where it is N/A!:

Failover On

Cable status: Normal

Failover unit Primary

Failover LAN Interface: N/A - Serial-based failover enabled

Unit Poll frequency 15 seconds, holdtime 45 seconds


Thanks a lot. It's good for me.


FFF# sho run | grep fail

failover

failover replication http

failover link Failover Ethernet2

failover interface ip Failover X.X.X.X 255.255.255.0 standby Y.Y.Y.Y


pix# sho fail

Failover On

Cable status: Normal

Failover unit Primary

Failover LAN Interface: N/A - Serial-based failover enabled

Unit Poll frequency 15 seconds, holdtime 45 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 5 of 250 maximum

failover replication http

Version: Ours 7.2(1), Mate 7.2(1)

Last Failover at: 15:08:30 UTC Apr 2 2007

This host: Primary - Active

Active time: 1650 (sec)



Stateful Failover Logical Update Statistics

Link : Failover Ethernet2 (up)

Stateful Obj xmit xerr



I tried to disconnect the ethernet cable and the stateful goes to Failed!


OK..

Good. Thank you guys..

David White Mon, 04/02/2007 - 08:51
User Badges:
  • Cisco Employee,

Hi fargier,


A couple of comments:


From the "show failover" output, you have:


#######

Cable status: Normal

Failover unit Primary

Failover LAN Interface: N/A - Serial-based

#######


Since the "Cable status" is Normal, this means Serial failover is being used.


Also, the "Failover LAN Interface" (for LAN based failover) indicates N/A, because it tells you "Serial-based" failover is used.


The config line "failover link Failover Ethernet2" indicates you are doing Stateful failover as well (as you noticed).


One thing I would suggest is to disable the http replication, by removing the line:

failover replication http


This tells the PIX to replicate http connections (TCP/80) which it does not do by default. The reason is, HTTP connections are very short lived, and the overhead of replicating all these connections is high. So, unless you really need to replicate the HTTP connections, I would suggest against it. Some reasons to do it are if you have HTTP connections that are long-lived, or if you are tunneling another application over HTTP.


Sincerely,


David.
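
The reading of "show failover" walked through in this thread, written as a small check. This is an added example, not part of the original posts or of any Cisco tool; the function names are hypothetical and the sample text is constructed from the output quoted above.

```python
import re

# Constructed sample: lines taken from the "show failover" output quoted in this thread.
SAMPLE = """\
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
failover replication http
This host: Primary - Active
Stateful Failover Logical Update Statistics
Link : Failover Ethernet2 (up)
"""

def _find(pattern, text):
    return re.search(pattern, text, re.MULTILINE)

def summarize_failover(text):
    """Read a 'show failover' dump the way the replies above interpret it."""
    lan_if = _find(r"^\s*Failover LAN Interface:\s*(.+)$", text)
    cable = _find(r"^\s*Cable status:\s*(.+)$", text)
    link = _find(r"^\s*Link\s*:\s*(.+?)\s*\((\w+)\)\s*$", text)
    if lan_if is None:
        transport = "unknown"
    elif lan_if.group(1).startswith("N/A"):
        transport = "serial"   # N/A here means serial-based failover, not a fault
    else:
        transport = "lan"
    return {
        "enabled": _find(r"^\s*Failover On\s*$", text) is not None,
        "transport": transport,
        "cable_status": cable.group(1).strip() if cable else None,
        "stateful_link": link.group(1) if link else None,
        "stateful_up": link is not None and link.group(2).lower() == "up",
        "http_replication": _find(r"^\s*failover replication http\s*$", text) is not None,
    }

def findings(summary):
    """Turn the summary into review notes for an availability check."""
    notes = []
    if summary["stateful_link"] is None:
        notes.append("no stateful link: connection state is not replicated")
    elif not summary["stateful_up"]:
        notes.append("stateful link down: state replication is not working")
    if summary["http_replication"]:
        notes.append("HTTP replication on: extra overhead for short-lived connections")
    return notes

if __name__ == "__main__":
    print(summarize_failover(SAMPLE))
    print(findings(summarize_failover(SAMPLE)))
```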

