Setting up Failover

Unanswered Question
Jul 15th, 2009

I have a Pix-525-UR-bun and a Pix-525-FO-bun...

I'm a bit of a novice with failover. Anyone have any tips or tricks? I have a single cable connection. My biggest concern is how to set up the routers as the gateway to the internet, but I'm not sure how that would work if I only have one port on the cable modem. That and I don't know how to set it up in general!

MATTHEW BECK Wed, 07/15/2009 - 06:59


The first thing to understand about FO is that the units are almost identical in config, so only 1 is active at any given time and the other is standby. They communicate over their failover cable or a dedicated Ethernet cable/interface between the two devices. Depending on the code you're running, the dedicated FO cable may be required.

When configuring the primary unit you can follow the documentation for your version to build the FO pair. Then every command you type on the primary is replicated to the secondary.

To get both units to connect to the gateway to the Internet will require a switch with at least 3 ports. The PRI/SEC PIX will also need two IP addresses in the same subnet as the gateway. If you don't have multiple IP addresses for your public subnet you're not going to be able to use FO.

I hope this gets you started and let me know if you need more info.


m-jankowski Wed, 07/15/2009 - 11:21

Just requested another IP from my ISP... both are dynamic, is that ok? Now what do I do? Am I correct in assuming both units must have the same version on them? How much would it be to get a contract to get the correct software for the device?

MATTHEW BECK Wed, 07/15/2009 - 11:33


Unfortunately, no, dynamic IP addresses are not going to work. Yes, you must have the same hardware and OS version on each PIX. I believe the PIX 525s are EOL and you will not be able to get a contract on them but you would have to ask a Cisco reseller to be sure about that. It would probably be expensive too since they want you to buy ASAs.

Your ISP needs to assign you a small block of addresses - even a /29 will give you 6 addresses to use. 1 will be for your gateway and 2 will be for the PIX outside interfaces. The other 3 can be used to present internal hosts to the public if necessary.

And if you only have one gateway why are you worried about firewall redundancy? I believe it's just adding complexity without adding much value. Of course, I'm sure you have your reasons but I'm curious.

I don't think DHCP is supported in an FO pair because the secondary unit doesn't speak on the network until it has to take over for the primary. When it does, it assumes the MAC and IP address of the primary - it doesn't use its own identity.

Make sense?
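A minimal LAN-based failover configuration that puts the addressing from the replies above into practice (one static gateway address plus an active and a standby outside address from a single /29, and a dedicated link between the two PIXes). This is an added example, not configuration from the thread; it assumes PIX 7.x command syntax and LAN-based rather than serial-cable failover, and every address (the 203.0.113.0/29 public block, the 192.168.1.0/24 inside network, the 10.255.255.0/30 failover link) and the shared key are constructed placeholders.

```text
! ===== Primary PIX (PIX 7.x syntax, assumed) =====
! Public /29 203.0.113.0/29: .1 = ISP gateway, .2 = active outside, .3 = standby outside
! The remaining three addresses are free for NAT/static translations.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
interface Ethernet2
 description dedicated LAN failover link to the secondary PIX
 no shutdown
!
! Both units use the same single gateway; the standby takes over the .2 address on failover
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
failover lan unit primary
failover lan interface folink Ethernet2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared secret so failover messages between the pair are authenticated
failover key <shared-secret>
failover
!
! ===== Secondary PIX =====
! Only the failover link is configured by hand; the interface addresses, routes and
! everything else are replicated from the primary once failover is enabled.
interface Ethernet2
 no shutdown
!
failover lan unit secondary
failover lan interface folink Ethernet2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret>
failover
```

Once both sides are up, `show failover` on either unit reports which unit is active and whether the peer is reachable over the link, which is the first thing to check before trusting the pair.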

