Cisco Support Community
Community Member

LAN-based failover session key encryption for PIX

My suggestion for session key encryption for a lan based failover connection for the PIX is as follows:

A) Physically connect the PIX interfaces to a workgroup and/or enterprise Catalyst 6509 switch running IOS 12.2(18)SXF or higher.

B) Assign static IP addresses within the range of the primary and failover PIX units.

C) Configure session key encryption on the workgroup switch and only allow TCP packet segments via IP protocol number 105/SCPS. Then deny all other TCP/IP segments.

The configurations should be as follows:

CompanyA-6509#show run
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
! lab placeholder: enable service password-encryption and use an enable secret outside a lab
no service password-encryption
!
! IOS hostnames cannot contain spaces
hostname CompanyA-6509
!
enable password cisco
!
no aaa new-model
ip subnet-zero
!
! manual keying (ipsec-manual) does not use IKE, so ISAKMP stays disabled
no crypto isakmp enable
!
crypto ipsec transform-set encrypt-aes esp-aes esp-sha-hmac
!
! crypto map names cannot contain spaces
! sample keys of the required length (32 hex digits for esp-aes, 40 for esp-sha-hmac); generate real ones at random
! peer address not given in the original
crypto map pix-failover 8 ipsec-manual
 set peer
 set session-key inbound esp 1001 cipher 1234abcd1234abcd1234abcd1234abcd authenticator 0123456789abcdef0123456789abcdef01234567
 set session-key outbound esp 1000 cipher abcd1234abcd1234abcd1234abcd1234 authenticator 76543210fedcba9876543210fedcba9876543210
 set transform-set encrypt-aes
 match address 101
!
! interface address not given in the original
interface GigabitEthernet2/2
 description PIX LAN-based failover interface; crypto ACL 101 matches IP protocol 105 (SCPS)
 ip address
 speed 100
 duplex full
 crypto map pix-failover
!
ip http server
no ip http secure-server
ip classless
ip route
!
! protocol 105 is matched in the protocol field; "eq" is a TCP/UDP port qualifier and cannot match it
! host addresses not given in the original
access-list 101 permit 105 host host
access-list 101 permit 105 host host
! deny in a crypto ACL only exempts traffic from IPsec, it does not drop it; a trailing permit any any would be unreachable
access-list 101 deny ip any any
!
line con 0
 no login
line aux 0
 no login
line vty 0 15
 exec-timeout 300
 transport input ssh
end


If possible, try this on a home lab, then verify the results.
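As an added check before trying the map in a lab (example code written here, not from the original post or from Cisco): the linter below parses an ipsec-manual crypto map, the transform set it references and the crypto ACL it matches, and reports what IOS would reject or silently mis-handle. The key lengths and SPI range it enforces are the ones the IOS `set session-key` command reference specifies (esp-aes 128 needs a 32-hex-digit cipher key, esp-sha-hmac a 40-hex-digit authenticator key, SPI 256 to 4294967295); the ACL checks encode that `eq` is a TCP/UDP port qualifier and that an IP protocol such as 105 belongs in the protocol field. The embedded sample config is constructed from the posted map with its original key lengths, and the 192.0.2.x addresses are placeholders.

```python
"""Lint an IOS ipsec-manual crypto map like the one in the post above. Added example, not from the
post; key lengths/SPI range follow the IOS `set session-key` command reference; samples are constructed."""
import re

CIPHER_HEX = {"esp-des": 16, "esp-3des": 48, "esp-aes": 32}  # AES-128; `esp-aes 192/256` need 48/64
AUTH_HEX = {"esp-md5-hmac": 32, "esp-sha-hmac": 40}
SPI_MIN, SPI_MAX = 256, 4294967295
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_transform_sets(lines):
    """Map transform-set name -> (cipher, authenticator) from `crypto ipsec transform-set` lines."""
    sets = {}
    for toks in (l.split() for l in lines):
        if toks[:3] != ["crypto", "ipsec", "transform-set"] or len(toks) < 5:
            continue
        cipher = next((t for t in toks[4:] if t in CIPHER_HEX), None)
        auth = next((t for t in toks[4:] if t in AUTH_HEX), None)
        sets[toks[3]] = (cipher, auth)
    return sets


def lint_session_key(toks, cipher, auth):
    """Findings for one `set session-key <dir> esp <spi> cipher <hex> [authenticator <hex>]` line."""
    out, direction, spi = [], toks[2], toks[4]
    if not (spi.isdigit() and SPI_MIN <= int(spi) <= SPI_MAX):
        out.append(f"{direction}: SPI {spi!r} outside {SPI_MIN}..{SPI_MAX}")
    fields = dict(zip(toks[5::2], toks[6::2]))  # keyword -> hex key
    for kind, table, algo in (("cipher", CIPHER_HEX, cipher), ("authenticator", AUTH_HEX, auth)):
        want, got = table.get(algo), fields.get(kind, "")
        if want and not got:
            out.append(f"{direction}: transform set uses {algo} but no {kind} key is given")
        elif got and not HEX_RE.match(got):
            out.append(f"{direction}: {kind} key is not hexadecimal")
        elif want and got and len(got) != want:
            out.append(f"{direction}: {kind} key is {len(got)} hex digits, {algo} needs {want}")
    return out


def lint_crypto_acl(lines, acl_id):
    """Findings for the numbered ACL a crypto map's `match address` names."""
    out, shadowed = [], False
    for toks in (l.split() for l in lines):
        if toks[:2] != ["access-list", acl_id] or len(toks) < 5:
            continue
        action, proto, entry = toks[2], toks[3], " ".join(toks)
        if shadowed:
            out.append(f"unreachable after an 'any any' entry: {entry}")
            continue
        if "eq" in toks and proto not in ("tcp", "udp"):  # ports exist only for TCP/UDP
            out.append(f"'eq' is a TCP/UDP port qualifier, it cannot match IP protocol "
                       f"{toks[toks.index('eq') + 1]}: {entry}")
        if action == "deny":  # crypto-ACL deny means "not encrypted", not "dropped"
            out.append(f"note: 'deny' in a crypto ACL exempts traffic from IPsec, it does not drop it: {entry}")
        shadowed = shadowed or (proto == "ip" and toks[4:6] == ["any", "any"])
    return out


def lint(config_text):
    """Return finding strings for every ipsec-manual crypto map in an IOS config fragment."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip() and not l.strip().startswith("!")]
    tsets, blocks, current, findings = parse_transform_sets(lines), [], None, []
    for toks in (l.split() for l in lines):  # group `set`/`match` lines under their crypto map
        if toks[:2] == ["crypto", "map"] and "ipsec-manual" in toks:
            current = {"name": " ".join(toks[2:4]), "lines": []}
            blocks.append(current)
        elif current is not None and toks[0] in ("set", "match"):
            current["lines"].append(toks)
        else:
            current = None
    for blk in blocks:
        name = blk["name"]
        tset = next((t[2] for t in blk["lines"] if t[:2] == ["set", "transform-set"]), None)
        cipher, auth = tsets.get(tset, (None, None))
        for t in blk["lines"]:
            if t[:2] == ["set", "peer"] and len(t) < 3:
                findings.append(f"{name}: 'set peer' has no address")
            elif t[:2] == ["set", "session-key"] and len(t) >= 7:
                findings += [f"{name}: {f}" for f in lint_session_key(t, cipher, auth)]
            elif t[:2] == ["match", "address"] and len(t) >= 3:
                findings += [f"{name}: ACL {t[2]}: {f}" for f in lint_crypto_acl(lines, t[2])]
    return findings


# Constructed sample: the posted map with its original key lengths and ACL, placeholder addresses.
POSTED = """crypto ipsec transform-set encrypt-aes esp-aes esp-sha-hmac
crypto map pix-failover 8 ipsec-manual
 set peer
 set session-key inbound esp 1001 cipher 1234abcd1234abcd authenticator 20
 set session-key outbound esp 1000 cipher abcd1234abcd1234 authenticator 20
 set transform-set encrypt-aes
 match address 101
access-list 101 permit ip host 192.0.2.1 host 192.0.2.2 eq 105
access-list 101 deny ip any any
access-list 101 permit ip any any"""

if __name__ == "__main__":
    print("\n".join(lint(POSTED)))
```

Run against the posted map it returns eight findings: both session keys too short for esp-aes and esp-sha-hmac, `set peer` without an address, `eq 105` on an `ip` entry, the `permit ip any any` that can never be reached, and the reminder that a crypto-ACL `deny` leaves traffic unencrypted rather than dropping it. A corrected map (a peer address, 32- and 40-hex-digit keys, `permit 105 host A host B`, no trailing permit) reports only that deny reminder, which is the cue to add a separate `ip access-group` filter if the intent is to drop everything except protocol 105.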


Re: LAN-based failover session key encryption for PIX

The failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.

The security appliance supports two failover configurations, Active/Active Failover and Active/Standby Failover. Each failover configuration has its own method to determine and perform failover. With Active/Active Failover, both units can pass network traffic. This lets you configure load balancing on your network. Active/Active Failover is only available on units that run in multiple context mode. With Active/Standby Failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.
