Re: PIX 515 Failover pair - serial or LAN-based failover?

andrew.butterworth · ‎06-08-2009

I have had a good look on CCO and it seems that if the pair of PIX firewalls are less than 6-feet apart then use the serial-based failover. Since the ASA doesn't have this capability is this still the recommended way to deploy a failover pair of 515's?

I recently upgraded a failover pair of 515's to 7.2(4) from 6.3(5) - one has a UR license the other just the FO license. I converted the serial failover to LAN-Based and added State failover using the same link (cross-over cable). At the time I assumed this was the way to go, however we have had some odd issues where the FO unit doesn't seem to kick in when the primary one is powered off. I think this may be a result of the cross-over cable used for the failover link, however I not 100% sure. I tested failover onsite, but since then the customer has done some work (not config) and powered them off since and failover didn't seem to kick in.

I am just after the optimum hardware setup for a failover pair of 515's that are (at the moment) installed next to each other in the same rack.

Thanks

Andy

mwheinz · ‎06-12-2009

Both failover ports have to be connected to a switch in order to keep link status up on surviving firewall. Keeep switch port cfg minimal using portfast, access mode, and a VLAN dedicated to these 2 ports.

Good luck!

srue · ‎06-12-2009

it's best to not connect the failover link directly using a cross over cable, otherwise you will experience issues like you already are. Because the interfaces are directly connected, if one goes down, the opposite interface goes down, so it assumes itself is down as well.