Cisco Support Community

New Member

benefit of having both the failovers configured

Hi, could someone tell me what the benefit is of configuring both failovers, a LAN-based and a stateful failover? When both are configured and a failover takes place, which failover happens first, the LAN-based or the stateful failover? There is no documentation mentioning this.



Re: benefit of having both the failovers configured


Failover (FO) option is either normal failover (non-stateful) or stateful failover.

Normal failover means existing connections/sessions will be dropped when the primary firewall is down. The primary firewall will not update the secondary unit on its current state and connection/session status. Users need to re-establish connections manually; for example, a telnet session will be disconnected once the primary unit fails, and you need to start the telnet session again.

*Normal failover only requires standard Failover cable (bundled with PIX) to inter-connect both units.

Stateful failover, on the other hand (benefit), allows both firewalls to synchronize current connectivity state & status. Existing connections will not be dropped, as both have similar information on the current connection state. When the primary unit fails, the secondary (standby) unit will resume firewalling tasks based on the status synced from the primary unit before it failed. Your FTP or telnet session will not be dropped and you can continue to do your work.

*Requirements for stateful failover:

1. UTP (cross-over) or fiber patch cord between primary and secondary firewall -> to channel existing sessions/connections. For this purpose, you need to allocate 1 interface/port on both firewalls.

2. Standard Failover cable (bundled with PIX) -> to enable the secondary unit to know the status of the primary unit, similar to a 'heartbeat' check.

Stateful failover is highly recommended over normal failover.

The difference (or benefit) between failover using a failover cable and LAN-based failover is that LAN-based failover allows you to separate, mount or install both firewalls far from each other. It uses UTP cables for both stateful and heartbeat status updates. So your limit is probably the max of 100m distance using UTP.

However, when failover occurs, it might take a longer time before the secondary unit can fully take over the firewalling operations.

Failover setup (stateful or non-stateful) using the standard failover cable limits the distance between your firewalls. Here you need 1 x UTP and 1 standard failover cable. The advantage is that the update or failover process is faster than LAN-based. You are allowed to push up to 3 secs for the failover process to start.

Hope this can help.



New Member

Re: benefit of having both the failovers configured

Hi there, thanks a lot for your detailed explanation. But my actual doubt is this: I have seen many people configure a stateless LAN-based failover on one interface and at the same time configure another stateful LAN-based failover over another interface. What is the reason behind it? What is the benefit of such a configuration? If failover happens, then which one takes over first, the stateful or the stateless failover? Can you please explain this part to me? It will be really helpful to me. Thank you for all your help.

