Some users require the key entries or access points of their networks, such as the Internet access point of an enterprise or a database server of a bank, to be highly reliable to ensure continuous data transmission. Deploying only one device (even with high reliability) in such a network risks a single point of failure and therefore cannot meet the requirement, as shown in figure
The stateful failover feature was introduced to meet the requirement. Stateful failover backs up services such as NAT, ALG, portal, blacklist, DHCP server and load balancing, and synchronizes configurations between two devices. In Figure 2, two devices that are enabled with stateful failover are deployed in the network. Each device has a failover interface. The failover interfaces are connected over the failover link.
The two devices exchange state negotiation messages through the failover link periodically. After the two devices enter the synchronization state, they back up the services of each other to ensure that the services on them are consistent. If one device fails, the other device can take over the services using VRRP or dynamic routing protocols (such as OSPF) to avoid service interruption.
To implement service backup, the key service configurations on the two devices must be consistent. With the configuration synchronization function, you can synchronize such configurations from the active device to the standby device through the failover link, instead of making repeated configurations on both devices.
You can use the following synchronization methods:
Auto synchronization. With auto synchronization, the active device synchronizes all its configurations to the standby device at one time. After that, whenever its configuration changes, the active device automatically synchronizes the new configuration to the standby device.
Manual synchronization. You can choose to manually synchronize all configurations.
Stateful failover maintains certain connections during a failover incident. However, the Internet Security Association and Key Management Protocol (ISAKMP) and IPSec SA tables are not replicated to the standby PIX Firewall. Any IPSec connection that is dropped due to failover must be recreated as a new connection through the secondary PIX.
The following issues can cause a failover:
A power off or a power down condition on the active PIX
Reboot of the active PIX
A link goes down on the active PIX for more than 30 seconds
Issuing the failover active command on the standby PIX
Block memory exhaustion for 15 consecutive seconds or more on the active PIX
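The conditions listed above can be checked against health telemetry to explain why a failover happened. The following Python code is an added example, not part of the original page and not how the PIX itself implements failover; the `Sample` fields, the 5-second sampling interval and the function names are assumptions, and only the 30-second and 15-second thresholds come from the list.

```python
from dataclasses import dataclass

LINK_DOWN_LIMIT = 30      # page: link down "for more than 30 seconds"
BLOCK_EXHAUST_LIMIT = 15  # page: exhaustion "for 15 consecutive seconds or more"

@dataclass
class Sample:                      # hypothetical telemetry record for the active unit
    t: int                         # seconds since observation started
    powered: bool = True
    rebooting: bool = False
    link_up: bool = True
    blocks_exhausted: bool = False
    standby_forced_active: bool = False  # "failover active" issued on the standby

def first_failover(samples):
    """Return (time, reason) for the first listed condition met, or None."""
    link_down_since = exhausted_since = None
    for s in samples:
        if not s.powered:
            return s.t, "power loss on active unit"
        if s.rebooting:
            return s.t, "reboot of active unit"
        if s.standby_forced_active:
            return s.t, "failover active issued on standby"
        # Remember where each continuous bad run began; a good sample resets it.
        if s.link_up:
            link_down_since = None
        elif link_down_since is None:
            link_down_since = s.t
        if not s.blocks_exhausted:
            exhausted_since = None
        elif exhausted_since is None:
            exhausted_since = s.t
        if link_down_since is not None and s.t - link_down_since > LINK_DOWN_LIMIT:
            return s.t, "link down for more than 30 seconds"
        if exhausted_since is not None and s.t - exhausted_since >= BLOCK_EXHAUST_LIMIT:
            return s.t, "block memory exhausted for 15 seconds or more"
    return None

def constructed_link_trace():
    # Constructed data: a 20 s flap (t=5..20) that recovers, then an outage from t=40.
    return [Sample(t, link_up=not (5 <= t <= 20 or t >= 40)) for t in range(0, 100, 5)]

def constructed_block_trace():
    # Constructed data: block memory exhausted from t=10 through t=30.
    return [Sample(t, blocks_exhausted=10 <= t <= 30) for t in range(0, 50, 5)]

if __name__ == "__main__":
    print(first_failover(constructed_link_trace()))
    print(first_failover(constructed_block_trace()))
```

The short flap in the first trace does not trigger anything because the link recovers before the 30-second limit; only the sustained outage does.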
The following information is replicated to the standby PIX:
The Transmission Control Protocol (TCP) connection table (except HTTP), including the timeout information of each connection
The translation (xlate) table
System up time (the system clock is synchronized on both PIX units)
The following information is not replicated to the standby PIX: