This is a Tutorial excerpt from PIX Firewall Configuration by Mike Connelly.

If you're not a Certification Zone Subscriber and you would like complete, unrestricted access to the rest of this and every other Tutorial, Study Quiz, Lab Scenario, and Practice Exam available at Certification Zone, become a Subscriber today!

PIX Failover

by Mike Connelly

One important feature of the PIX is failover. It has a proprietary failover mechanism that can work over a special serial cable or over a switched LAN. The state information can also be copied with the stateful failover feature. What makes the PIX an attractive proposition, when compared to other choices, is Cisco's policy of supplying the failover PIX at a third of the price of the primary, thus making failover a very economical solution.

Figure 5. Failover Configurations

The failover feature is available on PIX firewalls from model 515 upward. It offers the possibility of having two PIX firewalls: a primary one that is normally active and a secondary one that becomes active in the event of a failure in the primary. To enable failover, you must have the correct licensing. In a 515, you must purchase what is known as an "unrestricted bundle" for the primary PIX and a "failover bundle" for the secondary PIX. To check whether your PIX is capable of failover mode, type show version and look at the output.

pixfirewall(config)# show ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
Compiled on Fri 07-Jun-02 17:49 by morlee
pixfirewall up 1 hour 25 mins
Hardware:   PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0003.6bf6.cce9, irq 11
1: ethernet1: address is 0003.6bf6.ccea, irq 10
2: ethernet2: address is 0004.ac38.bccd, irq 7
Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES:           Disabled
Maximum Interfaces: 3
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

Look at the "Failover" item. If it says "disabled", you will have to upgrade your license. If it says "enabled", then, before configuring for failover, you have to make sure that the hardware (number of interfaces, memory, etc.) is identical, and also that the software versions are identical.

The primary and secondary PIXs are connected with a green Cisco cable with 15-pin connectors on each end (except in versions 6.2 and later). The cable has primary and secondary clearly marked and you have to plug the right end to the right box. Once it is plugged in and the failover commands are entered, the failover cable is used to synchronize the configurations between the boxes.

Each interface on the primary has to have its counterpart on the secondary. The corresponding interfaces have to be connected to the same LANs. The interfaces also must not be configured as "auto" (with the interface command). Set all the interfaces to 100full. Otherwise, failover cannot be enabled.

Configuring Failover

Once the hardware is correctly connected, type the failover command on the primary.

That's it. You should now be in failover mode. You can test by typing show failover. The output is shown below:

pix-firewall (config)# show failover
  Failover On
  Cable Status: Normal
  Reconnect timout 0:00:00
  Poll frequency 15 seconds
  failover replication http
    This host:Primary - Active
      Active time:1734 (sec)
      Interface FailoverLink ( :Normal
      Interface Outside ( :Normal (Waiting)
      Interface Inside ( :Normal
    Other host:Secondary - Standby
      Active time:0 (sec)
      Interface FailoverLink ( :Normal
      Interface Outside ( :Normal (Waiting)
      Interface Inside ( :Normal

This shows that failover is working. The Cable Status line refers to the green failover cable, which is installed and working in this example. The output shows that the Primary (the PIX on which the command was typed) is Active, and has been so for 1734 seconds. The Secondary device has no active time, indicating that there has never been a failover. The Interfaces say "normal" meaning that the common interfaces can communicate with each other -- except for the Outside interfaces, which say "Normal (Waiting)". This means that the Outside interfaces on the two devices cannot communicate with each other. The reason is easy to spot. On the secondary device, the IP address is, meaning that the failover IP address has not been configured (see below).

The configuration on the primary is automatically synchronized to the secondary. All configuration should be done on the primary. There is no need to directly configure the secondary (in fact doing so will stop the synchronization).

The primary and secondary systems constantly poll each other over the failover cable. They can also poll each other over their common Ethernet interfaces. To enable this, the interfaces on the failover PIX must be given their own IP addresses. They must be allocated IP addresses in the same range as their corresponding interfaces on the primary. Use the following command:

failover ip address interface ip-address


failover ip address inside

Although the command is typed on the primary, it actually configures the interface IP address on the secondary box.

How Failover Works

The Primary and Secondary PIXs continually poll each other with "hello" messages. The default time between polls is 15 seconds, although this can be configured to any time between 3 seconds and 15 seconds. The polling goes over both the failover cable and each LAN interface (providing that the Interface status is Normal (referring to the show fail output above)). Two things can trigger a failover:

  1. Three successive "hellos" over the failover cable are missed.

  2. Three "hellos" are missed between the common Ethernet interfaces, and then:

    1. The NICs are tested. If they are OK then ...

    2. The interfaces are checked for activity (are packets flowing). If no activity then ...

    3. ARP requests are sent to the 10 most recent ARP entries. If no replies received ...

    4. Broadcast ping sent. If replies received testing stops, otherwise back to c.

    5. If the active unit passes the test, it stays active.

    6. If both units fail then there is no change, but testing continues.

    7. If the active unit fails, but the standby unit passes, a failover occurs

    Steps a to d take 5 seconds each, adding 20 seconds to the failover time on top of the three missed hellos. With default configuration, this comes to up to 45 seconds for a failover cable failure or 65 seconds for a LAN interface failure.

In the event of a failover, the following things happen:

  1. All traffic is blocked

  2. The failover device assumes the IP address and MAC address of the primary

  3. The primary device assumes the IP address and MAC address of the secondary

  4. Sessions have to be rebuilt (translation table populated) before traffic can resume.

The failover happens on the whole box. Even if a failure is only on a single interface, the whole firewall will failover.

Stateful Failover

Stateful failover requires a little extra configuration, but provides significant improvement. With normal failover, all sessions are lost and need to be re-built. With stateful failover, the xlate, TCP connection, HTTP (optional), ARP, and various other tables are synchronized. In the event of a failure of the primary, if the failover time does not cause a session to timeout, the session should be preserved. Note that this does not usually apply to UDP, which has no concept of a session. There are some exceptions, such as H.323 connections.

Stateful failover requires a dedicated Fast-Ethernet link (configured as 100full) between the two firewalls. This can be a crossover cable or it can go through switch.

The command to configure stateful failover (in addition to the normal failover commands previously discussed) is:

failover link interface-name


failover link FailoverLink

This enables stateful failover and sets (reserves) the link named FailoverLink (named with the nameif command) for copying state information between the PIXs.

Differences In Version 6.2 and Later

One of the drawbacks of the PIX failover was its dependence on the short green crossover cable. Sometimes it is not possible or convenient to have the two firewalls within six feet of each other. Starting with version 6.2 this dependency will be gone. A feature called LAN-based failover will allow a Fast-Ethernet link to replace the failover cable. The commands to configure this are:

failover lan enable
failover lan interface (interface-name)
failover lan unit {primary | secondary}
failover lan key secret-key

The LAN interface is a dedicated interface for failover, although it can be combined with the stateful failover function. This reduces the total number of usable interfaces on the PIX, unless you planned to use stateful failover. The firewalls need to be configured as either the primary or the secondary. Because configuration is sent over the LAN, for security a pre-shared key is used to encrypt the data.

Note: the LAN failover link between the firewalls must go through a hub or a switch. An Ethernet crossover cable is not supported (for some reason). The failover must still be within a subnet and cannot be routed.

Apart from the advantage of gaining some distance between the primary and secondary firewalls, there are mostly disadvantages:

Other new features include the ability to specify a virtual MAC address to be shared by the two PIXs, (similar to HSRP in a router). The default is to use the burned-in MAC addresses, and to swap them in case of a failover.

Troubleshooting Failover

You can check failover status by typing show failover.

The correct output should be:

Failover On
  Cable status: Normal
  Reconnect timeout 0:00:00
    This host: Primary - Active
      Active time: 3131 (sec)
      Interface outside ( Normal
      Interface 1 ( Normal
    Other host: Secondary - Standby
      Active time: 0 (sec)
      Interface 0 ( Normal
      Interface 1 ( Normal

Note that the command was entered on the primary device and that it is the active firewall. The Secondary is in standby. The Primary has been active for 3131 seconds and the Secondary has been active for zero seconds. From this, you can conclude that the devices have never failed-over. If the Secondary device shows a positive number of seconds, you know that there has been a failover. If you are using syslog (and you should be) then you can see the time, duration, and possibly the reason for the failover. All cable statuses and interfaces show a normal status. Any other status warrants investigation. The show failover gives more information. The output below shows an example of output for stateful failover:

Stateful Failover Logical Update Statistics
Link : FailLink
Stateful Obj  xmit   xerr   rcv   rerr
General       517    0      622   0
sys cmd       240    0      711   0
up time       1      0      1     0
xlate         27     0      1     0
tcp conn      48     0      12    0
udp conn      1      0      0     0
ARP tbl       11     0      0     0
RIP Tbl       0      0      0     0

See the Cisco PIX Command Reference for more detailed information on the various statistics.

This is a Tutorial excerpt from PIX Firewall Configuration by Mike Connelly.

If you're not a Certification Zone Subscriber and you would like complete, unrestricted access to the rest of this and every other Tutorial, Study Quiz, Lab Scenario, and Practice Exam available at Certification Zone, become a Subscriber today!