Cisco PIX 500 Series Configuration Manual page 231

Security appliance command line

Chapter 14
Configuring Failover
Note
Active/Active failover generates virtual MAC addresses for the interfaces in each failover group. If you
have more than one Active/Active failover pair on the same network, it is possible to have the same
default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of
the other pairs because of the way the default virtual MAC addresses are determined. To avoid having
duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active
and standby MAC address.
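One way to audit the recommendation in the Note above, as an added example that is not from the Cisco guide: the script parses the failover group sections of each pair's configuration and reports physical interfaces with no explicit virtual MAC assignment and any virtual MAC reused across pairs. It assumes the mac address phy_if active_mac standby_mac form of the failover group command; the pair names, interface name and MAC values are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample configurations for two Active/Active pairs on the same network.
PAIR_A = """\
failover group 1
 primary
 preempt
 mac address Ethernet0 0000.a000.a011 0000.a000.a012
failover group 2
 secondary
 preempt
 mac address Ethernet0 0000.a000.a021 0000.a000.a022
"""
PAIR_B = """\
failover group 1
 primary
 mac address Ethernet0 0000.a000.a011 0000.a000.b012
failover group 2
 secondary
"""
MAC_LINE = re.compile(r"mac address (\S+) ([0-9a-f.]+) ([0-9a-f.]+)$", re.I)

def parse_virtual_macs(config):
    """Return {(group, interface): (active_mac, standby_mac)} for explicit assignments."""
    macs, group = {}, None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():  # top-level command: enter or leave a group
            m = re.match(r"failover group (\d+)$", raw.strip())
            group = int(m.group(1)) if m else None
        elif group is not None and (m := MAC_LINE.match(raw.strip())):
            macs[(group, m.group(1))] = (m.group(2).lower(), m.group(3).lower())
    return macs

def audit(pairs, interfaces, groups=(1, 2)):
    """pairs: {pair name: config text}. Returns (missing assignments, reused MACs)."""
    missing, seen = [], defaultdict(set)
    for name, config in pairs.items():
        macs = parse_virtual_macs(config)
        # Any (group, interface) without an explicit line falls back to a default MAC.
        missing += [(name, g, i) for g in groups for i in interfaces if (g, i) not in macs]
        for (g, ifc), pair in macs.items():
            for mac in pair:
                seen[mac].add((name, g, ifc))
    dupes = {mac: sorted(users) for mac, users in seen.items() if len(users) > 1}
    return sorted(missing), dupes
```

Calling audit({"pair-A": PAIR_A, "pair-B": PAIR_B}, ["Ethernet0"]) flags the unassigned group 2 interface on pair-B and the active MAC that both pairs use for group 1.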
Primary/Secondary Status and Active/Standby Status
As in Active/Standby failover, one unit in an Active/Active failover pair is designated the primary unit,
and the other unit the secondary unit. Unlike Active/Standby failover, this designation does not indicate
which unit becomes active when both units start simultaneously. Instead, the primary/secondary
designation does two things:
• Determines which unit provides the running configuration to the pair when they boot
  simultaneously.
• Determines on which unit each failover group appears in the active state when the units boot
  simultaneously. Each failover group in the configuration is configured with a primary or secondary
  unit preference. You can configure both failover groups to be in the active state on a single unit in the
  pair, with the other unit containing the failover groups in the standby state. However, a more typical
  configuration is to assign each failover group a different role preference to make each one active on
  a different unit, distributing the traffic across the devices.
  Note
  The security appliance does not provide load balancing services. Load balancing must be
  handled by a router passing traffic to the security appliance.
Which unit each failover group becomes active on is determined as follows:
• When a unit boots while the peer unit is not available, both failover groups become active on the
  unit.
• When a unit boots while the peer unit is active (with both failover groups in the active state), the
  failover groups remain in the active state on the active unit regardless of the primary or secondary
  preference of the failover group until one of the following:
  - A failover occurs.
  - You manually force the failover group to the other unit with the no failover active command.
  - You configured the failover group with the preempt command, which causes the failover group
    to automatically become active on the preferred unit when the unit becomes available.
• When both units boot at the same time, each failover group becomes active on its preferred unit after
  the configurations have been synchronized.
Device Initialization and Configuration Synchronization
Configuration synchronization occurs when one or both units in a failover pair boot. The configurations
are synchronized as follows:
• When a unit boots while the peer unit is active (with both failover groups active on it), the booting
  unit contacts the active unit to obtain the running configuration regardless of the primary or
  secondary designation of the booting unit.
OL-12172-03
Cisco Security Appliance Command Line Configuration Guide
Understanding Failover
14-11

This manual is also suitable for:

ASA 5500 Series
