Cisco PIX 500 Series Configuration Manual page 224

Security appliance command line

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 14-4
Chapter 14: Configuring Failover

Understanding Failover

- LAN-Based Failover Link
- Serial Cable Failover Link (PIX Security Appliance Only)

LAN-Based Failover Link

You can use any unused Ethernet interface on the device as the failover link. You cannot specify an
interface that is currently configured with a name. The failover link interface is not configured as a
normal networking interface; it exists only for failover communication. This interface should only be
used for the failover link (and optionally for the Stateful Failover link). You can connect the LAN-based
failover link in the following ways:

- Using a dedicated switch with no hosts or routers on the link. This is the recommended method.
- Using a crossover Ethernet cable to link the units directly. This configuration is not recommended.
  If one of the failover link interfaces fails, both interfaces are marked as failed; the security
  appliance cannot determine which interface caused the failure. Additionally, you cannot use a
  crossover Ethernet cable if you are using a redundant interface for the failover link.
- (ASA 5500 series security appliance only) Using a straight-through Ethernet cable to link the units
  directly. This configuration is not recommended. If one of the failover link interfaces fails, both
  interfaces are marked as failed; the security appliance cannot determine which interface caused the
  failure. Additionally, you cannot use a straight-through Ethernet cable if you are using a redundant
  interface for the failover link.

Note: When using VLANs, use a dedicated VLAN for the failover link. Sharing the failover link VLAN with
any other VLANs can cause intermittent traffic problems and ping and ARP failures. If you use a switch
to connect the failover link, use dedicated interfaces on the switch and security appliance for the failover
link; do not share the interface with subinterfaces carrying regular network traffic.

On systems running in multiple context mode, the failover link resides in the system context. This
interface and the Stateful Failover link, if used, are the only interfaces that you can configure in the
system context. All other interfaces are allocated to and configured from within security contexts.

Note: The IP address and MAC address for the failover link do not change at failover.

Serial Cable Failover Link (PIX Security Appliance Only)

The serial Failover cable, or "cable-based failover," is only available on the PIX 500 series security
appliance. If the two units are within six feet of each other, then we recommend that you use the serial
Failover cable.

The cable that connects the two units is a modified RS-232 serial link cable that transfers data at
117,760 bps (115 Kbps). One end of the cable is labeled "Primary". The unit attached to this end of the
cable automatically becomes the primary unit. The other end of the cable is labeled "Secondary". The
unit attached to this end of the cable automatically becomes the secondary unit. You cannot override
these designations in the PIX 500 series security appliance software. If you purchased a PIX 500 series
security appliance failover bundle, this cable is included. To order a spare, use part number PIX-FO=.

The benefits of using cable-based failover include:

- The PIX 500 series security appliance can immediately detect a power loss on the peer unit and
  differentiate a power loss from an unplugged cable.
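
A pre-change check for the two LAN-based failover link rules on this page (the failover link interface carries no name, and its physical interface is not shared with subinterfaces carrying regular traffic), as an added example that is not part of the Cisco manual. The sample configuration is constructed, and the interface names and the link name folink are assumptions about a candidate configuration under review.

```python
import re

# Constructed sample candidate config (not from the manual); names are assumptions.
SAMPLE_CONFIG = """\
interface Ethernet3
 no nameif
!
interface Ethernet3.10
 vlan 10
!
interface Ethernet3.20
 vlan 20
 nameif partners
!
failover lan interface folink Ethernet3.10
"""

def parse_named_interfaces(config):
    """Map each 'interface X' stanza to its nameif value (None if unnamed)."""
    names, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            names[current] = None
        elif current and (m := re.match(r"\s+nameif\s+(\S+)", line)):
            names[current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # stanza ended ('!' or a global command)
    return names

def check_failover_link(config):
    """Return findings for the interface named in 'failover lan interface'."""
    names = parse_named_interfaces(config)
    m = re.search(r"^failover lan interface\s+(\S+)\s+(\S+)", config, re.M)
    if not m:
        return ["no 'failover lan interface' command found"]
    link_if = m.group(2)
    parent = link_if.split(".")[0]
    findings = []
    if names.get(link_if):
        findings.append(f"{link_if} is configured with a name ({names[link_if]})")
    for iface, name in names.items():
        if iface != link_if and name and iface.split(".")[0] == parent:
            findings.append(f"{iface} ({name}) shares {parent} with the failover link")
    return findings

for finding in check_failover_link(SAMPLE_CONFIG):
    print(finding)
```

An empty list means the candidate configuration satisfies both rules; the sample reports the named subinterface that shares Ethernet3 with the failover link.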

This manual is also suitable for: ASA 5500 series
