by Mike Connelly
One important feature of the PIX is failover. It has a proprietary failover mechanism that can work over a special serial cable or over a switched LAN. The state information can also be copied with the stateful failover feature. What makes the PIX an attractive proposition, when compared to other choices, is Cisco's policy of supplying the failover PIX at a third of the price of the primary, thus making failover a very economical solution.
Figure 5. Failover Configurations
The failover feature is available on PIX firewalls from model 515 upward. It offers the possibility of having two PIX firewalls: a primary one that is normally active and a secondary one that becomes active in the event of a failure in the primary. To enable failover, you must have the correct licensing. In a 515, you must purchase what is known as an "unrestricted bundle" for the primary PIX and a "failover bundle" for the secondary PIX. To check whether your PIX is capable of failover mode, type show version and look at the output.
pixfirewall(config)# show ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
Compiled on Fri 07-Jun-02 17:49 by morlee
pixfirewall up 1 hour 25 mins
Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0003.6bf6.cce9, irq 11
1: ethernet1: address is 0003.6bf6.ccea, irq 10
2: ethernet2: address is 0004.ac38.bccd, irq 7
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
Look at the "Failover" item. If it says "disabled", you will have to upgrade your license. If it says "enabled", then, before configuring for failover, you have to make sure that the hardware (number of interfaces, memory, etc.) is identical, and also that the software versions are identical.
The primary and secondary PIXs are connected with a green Cisco cable with 15-pin connectors on each end (versions 6.2 and later can use a LAN link instead; see LAN-based failover below). The cable has primary and secondary clearly marked and you have to plug the right end into the right box. Once it is plugged in and the failover commands are entered, the failover cable is used to synchronize the configurations between the boxes.
Each interface on the primary has to have its counterpart on the secondary. The corresponding interfaces have to be connected to the same LANs. The interfaces also must not be configured as "auto" (with the interface command). Set all the interfaces to 100full. Otherwise, failover cannot be enabled.
Once the hardware is correctly connected, type the failover command on the primary.
That's it. You should now be in failover mode. You can test by typing show failover. The output is shown below:
pix-firewall (config)# show failover
Failover On
Cable Status: Normal
Reconnect timout 0:00:00
Poll frequency 15 seconds
failover replication http
This host:Primary - Active
Active time:1734 (sec)
Interface FailoverLink (192.168.254.1) :Normal
Interface Outside (100.1.1.1) :Normal (Waiting)
Interface Inside (192.168.10.1) :Normal
Other host:Secondary - Standby
Active time:0 (sec)
Interface FailoverLink (192.168.254.2) :Normal
Interface Outside (127.0.0.1) :Normal (Waiting)
Interface Inside (192.168.10.2) :Normal
This shows that failover is working. The Cable Status line refers to the green failover cable, which is installed and working in this example. The output shows that the Primary (the PIX on which the command was typed) is Active, and has been so for 1734 seconds. The Secondary device has no active time, indicating that there has never been a failover. The Interfaces say "normal" meaning that the common interfaces can communicate with each other -- except for the Outside interfaces, which say "Normal (Waiting)". This means that the Outside interfaces on the two devices cannot communicate with each other. The reason is easy to spot. On the secondary device, the IP address is 127.0.0.1, meaning that the failover IP address has not been configured (see below).
The configuration on the primary is automatically synchronized to the secondary. All configuration should be done on the primary. There is no need to directly configure the secondary (in fact doing so will stop the synchronization).
The primary and secondary systems constantly poll each other over the failover cable. They can also poll each other over their common Ethernet interfaces. To enable this, the interfaces on the failover PIX must be given their own IP addresses. They must be allocated IP addresses in the same range as their corresponding interfaces on the primary. Use the following command:
failover ip address interface ip-address
e.g.,
failover ip address inside 192.168.1.2
Although the command is typed on the primary, it actually configures the interface IP address on the secondary box.
The Primary and Secondary PIXs continually poll each other with "hello" messages. The default time between polls is 15 seconds, although this can be configured to any time between 3 seconds and 15 seconds. The polling goes over both the failover cable and each LAN interface, provided that the interface status is Normal (see the show failover output above). Two things can trigger a failover:
1. Three successive "hellos" over the failover cable are missed.
2. Three "hellos" are missed between the common Ethernet interfaces, and then:
   a. The NICs are tested. If they are OK then ...
   b. The interfaces are checked for activity (are packets flowing). If no activity then ...
   c. ARP requests are sent to the 10 most recent ARP entries. If no replies are received ...
   d. A broadcast ping is sent. If replies are received, testing stops; otherwise back to c.
   If the active unit passes the test, it stays active.
   If both units fail then there is no change, but testing continues.
   If the active unit fails, but the standby unit passes, a failover occurs.
Steps a to d take 5 seconds each, adding 20 seconds to the failover time on top of the three missed hellos. With default configuration, this comes to up to 45 seconds for a failover cable failure or 65 seconds for a LAN interface failure.
In the event of a failover, the following things happen:
All traffic is blocked
The failover device assumes the IP address and MAC address of the primary
The primary device assumes the IP address and MAC address of the secondary
Sessions have to be rebuilt (translation table populated) before traffic can resume.
The failover happens on the whole box. Even if a failure is only on a single interface, the whole firewall will failover.
Stateful failover requires a little extra configuration, but provides significant improvement. With normal failover, all sessions are lost and need to be re-built. With stateful failover, the xlate, TCP connection, HTTP (optional), ARP, and various other tables are synchronized. In the event of a failure of the primary, if the failover time does not cause a session to timeout, the session should be preserved. Note that this does not usually apply to UDP, which has no concept of a session. There are some exceptions, such as H.323 connections.
Stateful failover requires a dedicated Fast-Ethernet link (configured as 100full) between the two firewalls. This can be a crossover cable or it can go through a switch.
The command to configure stateful failover (in addition to the normal failover commands previously discussed) is:
failover link interface-name
e.g.,
failover link FailoverLink
This enables stateful failover and sets (reserves) the link named FailoverLink (named with the nameif command) for copying state information between the PIXs.
One of the drawbacks of the PIX failover was its dependence on the short green crossover cable. Sometimes it is not possible or convenient to have the two firewalls within six feet of each other. Starting with version 6.2 this dependency will be gone. A feature called LAN-based failover will allow a Fast-Ethernet link to replace the failover cable. The commands to configure this are:
failover lan enable
failover lan interface interface-name
failover lan unit {primary | secondary}
failover lan key secret-key
The LAN interface is a dedicated interface for failover, although it can be combined with the stateful failover function. This reduces the total number of usable interfaces on the PIX, unless you planned to use stateful failover. The firewalls need to be configured as either the primary or the secondary. Because configuration is sent over the LAN, for security a pre-shared key is used to encrypt the data.
Note: the LAN failover link between the firewalls must go through a hub or a switch. An Ethernet crossover cable is not supported (for some reason). The failover must still be within a subnet and cannot be routed.
Apart from the advantage of gaining some distance between the primary and secondary firewalls, there are mostly disadvantages:
An interface can be lost (although it can share the same interface as the stateful-failover link, this is not recommended by Cisco because the state information in a busy firewall can generate high utilization of the interface and potentially disrupt the failover mechanism)
Power loss or reload on the other firewall cannot be detected, so failover is slower in these circumstances.
You need to configure the secondary before it can communicate with the primary -- unlike normal failover where the secondary configuration is automatic.
Other new features include the ability to specify a virtual MAC address to be shared by the two PIXs (similar to HSRP on a router). The default is to use the burned-in MAC addresses and to swap them in case of a failover.
You can check failover status by typing show failover.
The correct output should be:
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
This host: Primary - Active
Active time: 3131 (sec)
Interface outside (100.0.0.254): Normal
Interface 1 (192.168.1.254): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface 0 (100.0.0.253): Normal
Interface 1 (192.168.1.253): Normal
...
Note that the command was entered on the primary device and that it is the active firewall. The Secondary is in standby. The Primary has been active for 3131 seconds and the Secondary has been active for zero seconds. From this, you can conclude that the devices have never failed over. If the Secondary device shows a positive number of seconds, you know that there has been a failover. If you are using syslog (and you should be) then you can see the time, duration, and possibly the reason for the failover. All cable statuses and interfaces show a normal status. Any other status warrants investigation. When stateful failover is configured, show failover also reports the state-replication statistics. The output below shows an example of output for stateful failover:
...
Stateful Failover Logical Update Statistics
Link : FailLink
Stateful Obj    xmit    xerr    rcv     rerr
General         517     0       622     0
sys cmd         240     0       711     0
up time         1       0       1       0
xlate           27      0       1       0
tcp conn        48      0       12      0
udp conn        1       0       0       0
ARP tbl         11      0       0       0
RIP Tbl         0       0       0       0
...
See the Cisco PIX Command Reference for more detailed information on the various statistics.
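The checks walked through above (interfaces not Normal, a 127.0.0.1 placeholder on the secondary, a non-zero active time on the secondary) can be automated when show failover output is collected regularly. The following Python is an added example, not code from the article or from Cisco: it parses a constructed listing in the same format as the article's first show failover output, reports the conditions the article says warrant investigation, and derives the worst-case failover times from the poll frequency using the 3-hellos-plus-four-5-second-tests reasoning given earlier.

```python
import re

# Constructed "show failover" sample (modelled on the article's first listing).
SAMPLE = """Failover On
Cable Status: Normal
Poll frequency 15 seconds
This host:Primary - Active
Active time:1734 (sec)
Interface Outside (100.1.1.1) :Normal (Waiting)
Interface Inside (192.168.10.1) :Normal
Other host:Secondary - Standby
Active time:0 (sec)
Interface Outside (127.0.0.1) :Normal (Waiting)"""

IFACE = re.compile(r"Interface\s+(\S+)\s+\(([\d.]+)\)\s*:\s*(.+)")
GLOBAL = re.compile(r"(Failover|Cable Status|Poll frequency)\s*:?\s*(.+)")

def parse_show_failover(text):
    """Global fields by name, plus hosts: [{role, state, active, ifaces: [(name, ip, status)]}]."""
    info, cur = {"hosts": []}, None
    for line in (l.strip() for l in text.splitlines()):
        if (m := IFACE.match(line)) and cur:
            cur["ifaces"].append((m.group(1), m.group(2), m.group(3).strip()))
        elif g := GLOBAL.match(line):
            info[g.group(1)] = g.group(2).strip()
        elif line.startswith(("This host", "Other host")):
            role, state = (s.strip() for s in line.split(":", 1)[1].split("-", 1))
            cur = {"role": role, "state": state, "active": 0, "ifaces": []}
            info["hosts"].append(cur)
        elif line.startswith("Active time") and cur:
            cur["active"] = int(re.search(r"\d+", line).group())
    return info

def failover_findings(info):
    out = []  # conditions the article says warrant investigation
    if info.get("Failover") != "On" or info.get("Cable Status") != "Normal":
        out.append("failover %s, cable %s" % (info.get("Failover"), info.get("Cable Status")))
    for h in info["hosts"]:
        if h["role"] == "Secondary" and h["active"] > 0:
            out.append("secondary active for %d s: a failover has occurred" % h["active"])
        for name, ip, status in h["ifaces"]:
            if ip == "127.0.0.1":  # failover ip address never configured for this interface
                out.append("%s %s has no failover ip address" % (h["role"], name))
            elif status != "Normal":
                out.append("%s %s is %s" % (h["role"], name, status))
    return out

def worst_case_failover_seconds(poll):
    """Three missed hellos; a LAN failure adds the four 5-second tests (steps a to d)."""
    return {"cable": 3 * poll, "lan": 3 * poll + 4 * 5}
```

Run against the sample, the findings list flags the primary's Outside interface as Normal (Waiting) and the secondary's Outside interface as lacking a failover IP address, which is exactly the diagnosis the article makes by eye.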