Thursday, November 14, 2013

LAN Based Failover for Cisco PIX 515E

Revisited my blog after a few years; below is an unpublished post. I also tested this 3 years ago.

This post explains, at a very basic level, how to couple a pair of Cisco PIX 515E firewalls into a failover pair. (The device version tested is 8.0(4); this should technically be supported on any PIX/ASA version 6.2 and above.)

There are two failover scenarios:

Stateful Failover
With stateful failover the active PIX replicates its state table to the standby PIX. If the active PIX fails, the standby PIX can take over transparently, without interrupting the sessions already established through the PIX.

LAN-BASED Failover
With LAN-based failover the standby PIX sits idle and takes over if the primary PIX fails at any point (interface failure, power failure, etc.). However, the standby PIX has no information about the sessions the primary PIX was processing, so after every failover all sessions must be re-initiated. This is not transparent to end users.
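To make the difference between the two scenarios concrete, here is an added configuration example for a PIX running the 7.x/8.x command syntax (such as 8.0(4)); it is not taken from the original post. The hostnames, interface assignments (Ethernet2 as the failover LAN link, Ethernet3 as the state link), the IP addresses and the shared key CHANGEME are all assumptions; the secondary unit only needs the bootstrap commands, since the rest of the configuration is replicated from the primary once failover comes up.

```text
! ---- Primary unit (assumed hostname pix-a) ----
hostname pix-a
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! LAN-based failover: a dedicated interface (assumed: Ethernet2, named
! folink) carries hello messages and configuration replication
failover lan unit primary
failover lan interface folink Ethernet2
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
!
! Shared secret for the failover messages; without it the replicated
! configuration (including passwords) crosses the link in clear text.
! CHANGEME is a placeholder.
failover key CHANGEME
!
! Stateful failover: a second link (assumed: Ethernet3) replicates the
! connection table. Leave out these two lines for plain LAN-based
! failover, and the standby will take over without any session state.
failover link statelink Ethernet3
failover interface ip statelink 10.255.0.5 255.255.255.252 standby 10.255.0.6
!
failover

! ---- Secondary unit: bootstrap only ----
failover lan unit secondary
failover lan interface folink Ethernet2
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover key CHANGEME
failover
```

After both units have been configured, `show failover` on the primary should report it as Primary - Active and the peer as Secondary - Standby Ready; when the state link is configured, the same output also includes the Stateful Failover Logical Update Statistics counters, which is the quickest way to confirm that session replication is actually happening. Keep the failover and state links on a crossover cable or an isolated VLAN, because they carry the full configuration and the connection table of the firewall.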

The Requirement
1.) Both units must be in the same operating mode:
     a.) Routed or Transparent
     b.) Single or Multiple Context

2.) The two units in a failover configuration must have the same hardware configuration:
     a.) same model
     b.) same number and types of interfaces
     c.) same amount of RAM

3.) PIX 500 series:
     a.) One of the units must have a UR (Unrestricted) license. The other unit can have an FO (Failover) license or an FO_AA (Failover Active/Active) license. Note: two boxes that both carry FO or FO_AA licenses, or any box with a Restricted license, cannot be used for failover.

4.) ASA:
     The user needs to understand the requirements and choose the license accordingly (e.g. the Security Plus bundle).