{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiaelkvm5j2j35iyadwweqnapjkz24wwjboqxz4by4p3rkwgifczke",
"uri": "at://did:plc:wnit4jb553jiwptxnj5srnmr/app.bsky.feed.post/3mfysrhrxoww2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreia3vrnlu32hs5ach53mjcjmrjzf4fhq733bvl4eaywh3qlllm7cka"
},
"mimeType": "image/jpeg",
"size": 25527
},
"description": "Configure failover on Cisco PIX firewall",
"path": "/pix-failover/",
"publishedAt": "2026-03-01T13:09:35.000Z",
"site": "https://cg1network.com",
"textContent": "Protects the network from primary PIX failure. two firewalls, active (primary) and backup (secondary)\n\nFailover happens:\n\n * PIX powers down or reboots\n * Link is down for more than 30 seconds\n * failover active command issue on standby PIX firewall\n * memory is depleted on primary for more than 15 seconds\n\n\n\nRequirements:\n\n * PIX models must be identical\n * must have same activation key levels\n * same software version\n * same amount of ram and flash memory\n * one must have unrestricted licence (UR), other can have (FO) or (UR) but not restricted.\n * 501 and 506E can’t be used for failover\n\n\n\nFailover: all connections are dropped and client apps must reconnect. stateful information is not passed to standby PIX\n\nStateful Failover: each connection is passed to standby, end users don’t need to reconnect. state data includes: global address pool. connections, translations, PAT\n\n### Failover cabling methods\n\n * Serial - custom RS232 cable at 115kbps\n * LAN-based - ethernet between two PIX firewalls\n * Stateful cable - minimum 100mbps full duplex ethernet, uses dedicated switch or VLAN. Uses IP protocol 8.\n\n\n\nSecondary assumes IP address and MAC address of the primary during a failover\n\nhello packets every 15 seconds and all interfaces and failover cable.\n\n * link up/down test\n * network activity test (5 seconds)\n * ARP test (10 most recent entries)\n * broadcast ping test (5 seconds)\n\n\n\n### Configure Serial Cable Failover\n\n 1. Make sure IP addresses on all interfaces are different but on the same subnet\n 2. power off secondary PIX firewall and attach serial cable\n 3. label cables primary and secondary\n 4. configure primary PIX firewall\n 5. set the clock\n 6. perform `write memory`\n 7. power on secondary PIX\n\n\n\n\n failover\n failover ip address outside 172.16.1.2\n failover ip address inside 10.0.1.2\n failover poll 12\n\n\nshow failover\n\nReplication occurs when:\n\n * Active PIX replicates complete config to standby when it finished initial bootup\n * Commands run on active primary push config to standby secondary\n * perform `write standby `on active PIX\n\n\n\nRevert from a failover:\n\n * `no failover active` on secondary\n * `failover active` on primary\n * `failover rest`\n\n\n\n### Configure LAN-Based Failover\n\n * no 6ft serial cable limitation\n * same interface can be used for stateful failover\n * also uses encryption and authentication using a pre-shared key\n\n\n\n\n nameif ethernet2 failan security60\n interface ethernet2 100full\n ip address failan 172.16.1.1 255.255.255.0\n\n failover ip address failan 172.16.1.2\n failover lan unit primary\n failover lan interface failan\n failover lan key Cisco123\n failover lan enable\n\nto also enable statefull failover\n\n\n failove link faillan",
"title": "PIX - Failover",
"updatedAt": "2026-03-01T13:09:35.000Z"
}