The main commands for configuration of failover between two PIX (PIX3 and PIX4)
| Primary: PIX3 |
| failover |
| failover lan unit primary |
| failover lan interface failover Ethernet3 |
| failover lan enable |
| failover key cisco |
| failover link stateful Ethernet4 |
| failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2 |
| failover interface ip stateful 192.168.2.1 255.255.255.252 standby 192.168.2.2 |
| int e3 |
| no shut |
| Secondary: PIX4 (After open failover feature, the hostname will remain the same as the first active one.) |
| failover lan unit secondary |
| failover lan interface failover Ethernet3 |
| failover lan enable |
| failover key cisco |
| failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2 |
| int e3 |
| no shut |
| failover |
| Primary: |
| int e4 |
| no shut |
Before enable stateful interface, we check the telnet from inside to outside will be torn down when there's a failover.
Telnet is good.
Perform failover:
The telnet connection is closed immidiately after failover:
Let's enable stateful interface on active PIX:
Use below commands to tell them apart from each other:
We telnet again, we see that the telnet connection is still there after failover:
Let's check the MAC address before and after failover. We see that the MAC address for interface inside, outside and dmz exchanges between Active and Standby.
On SW1 and SW2:
| Before failover (Primary as Active, Secondary as Standby) | |
| SW1 connecting PIX3-Primary | SW2 connecting PIX4-Secondary |
| 110 000c.850e.d4e0 DYNAMIC Fa1/0/7 | 110 0015.625a.f4e7 DYNAMIC Fa1/0/11 |
| 110 0015.625a.f4e7 DYNAMIC Gi1/0/1 | 110 0015.632a.96ec DYNAMIC Gi1/0/1 |
| 110 0015.632a.96ec DYNAMIC Fa1/0/11 | 110 24b6.57ec.5001 DYNAMIC Gi1/0/1 |
| 110 00b0.6416.be41 DYNAMIC Fa1/0/2 | |
| 102 0015.625a.f4e6 DYNAMIC Gi1/0/1 | 102 0015.625a.f4e6 DYNAMIC Fa1/0/10 |
| 102 0015.632a.96eb DYNAMIC Fa1/0/10 | 102 0015.632a.96eb DYNAMIC Gi1/0/1 |
| 102 001e.7aa4.45b8 DYNAMIC Fa1/0/1 | 102 24b6.57ec.5001 DYNAMIC Gi1/0/1 |
| 172 000d.8810.c538 DYNAMIC Fa1/0/12 | 172 000d.8810.c538 DYNAMIC Gi1/0/1 |
| 172 000d.8810.ca24 DYNAMIC Gi1/0/1 | 172 000d.8810.ca24 DYNAMIC Fa1/0/12 |
| 172 00b0.6428.f341 DYNAMIC Fa1/0/3 | 172 00b0.6428.f341 DYNAMIC Gi1/0/1 |
| 172 24b6.57ec.5001 DYNAMIC Gi1/0/1 | |
| After failover(Primary as Standby, Secondary as Active) | |
| 110 000c.850e.d4e0 DYNAMIC Fa1/0/7 | 102 0015.625a.f4e6 DYNAMIC Gi1/0/1 |
| 110 0015.625a.f4e7 DYNAMIC Fa1/0/11 | 102 0015.632a.96eb DYNAMIC Fa1/0/10 |
| 110 0015.632a.96ec DYNAMIC Gi1/0/1 | 102 24b6.57ec.5001 DYNAMIC Gi1/0/1 |
| 110 00b0.6416.be41 DYNAMIC Fa1/0/2 | 110 0015.625a.f4e7 DYNAMIC Gi1/0/1 |
| 102 0015.625a.f4e6 DYNAMIC Fa1/0/10 | 110 0015.632a.96ec DYNAMIC Fa1/0/11 |
| 102 0015.632a.96eb DYNAMIC Gi1/0/1 | 110 00b0.6416.be41 DYNAMIC Gi1/0/1 |
| 102 001e.7aa4.45b8 DYNAMIC Fa1/0/1 | 110 24b6.57ec.5001 DYNAMIC Gi1/0/1 |
| 172 000d.8810.c538 DYNAMIC Gi1/0/1 | 172 000d.8810.c538 DYNAMIC Fa1/0/12 |
| 172 000d.8810.ca24 DYNAMIC Fa1/0/12 | 172 000d.8810.ca24 DYNAMIC Gi1/0/1 |
| 172 00b0.6428.f341 DYNAMIC Fa1/0/3 | 172 00b0.6428.f341 DYNAMIC Gi1/0/1 |
| 172 24b6.57ec.5001 DYNAMIC Gi1/0/1 |
