FAILOVER


  • Non-stateful failover does not replicate xlate and connection table information.

  • Stateful failover replicates xlate and connection table information.

  • Stateful failover requires an extra LAN interface to interconnect the two firewalls.

  • Cable-based configuration requires a special serial cable with one end labeled "primary" and the other end labeled "secondary."

  • LAN-based configuration requires a dedicated switch or hub to interlink the two PIX firewalls. Do not use a crossover cable.

  • LAN-based and cable-based failovers both support configuration on the primary firewall and stateful failover.

  • When a primary interface fails, the secondary becomes active and inherits the primary's IP and MAC addresses. The primary moves into a fail or standby state and assumes the secondary firewall's IP and MAC addresses.

  • Failover requires the hardware models, RAM sizes, flash memory sizes, and software versions to be the same.

  • Failover is not supported on the 501 or 506 models.

  • RAM configuration information is replicated automatically to the standby firewall.

  • The write standby command can be used to force a replication of the RAM configuration in memory to the standby firewall.

  • The failover active command is used to enable failover on the PIX firewall.

  • Hello messages are sent across all the interfaces and, if two messages are missed, the failover process begins.

  • The four failover tests are:

    • NIC status

    • ARP

    • Network activity

    • Ping

  • The network activity test monitors for traffic for 5 seconds. If no traffic is found, the PIX moves to the next test (the ARP test), not standby mode.



CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
EAN: 2147483647
Year: 2003
Pages: 218
