When two firewalls are interconnected for failover, replication of the RAM configuration file (the running config) occurs, keeping the standby firewall in sync with the primary firewall.

The following lists the methods by which the primary replicates its running configuration file across to the secondary firewall:

  • When the standby starts, it obtains the latest configuration from the active firewall.

  • When commands are entered into the active firewall, they are automatically replicated to the secondary firewall's RAM (the running configuration).

  • The write standby command can be used to force a replication of the entire configuration in memory to the standby firewall.

One important item to note is that replication sends only the running configuration to the standby's RAM; the startup configuration is not sent to flash. Therefore, to save configuration on the standby to flash, you must issue the write memory command.

Replication of Stateful Failover

In a non-stateful failover configuration, only one cable is used to replicate the running configuration file. Conversely, in stateful failover, two cables are necessary: one for the normal running configuration file replication and another for the xlate table and other such stateful information. The following is a list of what is replicated across in a stateful failover configuration:

  • The translation xlate table

  • The connection table

  • The negotiated fixup protocol ports

However, not all stateful information is sent across. This list of items is not replicated and, as such, is lost when failover occurs:

  • The user authentication (uauth) table used by AAA services

  • The ARP table

  • Routing information

  • ISAKMP and IPSec security association (SA) tables

Lastly, the following list shows what is sent across the serial or LAN-based failover cables:

  • The running configuration replication

  • MAC address exchanges

  • The status (active or standby)

  • The network interface status

  • Hello keepalive messages

Together, both cables keep the two firewalls in sync to provide failover fault tolerance.
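To make the two replication channels described above concrete, here is an added Python model of the failover pair; it is illustrative code, not Cisco code and not from the original text, and the unit names "primary" and "secondary" are constructed labels. It models the configuration replication (command-by-command, `write standby`, and the fact that `write memory` saves only the local unit's flash) alongside the stateful channel that carries connection and xlate state but never the uauth or ARP tables.

```python
"""Added example, not from the original text: a minimal model of PIX-style
failover replication. The failover cable carries the running configuration;
the stateful cable carries connection and xlate state. The uauth table is
deliberately never replicated, matching the text above."""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    running: list = field(default_factory=list)  # config in RAM
    flash: list = field(default_factory=list)    # startup config on flash
    conns: set = field(default_factory=set)      # sent only when stateful
    xlate: dict = field(default_factory=dict)    # sent only when stateful
    uauth: set = field(default_factory=set)      # never replicated (AAA)


class FailoverPair:
    def __init__(self, stateful: bool) -> None:
        self.active = Firewall("primary")       # constructed unit names
        self.standby = Firewall("secondary")
        self.stateful = stateful

    def configure(self, cmd: str) -> None:
        """A command entered on the active unit replicates to standby RAM only."""
        self.active.running.append(cmd)
        self.standby.running.append(cmd)

    def write_standby(self) -> None:
        """Force a full copy of the active running config into standby RAM."""
        self.standby.running = list(self.active.running)

    @staticmethod
    def write_memory(fw: Firewall) -> None:
        """Save one unit's running config to its own flash; this is not replicated."""
        fw.flash = list(fw.running)

    def open_connection(self, conn: tuple, inside: tuple, mapped: tuple) -> None:
        """Track a new connection and its xlate; copy both over the stateful cable."""
        self.active.conns.add(conn)
        self.active.xlate[inside] = mapped
        if self.stateful:
            self.standby.conns.add(conn)
            self.standby.xlate[inside] = mapped

    def failover(self) -> Firewall:
        """The standby takes over; any state it never received is simply absent."""
        self.active, self.standby = self.standby, self.active
        return self.active
```

After a stateful failover the new active unit still holds the connection and xlate entries, but the uauth set is empty, so authenticated users must re-authenticate; with `stateful=False` the connection table is empty as well.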

