Can someone clarify the following for me as I have read conflicting articles. Questions refer to PIX 6.X

1) Standard Failover

Configured ordinarily with Serial cable. Serial cable replicates firewall config between Active and Standby. This design does not provide Stateful Failover.

2) Stateful Failover

Can be achieved in 1 of 2 ways.

Serial Cable + Crossover Cable

Using Serial cable and additional Crossover cable between Active & Standby units. Serial cable replicates config between the 2 x units whilst Crossover cable acts as stateful Failover link. Stateful link requires an Ethernet connection hard coded to either 100BaseT or Gig depending on Interfaces.


LAN based Failover

LAN connection between 2 x PIX's must be via a Hub or Switch hard coded to 100BaseT or Gig. LAN connection can be used as Stateful connection, however, recommendation is that separate Ethernet link between 2 x PIX's is used.

Assuming an additional Ethernet link is used for Stateful Failover, this connection can be a crossover cable. A serial cable would not be used.



Darren Green

You seem to have forgotten to post the question?! There is nothing contradictory about the above statements if you recognize that in any primary/secondary failover configuration (PIX or other service) there are multiple requirements which must be met:

1 - the backup must be able to reliably detect failure of the primary.

2 - the backup must be able to keep track of what the primary is doing.

3 - the backup must be able to distinguish between primary failure and failure of the communications path to the primary.

The special PIX serial cable is designed to do number 1 keeping number 3 in mind. Stateful failover requires number 2 which in turn requires more bandwidth than the serial link can provide. LAN based failover makes number 3 very difficult. Number 3 is non-trivial and absolutely necessary--consider the impact of the backup taking over while the primary is still in operation--do a search on STONITH for the gory details (STONITH == shoot the other node in the head).

Vincent C Jones
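
Requirements 1 and 3 from the reply above, modelled as the backup unit's takeover decision over a log of received heartbeats. This is an added example, not part of either post and not the PIX's actual algorithm; the path names, the 45-second hold time and the `primary_confirmed_down` input are assumptions made for illustration.

```python
from enum import Enum


class Action(Enum):
    STAY_STANDBY = "stay standby"
    ALARM_ONLY = "stay standby, alarm: failover path down but primary alive"
    TAKE_OVER = "take over"
    FENCE_THEN_TAKE_OVER = "fence primary (STONITH), then take over"


def decide(hellos, paths, now, hold_time=45.0, primary_confirmed_down=False):
    """Decide what the backup does.

    hellos: (timestamp, path) pairs for heartbeats received from the primary.
    paths:  independent paths to the primary; paths[0] is the failover path.
    """
    last_seen = {p: None for p in paths}
    for ts, path in hellos:
        if path in last_seen and ts <= now:
            if last_seen[path] is None or ts > last_seen[path]:
                last_seen[path] = ts
    alive = [p for p in paths
             if last_seen[p] is not None and now - last_seen[p] <= hold_time]

    # Requirement 1: a fresh heartbeat on the failover path means no failure.
    if paths[0] in alive:
        return Action.STAY_STANDBY
    # Requirement 3: primary still heard elsewhere, so only the path failed.
    if alive:
        return Action.ALARM_ONLY
    # Silent on every path, with out-of-band proof (hypothetical input).
    if primary_confirmed_down:
        return Action.TAKE_OVER
    # Silent without proof: the primary may still be passing traffic.
    return Action.FENCE_THEN_TAKE_OVER


# Constructed heartbeat logs: (seconds, path).
PATHS = ("failover", "inside", "outside")
HEALTHY = [(100, "failover"), (100, "inside"), (100, "outside")]
CABLE_PULLED = [(40, "failover"), (100, "inside"), (100, "outside")]
ALL_SILENT = [(40, "failover"), (40, "inside"), (40, "outside")]

if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY), ("cable pulled", CABLE_PULLED),
                      ("all silent", ALL_SILENT)):
        print(f"{name:13} -> {decide(log, PATHS, now=110).value}")
```

With only one path in `paths`, silence can never be told apart from a broken link, so the model always falls through to fencing unless out-of-band proof is supplied.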


