Re: PIX Stateful Failover Question posted 03/21/2007

You brought up a very good question. I will try to answer it. Stateful failover might sound magical, but it has limitations.
  There are applications that are latency sensitive, and in some cases the application times out before the failover sequence is completed. In these cases, the application must re-establish the session. In version 6.0 and later, you can use the command "failover replicate http" in order to enforce TCP port 80 state replication, which is not done by default. DNS resolves are not transferred, as it is a single channel port. Most UDP state tables are not transferred.
  A good rule of thumb is to expect the standby to take 10 seconds to take over using stateful failover. Without stateful failover it can take up to a minute to re-establish connections.
  One of the caveats about stateful failover is what causes the failover. If you have the failover hello set to the maximum of 15 seconds and the inside interface goes bad, then the standby does not declare that the primary has failed until it misses at least two hellos, i.e. 30 seconds. Some people set the failover hello to the minimum of 3 seconds, but then the PIX can fail over unnecessarily. Cisco recommends that you set the hello to the maximum of 15 seconds.
  Hope that helps.
  Tarun Pahuja
  CCIE #7707(R&S,Security,SP,Voice,Storage)


Andre Dufour <andremd4@xxxxxxxxx> wrote:

Hello,

I have a quick question. Why would a company not want to have stateful
failover implemented? What would be some reasons or risks of enabling
stateful-based failover? Take a look at the below example of a set of PIX
535s. Any info would be greatly appreciated. They have the additional
interfaces to do this.


xxxxxxxxxxxx# show fail
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 3 seconds
Last Failover at: 08:55:14 ESDT Sun Mar 18 2007
This host: Secondary - Active
Active time: 173955 (sec)
Interface syslog (10.x.x.x): Normal
Interface intf2 ( Link Down (Shutdown)
Interface inside (192.168.x.x): Normal
Interface outside (192.168.x.x): Normal
Other host: Primary - Standby
Active time: 798 (sec)
Interface syslog (10.x.x.x): Normal
Interface intf2 ( Link Down (Shutdown)
Interface inside (192.168.x.x): Normal
Interface outside (192.168.x.x): Normal

Stateful Failover Logical Update Statistics
Link : Unconfigured.
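The "show fail" output quoted above, run through a small audit script that checks it against the points made in the reply: whether a stateful failover link is configured, what the poll (hello) frequency is, how long the standby will wait before declaring the peer dead (the reply's rule of at least two missed hellos), and whether any interface is down without being administratively shut. This is an added example, not code from the thread or from Cisco. The 3-15 second hello range, the two-missed-hello detection time and the "3 seconds can fail over unnecessarily" warning are taken from the reply as stated; the sample input is the output quoted in the thread, with the addresses masked exactly as the original poster masked them.

```python
"""Audit a PIX 'show failover' transcript for the failover caveats raised in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: the 'show fail' output quoted in the thread, with the
# addresses masked exactly as the original poster masked them.
SHOW_FAILOVER = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 3 seconds
Last Failover at: 08:55:14 ESDT Sun Mar 18 2007
This host: Secondary - Active
Active time: 173955 (sec)
Interface syslog (10.x.x.x): Normal
Interface intf2 ( Link Down (Shutdown)
Interface inside (192.168.x.x): Normal
Interface outside (192.168.x.x): Normal
Other host: Primary - Standby
Active time: 798 (sec)
Interface syslog (10.x.x.x): Normal
Interface intf2 ( Link Down (Shutdown)
Interface inside (192.168.x.x): Normal
Interface outside (192.168.x.x): Normal

Stateful Failover Logical Update Statistics
Link : Unconfigured.
"""

# Hello (poll) interval bounds quoted in the reply, in seconds.
POLL_MIN = 3
POLL_MAX = 15
# The reply's rule of thumb: the standby declares failure after two missed hellos.
MISSED_HELLOS_TO_FAIL = 2

# The status keywords are anchored to end of line so the garbled
# "Interface intf2 ( Link Down (Shutdown)" line still parses.
IFACE_RE = re.compile(
    r"^Interface (\S+) .*?(Normal|Link Down \(Shutdown\)|Link Down|Failed|Waiting|Testing|Unknown)$"
)
HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (\w+)$")
POLL_RE = re.compile(r"^Poll frequency (\d+) seconds$")


@dataclass
class FailoverState:
    enabled: bool = False
    poll_seconds: int | None = None
    stateful_link: str | None = None  # None if the stateful section was absent
    roles: dict[str, str] = field(default_factory=dict)  # unit -> "Active"/"Standby"
    interfaces: dict[str, dict[str, str]] = field(default_factory=dict)  # unit -> {ifname: status}


def parse_show_failover(text: str) -> FailoverState:
    state = FailoverState()
    unit = None          # unit whose interface block we are currently inside
    in_stateful = False  # inside the "Stateful Failover Logical Update Statistics" section
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_stateful and line.startswith("Link"):
            state.stateful_link = line.split(":", 1)[1].strip().rstrip(".")
            in_stateful = False
        elif line.startswith("Stateful Failover Logical Update Statistics"):
            in_stateful = True
        elif line in ("Failover On", "Failover Off"):
            state.enabled = line.endswith("On")
        elif m := POLL_RE.match(line):
            state.poll_seconds = int(m.group(1))
        elif m := HOST_RE.match(line):
            unit = m.group(2)
            state.roles[unit] = m.group(3)
            state.interfaces[unit] = {}
        elif (m := IFACE_RE.match(line)) and unit is not None:
            state.interfaces[unit][m.group(1)] = m.group(2)
    return state


def detection_time(poll_seconds: int) -> int:
    """Seconds before the standby declares the peer dead, per the reply's two-missed-hello rule."""
    return MISSED_HELLOS_TO_FAIL * poll_seconds


def audit(state: FailoverState) -> list[str]:
    """Return a list of findings; an empty list means nothing in the reply's caveats applies."""
    findings = []
    if not state.enabled:
        findings.append("failover is off")
    if state.stateful_link is None or state.stateful_link.lower() == "unconfigured":
        findings.append("no stateful failover link: sessions must be re-established after a switchover")
    if state.poll_seconds is not None:
        if not POLL_MIN <= state.poll_seconds <= POLL_MAX:
            findings.append(f"poll frequency {state.poll_seconds}s outside {POLL_MIN}-{POLL_MAX}s")
        elif state.poll_seconds == POLL_MIN:
            findings.append(
                f"poll frequency at the {POLL_MIN}s minimum (peer declared dead after "
                f"{detection_time(state.poll_seconds)}s): reply warns this can fail over unnecessarily"
            )
    active = [u for u, r in state.roles.items() if r == "Active"]
    if len(active) != 1:
        findings.append(f"expected exactly one Active unit, found {active}")
    for unit, ifaces in state.interfaces.items():
        for name, status in ifaces.items():
            # An administratively shut interface is not a failover trigger; anything else down is.
            if status not in ("Normal", "Link Down (Shutdown)"):
                findings.append(f"{unit}: interface {name} is {status}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_failover(SHOW_FAILOVER)):
        print("-", finding)
```

On the quoted output the script reports two findings: the stateful link is unconfigured (so every session is rebuilt after a switchover, the case the original poster was asking about) and the poll frequency is at the 3 second minimum. Note that "show failover" does not show whether "failover replicate http" is set; that has to be checked in the running configuration.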
