Installing the Failover Connector Assemblies and Cable in the PIX Firewall


This document provides an overview of the failover feature and describes how to install the failover connector assemblies and cable on the PIX Firewall. Use this document with the PIX Firewall Series Configuration Guide, which is supplied in the PIX Firewall accessory kit.

Failover provides a mechanism for a PIX Firewall to be redundant by allowing two identical units to serve the same functionality. One unit is considered the "active" unit while the other is considered the "standby" unit. The active unit performs its normal network functions while the standby unit only monitors the other unit, ready to take control should the active unit fail.

The two PIX Firewall units can be either both PIX Firewall units, both PIX10000s, or one PIX Firewall and one PIX10000.


Note If you have a PIX10000 or you purchased your PIX Firewall unit after November 1, 1996, the failover connector assemblies have already been installed for you. You only need to connect the cable at the rear of each unit to the connector labeled "Failover," and you are done with this installation. Ensure that the cable is oriented such that the end of the cable labeled "Primary" connects to the PIX Firewall you want to be active.

The following topics are discussed:

  • Safety Warnings

  • Failover Cable Kit

  • Opening a PIX Firewall Cabinet

  • Installing the Failover Connector Assembly

  • Failover Configuration

  • Frequently Asked Questions

  • Cisco Connection Online

  • CD-ROM Documentation

Safety Warnings

Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the Regulatory Compliance and Safety Information document that accompanied this device.

Warning Before working on a system that has an on/off switch, turn OFF the power and unplug the power cord.

Warning Do not work on the system or connect or disconnect cables during periods of lightning activity.

Warning Do not touch the power supply when the power cord is connected. For systems with a power switch, line voltages are present within the power supply even when the power switch is off and the power cord is connected. For systems without a power switch, line voltages are present within the power supply when the power cord is connected.

Warning Before working on equipment that is connected to power lines, remove jewelry (including rings, necklaces, and watches). Metal objects will heat up when connected to power and ground and can cause serious burns or weld the metal object to the terminals.

Failover Cable Kit

The failover cable kit consists of two connector assemblies and a failover cable. The failover cable has DB-15 connectors. Each connector assembly appears as shown in Figure 1:


Figure 1: A Failover Connector Assembly

Opening a PIX Firewall Cabinet

To open the cabinet of a PIX Firewall:

Step 1 Read the Regulatory Compliance and Safety Information for the PIX Firewall Series for important safety information. This document is provided in the PIX Firewall accessory kit.

Step 2 Save the existing configuration to flash memory with the write memory command.

Step 3 Open the front access panel and power-off the unit as shown in Figure 2:


Figure 2: Opening the Front Panel Provides Access to the Power Switch

Step 4 At the back of the PIX Firewall unit, remove the power cord and any network cabling.

Step 5 Remove the unit from the equipment rack and place it on a stable work surface.

Step 6 Detach the top access panel by using a Phillips-head screwdriver to remove the 16 screws securing the top panel (12 on top and 4 on the rear cover flange) as shown in Figure 3:


Figure 3: Detach the Access Panel by Removing its 16 Screws

Step 7 Remove the top access panel.

Installing the Failover Connector Assembly

To install the failover connector assembly:

Step 1 Remove the top panel from the PIX Firewall and set it aside.

Step 2 Find the large green circuit board attached to the bottom of the unit. This is the "motherboard." On the right rear corner of the motherboard nearest the circuit board connection slots at the rear of the unit, locate the COM2 connector on which to install the failover connector as shown in Figure 4:


Figure 4: Find Location of COM2 Connector

Note that the arrow marks pin 1.


Step 3 Install the pin connector of the connector assembly so that the red stripe on the connector is oriented above pin 1 as shown in Figure 5:


Figure 5: Orient Failover Connector So Red Stripe is Nearest Pin 1

Step 4 Remove the securing screw and plate from the first open slot to the left of the network interface boards.

Step 5 Thread the connector assembly cable around the back of the circuit board nearest the COM2 port.

Step 6 Attach the cable connector to the rear of the unit as shown in Figure 6:


Figure 6: Secure Connector Plate to Rear of Chassis

Note If a third network interface board is present, locate the cable connector in the next empty slot to its left. (Additional network interface boards are supported only in PIX Firewall version 4.1 and later.)

Step 7 Replace the top access panel and attach all of the screws.

Step 8 Follow Steps 2 through 7 to attach the second connector assembly to the second PIX Firewall unit.

Step 9 Connect the failover cable at the rear of the two PIX Firewall units. The failover cable has DB-15 connectors. On the PIX Firewall, the connectors are labeled "Failover." Connect the cable end labeled "Primary" to the active PIX Firewall unit.

Step 10 Attach the power cords, place the units back in the rack, and power on the units.

Step 11 When the unit reboots, it automatically detects the failover cable.

You can now configure your system for failover as explained in the next section.


Failover Configuration

Enable the failover feature by adding the failover command (without the active parameter) to the configuration files for both the primary and secondary units.

Ensure that the configuration files for both units are identical except for the host name. You can use the hostname command to assign unique names to each firewall unit. Then when you use Telnet to access the inside IP address, you can determine which unit is active.

If you want to force a unit to be active, use the failover command. To force a unit to standby, use the no failover command.

Use the show failover command to verify the status of both the active and standby units.
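The rules in this section can be checked before the configuration files are loaded. The check below is an added example, not Cisco's code and not a PIX command: it takes the text of the two configuration files and verifies that both carry the failover command without the active parameter, that neither has saved no failover, that the host names differ, and that everything else is identical. The two configurations embedded in it are constructed sample text; the host names and addresses are made up for the example.

```python
"""Consistency check for a PIX failover pair's configurations.

Added example; this is not Cisco's code and not a PIX command. It applies the
rules stated in the text: both units carry the failover command without the
active parameter, neither saves no failover, the host names differ, and the
rest of the two configurations is identical. The two configurations below are
constructed sample text (host names and addresses are made up)."""

import re

PRIMARY_CONFIG = """\
hostname pix-primary
failover
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
"""

SECONDARY_CONFIG = """\
hostname pix-secondary
failover
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
"""


def normalize(config):
    """Return the non-empty configuration lines with surrounding whitespace removed."""
    return [line.strip() for line in config.splitlines() if line.strip()]


def hostname_of(lines):
    """Return the name set by the hostname command, or None if there is none."""
    for line in lines:
        match = re.match(r"hostname\s+(\S+)$", line)
        if match:
            return match.group(1)
    return None


def check_failover_pair(primary, secondary):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    p_lines, s_lines = normalize(primary), normalize(secondary)

    for name, lines in (("primary", p_lines), ("secondary", s_lines)):
        if "failover" not in lines:
            findings.append(f"{name}: failover command (without active) is missing")
        if any(line.startswith("failover active") for line in lines):
            findings.append(f"{name}: failover active saved; use the bare failover command")
        if "no failover" in lines:
            findings.append(f"{name}: no failover saved; unit would boot with failover off")

    p_host, s_host = hostname_of(p_lines), hostname_of(s_lines)
    if p_host is None or s_host is None:
        findings.append("both units need a hostname command")
    elif p_host == s_host:
        findings.append(f"host names are identical ({p_host}); give each unit its own")

    # Everything except the hostname line must match exactly (content and order).
    p_rest = [l for l in p_lines if not l.startswith("hostname ")]
    s_rest = [l for l in s_lines if not l.startswith("hostname ")]
    if p_rest != s_rest:
        only_p = sorted(set(p_rest) - set(s_rest))
        only_s = sorted(set(s_rest) - set(p_rest))
        findings.append(
            f"configurations differ: only on primary {only_p}; only on secondary {only_s}"
        )
    return findings


if __name__ == "__main__":
    for finding in check_failover_pair(PRIMARY_CONFIG, SECONDARY_CONFIG) or ["pair is consistent"]:
        print(finding)
```

Run it against the output of write terminal from each unit after any change to the primary; a non-empty list of findings means the standby would not behave as a true copy of the active unit after a switch.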

The two units must be configured exactly the same and appear to the network as a single unit. They share the same IP address and the same MAC address as well as any configuration parameters. Because the secondary unit is using the same IP and MAC address as the primary unit, no ARP entries need to change or timeout anywhere in the network. The MAC address used by the two units is that of the primary unit. The unit that has the end of the failover cable marked "primary" plugged into it becomes the primary unit by default.

Because each unit has the same IP address and the same MAC address, they both receive exactly the same network traffic. Failover monitors the received network traffic counts, the failover communications, and the power status of the other unit. A failure of any of these parameters on the active unit causes the standby unit to take active control.

Once a unit enters the "failed" state, it cannot assume active duty until you cycle the power and configure it to become active. Whenever a failure or switch occurs, SYSLOG messages indicate the cause of the failure.

Because the standby unit does not keep state information on each connection, all active connections are dropped and must be re-established by the clients.

Frequently Asked Questions

This section contains some frequently asked questions about the failover feature. Before contacting a technical support representative, read this section to see if your questions are addressed.

There is currently no initialization shared between the two units other than the state of failover (On/Off & Active/Standby) and the MAC address of the primary unit. When a unit boots it defaults to Failover On and Secondary, unless the no failover command has been saved in the configuration. It then checks to see if the failover cable is present. If the cable is not present, the unit automatically becomes the active unit. If the cable is present, the unit that has the primary end of the failover cable plugged into it becomes the primary unit by default. The primary unit's MAC address is then given to the secondary unit.

The easiest thing to do is configure the primary unit and save the configuration to floppy disk by using the write floppy command. Then configure the other unit from the disk by using the configure floppy command. Use the hostname command to change the name of the secondary unit so you can tell which physical unit you are connected to.

Fault detection is based on the following:

  • Received network traffic counts (packet counts are kept and shared between the units every 15 seconds). If the active unit stops receiving packets while the standby is still seeing them for two consecutive 15-second intervals, the standby unit will take over as active.

  • Cable errors. The cable is wired so that each unit can distinguish between a power failure in the other unit and an unplugged failover cable. If the standby unit detects that the active unit is powered off (or resets), it will take active control. If the cable is unplugged, a SYSLOG message is generated, but no switching occurs. An exception to this is at boot-up, at which point an unplugged cable will force the unit active. If both units are powered up without the failover cable installed, they will both become active, creating a duplicate IP address conflict on your network. The failover cable must be installed for failover to work correctly.

  • Failover communication. The two units share information every 15 seconds. If the standby unit does not hear from the active unit in two communication attempts (and the cable status is OK), the standby unit will take over as active.

A switch can be initiated by either unit. When a switch takes place, the units each change their states. The newly active unit starts accepting traffic while the new standby unit stops accepting traffic. The two units do not share connection states. Any active connections will be dropped when a failover switch occurs. The clients must re-establish the connections through the newly active unit.
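The three fault-detection rules and the boot-time behavior above, modeled as an added example in Python. This is not Cisco's code and says nothing about PIX internals beyond what the text states: counts and failover messages are exchanged every 15 seconds, two consecutive silent intervals on the active unit (while the standby still sees traffic) or two missed exchanges with the cable OK cause a switch, peer power loss causes a switch, and an unplugged cable only logs except at boot. The cable-status labels ("ok", "unplugged", "peer_power_off") and the per-interval observations are constructed for this example.

```python
"""Model of the PIX standby unit's fault-detection rules described above.

Added example; this is not Cisco's code and does not reflect PIX internals
beyond what the text states. It encodes the three rules given: received
traffic counts exchanged every 15 seconds (two consecutive silent intervals
on the active unit while the standby still sees traffic), cable status
(peer power loss switches, an unplugged cable only logs), and failover
communication (two missed exchanges with the cable OK). The cable-status
labels and the per-interval observations are constructed for this example."""

from dataclasses import dataclass, field

INTERVAL_SECONDS = 15   # exchange period stated in the text
MISS_LIMIT = 2          # consecutive misses that trigger a switch, per the text


@dataclass
class Observation:
    """What the standby unit learns about one 15-second interval."""
    active_rx: int            # packets the active unit reports it received
    standby_rx: int           # packets the standby unit itself received
    heard_from_active: bool   # whether the active unit's failover message arrived
    cable: str                # "ok", "unplugged" or "peer_power_off" (assumed labels)


@dataclass
class StandbyMonitor:
    silent_intervals: int = 0      # active saw nothing while standby saw traffic
    missed_exchanges: int = 0
    log: list = field(default_factory=list)   # stands in for SYSLOG messages

    def observe(self, obs):
        """Apply one interval's observation; return 'take_over' or 'stay'."""
        # Cable errors: the cable lets the standby tell peer power loss from an
        # unplugged cable. Only the former causes a switch.
        if obs.cable == "peer_power_off":
            self.log.append("active unit lost power or reset; standby taking over")
            return "take_over"
        if obs.cable == "unplugged":
            self.log.append("failover cable unplugged; no switch")
            return "stay"

        # Received network traffic counts.
        if obs.active_rx == 0 and obs.standby_rx > 0:
            self.silent_intervals += 1
        else:
            self.silent_intervals = 0
        if self.silent_intervals >= MISS_LIMIT:
            self.log.append("active unit stopped receiving traffic; standby taking over")
            return "take_over"

        # Failover communication (only counted while the cable status is OK).
        self.missed_exchanges = 0 if obs.heard_from_active else self.missed_exchanges + 1
        if self.missed_exchanges >= MISS_LIMIT:
            self.log.append("no failover communication from active unit; standby taking over")
            return "take_over"
        return "stay"


def run(observations):
    """Feed observations to a fresh monitor.

    Returns the index of the interval at which the standby takes over (or None)
    together with the log."""
    monitor = StandbyMonitor()
    for index, obs in enumerate(observations):
        if monitor.observe(obs) == "take_over":
            return index, monitor.log
    return None, monitor.log


def boot_role(cable_present, cable_end, no_failover_saved):
    """Role a unit assumes at boot, per the FAQ text.

    cable_end is "primary" or "secondary" and is ignored when no cable is present."""
    if no_failover_saved:
        return "failover off"
    if not cable_present:
        return "active"   # an unplugged cable at boot forces the unit active
    return "primary (active)" if cable_end == "primary" else "secondary (standby)"


if __name__ == "__main__":
    # Constructed sample: the active unit goes quiet for two intervals.
    sample = [
        Observation(120, 118, True, "ok"),
        Observation(0, 97, True, "ok"),
        Observation(0, 101, True, "ok"),
    ]
    index, log = run(sample)
    print(f"switch after interval {index} ({(index + 1) * INTERVAL_SECONDS} s):", log[-1])
    # Both units booted without the cable: both become active, a duplicate IP conflict.
    print(boot_role(False, None, False), boot_role(False, None, False))
```

The boot_role function makes the duplicate-address hazard concrete: two units that both boot with no cable both return "active", which is the condition the text warns about.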

To find the problem:

Step 1 View SYSLOG messages with the show syslog command. The messages can indicate the source of the problem.

Step 2 Save the console session and any possible core dump messages in a file before proceeding. Also, make a note of what the network was doing at the time of the failure, if you can determine this. Any significant events such as broadcast storms or larger than normal data transfers can help customer support understand the issues, should you need to contact them.

Step 3 Check that all cables are securely fastened. Then reboot the failed unit and try it again.

Step 4 Check network connectivity by pinging the PIX Firewalls' interfaces from hosts within each network and pinging the network from the PIX Firewall. If connectivity exists on the network but the PIX Firewall still does not work, call customer support.

Step 5 If both units fail, check that the cables are secure on both units and reboot. Then if they are still not working, test network connectivity. If you cannot find the problem, call customer support.

To put the failed unit back on line:

Step 1 At the secondary unit that is now active, enter the no failover command to put it in standby mode.

Step 2 At the fixed primary unit, enter failover to make the unit active.

Step 3 At the secondary unit, enter the failover command to let the secondary unit work with the primary unit.

Cisco Connection Online

Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.

Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.

CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.

You can access CCO in the following ways:

For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.


Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.

CD-ROM Documentation

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more up to date than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.

If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar, select Documentation, and click Enter the feedback form. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.

Copyright 1989-1997 © Cisco Systems Inc.