CCNP Security FAQ : Cisco Security Appliance Failover

Q1. Which of the following causes a failover event?
A. A reboot or power interruption on an active PIX Firewall
B. Low HTTP traffic on the outside interface
C. Issuance of the failover active command on a standby PIX Firewall
D. Low memory utilization for several consecutive seconds

Answer: A

Q2. What is the command to view failover configuration?
A. show failover
B. failover
C. view failover
D. show me failover

Answer: A

Q3. Which of the following is/are replicated in stateful failover operation?
A. Configuration
B. TCP connection table, including timeout information for each connection
C. Translation (xlate) table
D. Negotiated H.323 UDP protocols
E. All of these answers are correct

Answer: E

Q4. Which of the following is not replicated in stateful failover operation?
A. User authentication (uauth) table
B. ISAKMP and IPSec SA table
C. ARP table
D. Routing information
E. All of these answers are correct

Answer: E

Q5. What is the command to force configuration replication to the standby unit?
A. write standby
B. copy to secondary
C. force secondary
D. force conf

Answer: A

Q6. Which of the following is a stateful failover hardware restriction?
A. The stateful failover configuration is supported only by PIX Firewall 535 models.
B. Only fiber connections can be used in a stateful failover hardware configuration.
C. A PIX Firewall with two FDDI cards cannot use stateful failover, because an additional FDDI interface is not supported.
D. There is no hardware restriction for stateful failover configuration.

Answer: C

Q7. What command assigns an IP address to the standby Cisco Security Appliance?
A. secondary ip address ip address
B. ip address ip-address standby ip-address
C. ip address ip address secondary
D. ip address ip address failover

Answer: B

Q8. What is the command to configure a LAN-based failover?
A. conf lan failover
B. failover ip LAN
C. failover lan interface if-name
D. lan interface failover

Answer: C

Q9. What is an advantage of a LAN-based failover?
A. It quickly fails over to a peer when a power failure on the active unit takes place.
B. It does not have the 6-foot-cable distance limitation for failover communication.
C. It is preconfigured on the PIX Firewall.
D. All of these answers are correct.

Answer: B

Q10. What is the default failover poll, in seconds?
A. 10 seconds
B. 15 seconds
C. 30 seconds
D. 25 seconds

Answer: B

Q11. Which of the following is true about the serial link cable connection in a PIX Firewall failover configuration?
A. Serial link cable can transfer data at 100 Mbps.
B. The two units maintain the heartbeat network over the cable.
C. Network link status is not communicated over the serial link.
D. Keepalive packets and configuration replication are communicated over the serial link.

Answer: B

Q12. What are some things that trigger a failover event?

Answer: A failover event may be triggered by a loss of power, cable error, memory exhaustion, or an administrator forcing the standby.

Q13. What command assigns an IP address to the standby PIX Firewall?

Answer: The failover ip address if-name ip-address command assigns an IP address to the standby PIX Firewall.

Q14. How many PIX Firewall devices can be configured in a failover configuration?

Answer: Two PIX Firewall devices can be configured in a failover configuration.

Q15. What are the disadvantages of LAN-based failover?

Answer: The following are the disadvantages of LAN-based failover:

  • The PIX Firewall takes longer to fail over because it cannot immediately detect the loss of power of the standby unit.
  • The switch between the two units can be another point of hardware failure.
  • A separate interface is required for the failover link, which otherwise could have been used for normal traffic.

Q16. What is some of the information that is updated to the standby unit in a stateful failover configuration?

Answer: The following is some information that is updated to the standby unit in a stateful failover configuration: TCP connection table; translation table (xlate); negotiated H.323 UDP ports; port allocation table bitmap for PAT; SIP; HTTP sessions; and MGCP UDP media connections.

Q17. What command forces replication to the standby unit?

Answer: The write standby command forces replication to the standby unit.

Q18. What command configures a LAN-based failover?

Answer: The failover lan interface interface-name command configures a LAN-based failover.

Q19. What is the default failover poll, in seconds?

Answer: The default failover poll is 15 seconds.

Q20. Does configuration replication save the running configuration to Flash memory on the standby unit during normal operations?

Answer: No, the running configuration is only stored in memory on the active unit. When a write memory command is issued on the active unit, configuration replication causes the changes to the current configuration to be saved on the standby unit.

Q21. How long does it take to detect a failure?

Answer: Network and failover communication errors are detected within two consecutive polling intervals (by default, 15-second intervals).

Q22. How many failover groups are allowed per Security Appliance?

Answer: Each Security Appliance can support two failover groups.

About the author

Scott