CCNP Security FAQ: Cisco Security Appliance Failover
Q1. Which of the following causes a failover event?
A. A reboot or power interruption on an active PIX Firewall
B. Low HTTP traffic on the outside interface
C. Issuance of the failover active command on a standby PIX Firewall
D. Low memory utilization for several consecutive seconds
Q2. What is the command to view failover configuration?
A. show failover
C. view failover
D. show me failover
Q3. Which of the following is/are replicated in stateful failover operation?
B. TCP connection table, including timeout information for each connection
C. Translation (xlate) table
D. Negotiated H.323 UDP protocols
E. All of these answers are correct
Q4. Which of the following is not replicated in stateful failover operation?
A. User authentication (uauth) table
B. ISAKMP and IPSec SA table
C. ARP table
D. Routing information
E. All of these answers are correct
Q5. What is the command to force configuration replication to the standby unit?
A. write standby
B. copy to secondary
C. force secondary
D. force conf
Q6. Which of the following is a stateful failover hardware restriction?
A. The stateful failover configuration is supported only by PIX Firewall 535 models.
B. Only fiber connections can be used in a stateful failover hardware configuration.
C. A PIX Firewall with two FDDI cards cannot use stateful failover, because an additional FDDI interface is not supported.
D. There is no hardware restriction for stateful failover configuration.
Q7. What command assigns an IP address to the standby Cisco Security Appliance?
A. secondary ip address ip address
B. ip address ip-address standby ip-address
C. ip address ip address secondary
D. ip address ip address failover
Q8. What is the command to configure a LAN-based failover?
A. conf lan failover
B. failover ip LAN
C. failover lan interface if-name
D. lan interface failover
Q9. What is an advantage of a LAN-based failover?
A. It quickly fails over to a peer when a power failure on the active unit takes place.
B. It does not have the 6-foot-cable distance limitation for failover communication.
C. It is preconfigured on the PIX Firewall.
D. All of these answers are correct.
Q10. What is the default failover poll, in seconds?
A. 10 seconds
B. 15 seconds
C. 30 seconds
D. 25 seconds
Q11. Which of the following is true about the serial link cable connection in a PIX Firewall failover configuration?
A. Serial link cable can transfer data at 100 Mbps.
B. The two units maintain the heartbeat network over the cable.
C. Network link status is not communicated over the serial link.
D. Keepalive packets and configuration replication are communicated over the serial link.
Q12. What are some things that trigger a failover event?
Q13. What command assigns an IP address to the standby PIX Firewall?
Q14. How many PIX Firewall devices can be configured in a failover configuration?
Q15. What are the disadvantages of LAN-based failover?
Answer: The following are the disadvantages of LAN-based failover:
- The PIX Firewall takes longer to fail over because it cannot immediately detect the loss of power of the standby unit.
- The switch between the two units can be another point of hardware failure.
- A separate interface is required for the failover link, which otherwise could have been used for normal traffic.
Q16. What is some of the information that is updated to the standby unit in a stateful failover configuration?
Q17. What command forces replication to the standby unit?
Q18. What command configures a LAN-based failover?
Q19. What is the default failover poll, in seconds?
Q20. Does configuration replication save the running configuration to Flash memory on the standby unit during normal operations?
Q21. How long does it take to detect a failure?
Q22. How many failover groups are allowed per Security Appliance?