One of the failover units must have an Unrestricted license (UR), while the other can have a Failover (FO) or UR license. Restricted units cannot be used for failover and two units with FO licenses cannot be used in a single failover pair. The PIX 515, PIX 515E, PIX 525, and PIX 535 can be used for failover if you have the optional Unrestricted (UR) license. | CHAPTER 10 Using PIX Firewall Failover This chapter describes the PIX Firewall failover feature which lets you add a second PIX Firewall unit that takes control if the primary unit fails. It includes the following topics Failover Unit System Requirements Understanding Failover Configuring Failover with a Failover Cable Configuring LAN-Based Failover Changing from Cable-Based Failover to LAN-Based Failover Verifying Failover Configuration Additional Failover Information Failover Configuration Examples Note For instructions about upgrading failover from a previous version refer to Upgrading Failover Systems from a Previous Version in Chapter 11 Changing Feature Licenses and System Software. Failover Unit System Requirements Failover requires two units that are identical in the following respects Platform type a PIX 515E cannot be used with a PIX 515 Software version Activation key type DES or 3DES Flash memory Amount of RAM One of the failover units must have an Unrestricted license UR while the other can have a Failover FO or UR license. Restricted units cannot be used for failover and two units with FO licenses cannot be used in a single failover pair. The PIX 515 PIX 515E PIX 525 and PIX 535 can be used for failover if you have the optional Unrestricted UR license. Note Neither PIX 501 or PIX 506 506E units can be used for failover either as the primary or secondary unit. Cisco PIX Firewall and VPN Configuration Guide I 78-13943-01 10-1 Chapter 10 Using PIX Firewall Failover Understanding Failover Understanding Failover Failover lets you connect a second PIX Firewall unit to your network to protect your network should the first unit go off line. If you use Stateful Failover you can maintain operating state for the TCP connection during the failover from the primary unit to the standby unit. When failover occurs each unit changes state. The unit that activates assumes the IP and MAC addresses of the previously active unit and begins accepting traffic. The new .