RE: pix firewall - failover and logging issues

[Luciano Z <user_luciano () yahoo com br>]

I know we had a problem with an 515 once but Cisco
said it was really a hardware bug and replaced the
box. I don´t have much information about this because
it happens when I was starting on this job :-(

Well, I would like to thank you all for the help!

[]
lwulff

 --- Symon Thurlow <sthurlow () webvein com> escreveu: >
I may be incorrect, but it is my understanding that
> the serial failover cable can be used by itself for
> failover, however you need to use the LAN and Serial
> failover if you want Stateful failover.
>  
> Also, not sure of your platfrom, but I had an issue
> with failover on a PIX515e bundle, it was erratic
> and pretty much just didn't work. Also, the
> performance was absolute cr*p.
>  
> The answer from the reseller was to send both boxes
> back, and they were replaced.
>  
> The reseller mentioned that they had seen this
> problem before.
>  
> Symon
> ________________________________
>
> From:  Claussen, Ken [mailto:Ken () kccweb com]       
> Sent:  Wed 05/02/2003 12:37 AM        
> To:    Luciano Z; firewall-wizards () honor icsalabs com      
> Subject:       RE: [fw-wiz] pix firewall - failover and
> logging issues        
>       
>
> The first answer is you are required to use LAN side
> failover communication to control the failover
> process. Each pair of interfaces must either be on
> the same dumb switch, a series of two switches with
> a crossover and a single VLAN, or a common VLAN on a
> layer 3 switch (not the best for security). In other
> words there must be communication between the
> corresponding network cards in the Primary and
> Standby units in order for Hello packets to be sent
> back and forth. When one of the Pixes fails to
> answer the Hello, the failover bundle begins a
> series of tests.  It determines if the network
> interface failed and if so it switches to the
> Secondary. It is important to make sure the
> interfaces are on a common network segment before
> configuring new subnets. The serial cable is used
> for sending the configuration and the control
> signals. When the primary determines it's interface
> has failed it passes control to the secondary. It is
> usually a good idea to disable Failover before
> making any changes which affect interface IP
> addresses. The command "Show Fail" will provide the
> current status of each interface on each Pix. Normal
> is good, other options may be Testing or Failed. 
> About logging, Syslog is the way to go. Like
> previously mentioned Level 7 will provide all
> messages. Filtering of messages is best done at the
> syslog server. Kiwi provides a free Windows Syslog
> daemon www.kiwisyslog.com . If you purchase the full
> version it has an extensive filtering rule section.
> HTH. I have almost always logged at level 7 and
> never seen significant performance degradation. SHOW
> CPU USAGE is an undocumented command to show
> utilization if you are concerned about performance.
>
> Ken Claussen MCSE(NT42K) CCNA CCA
> "In Theory it should work as you describe, but the
> difference between theory and reality is the truth!
> For this we all strive"
>
> PS I Don't have my encoding set to UTF-8. It
> specifies Western European (windows) for Internet
> recipients.
>
> -----Original Message-----
> From: Luciano Z [mailto:user_luciano () yahoo com br]
> Sent: Tuesday, January 28, 2003 2:03 PM
> To: firewall-wizards () honor icsalabs com
> Subject: [fw-wiz] pix firewall - failover and
> logging issues
>
>
>
> Hi!
>
> I have two questions about pix firewall for the
> list.
>
> The first one is directed to failover users. I´m
> using
> a pix with version 6.1(1) software and with stateful
> failover (I think this version needs update,
> right?).
> From time to time I experiment lost of ssh
> connection
> to the active pix because it have changed from
> active
> state to standby state. I couldn´t find the reason
> for
> this because we just checked the cables and it was
> operating well before I create another subnet
> attached
> to this firewall, changing the address of and unused
> interface.
>
> In this situation I´m not using LAN based failover
> (this version doesn´t support it) so the I have the
> serial cable in place. Someone had some problem that
> looks like my? Is it possible to start looging to
> the
> syslog server just the messages related to failover
> events?
>
> Second question, this is about logging of URL
> access.
> I´ve read the pix could log the URLs accessed by the
> users on a protected network. My question is about
> the performace impact of this feature. Anybody used
> this? What was the impression about it? And again:
> Is it possible to log just the events related to
> this?
>
> Well, thanks for your time!
>
> []
> Luciano
_______________________________________________________________________
> Busca Yahoo!
> O serviço de busca mais completo da Internet. O que
> você pensar o Yahoo! encontra.
> http://br.busca.yahoo.com/
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> ===============
>
>  This email has been content filtered and
>  subject to spam filtering. If you consider
>  this email is unsolicited please forward
>  the email to postmaster () webvein com and
>  request that the sender's domain be
>  blocked from sending any further emails.
>
> ===============
>
>
>
>  

_______________________________________________________________________
Busca Yahoo!
O serviço de busca mais completo da Internet. O que você pensar o Yahoo! encontra.
http://br.busca.yahoo.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards