Firewall Wizards mailing list archives

Re: RE: PIX FW Failover & Hello Packet


From: Dave Rinker <firewall () dsrtech com>
Date: 06 May 2003 21:19:42 -0400


Danny,

Here is the Cisco recommended config of the cables for both LAN and
stateful configs.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_installation_guide_chapter09186a008017279b.html#1048874

Note you cannot configure failover if the units are not absolutely
identical. This includes 515 and 515E models.

The hello packets are sent over all interfaces every 15 seconds; if two
consecutive hellos are missed, then the PIX will start testing each and
every interface. (Sounds like this might be your issue.)

You should specifically check that you have spanning tree shut OFF on
the switch ports involved. If the switch detects a bridge loop, it will
delay forwarding for 30 seconds (default) and cause the hellos to be
missed by the failover PIX.

Hope this helps.

Dave



On Mon, 2003-05-05 at 16:45, Sutantyo, Danny wrote:
Hi PIX expert
I need help...

I have 2 PIX 515 fws and set up both of them to run as failover, and also I
have put the ACL on each interface except the "Failover" interface. For some
reason after the failover cmd is turned on for a few minutes, then for a while the
Standby PIX failed, and it keeps checking all the interfaces.

The question is: The "hello" packet that PIX fw sends to all the interfaces,
is it multicast or Cisco proprietary like Cisco CDP or something else?

Is it possible the ACL blocks the communication when PIX tries to send the
"hello" packet, and then it fails?

Both PIX FWs are set up with 2 cables, and all the interfaces are plugged in to
the switch that does not have trunking, etc.
The inside int is connected to a diff switch from the other 3 switch, and only
these 3 int are in a waiting mode (waiting for hello packet), but not the
inside interface and failover int.

Any idea?

Thanks
Danny

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
