Firewall Wizards mailing list archives
RE: pix firewall - failover and logging issues
From: Scot Hartman <shartman () inflow com>
Date: Thu, 6 Feb 2003 12:29:49 -0700
snip
That reminds me of something else I thought didn't look right (in someone else's post). I don't think that you should ever use a crossover cable between any of the NICs in the main and standby unit. This is because of the behaviour mentioned below.
...
If you reboot one of the PIX, then you want all of the interfaces on the other one to remain up, not go down as well.

Symon
Symon, I hear your concern but I'd like to clarify this... Use of a crossover cable for a dedicated state-link does not cause a problem in my experience. This is from both lab testing and in live production of numerous pairs. If the other firewall is powered off, the primary PIX will simply make a note of it. It will have already noted the loss of connection to the mate and will actually tell you in the 'sh fail' that the other side is powered off.

The desire to have all interfaces stay 'up' just for the sake of them staying 'up' doesn't really buy you anything. In fact, it adds complexity by adding a switch or a hub to the mix and the potential for VLAN issues, bad ports on the layer 2 equipment, etc.

An example of a sh fail on an HA PIX pair... Interface 'statelink' is a crossover connection and is used for stateful failover with the 'failover link statelink' command. (You can also replicate http traffic over this with the 'failover replication http' command, but why bother?) I also tend to crank down the poll frequency from the default of 15 seconds to the minimum of 3 seconds. This seems to make the users feel better during failover tests when it doesn't take what feels like an eon to fail over ;) (Pay no attention to the IPs behind the curtain, this is only a lab setup to show the behavior...)
PIX(config)# sh fail
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 3 seconds
        This host: Primary - Active
                Active time: 4489767 (sec)
                Interface vpndmz (172.16.47.254): Normal
                Interface statelink (172.16.45.254): Normal
                Interface webdmz (1.1.1.126): Normal
                Interface customerdmz (172.16.46.254): Normal
                Interface outside (2.2.2.156): Normal
                Interface inside (172.16.41.254): Normal
        Other host: Secondary - Standby
                Active time: 1386 (sec)
                Interface vpndmz (172.16.47.253): Normal
                Interface statelink (172.16.45.253): Normal
                Interface webdmz (1.1.1.125): Normal
                Interface customerdmz (172.16.46.253): Normal
                Interface outside (2.2.2.155): Normal
                Interface inside (172.16.41.253): Normal

Stateful Failover Logical Update Statistics
        Link : statelink
        Stateful Obj    xmit       xerr       rcv        rerr
        General         20         0          20         0
        sys cmd         20         0          20         0
        up time         0          0          0          0
        xlate           0          0          0          0
        tcp conn        0          0          0          0
        udp conn        0          0          0          0
        ARP tbl         0          0          0          0
        RIP Tbl         0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       20
        Xmit Q:         0       1       20

Reboot the other side and you see this on the primary...

PIX(config)# 102001: (Primary) Power failure/System reload other side.
105007: (Primary) Link status 'Down' on interface 4
105003: (Primary) Monitoring on interface 5 waiting
105003: (Primary) Monitoring on interface 3 waiting
105003: (Primary) Monitoring on interface 2 waiting
105003: (Primary) Monitoring on interface 0 waiting
105003: (Primary) Monitoring on interface 1 waiting
PIX(config)#
PIX(config)#
PIX(config)# sh fail
Failover On
Cable status: Other side powered off
Reconnect timeout 0:00:00
Poll frequency 3 seconds
        This host: Primary - Active
                Active time: 4489803 (sec)
                Interface vpndmz (172.16.47.254): Normal (Waiting)
                Interface statelink (172.16.45.254): Link Down (Waiting)
                Interface webdmz (1.1.1.126): Normal (Waiting)
                Interface customerdmz (172.16.46.254): Normal (Waiting)
                Interface outside (2.2.2.156): Normal (Waiting)
                Interface inside (172.16.41.254): Normal (Waiting)
        Other host: Secondary - Standby
                Active time: 1386 (sec)
                Interface vpndmz (172.16.47.253): Unknown
                Interface statelink (172.16.45.253): Unknown
                Interface webdmz (1.1.1.125): Unknown
                Interface customerdmz (172.16.46.253): Unknown
                Interface outside (2.2.2.155): Unknown
                Interface inside (172.16.41.253): Unknown

Stateful Failover Logical Update Statistics
        Link : statelink
        Stateful Obj    xmit       xerr       rcv        rerr
        General         23         0          23         0
        sys cmd         23         0          23         0
        up time         0          0          0          0
        xlate           0          0          0          0
        tcp conn        0          0          0          0
        udp conn        0          0          0          0
        ARP tbl         0          0          0          0
        RIP Tbl         0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       23
        Xmit Q:         0       1       23

So interface 'statelink' shifts to Link Down. So what? It doesn't affect anything, and all the other checks are going to be run through anyway. All the other interfaces shift to 'Waiting' while the PIX tries to sense its mate. I don't see any reason not to use a crossover. Personal preference, maybe, but no technical reason I can determine.

As the other side powers back up...

PIX(config)# 105006: (Primary) Link status 'Up' on interface 4
105003: (Primary) Monitoring on interface 4 waiting
101001: (Primary) Failover cable OK.
102001: (Primary) Power failure/System reload other side.
101001: (Primary) Failover cable OK.
105007: (Primary) Link status 'Down' on interface 4
105006: (Primary) Link status 'Up' on interface 4
105003: (Primary) Monitoring on interface 4 waiting
105003: (Primary) Monitoring on interface 5 waiting
105003: (Primary) Monitoring on interface 4 waiting
105003: (Primary) Monitoring on interface 3 waiting
105003: (Primary) Monitoring on interface 2 waiting
105003: (Primary) Monitoring on interface 0 waiting
105003: (Primary) Monitoring on interface 1 waiting
709003: (Primary) Beginning configuration replication: Send to mate.
Sync Started .. Sync Completed
709004: (Primary) End Configuration Replication (ACT)
105004: (Primary) Monitoring on interface 5 normal
105004: (Primary) Monitoring on interface 4 normal
105004: (Primary) Monitoring on interface 3 normal
105004: (Primary) Monitoring on interface 2 normal
105004: (Primary) Monitoring on interface 0 normal
105004: (Primary) Monitoring on interface 1 normal

And a final verification. All is still right in the world, and traffic through the primary is none the wiser.

PIX(config)# sh fail
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 3 seconds
        This host: Primary - Active
                Active time: 4489899 (sec)
                Interface vpndmz (172.16.47.254): Normal
                Interface statelink (172.16.45.254): Normal
                Interface webdmz (1.1.1.126): Normal
                Interface customerdmz (172.16.46.254): Normal
                Interface outside (2.2.2.156): Normal
                Interface inside (172.16.41.254): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface vpndmz (172.16.47.253): Normal
                Interface statelink (172.16.45.253): Normal
                Interface webdmz (1.1.1.125): Normal
                Interface customerdmz (172.16.46.253): Normal
                Interface outside (2.2.2.155): Normal
                Interface inside (172.16.41.253): Normal

Stateful Failover Logical Update Statistics
        Link : statelink
        Stateful Obj    xmit       xerr       rcv        rerr
        General         26         0          25         0
        sys cmd         24         0          25         0
        up time         2          0          0          0
        xlate           0          0          0          0
        tcp conn        0          0          0          0
        udp conn        0          0          0          0
        ARP tbl         0          0          0          0
        RIP Tbl         0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       25
        Xmit Q:         0       1       26

Scot Hartman
"God fights on the side with the best artillery." --Napoleon

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
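The three 'sh fail' dumps in the post above are read by eye, which is fine for a lab test but not for a pair that has to page someone when the standby goes away. The following is an added example, not code from the post or from Cisco, that parses that PIX 6.x 'show failover' output format into a structure and flags every state other than Normal (the 'Other side powered off', 'Link Down' and 'Unknown' states shown above, plus any non-zero xerr/rerr counter), treating 'Normal (Waiting)' as transient because the post shows it clearing once the mate is back. The class and function names are this example's own; the sample text is an abridged copy of the post's second dump and is labelled as such in the code.

```python
"""Parse Cisco PIX 6.x 'show failover' output and flag anything that is not Normal.

Added example, not from the post or from Cisco: field and state names follow the
'sh fail' dumps above; the class and function names are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+)$")
STATS_RE = re.compile(r"^(General|sys cmd|up time|xlate|tcp conn|udp conn|ARP tbl|RIP Tbl)"
                      r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

@dataclass
class Host:
    role: str                     # Primary / Secondary
    state: str                    # Active / Standby
    active_time: int = 0          # seconds
    interfaces: Dict[str, str] = field(default_factory=dict)  # name -> status text

@dataclass
class Failover:
    enabled: bool = False
    cable_status: str = ""
    poll_frequency: int = 0
    this_host: Optional[Host] = None
    other_host: Optional[Host] = None
    stats: Dict[str, Tuple[int, ...]] = field(default_factory=dict)  # obj -> (xmit, xerr, rcv, rerr)

def parse_show_failover(text: str) -> Failover:
    """Line-oriented parse; leading whitespace is stripped so tab or space indents both work."""
    fo = Failover()
    current: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Failover On", "Failover Off"):
            fo.enabled = line.endswith("On")
        elif line.startswith("Cable status:"):
            fo.cable_status = line.split(":", 1)[1].strip()
        elif line.startswith("Poll frequency"):
            fo.poll_frequency = int(line.split()[2])
        elif line.startswith(("This host:", "Other host:")):
            role, state = (p.strip() for p in line.split(":", 1)[1].split("-", 1))
            current = Host(role, state)
            if line.startswith("This"):
                fo.this_host = current
            else:
                fo.other_host = current
        elif line.startswith("Active time:") and current is not None:
            current.active_time = int(re.search(r"\d+", line).group())
        elif (m := IFACE_RE.match(line)) and current is not None:
            current.interfaces[m.group(1)] = m.group(3)
        elif m := STATS_RE.match(line):
            fo.stats[m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return fo

def health_findings(fo: Failover) -> List[str]:
    """Empty list means healthy. 'Normal (Waiting)' is transient (the post shows it
    while the active unit re-probes its mate); Link Down, Unknown, a cable status
    other than Normal and non-zero xerr/rerr counters are DEGRADED."""
    findings: List[str] = []
    if not fo.enabled:
        findings.append("DEGRADED: failover is Off")
    if fo.cable_status != "Normal":
        findings.append(f"DEGRADED: cable status is {fo.cable_status}")
    for host in (fo.this_host, fo.other_host):
        for name, status in (host.interfaces.items() if host else ()):
            if status == "Normal":
                continue
            level = "transient" if status == "Normal (Waiting)" else "DEGRADED"
            findings.append(f"{level}: {host.role} {name} is {status}")
    for obj, (_xmit, xerr, _rcv, rerr) in fo.stats.items():
        if xerr or rerr:
            findings.append(f"DEGRADED: {obj} update errors xerr={xerr} rerr={rerr}")
    return findings

# Constructed sample: abridged (three interfaces, two stats rows) from the post's
# second dump, taken while the secondary was rebooting.
SAMPLE_OTHER_SIDE_OFF = """\
Failover On
Cable status: Other side powered off
Poll frequency 3 seconds
        This host: Primary - Active
                Active time: 4489803 (sec)
                Interface statelink (172.16.45.254): Link Down (Waiting)
                Interface outside (2.2.2.156): Normal (Waiting)
                Interface inside (172.16.41.254): Normal (Waiting)
        Other host: Secondary - Standby
                Interface statelink (172.16.45.253): Unknown
                Interface outside (2.2.2.155): Unknown
                Interface inside (172.16.41.253): Unknown
Stateful Failover Logical Update Statistics
        Stateful Obj    xmit       xerr       rcv        rerr
        General         23         0          23         0
        tcp conn        0          0          0          0
"""

if __name__ == "__main__":
    for finding in health_findings(parse_show_failover(SAMPLE_OTHER_SIDE_OFF)):
        print(finding)
```

Feed it the text captured from a scripted 'show failover' (expect, or whatever pulls the CLI on your network) and alert on any DEGRADED line; on the sample above it reports the powered-off cable status, the Link Down statelink and the three Unknown standby interfaces, and lists the two 'Normal (Waiting)' interfaces as transient. The statelink going Link Down is exactly the behaviour the post argues is harmless with a crossover cable, so whether that line pages anyone is a local policy decision; the parser just surfaces it.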
Current thread:
- RE: pix firewall - failover and logging issues Claussen, Ken (Feb 04)
- <Possible follow-ups>
- RE: pix firewall - failover and logging issues Scot Hartman (Feb 05)
- RE: pix firewall - failover and logging issues Symon Thurlow (Feb 05)
- RE: pix firewall - failover and logging issues Luciano Z (Feb 05)
- RE: pix firewall - failover and logging issues Claussen, Ken (Feb 05)
- RE: pix firewall - failover and logging issues Symon Thurlow (Feb 06)
- RE: pix firewall - failover and logging issues Scot Hartman (Feb 06)
- RE: pix firewall - failover and logging issues Symon Thurlow (Feb 06)