Firewall Wizards mailing list archives

RE: pix firewall - failover and logging issues


From: "Symon Thurlow" <sthurlow () webvein com>
Date: Thu, 6 Feb 2003 21:55:55 -0000

Thanks for the detailed reply. I had gone through all of this recently
and just remembered reading in a Cisco document that they recommend not
to.

I agree with you, however, since you can see that there is no adverse
reaction, and simple is always better, IMHO.

Cheers,

Symon

-----Original Message-----
From: Scot Hartman [mailto:shartman () inflow com] 
Sent: 06 February 2003 19:30
To: Symon Thurlow
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] pix firewall - failover and logging issues


snip

  That reminds me of something else I thought didn't look 
  right (in someone else's post).
  
  I don't think that you should ever use a crossover cable 
  between any of the NICs in the main and standby unit. This 
  is because of the behaviour mentioned below.

...

  If you reboot one of the PIX, then you want all of the 
  interfaces on the other one to remain up, not go down as well.
  
  Symon

Symon,

I hear your concern, but I'd like to clarify this...

Use of a crossover cable for a dedicated state-link does not cause 
a problem in my experience.  This is from both lab testing and in 
live production of numerous pairs.

If the other firewall is powered off, the primary PIX will simply make a
note of it.  It will have already noted the loss of connection to the
mate and will actually tell you in the 'sh fail' that the other side is
powered off.

The desire to have all interfaces stay 'up' just for the sake of them
staying 'up' doesn't really buy you anything.  In fact, it adds
complexity by adding a switch or a hub to the mix and the potential for
VLAN issues, bad ports on the layer 2 equipment, etc.


An example of a sh fail on an HA PIX pair...

Interface 'statelink' is a crossover connection and is used for 
stateful failover with the 'failover link statelink' command.

(you can also replicate http traffic over this with the 
'failover replication http' command, but why bother?)

I also tend to crank down the poll frequency from the default of 15
seconds to the minimum of 3 seconds.  This seems to make the users feel
better during failover tests when it doesn't take what feels like an
eon to fail over ;)


(pay no attention to the IPs behind the curtain, 
only a lab setup to show the behavior...)

PIX(config)# sh fail
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 3 seconds
        This host: Primary - Active 
                Active time: 4489767 (sec)
                Interface vpndmz (172.16.47.254): Normal 
                Interface statelink (172.16.45.254): Normal 
                Interface webdmz (1.1.1.126): Normal 
                Interface customerdmz (172.16.46.254): Normal 
                Interface outside (2.2.2.156): Normal 
                Interface inside (172.16.41.254): Normal 
        Other host: Secondary - Standby 
                Active time: 1386 (sec)
                Interface vpndmz (172.16.47.253): Normal 
                Interface statelink (172.16.45.253): Normal 
                Interface webdmz (1.1.1.125): Normal 
                Interface customerdmz (172.16.46.253): Normal 
                Interface outside (2.2.2.155): Normal 
                Interface inside (172.16.41.253): Normal 

Stateful Failover Logical Update Statistics
        Link : statelink
        Stateful Obj    xmit       xerr       rcv        rerr      
        General         20         0          20         0         
        sys cmd         20         0          20         0         
        up time         0          0          0          0         
        xlate           0          0          0          0         
        tcp conn        0          0          0          0         
        udp conn        0          0          0          0         
        ARP tbl         0          0          0          0         
        RIP Tbl         0          0          0          0         

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       20
        Xmit Q:         0       1       20


Reboot the other side and you see this on the primary...


PIX(config)# 102001: (Primary) Power failure/System reload other side.
105007: (Primary) Link status 'Down' on interface 4
105003: (Primary) Monitoring on interface 5 waiting
105003: (Primary) Monitoring on interface 3 waiting
105003: (Primary) Monitoring on interface 2 waiting
105003: (Primary) Monitoring on interface 0 waiting
105003: (Primary) Monitoring on interface 1 waiting

PIX(config)# 
PIX(config)# 
PIX(config)# sh fail
Failover On
Cable status: Other side powered off
Reconnect timeout 0:00:00
Poll frequency 3 seconds
        This host: Primary - Active 
                Active time: 4489803 (sec)
                Interface vpndmz (172.16.47.254): Normal (Waiting)
                Interface statelink (172.16.45.254): Link Down (Waiting)
                Interface webdmz (1.1.1.126): Normal (Waiting)
                Interface customerdmz (172.16.46.254): Normal (Waiting)
                Interface outside (2.2.2.156): Normal (Waiting)
                Interface inside (172.16.41.254): Normal (Waiting)
        Other host: Secondary - Standby 
                Active time: 1386 (sec)
                Interface vpndmz (172.16.47.253): Unknown 
                Interface statelink (172.16.45.253): Unknown 
                Interface webdmz (1.1.1.125): Unknown 
                Interface customerdmz (172.16.46.253): Unknown 
                Interface outside (2.2.2.155): Unknown 
                Interface inside (172.16.41.253): Unknown 

Stateful Failover Logical Update Statistics
        Link : statelink
        Stateful Obj    xmit       xerr       rcv        rerr      
        General         23         0          23         0         
        sys cmd         23         0          23         0         
        up time         0          0          0          0         
        xlate           0          0          0          0         
        tcp conn        0          0          0          0         
        udp conn        0          0          0          0         
        ARP tbl         0          0          0          0         
        RIP Tbl         0          0          0          0         

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       23
        Xmit Q:         0       1       23


So interface 'statelink' shifts to Link Down.  So what?
It doesn't affect anything, and all the other checks are going
to be run through anyway.  All the other interfaces shift to 'Waiting'
while the PIX tries to sense its mate.  I don't see any reason not to
use a crossover.  Personal preferences, maybe, but no technical reason
I can determine.



As the other side powers back up...

 
PIX(config)# 105006: (Primary) Link status 'Up' on interface 4
105003: (Primary) Monitoring on interface 4 waiting
101001: (Primary) Failover cable OK.
102001: (Primary) Power failure/System reload other side.
101001: (Primary) Failover cable OK.
105007: (Primary) Link status 'Down' on interface 4
105006: (Primary) Link status 'Up' on interface 4
105003: (Primary) Monitoring on interface 4 waiting
105003: (Primary) Monitoring on interface 5 waiting
105003: (Primary) Monitoring on interface 4 waiting
105003: (Primary) Monitoring on interface 3 waiting
105003: (Primary) Monitoring on interface 2 waiting
105003: (Primary) Monitoring on interface 0 waiting
105003: (Primary) Monitoring on interface 1 waiting
709003: (Primary) Beginning configuration replication: Send to mate.
Sync Started .. Sync Completed
709004: (Primary) End Configuration Replication (ACT)
105004: (Primary) Monitoring on interface 5 normal
105004: (Primary) Monitoring on interface 4 normal
105004: (Primary) Monitoring on interface 3 normal
105004: (Primary) Monitoring on interface 2 normal
105004: (Primary) Monitoring on interface 0 normal
105004: (Primary) Monitoring on interface 1 normal


And a final verification.  All still right in the world
and traffic through the primary none the wiser.

 
PIX(config)# sh fail
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 3 seconds
        This host: Primary - Active 
                Active time: 4489899 (sec)
                Interface vpndmz (172.16.47.254): Normal 
                Interface statelink (172.16.45.254): Normal 
                Interface webdmz (1.1.1.126): Normal 
                Interface customerdmz (172.16.46.254): Normal 
                Interface outside (2.2.2.156): Normal 
                Interface inside (172.16.41.254): Normal 
        Other host: Secondary - Standby 
                Active time: 0 (sec)
                Interface vpndmz (172.16.47.253): Normal 
                Interface statelink (172.16.45.253): Normal 
                Interface webdmz (1.1.1.125): Normal 
                Interface customerdmz (172.16.46.253): Normal 
                Interface outside (2.2.2.155): Normal 
                Interface inside (172.16.41.253): Normal 

Stateful Failover Logical Update Statistics
        Link : statelink
        Stateful Obj    xmit       xerr       rcv        rerr      
        General         26         0          25         0         
        sys cmd         24         0          25         0         
        up time         2          0          0          0         
        xlate           0          0          0          0         
        tcp conn        0          0          0          0         
        udp conn        0          0          0          0         
        ARP tbl         0          0          0          0         
        RIP Tbl         0          0          0          0         

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       25
        Xmit Q:         0       1       26





Scot Hartman


"God fights on the side with the best artillery." 
   --Napoleon

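As an added example, not code from the thread or from Cisco: a small Python parser for the 'sh fail' output Scot quoted, with a classifier that treats the secondary-reboot transient he describes (cable 'Other side powered off', statelink 'Link Down (Waiting)', other interfaces '(Waiting)' and 'Unknown') as lost redundancy rather than a fault on the active unit, while flagging the same statuses as an alert when the mate is not reported off. The sample text, the severity names and the 'statelink' interface name are assumptions modelled on the quoted output.

```python
import re
# Constructed sample modelled on the 'sh fail' output quoted in the thread, taken
# while the secondary is rebooting (trimmed to two interfaces per unit).
SAMPLE = """Failover On
Cable status: Other side powered off
Poll frequency 3 seconds
        This host: Primary - Active
                Interface vpndmz (172.16.47.254): Normal (Waiting)
                Interface statelink (172.16.45.254): Link Down (Waiting)
        Other host: Secondary - Standby
                Interface vpndmz (172.16.47.253): Unknown
                Interface statelink (172.16.45.253): Unknown
"""

HOST_RE = re.compile(r"^\s*(This|Other) host: (\w+) - (\w+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): ([A-Za-z ]+?)(?: \((\w+)\))?\s*$")

def parse_show_failover(text):
    """Parse 'show failover'; each interface maps to a (status, qualifier) tuple."""
    state = {"cable": None, "poll_seconds": None, "hosts": {}}
    host = None
    for line in text.splitlines():
        if line.startswith("Cable status:"):
            state["cable"] = line.split(":", 1)[1].strip()
        elif line.startswith("Poll frequency"):
            state["poll_seconds"] = int(line.split()[2])
        elif m := HOST_RE.match(line):
            host = {"unit": m.group(2), "role": m.group(3), "interfaces": {}}
            state["hosts"][m.group(1).lower()] = host
        elif (m := IFACE_RE.match(line)) and host is not None:
            host["interfaces"][m.group(1)] = (m.group(3).strip(), m.group(4))
    return state

def assess(state, state_link="statelink"):
    """Return ('ok'|'degraded'|'alert', reasons); 'degraded' is the thread's reboot test."""
    this = state["hosts"].get("this", {"role": None, "interfaces": {}})
    mate_off = state["cable"] == "Other side powered off"
    severity = "degraded" if mate_off else "ok"
    reasons = ["mate powered off or reloading (syslog 102001)"] if mate_off else []
    if this["role"] != "Active":
        severity, reasons = "alert", reasons + ["this host is not Active"]
    for name, (status, _qual) in this["interfaces"].items():
        if status == "Normal":      # 'Normal (Waiting)' is only the mate probe
            continue
        if name == state_link and status == "Link Down" and mate_off:
            reasons.append(f"{name} Link Down is expected on a crossover while the mate is off")
            continue
        severity = "alert"          # a non-Normal interface on the active unit itself
        reasons.append(f"{name}: {status}")
    return severity, reasons
```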
