Firewall Wizards mailing list archives

RE: Re: PIX FW Failover & Hello Packet


From: "Sutantyo, Danny" <DSutantyo () livingstonintl com>
Date: Wed, 7 May 2003 09:59:42 -0400

I've upgraded to 6.3 now.

DS

-----Original Message-----
From: Mike Hoskins [mailto:mike () adept org] 
Sent: Tuesday, May 06, 2003 08:23 PM
To: firewall-wizards () honor icsalabs com
Cc: DSutantyo () livingstonintl com
Subject: [fw-wiz] Re: PIX FW Failover & Hello Packet


From: "Sutantyo, Danny" <DSutantyo () livingstonintl com>
Date: Mon, 5 May 2003 16:45:17 -0400
Subject: [fw-wiz] RE: PIX FW Failover & Hello Packet
I have 2 PIX 515 fws and set up both of them to run as failover, and 
also I have put the ACL on each interface except "Failover" interface. 
For some reason after failover cmd is turned on for a few minutes, then 
for a while the Standby PIX failed, and it keeps checking all the 
interfaces.

First, what OS version?

In general, the two PIXes will need to be able to send hello packets over any
active network interfaces + the failover cable.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008996b.html

The question is: The "hello" packet that PIX fw sends to all the 
interfaces, is it multicast or Cisco proprietary like Cisco CDP or 
something else?

6.2 discussion of failover,

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

I'm not sure of the hello's specific format, but the network tests and
general methodology are discussed in the URL above.  Someone more
knowledgeable will likely offer details about the hello packet, or perhaps a
sniffer would do the job.

If you haven't already, be sure to read the 6.2 failover discussion above...
It is relatively detailed, including special considerations for switched
environments (portfast mode) which I've seen some people overlook.

-mrh

--
From: "Spam Catcher" <spam-catcher () adept org>
To: spam-catcher () adept org
Do NOT send email to the address listed above or
you will be added to a blacklist!
_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards