Firewall Wizards mailing list archives

(no subject)


From: "Elvis" <elvis () securegateway org>
Date: Mon, 24 Jan 2005 08:40:56 +1100

Kerry hit the nail on the head below, but there is more trouble than just failover. I saw a number of situations where the pix's would failover, but would not fail back when the failed box became active again, and both pix's would start acting as if they are the primary - all sorts of interesting things happen in this case. Some traffic would pass, some would fail, some sessions would come in one firewall and try to leave via the other - it also caused us problems on the switches the firewalls connected to, as the different MACs came up for the different interfaces with the same ip addresses when they both tried to use the primary addresses for the interfaces.

I eventually worked out that the boxes were both trying to act as Primary, but had to go to site to see this.

I ran about 10 pairs of failover pixes in the last few years, and two of those experienced this problem - we were advised by cisco to use a switch and the problems did not re-appear. Versions of code made no difference.

We initially configured them all with x-over cables, but soon converted them all to go via switches.

Elvis Fizelle

mkrbeck () hushmail com said:
I recall reading a detailed technical paper recently on the cisco site where it was recommended that pix stateful interface traffic always be passed through a switch (as opposed to a x-over cable) between a pair of pix chassis, regardless of whether the deployment is serial cable or LAN failover, however I cannot find it again, would anyone have a link for it or a copy?

http://www.cisco.com/warp/public/110/failover.html

There is good reasoning behind this. If you have a crossover cable and one end fails (or it is disconnected), then the other end will also see the loss of carrier and conclude that it has an interface failure.

Kerry


--
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz
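The dual-active symptom Elvis describes (the same IP address claimed by two different MACs, one per chassis) is visible from the switch side before anyone goes to site. The following is an added example, not part of the original thread or any Cisco tooling: it assumes a monitoring host on the firewall segment that logs ARP replies and gratuitous ARPs as "<epoch> <ip> <mac>" lines (a constructed format), and flags any IP that is claimed by more than one MAC within a short window.

```python
"""Detect a dual-active (split-brain) firewall pair from ARP observations.

Added example, not code from the original thread. It assumes a constructed
log format of "<epoch-seconds> <ip> <mac>" per ARP reply / gratuitous ARP
seen on the firewall segment. A clean failover moves the shared IP and MAC
together, so only one MAC should ever claim the primary address; two MACs
claiming it at nearly the same time is the dual-active condition.
"""
from collections import defaultdict

# Constructed sample log: 10.0.0.1 is the shared primary address.
# Up to t=1000 only one chassis (MAC ...:01) claims it; at t=1003 the
# other chassis (MAC ...:02) also starts answering for it.
SAMPLE_ARP_LOG = """\
990 10.0.0.1 00:11:22:33:44:01
991 10.0.0.2 00:11:22:33:44:02
1000 10.0.0.1 00:11:22:33:44:01
1003 10.0.0.1 00:11:22:33:44:02
1004 10.0.0.5 00:aa:bb:cc:dd:05
"""


def parse_arp_log(text):
    """Parse the constructed log format into (timestamp, ip, mac) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, mac = line.split()
        entries.append((int(ts), ip, mac.lower()))
    return entries


def find_dual_active(entries, window=30):
    """Return {ip: sorted MAC list} for every IP claimed by more than one MAC
    within `window` seconds of each other."""
    last_seen = defaultdict(dict)   # ip -> {mac: last timestamp it claimed ip}
    conflicts = {}
    for ts, ip, mac in sorted(entries):
        seen = last_seen[ip]
        seen[mac] = ts
        # Every MAC that has claimed this IP recently, including this one.
        recent = [m for m, t in seen.items() if ts - t <= window]
        if len(recent) > 1:
            conflicts[ip] = sorted(recent)
    return conflicts


if __name__ == "__main__":
    for ip, macs in find_dual_active(parse_arp_log(SAMPLE_ARP_LOG)).items():
        print(f"dual-active suspected: {ip} claimed by {', '.join(macs)}")
```

The window should be longer than the pair's failover poll interval but short enough that a legitimate failover, where the old active unit stops answering within seconds, does not trip it; an alert that keeps repeating for the same IP over many minutes is the "both primary" state rather than a transition.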

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
