Firewall Wizards mailing list archives
pix/proxy issue
From: bills <bills () momineen org>
Date: Thu, 31 Jul 2008 18:36:46 -0400
I have just implemented a new dmz on our pix 535. The two forward proxies that reside in the dmz support internal web queries going out to the internet via virtual ip addresses assigned to each of the boxes. Internal users use dns round robin for a type of load balancing between the two boxes. The concept is that if one box goes down, the other box will take over answering on both virtual ip addresses without the end user being impacted. This is working on 3 internal proxies that do not use the firewall and also works for 2 reverse proxies in the dmz, but only accepting traffic from external sources.

What is happening is that when I fail one box over to the other, the traffic seems to not get past the firewall, but if I switch the configuration back it works again. If I add a new virtual ip to test, the traffic gets there, but again if I try to fail it over to the other box no traffic seems to get to the other box. I have confirmed that the snmp heartbeat between the two boxes is working as it should, and the proxy vendor has stated that it's got to be the firewall preventing this. Does anyone know if it has something to do with state table or anything related to the pix settings?
Default:

fwd1
  physical ip: 192.168.1.1
  virtual ip master: 192.168.1.3
  virtual ip slave: 192.168.1.4

fwd2
  physical ip: 192.168.1.2
  virtual ip master: 192.168.1.4
  virtual ip slave: 192.168.1.3

Failover scenario would be taking fwd2 out of the loop and the snmp heartbeat transitions the virtual ip to the other box.
fwd1
  physical ip: 192.168.1.1
  virtual ip master: 192.168.1.3
  virtual ip master: 192.168.1.4

fwd2
  physical ip: 192.168.1.2
  virtual ip slave: 192.168.1.4
  virtual ip slave: 192.168.1.3

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- pix/proxy issue bills (Aug 01)
- Re: pix/proxy issue Secure Scorp (Aug 05)