PIX failover and hello messages

Discussion in 'Cisco' started by kate0104@hotmail.com, Nov 19, 2005.

  1. Guest

    Does failover work if two PIX are connected via one or more routers
    (say on internal interfaces in high availability configurations for
    example) or is it mandatory to have layer 2 links between the two
    firewalls?

    Thank you
    , Nov 19, 2005
    #1

  2. In article <>,
    <> wrote:
    :Does failover work if two PIX are connected via one or more routers
    :(say on internal interfaces in high availability configurations for
    :example) or is it mandatory to have layer 2 links between the two
    :firewalls?

    I never went very far into failover, so the following might be
    inaccurate.

    My recollection is that if you are using the network failover instead
    of the serial-cable failover, that it -must- be layer 2 links with
    no routing.

    It is possible that this changed in PIX 7.0; I don't have information
    on that point.
    --
    Many food scientists have reported chocolate to be the single most
    craved food. -- Northwestern University, 2001
    Walter Roberson, Nov 19, 2005
    #2

  3. DigitalVinyl Guest

    wrote:

    >Does failover work if two PIX are connected via one or more routers
    >(say on internal interfaces in high availability configurations for
    >example) or is it mandatory to have layer 2 links between the two
    >firewalls?
    >
    >Thank you


    Even though you assign IP addresses to the failovers (which might make
    you think they could withstand layer 3 routing), I think the timeout
    tolerances are VERY low (milliseconds, definitely <1 second). I found
    a dumb setup on a PIX where one side of the PIX backhauled through
    media converters to a switch in a different building. So the heartbeat
    had to hop through 2 media converters, ride fiber back to another
    building (a football field away), go through a switch to ride fiber and
    2 more media converters back to the original building to get to the
    failover's twin interface. Every 20 to 40 seconds we had an interface
    failure, which recovered the next second (when it re-attempted). That
    was layer 2, but the delays were enough to cause a problem.

    DiGiTAL_ViNYL (no email)
    DigitalVinyl, Nov 19, 2005
    #3
  4. Guest

    I'm asking this question because I saw some uncommented network
    diagrams where the two PIX seem to be in failover but each one has the
    internal interface connected to a different router.
    , Nov 19, 2005
    #4
  5. Kate,

    How the PIX failover works: You have two different IP addresses on the
    Active and Standby firewalls. But when a failover event happens, the PIX firewalls
    SWAP IP addresses, so the Standby firewall takes the IP addresses which were
    previously assigned to the Active firewall, and the other firewall takes the
    Standby IP addresses. And hosts which are using the firewalls do not see a
    difference. Theoretically the "stateful failover" interface may be in a
    different subnet, but there is no reason to put them that way since all
    interfaces on the Active should have an L2 link to the corresponding interfaces
    on the Standby firewall.

    Mike
    www.ciscoheadsetadapter.com



    <> wrote in message
    news:...
    > I'm asking this question because I saw some uncommented network
    > diagrams where the two PIX seem to be in failover but each one has the
    > internal interface connected to a different router.
    >
    CiscoHeadsetAdapter.com, Nov 20, 2005
    #5
  6. DigitalVinyl Guest

    wrote:

    >I'm asking this question because I saw some uncommented network
    >diagrams where the two PIX seem to be in failover but each one has the
    >internal interface connected to a different router.


    Yeah, actually engaging the brain when thinking about it more, the two
    interfaces MUST be in the same VLAN.

    The diagram may have shown them connecting to a hybrid router/switch.
    Switches like the 4006 and 6500 are often both router and switch in a
    single chassis. They are on one physical box, but the router resides on a
    blade installed in it. On a normal router you could configure two
    interfaces to bridge things. I'm not sure why they would go with that
    more complex setup.

    Our PIXes are distributed across two separate 6509s. Each 6509 is a
    router and a switch. However, the same VLAN is trunked across both
    units, so the interfaces do end up on the same VLAN. This setup
    provides redundancy.


    DiGiTAL_ViNYL (no email)
    DigitalVinyl, Nov 20, 2005
    #6
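    As an added illustration (not from any post in this thread, and not a
    configuration any poster described), this is the shape of a PIX 6.x
    LAN-based failover configuration on the primary unit, with constructed
    addresses and assumed interface names `lanfo` and `stateful`. It shows why
    the thread's conclusion holds: each interface carries an active address and
    a `failover ip address` on the same subnet, the standby takes over the active
    addresses when hellos on the failover link stop, and that takeover only
    works if each interface pair shares one layer 2 segment.

    ```cisco
    ! Added example, not from the thread: PIX 6.3-style LAN-based failover, primary unit.
    ! All addresses are constructed; 'lanfo' and 'stateful' are assumed interface names.
    nameif ethernet2 lanfo security20
    nameif ethernet3 stateful security30
    ip address outside 192.0.2.1 255.255.255.0
    ip address inside 10.1.1.1 255.255.255.0
    ip address lanfo 10.1.2.1 255.255.255.0
    ip address stateful 10.1.3.1 255.255.255.0
    ! Standby addresses: same subnet as the active address on every interface.
    ! On failover the peer takes over the active addresses (and MACs), so each
    ! interface pair must sit on the same VLAN, not behind a router.
    failover ip address outside 192.0.2.2
    failover ip address inside 10.1.1.2
    failover ip address lanfo 10.1.2.2
    failover ip address stateful 10.1.3.2
    ! Hello (poll) interval in seconds; interface tests begin after missed
    ! hellos, so added path delay shows up as spurious interface failures.
    failover poll 5
    failover lan unit primary
    failover lan interface lanfo
    failover lan key <shared-key-placeholder>
    failover lan enable
    failover link stateful
    failover
    ```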
  7. Guest

    That's what I was thinking too, or maybe that particular diagram was
    simply wrong. I've always been used to seeing pairs of firewalls
    connected through plain switches or L3 switches. Thank you.
    , Nov 20, 2005
    #7