pix failover question

Discussion in 'Cisco' started by David Smith, Feb 20, 2004.

  1. David Smith

    David Smith Guest

    I have read CISCO guide about how to use pix failover. Here are still
    a few questions:

    1. Same version: I have one unit on version 6.3(2) and the other on 6.3(3).
    Is it OK for failover?

    2. Stateful failover:

    1) Do we need any configuration on the 2nd unit for stateful failover?
    If not, just wondering how replication will happen since there is no
    config on the 2nd unit at all, including interface type.
    2) For stateful failover, we only need a crossover cable, not the
    failover cable, right?
    3) Can we connect the two units with both the failover cable (Primary
    and Secondary on both ends) and a crossover cable for the failover interface
    (for stateful)?
    4) Should we configure the unused interfaces and connect both unused interfaces
    with a crossover cable?

    TIA
     
    David Smith, Feb 20, 2004
    #1

  2. mcaissie

    mcaissie Guest

    "David Smith" <> wrote in message
    news:...
    > I have read CISCO guide about how to use pix failover. Here are still
    > a few questions:
    >
    > 1. Same version: I have one unit on version 6.3(2) and the other on 6.3(3).
    > Is it OK for failover?


    No, you need the same version on both.

    >
    > 2. stateful failover:
    >
    > 1) do we need any configuration on the 2nd unit for stateful failover?
    > if not, just wondering how replication will happen since there is no
    > config on the 2nd unit at all including interface type.


    You only need to configure the Primary unit. When doing a "wr mem" the
    config will be synchronised with the Secondary through the failover cable.


    > 2) for stateful failover, we only need a crossover cable, not the
    > failover cable, right?


    No, you always need the failover cable.

    > 3) can we connect the two units with both the failover cable (Primary
    > and secondary on both ends) and crossover cable for failover interface
    > (for stateful)?


    Not only can you, but you have to if you want to have stateful failover.
    But you could also work with only the failover cable, without stateful.
    Without stateful, if one unit fails, existing connections are lost and
    have to be rebuilt by the other unit. In stateful mode all existing
    connections are transferred to the failover unit through the crossover cable.

    > 4) Should we configure the unused interfaces and connect both unused interfaces
    > with a crossover cable?


    No, you can just keep them "shutdown".


    >
    > TIA
    >
     
    mcaissie, Feb 20, 2004
    #2

  3. Jason Kau

    Jason Kau Guest

    mcaissie <> wrote:
    >> 2) for stateful failover, we only need a crossover cable, not the
    >> failover cable, right?

    >
    > No, you always need the failover cable.


    No you don't. Read the documentation:

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/failover.htm#23601

    Failover Link

    The two units constantly communicate over a failover link to determine
    each unit's operating status. Communications over the failover link
    include:

    * The unit state (active or standby)
    * The power status (cable-based failover only)
    * Hello messages (also sent on all other interfaces)
    * Configuration synchronization between the two units (see the
    "Configuration Replication" section for more information).

    The failover link can be one of the following connections:

    * Serial failover cable ("cable-based failover"). If the two units are
    within six feet of each other, then we recommend that you use the serial
    failover cable. Using this cable allows the firewall to sense a power loss
    of the peer unit, and to differentiate a power loss from an unplugged
    cable. The cable is a modified RS-232 serial link cable that transfers
    data at 117,760 bps (115 Kbps). One end is labeled "Primary" and attaches
    to the primary unit, while the other end is labeled "Secondary" and
    attaches to the secondary unit. If you purchased a PIX Firewall failover
    bundle, this cable is included. To order a spare, use part number PIX-FO.
    * Ethernet connection ("LAN-based failover"). You can use any unused
    Ethernet interface on the device. If the units are further than six feet
    apart, use this method. We recommend that you connect this link through a
    dedicated switch. You cannot use a crossover Ethernet cable to link the
    units directly.

    The disadvantages of using LAN-based failover include:

    o The PIX Firewall cannot immediately detect the loss of power
    of a peer, so the PIX Firewall takes longer to fail over in this case.
    o You need to configure the failover link on the standby unit
    before it can communicate with the active unit.

    In cable-based failover, the standby unit can communicate directly with
    the active unit, and can receive the entire configuration before enabling
    any interfaces or setting IP addresses.

    o The switch between the two units can be another point of
    hardware failure.
    o You have to dedicate an Ethernet interface (and switch ports)
    to the failover link, and the interface cannot be used for regular
    traffic.

    The benefits include:

    o Separation of the units by more than 6 feet.
    o Faster configuration replication.

    State Link

    For Stateful Failover, you must use an Ethernet link to pass state
    information. The PIX Firewall supports the following Ethernet interface
    settings for the state link:

    * Fast Ethernet (100BASE-T) full duplex
    * Gigabit Ethernet (GE) (1000BASE-T) full duplex
    Note: On a PIX 535 with GE interfaces, you must use a GE
    interface as the state link.

    We recommend that you use a crossover cable to directly connect the units.
    You can also use a switch between the units. No hosts or routers should be
    on this link.

    If the two units are more than six feet apart, you can use the same
    Ethernet state link as the failover link, but we recommend that you use a
    separate Ethernet link if available. If they are closer than 6 feet, we
    recommend that you use the serial failover cable as the failover link.
    Note: If you use the same link for both state and failover, you
    cannot use a crossover cable.

    --
    Jason Kau
    http://www.cnd.gatech.edu/~jkau
     
    Jason Kau, Feb 21, 2004
    #3
  4. David Smith

    David Smith Guest

    Thank you both for your input.

    I am confused by the Cisco guide (Using PIX Failover), chapter 10.

    On page 10-27, step 2:

    "If there are any interfaces that have not been configured in the
    non-failover setup, configure them at this time with an IP address and a
    failover IP address. Also leave the unused interfaces unconnected."

    On page 10-28, after step 6:

    "Note:
    PIX Firewall requires that unused interfaces be connected to the
    standby unit and that each unused interface be assigned an IP address.
    Even if an interface is administratively shut down, the PIX Firewall
    will try to send failover check-up messages to all internal
    interfaces."


    On Sat, 21 Feb 2004 05:52:26 +0000 (UTC), Jason Kau
    <> wrote:

    >mcaissie <> wrote:
    >>> 2) for stateful failover, we only need a crossover cable, not the
    >>> failover cable, right?
    >>
    >> No, you always need the failover cable.
    >
    >No you don't. Read the documentation:
    >
    >http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/failover.htm#23601
    >
    >[Jason Kau's post #3 quoted in full]
     
    David Smith, Feb 22, 2004
    #4
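The thread argues about three things at once: that a "wr mem" on the primary replicates the configuration to the secondary (mcaissie), that the failover link can be either the serial cable or a LAN interface and the state link is always a separate full-duplex Ethernet link (Jason Kau's quote of the 6.3 guide), and that unused interfaces still need an IP and a failover IP because the active unit sends hello messages on every interface (the chapter 10 note David quotes). The following PIX 6.3 configuration is an added illustration written for this page, not a configuration from any poster or from the Cisco guide. Interface names (stateful, unused, lanfo), the ethernet2/ethernet3 slots, all IP addresses and the failover key are constructed; the key is a placeholder. Lines starting with "!" are explanatory and are not PIX commands.

```cisco
! ===== Primary unit: cable-based failover plus a dedicated state link =====
! The serial failover cable (Primary end here, Secondary end on the peer)
! carries unit state, power status and config replication.
! State information goes over a separate Ethernet link run full duplex.
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 stateful security10
nameif ethernet3 unused security20

ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address stateful 192.168.254.1 255.255.255.0
ip address unused 192.168.253.1 255.255.255.0

! Standby addresses: the secondary unit uses these while it is standby.
! Hello messages are sent on every interface, so the otherwise-unused
! interface also gets an address and a failover address and is cabled to
! the secondary, as the 6.3 guide's chapter 10 note requires.
failover ip address outside 203.0.113.3
failover ip address inside 10.1.1.2
failover ip address stateful 192.168.254.2
failover ip address unused 192.168.253.2

! Nominate the state link (crossover cable straight to the peer's ethernet2).
failover link stateful
failover poll 15
failover

! Saving on the primary replicates the configuration over the serial cable;
! the secondary needs no configuration of its own in this mode.
write memory

! ===== Alternative: LAN-based failover (units more than six feet apart) =====
! Replaces the serial cable with a dedicated Ethernet interface through a
! switch (no crossover cable when the same link would also carry state).
! Primary additions, using the formerly unused ethernet3 as the failover link:
nameif ethernet3 lanfo security20
ip address lanfo 192.168.253.1 255.255.255.0
failover ip address lanfo 192.168.253.2
failover lan unit primary
failover lan interface lanfo
failover lan key FAILOVER-KEY-PLACEHOLDER
failover lan enable
failover
write memory

! Secondary bootstrap: unlike cable-based failover, the standby cannot
! receive the replicated configuration until its failover link is up,
! so this minimum must be typed on the secondary before "write memory".
! The same lanfo address is entered on both units; the secondary, being
! standby, takes the failover IP address.
interface ethernet3 100full
nameif ethernet3 lanfo security20
ip address lanfo 192.168.253.1 255.255.255.0
failover ip address lanfo 192.168.253.2
failover lan unit secondary
failover lan interface lanfo
failover lan key FAILOVER-KEY-PLACEHOLDER
failover lan enable
failover
write memory
```

The two halves show why the earlier replies disagree: with the serial cable nothing has to exist on the secondary, while with LAN-based failover the standby needs enough configuration to bring up its failover link first, and a crossover cable is only appropriate for the separate state link, not for a shared LAN failover link.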