PIX failover and hello messages

Discussion in 'Cisco' started by kate0104, Nov 19, 2005.

  1. kate0104

    kate0104 Guest

    Does failover work if two PIX are connected via one or more routers
    (say on internal interfaces in high availability configurations for
    example) or is it mandatory to have layer 2 links between the two
    firewalls?

    Thank you
     
    kate0104, Nov 19, 2005
    #1

  2. :Does failover work if two PIX are connected via one or more routers
    :(say on internal interfaces in high availability configurations for
    :example) or is it mandatory to have layer 2 links between the two
    :firewalls?

    I never went very far into failover, so the following might be
    inaccurate.

    My recollection is that if you are using the network failover instead
    of the serial-cable failover, that it -must- be layer 2 links with
    no routing.

    It is possible that this changed in PIX 7.0; I don't have information
    on that point.
     
    Walter Roberson, Nov 19, 2005
    #2

  3. DigitalVinyl

    DigitalVinyl Guest

    Even though you assign IP addresses to the failovers (which might make
    you think they could withstand layer 3 routing), I think the timeout
    tolerances are VERY low (milliseconds, definitely <1 second). I found
    a dumb setup on a PIX where one side of the PIX backhauled through
    media converters to a switch in a different building. So the heartbeat
    had to hop through 2 media converters, ride fiber back to another
    building (a football field away), go through a switch, then ride fiber and
    2 more media converters back to the original building to get to the
    failover's twin interface. Every 20 to 40 seconds we had an interface
    failure, which recovered the next second (when it re-attempted). That
    was layer 2, but the delays were enough to cause a problem.

    DiGiTAL_ViNYL (no email)
     
    DigitalVinyl, Nov 19, 2005
    #3
  4. kate0104

    kate0104 Guest

    I'm asking this question because I saw some uncommented network
    diagrams where the two PIX seem to be in failover but each one has the
    internal interface connected to a different router.
     
    kate0104, Nov 19, 2005
    #4
  5. Kate,

    How the PIX failover works: You have two different IP addresses on the
    Active and Standby firewalls. But when a failover event happens, the PIX
    firewalls SWAP IP addresses, so the Standby firewall takes the IP addresses
    which were previously assigned to the Active firewall, and the other firewall
    takes the Standby IP addresses. And hosts which are using the firewalls do not
    see a difference. Theoretically the "stateful failover" interface may be in a
    different subnet, but there is no reason to put them that way, since all
    interfaces on the Active should have an L2 link to the corresponding interfaces
    on the Standby firewall.

    Mike
    www.ciscoheadsetadapter.com
     
    CiscoHeadsetAdapter.com, Nov 20, 2005
    #5
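To make the address swap and the same-subnet rule in Mike's description concrete, here is a LAN-based stateful failover configuration for the primary unit in PIX 6.3 syntax. It is an added example, not a configuration posted in this thread; the interface names, addresses and the failover key are assumptions.

```cisco
! Primary PIX, PIX 6.3 syntax. Added example; names, addresses and key are assumed.
! Each interface carries the Active address. "failover ip address" sets the Standby
! address, which must lie in the SAME subnet, i.e. on the same layer-2 segment.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 stateful security20
nameif ethernet3 lanfail security30
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address stateful 172.16.0.1 255.255.255.0
ip address lanfail 172.16.1.1 255.255.255.0
! Addresses the Standby unit uses while it is standby. On a failover event the
! units swap, so the new Active answers on the .1 addresses above.
failover ip address outside 192.0.2.2
failover ip address inside 10.1.1.2
failover ip address stateful 172.16.0.2
failover ip address lanfail 172.16.1.2
! Dedicated interface that replicates connection state to the Standby unit.
failover link stateful
! Optionally also replicate HTTP sessions (off by default).
failover replicate http
! LAN-based failover instead of the serial cable: hello traffic rides "lanfail".
failover lan unit primary
failover lan interface lanfail
failover lan key S3cretKey
failover lan enable
! Hello (poll) interval in whole seconds, range 3 to 15, default 15.
failover poll 3
failover
```

The standby address on every interface has to be in that interface's own subnet, which is the configuration-level form of the layer-2 requirement discussed above: a peer interface hanging off a different router would need a different subnet and could never take over the Active address. After both units are configured, `show failover` on each should report the peer as "Standby Ready" with every interface in "Normal" state; a peer whose hellos do not arrive within the poll interval shows up there as failed.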
  6. DigitalVinyl

    DigitalVinyl Guest

    Yeah, actually engaging the brain when thinking about it more, the two
    interfaces MUST be in the same VLAN.

    The diagram may have shown them connecting to a hybrid router/switch.
    Switches like the 4006 and 6500 are often both router and switch in a
    single chassis. They are one physical box, but the router resides on a
    blade installed in it. On a normal router you could configure two
    interfaces to bridge things. I'm not sure why they would go with that
    more complex setup.

    Our PIXes are distributed across two separate 6509's. Each 6509 is a
    router and a switch. However, the same VLAN is trunked across both
    units, so the interfaces do end up on the same VLAN. This setup
    provides redundancy.


    DiGiTAL_ViNYL (no email)
     
    DigitalVinyl, Nov 20, 2005
    #6
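The two-chassis layout described in the previous post, with one PIX interface on each 6509 and the VLAN trunked between them so both interfaces share a layer-2 segment, looks like this in IOS syntax. This is an added example rather than the poster's configuration; the VLAN number, port names and descriptions are assumptions.

```cisco
! 6509-A (IOS syntax). Added example; VLAN number and port names are assumed.
! The PIX "inside" interfaces must share one VLAN even though they attach to
! different chassis, so VLAN 100 is an access VLAN here and is carried over the
! inter-chassis trunk. The SVI is the routed inside next hop for both PIXes.
vlan 100
 name PIX-INSIDE
!
interface GigabitEthernet1/1
 description PIX-A inside (Active unit)
 switchport
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface GigabitEthernet1/48
 description trunk to 6509-B
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100
!
interface Vlan100
 description routed inside segment shared by both PIXes
 ip address 10.1.1.254 255.255.255.0
!
! 6509-B mirrors this: the same VLAN 100, its own access port for PIX-B inside,
! and the other end of the trunk, so PIX-B's inside interface sits on the same
! broadcast domain and can take over 10.1.1.1 on failover.
vlan 100
 name PIX-INSIDE
!
interface GigabitEthernet1/1
 description PIX-B inside (Standby unit)
 switchport
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface GigabitEthernet1/48
 description trunk to 6509-A
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100
```

Two checks are worth doing before trusting such a layout: `show interfaces trunk` on each chassis should list VLAN 100 as allowed and active on the trunk, and `show mac-address-table vlan 100` on 6509-A should learn PIX-B's inside MAC address through the trunk port. If the trunk link itself fails, both PIXes see their peer's hellos stop on that interface, so a single inter-chassis trunk is a weaker design than a channel of two links.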
  7. kate0104

    kate0104 Guest

    That's what I was thinking too, or maybe that particular diagram was
    simply wrong. I've always been used to seeing pairs of firewalls
    connected through plain switches or L3 switches. Thank you.
     
    kate0104, Nov 20, 2005
    #7