LAN-Based failover and Intermittent Connectivity loss issues

Mar 22nd, 2007

Have 2 PIX535s each at remote sites configured for LAN-based failover. There is a VLAN ("abc") designed for failover, but in that same VLAN are servers.

My setup is as follows:

PIX535 connects to a DMZ switch using 4 connections: the Inside intf & 3 other intfs.

On that same DMZ switch connects my core switch on the inside network. The core switch is the Root Bridge for the said VLAN ("abc"). It trunks this VLAN, along with others, to the DMZ switch.

On that same DMZ switch are a number of servers that are in this vlan ("abc").

When I configure one of the PIX interfaces to be in this same VLAN and use it for LAN-based failover, I get intermittent loss of connectivity to different servers at different times. It's never any one particular server.

When I use another PIX interface, still connecting to this same DMZ switch but in another VLAN ("xyz"), for LAN-based failover, I don't get any problems.

This other PIX interface is also being used for State failover. The idea is to have two separate interfaces, one each for LAN-based & State failover.

What could be the possible cause of this intermittent loss of connectivity to the servers in VLAN "abc" when I switch LAN-based failover to the PIX interface that connects to a VLAN "abc" port on the DMZ switch?


For LAN-based failover the ports MUST be dedicated for this purpose only. They must be configured as full duplex, and if I remember correctly, you must have a switch in between the two PIX systems. Not so with an ASA: you can have a crossover, although I would not recommend this. That is for another discussion.

I suspect the traffic is stopping the keepalives, and if it is probably bursty traffic, this will happen.

Hope this helps.

(I await the flames of those who will correct me) :-)
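For reference, here is what a configuration that follows the advice above looks like: the LAN-based failover link and the stateful failover link each on their own dedicated PIX interface, hard-set to full duplex, in VLANs that carry nothing else. This is an added example and is not configuration from either poster; it assumes PIX 7.x failover syntax (PIX 6.x uses different `failover lan ...` commands), and the hostname, interface numbers, VLAN-less addressing and key are constructed placeholders.

```cisco
! Added example (not from this thread). Assumes PIX 7.x syntax.
! Interface names, IP addresses and the failover key are placeholders.
hostname pix-primary
!
! Dedicated LAN-based failover link: no servers or other hosts share this
! interface or the VLAN its switch port belongs to.
interface GigabitEthernet2
 description LAN-based failover link (dedicated, full duplex)
 speed 1000
 duplex full
 no shutdown
!
! Separate dedicated link for stateful failover, as described in the question.
interface GigabitEthernet3
 description Stateful failover link (dedicated, full duplex)
 speed 1000
 duplex full
 no shutdown
!
failover lan unit primary
failover lan interface folink GigabitEthernet2
failover link stlink GigabitEthernet3
failover key ReplaceWithSharedSecret
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover interface ip stlink 192.168.253.1 255.255.255.252 standby 192.168.253.2
! Hello interval and hold time for the unit keepalives (seconds).
failover polltime unit 1 holdtime 3
failover polltime interface 5
! Enable failover last, once both links are up.
failover
```

On the switch side the same principle applies: the ports facing `GigabitEthernet2` and `GigabitEthernet3` on both units should be access ports in VLANs that exist only for failover, so no server traffic ever competes with the hello packets on those links.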

marksenteza Thu, 03/22/2007 - 10:18

The PIX intf connects to an access port on the switch participating in that VLAN. There are a couple of switches in between the 2 PIXes, and they all trunk the VLAN that the PIX failover intf is in, and also the one that the servers are in. Full duplex is configured, as is portfast.
