Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
481
Views
0
Helpful
3
Replies

LAN-Based failover and Intermittent Connectivity loss issues

zeu7
Level 1
Level 1

‎03-22-2007 08:29 AM - edited ‎03-11-2019 02:50 AM

Have 2 PIX535s each at remote sites configured for LAN-based failover. There is a VLAN("abc")designed for failover, but in that same VLAN are servers.

My setup is as follows:

PIX535 connects to a DMZ switch using 4 connections: the Inside intf & 3 other intfs.

On that same DMZ switch connects my core switch on the inside network. The core switch is the Root Bridge for the said VLAN ("abc"). It trunks this VLAN, along with others, to the DMZ switch.

On that same DMZ switch are a number of servers that are in this vlan ("abc").

When I configure one of the PIX interfaces to be in this same VLAN and be used for LAN-based failover I get intermittently lose of connectivity to different servers at different times. Its never any one particular server.

When I use another PIX interface, still connecting to this same DMZ switch, but in another VLAN ("xyz"), for LAN-based failover, I dont get any problems.

This other PIX interface is also being used for State failover. The idea is to have two separate interfaces, one each for LAN-based & State failover.

What could be the possible cause of this intermittent loss of connectivity to the servers in VLAN "abc" when I switch LAN-based failover to the PIX interface that connects to a VLAN "abc" port on the DMZ switch.

Labels:
0 Helpful
3 Replies 3

ashleyw
Level 1
Level 1

‎03-22-2007 10:07 AM

For LAN based failover the ports MUST be dedicated for this purpose only. They must be configured as full duplex, and if I remeber correctly, you must have a switch in between the two pix systems. Not so with an ASA, you can have cross over, although I would not recommend this. That is for another discussion.

I suspect the traffic is stopping the keepalives, and if it is probably bursty traffic, this will happen.

Hope this helps.

(I await the flames of those who will correct me) :-)

0 Helpful

zeu7
Level 1
Level 1
In response to ashleyw

‎03-22-2007 10:18 AM

The PIX intf connects to an access port on the switch participating in that VLAN. There is a couple of switches in between the 2 PIXs, and they all trunk that VLAN that the PIX failover intf is in. And also the one that the servers are in. Full duplex is configured, as is portfast

0 Helpful

ashleyw
Level 1
Level 1
In response to zeu7

‎03-22-2007 11:00 AM

OK, but you must have the LAN failover dedicated, i.e. no other VLAN traffic.

If you are on version 7, try a crossover, if V6.xx, then you need a switch in the middle.

The ports on the switch and the PIX must match, 100Mbps F/D, or whatever speed you are running.

Kind regards

Ash.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card