Active/Active Failover Config on PIX-version 7.2

Unanswered Question
Apr 24th, 2007
I want to configure active/active on PIX 525 having version 7.2. Currently these 2 devices are configured without any failover mode.

I have 2 ISPs, isp1 & isp2. I want any outbound traffic to go via these 2 ISPs in a load balancing method, meaning the 1st packet will go via isp1 & the 2nd via isp2.

I believe there will be only 1 IP on these 2 devices configured in active/active mode. So how will the packet flow be done? The config of the firewall also needs to be discussed.

Can someone help me in this regard please?

opers13 Wed, 04/25/2007 - 02:14

For Active/Active, you must enable Security Context.

Do a "sh ver" and check your Security Context licenses...

mark.j.hodge Wed, 04/25/2007 - 02:23

Active/Active failover uses the security contexts so that both firewalls can be operational simultaneously. You need to ensure that you have the appropriate Failover and Context licenses on both devices.

In brief, during normal operation:

Firewall 1 is Active for Context A and Standby for Context B

Firewall 2 is Active for Context B and Standby for Context A

In case of failover, the surviving Firewall becomes Active for both Contexts.

Therefore each device needs to be connected identically to the appropriate LANs. Additionally you should have a dedicated interface for the stateful traffic.

Also, the contexts must be in routed mode, not transparent for failover to operate.
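The layout described in the post above, sketched as a system-execution-space configuration for the primary unit. This is an added illustration, not configuration from the thread or from Cisco's linked guide; the interface assignments, context names (ctxA, ctxB), file names, addresses and the key placeholder are all assumptions.

```cisco
! Both units must already be in multiple context mode ("mode multiple")
! and the contexts must be in routed mode.

! --- Failover link and dedicated stateful link (assumed Ethernet4/5) ---
failover lan unit primary
failover lan interface folink Ethernet4
failover link statelink Ethernet5
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
failover interface ip statelink 10.0.5.1 255.255.255.0 standby 10.0.5.11
! Shared secret protecting failover communication; placeholder value
failover key <FAILOVER-KEY-PLACEHOLDER>

! --- Group 1 prefers Firewall 1, group 2 prefers Firewall 2 ---
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt

! --- Context A is active on Firewall 1, Context B on Firewall 2 ---
admin-context ctxA
context ctxA
 allocate-interface Ethernet0
 allocate-interface Ethernet1
 config-url flash:/ctxA.cfg
 join-failover-group 1
context ctxB
 allocate-interface Ethernet2
 allocate-interface Ethernet3
 config-url flash:/ctxB.cfg
 join-failover-group 2

! Enable failover last, once the links and groups are defined
failover

! Inside each context, every interface carries an active and a standby
! address, for example in ctxA:
!   interface Ethernet0
!    nameif outside
!    security-level 0
!    ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2

! On the secondary unit only the failover link is configured by hand
! (same folink lines and key, with "failover lan unit secondary"),
! followed by "failover"; the rest replicates from the primary.
```

After both units are up, `show failover` on either unit lists each group with its active and standby state, which confirms that the contexts are split across the two firewalls as intended.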

acharyr123 Wed, 04/25/2007 - 05:31

Thanks Mark. That's really a good idea that you shared with me. Can you please help me with some config guide for the same, or some dummy config steps that I need to follow at the time of configuration?

mark.j.hodge Wed, 04/25/2007 - 05:49

First of all run "sh ver" on both devices, and ensure that everything is identical: hardware model, number of interfaces, failover licenses, encryption etc.

Cisco provide a basic active/active config here

** please rate posts if helpful **
