Pix Failover Scenario - What happens?

Unanswered Question
Jun 1st, 2007

Here is the layout. Two layer 2 switches connected on vlan 2. Each switch has one of a failover pair of pix running 6.3(4) attached on vlan 2. This is the outside interface of the pix. There are also an inside and a dmz on each pix, but each pix is attached to the same switch on each of these interfaces. We are using a serial failover cable between the Pixes.

Now what happens if the connection between the outside switches goes down but the pix interface to each switch is up? The failover "hello" for the vlan 2 interfaces does not get delivered, but all other interfaces are fine. Each actual interface on the Pix in vlan 2 is "ok"; they just cannot communicate with each other. Each Pix will test its interface and find it functional. So will they just stay in the same state, that is, will active stay active, or will the standby try to become active?

jogillis

Fernando_Meza Thu, 06/07/2007 - 15:52

Hi .. failover takes place after several tests .. the failover not only checks physical state but also reachability between the interfaces that belong to the pair. So in your scenario .. the interfaces might still be UP; however, if they can't ping each other .. then the failover will take over.

Below are the tests performed before the failover takes place.

Failover uses the following tests to check the status of the units for failure:

■ Link up/down test: If an interface card has a bad network cable or a bad port, is administratively shut down, or is connected to a failed switch, it is considered failed.

■ Network activity test: The unit counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.

■ Address Resolution Protocol test: The unit's ARP cache is evaluated for the ten most recently acquired entries. One at a time, the PIX Firewall sends ARP requests to these machines, attempting to stimulate network traffic. After each request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the ping test begins.

■ Ping test: A broadcast ping request is sent out. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, failover takes place.

I hope it helps .. please rate it if it does !!!
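The four-step test ladder above, as an added model of the decision logic (constructed for this thread, not Cisco code; the interface snapshots, addresses and the assumption that the isolated vlan 2 interface hears no traffic and gets no ARP or ping answer are all made up for the illustration):

```python
from dataclasses import dataclass, field

@dataclass
class Interface:
    """Constructed snapshot of one PIX interface during a test cycle."""
    name: str
    link_up: bool
    rx_packets: int                                   # packets seen in the 5 s count
    arp_cache: list = field(default_factory=list)     # most recent ARP entries first
    responders: set = field(default_factory=set)      # hosts that would answer ARP/ping

def run_interface_tests(iface):
    """Apply the four tests in the documented order.

    Returns (status, deciding_test). Testing stops at the first test that
    proves the interface operational; it is 'failed' only if all four stay silent.
    """
    # 1. Link up/down test
    if not iface.link_up:
        return "failed", "link"
    # 2. Network activity test: any packet received within 5 s is enough
    if iface.rx_packets > 0:
        return "ok", "network activity"
    # 3. ARP test: poll the ten most recent cache entries one at a time
    for host in iface.arp_cache[:10]:
        if host in iface.responders:
            return "ok", f"arp:{host}"
    # 4. Ping test: broadcast ping, any reply counts
    if iface.responders:
        return "ok", "ping"
    return "failed", "ping"

def unit_decision(interfaces):
    """A unit with an interface that fails every test is a failover candidate."""
    results = {i.name: run_interface_tests(i) for i in interfaces}
    failed = sorted(n for n, (s, _) in results.items() if s == "failed")
    return {"failover": bool(failed), "failed_interfaces": failed, "results": results}

# Constructed version of the question's scenario: outside (vlan 2) is physically up
# but, with the inter-switch link gone, hears nothing and no ARP/ping target answers;
# inside still sees traffic and dmz is proven by an ARP reply.
SCENARIO = [
    Interface("outside", link_up=True, rx_packets=0,
              arp_cache=["203.0.113.1", "203.0.113.2"], responders=set()),
    Interface("inside", link_up=True, rx_packets=42),
    Interface("dmz", link_up=True, rx_packets=0, arp_cache=["192.0.2.10"],
              responders={"192.0.2.10"}),
]

if __name__ == "__main__":
    print(unit_decision(SCENARIO))
```

Swapping in a responder for the outside interface shows the ladder stopping early at the ARP or ping step, which is the case where the link stays "ok" even though the two units cannot hear each other's hellos.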
