Pix Failover Scenario - What happens?

Jun 1st, 2007
Here is the layout. Two layer 2 switches connected on vlan 2. Each switch has one of a failover pair of PIXes running 6.3(4) attached on vlan 2. This is the outside interface of the PIX. There are also an inside and a dmz on each PIX, but each PIX is attached to the same switch on each of these interfaces. We are using a serial failover cable between the PIXes.

Now what happens if the connection between the outside switches goes down but the PIX interface to each switch is up? The failover "hello" for the vlan 2 interfaces does not get delivered, but all other interfaces are fine. Each actual interface on the PIX in vlan 2 is "ok"; they just cannot communicate with each other. Each PIX will test its interface and find it functional. So will they just stay in the same state, that is, active will stay active, or will the standby try to become active?


jogillis

didyap Thu, 06/07/2007 - 13:13

This looks like it could be a problem on the switches, possibly an ARP-related issue.

Also take a look at the ARP/CAM entries for both Pixes on the switches to make sure they are correct.

Also check switch spanning tree configuration.


Try this Link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008045247e.html#wp1047043



Fernando_Meza Thu, 06/07/2007 - 15:52

Hi .. failover takes place after several tests .. the failover not only checks physical state but also reachability between the interfaces that belong to the pair. So in your scenario .. the interfaces might still be UP; however, if they can't ping each other .. then the failover will take over.


Below are the tests performed before the failover takes place:


Failover uses the following tests to check the status of the units for failure:

■ Link up/down test: If an interface card has a bad network cable or a bad port, is administratively shut down, or is connected to a failed switch, it is considered failed.

■ Network activity test: The unit counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.

■ Address Resolution Protocol test: The unit's ARP cache is evaluated for the ten most recently acquired entries. One at a time, the PIX Firewall sends ARP requests to these machines, attempting to stimulate network traffic. After each request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the ping test begins.

■ Ping test: A broadcast ping request is sent out. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, failover takes place.


I hope it helps .. please rate it if it does!!!
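The four interface tests quoted above, as an added simulation that is not Cisco code and not from anyone in this thread: the test order, the 5-second windows and the ten-entry ARP list follow the quoted text, while the Interface model, the 192.0.2.x hosts and the packet counts are constructed inputs; demo() reports which test decides each case.

```python
from dataclasses import dataclass, field
from typing import Callable, List

@dataclass
class Interface:  # constructed model of one monitored interface, not PIX internals
    name: str
    link_up: bool
    idle_rx: int                          # packets seen in a quiet 5-second window
    arp_cache: List[str]                  # IPs, most recently acquired first
    answers_arp: Callable[[str], bool]    # does this host reply to a unicast ARP?
    answers_broadcast_ping: bool
    log: List[str] = field(default_factory=list)

def run_failover_tests(intf: Interface):
    """Four tests in the guide's order; returns (operational, deciding_test)."""
    # 1. Link up/down test: bad cable, bad port, shutdown or failed switch.
    if not intf.link_up:
        intf.log.append("link test: down -> failed")
        return False, "link"
    # 2. Network activity test: any packet within up to 5 s means operational.
    if intf.idle_rx > 0:
        intf.log.append(f"activity test: {intf.idle_rx} packets -> operational")
        return True, "activity"
    # 3. ARP test: poll the ten most recent ARP cache entries, one at a time.
    for host in intf.arp_cache[:10]:
        if intf.answers_arp(host):
            intf.log.append(f"arp test: traffic after ARP to {host} -> operational")
            return True, "arp"
    # 4. Ping test: broadcast ping; silence here means failover takes place.
    if intf.answers_broadcast_ping:
        intf.log.append("ping test: traffic received -> operational")
        return True, "ping"
    intf.log.append("ping test: no traffic -> failed, failover takes place")
    return False, "ping"

def demo():
    """Four constructed outside-interface conditions; returns which test decided each."""
    cases = [
        Interface("busy segment", True, 42, ["192.0.2.10"], lambda h: True, True),
        Interface("quiet segment", True, 0, ["192.0.2.20", "192.0.2.10"],
                  lambda h: h == "192.0.2.10", False),   # only one host still answers
        Interface("dead segment", True, 0, ["192.0.2.20"], lambda h: False, False),
        Interface("cable pulled", False, 0, [], lambda h: False, False),
    ]
    return {c.name: run_failover_tests(c) for c in cases}

if __name__ == "__main__":
    for name, (ok, test) in demo().items():
        print(f"{name:14s} operational={ok} decided_by={test}")
```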


