
PIX/ASA Failover ques

swapnendum
Level 1

Can I use the same name/IP address for the LAN and stateful link?

Below is the config. PIX accepts this config; I just wanted to confirm if it'll work fine this way.

failover lan interface LAN-AND-STATE Ethernet2

failover link LAN-AND-STATE Ethernet2

failover interface ip LAN-AND-STATE 10.10.10.1 255.255.255.252 standby 10.10.10.2

Also, if I use the same physical interface and assign 2 different sets of names and different sets of IPs, is this fine?

e.g.

failover lan interface LAN Ethernet2

failover link STATE Ethernet2

failover interface ip LAN 10.1.1.1 255.255.255.252 standby 10.1.1.2

failover interface ip STATE 10.2.2.1 255.255.255.252 standby 10.2.2.2

Any comments, guys?

3 Replies

mark.j.hodge
Level 3

What version of software are you running?

You can do it in PIX V6, but the recommendation is against it. In V7 it is not supported at all; from the Release notes:

If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.2(2) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.2(2) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.

http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn722.html

** Please rate post if helpful **

I'm using 7.2(2)

Just to clarify your reply, I'm not sharing the STATEFUL interface with any regular traffic interface; rather, I'm sharing it with the LAN Failover interface, and PIX is accepting my commands.

So is this acceptable?

Sorry, my misunderstanding; by LAN I thought you meant inside LAN.

Yes, you can use the same interface for the stateful and failover link. Cisco have an example of this here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

If possible, I would recommend using cable-based failover. If this is not possible due to physical limits, remember the failover link must go through a switch or hub; it cannot be a crossover cable.

** Please rate posts if helpful **
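
A pre-upgrade check for the two cases discussed in this thread, as an added example that is not from any poster or from Cisco: it reads a 7.x-style configuration and reports whether the Stateful Failover link reuses a regular-traffic interface (the case the quoted release notes warn about) or only the LAN failover interface. The sample configurations, function names and result labels are constructed for illustration.

```python
import re

# Constructed sample configs (not taken from any real device), 7.x-style syntax.
SHARED_WITH_LAN = """\
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Ethernet2
 description LAN/STATE Failover Interface
failover lan interface LAN-AND-STATE Ethernet2
failover link LAN-AND-STATE Ethernet2
failover interface ip LAN-AND-STATE 10.10.10.1 255.255.255.252 standby 10.10.10.2
"""

SHARED_WITH_TRAFFIC = """\
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
failover lan interface LAN Ethernet2
failover link inside
"""

def parse(config):
    """Return ({nameif: physical port}, {'lan'|'link': (name, physical or None)})."""
    data_ifs, fo, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"nameif (\S+)$", line)) and raw[:1].isspace() and current:
            data_ifs[m.group(1)] = current      # interface carries regular traffic
        elif m := re.match(r"failover lan interface (\S+) (\S+)$", line):
            fo["lan"] = (m.group(1), m.group(2))
        elif m := re.match(r"failover link (\S+)(?: (\S+))?$", line):
            fo["link"] = (m.group(1), m.group(2))
    return data_ifs, fo

def check_stateful_link(config):
    """Classify how the Stateful Failover link is attached (labels are hypothetical)."""
    data_ifs, fo = parse(config)
    if "link" not in fo:
        return "no-stateful-link"
    name, phys = fo["link"]
    # Link reuses a regular-traffic interface, by nameif or by physical port.
    if name in data_ifs or (phys and phys in data_ifs.values()):
        return "shared-with-traffic"
    lan = fo.get("lan")
    if lan and (name == lan[0] or (phys and phys == lan[1])):
        return "shared-with-lan-failover"
    return "dedicated"
```

A result of `shared-with-traffic` is the configuration to correct before upgrading to 7.2(2), per the release notes quoted above.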
