PIX 515E failover

Answered Question
Feb 27th, 2008

I have a pair of PIX 515E (6.3) running in failover mode. They are currently connecting to a single chassis core. We are upgrading our network with dual 6500s at the core. Is there a way to connect each PIX to a separate core (PIX 1 - Core1, PIX 2 - Core2) to allow for a core failure?


Core 1 and Core 2 will have a L2 link between them. If the current active PIX is connected to Core1, and Core 1 dies, this would not cause the failover PIX to take over. All LAN traffic would be going through Core 2, but since it does not have an active path to the active PIX 1, traffic would drop. Is my thinking correct?


Is there a way to connect the PIXes to dual cores running V6.3?


Correct Answer by massimiliano.se... about 9 years 3 months ago

Hi,

If you are using cable-based failover, you can change to LAN-based failover.

Read http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1024836

I hope this helps.

Best regards.

Massimiliano.

Overall Rating: 5 (2 ratings)
rmartinjr24 Thu, 02/28/2008 - 05:53

We are using cable based. I will look into the LAN based.


Thanks

rmartinjr24 Thu, 02/28/2008 - 11:37

When running LAN-based failover, I see the stateful link only needs two addresses, so I can use a /30 network.


Will the failover network ever need more than 2 addresses? I'm trying to determine which network to carve up for my failover since we are re-addressing as part of this upgrade.

Jean-Christophe... Thu, 02/28/2008 - 14:01

No.


And in fact you could use any network you want (1.1.1.0/30, 192.168.0.0/24...) as you will (should) never route traffic on that network.


Don't forget to trunk that VLAN between the two 6500s.
