Regarding PIX Failover

palsukh2002 · ‎12-28-2008

1. How the standby unit will detect failover in following two cases(if the actual primary unit has been powered Off due to some

reason ):

1. If we are using a crossover cable to connect the active and standby units

2. If we are connecting active and standby units using a switch

I am asking this is because the standby unit will send the heartbeat to check whether the active unit is up or not and if the standby unit did not receive the answer from primary unit in time then the failover will take place

but if the active unit got powered off then it means the Sync port(used for heartbeat) is also down on primary side

Then how the standby unit will detect whether the active is down because the sync connectivity is lost(because one end of

the sync cable is off at primary side) and standby will not be able to send the heartbeat to check .The failover will

take place when the standby will send the heartbeat and will not get the reply..but here the standby is not even able

to send the heartbeat because to send the heartbeat the other end of the cable should be active.

2. It is mentioned that the MAC exchange will happen between Primary and secondary when failover take place.

How that is possible..Because MAC address is always bind to the ethernet card on the device and it will never change,

IP addresses can interchange in case of Failover.

3.Whether the IKE and IPsec SAs will also get synced in stateful connections.I mean if the primary unit fails then the VPN SAs will also get transferred to standby unit and if yes whether the running VPN connections on active will be maintained on the standby unit.

Collin Clark · ‎12-29-2008

1. The standby will fail over even if the link is down (back-to-back).

2. It uses a virtual MAC, like HSRP does.

3. You will have to configure stateful fail-over to transfer the sessions.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef

Hope that helps.

palsukh2002 · ‎12-29-2008

Thanks

1. But when the Primary sync port is off(primary PIX is powered off) , how the standby will detect that primary has failed.

2. OK i understand that Virtual MAC is used.But whether the IP addresses of the primary and standby will also get interchanged when the failover occurs OR only the virtual MAC address will get binded to the standby machine--Because we normally configure the routing such that the packet reaching the PIX firewall (internal interface) should hit the IP address of Primary PIX FW and if the IP addresses will not get interchanged then the packet may not get in the Firewall.

3. Yes I understand that we have to configure stateful feature in the Firewall,but I read somewhere that PIX will not support the IPSec SAs to continue to work in case failover happens.May be whatever I read is an old document.I want to know that what are the connections which will not get transferred to standby unit in case of stateful failover.

Collin Clark · ‎12-30-2008

1. The heartbeats will fail. The interface may be down but it will still try and send the heartbeat.

2. The IP address moves as well.

3. Check the link I provided, it lists everything that is replicated.

palsukh2002 · ‎12-30-2008

OK Thanks

But now if suppose the Failover cable between Primary and standy has gone bad but actually the primary unit is still active..then whether standby will take over OR will the both units become active in this case.

And whether the standby wil automatically try to send Heartbeat via some other interfaces(may be internal interface treating it as secondary sync interface) to confirm whether it is problem with the primary sync interface or the primary unit OR we have to always define the secondary sync interface.

3. Regarding the stateful failover it is mentioned in the link(which you provided) that "The routing tables" will not get statefully transferred to Standby unit.But if the routing table is not transferred then how the connections will continue because routing is required for most of the connections happening from source to destinatiion through Firewall.If Routing table is not transferred then even all those connection should fail in case stateful failover take place.

Sorry for asking too many questions