PIX 515 E ( 2 Nos ) in Fail Over

Jan 7th, 2009

Hi,

I have the following PIX 515e firewalls at the Head Office.

1. The Active PIX 515E has 6.3(5) IOS, 16 MB Flash and 128 MB RAM with UR license with Failover.

2. The Standby PIX 515E has 6.3(5) IOS, 16 MB Flash and 128 RAM with FO License.

Now I have 48 small branches across the country, all of which connect to the Head Office through the IPSec tunnel.

Now my problem is Fail Over configuration.

I know two methods of configuring the Failover:

1. Cable Based Failover

2. LAN based failover.

My doubt is whether it is possible to have the Link State in Cable based Failover? If so, how to do it?

In LAN based it is o.k.: e0 interface for OUTSIDE, e1 for INSIDE, e2 for Link STATE and e3 for FAILOVER.

In either case, what is the IP address to be given for the OUTSIDE interface? If it is not the SAME IP ADDRESS then VPN client connectivity will be a problem if the PRIMARY (Active) firewall is down, because the VPN tunnels are established to the PUBLIC IP address of the PRIMARY firewall; if the Secondary (Standby) firewall's OUTSIDE interface does not have the same IP Address as the Primary then the VPN Client will not be able to connect through the VPN.

Please guide me to configure failover to meet my requirement, which is that all my VPN clients should be able to connect to the secondary firewall if the Primary firewall fails.

Please help me.

Best Regards,

sachinraja Wed, 01/07/2009 - 11:11

Hello Venkat

With cable based failover, you don't get the state information propagated between the firewalls. You need to do a stateful failover, by connecting the devices through a cross cable. Refer to the document I had given before. Here it is again:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml#statefulfailover

As said, the firewall will not replace the IP address when doing failover. It will swap the MAC and IP addresses between the active and failover devices, to maintain all the connectivity related to the failover box. VPN connections will still refer to the same IP address, as the failover unit will take over the IP address of the primary box after failure.

Hope this helps.. all the best..

Raj
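As an added illustration (not from this thread, and not Cisco's own documentation), here is what a PIX 6.3 LAN-based stateful failover configuration for the primary unit looks like with the interface layout from the question (e0 OUTSIDE, e1 INSIDE, e2 link state, e3 failover). All IP addresses and the failover key are constructed placeholders; the secondary unit carries the same commands except `failover lan unit secondary`.

```text
! PIX 6.3 primary unit, LAN-based stateful failover (constructed example)
! Interface roles follow the question: e0 outside, e1 inside, e2 state link, e3 failover link
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 state security20
nameif ethernet3 lanfo security10

! "ip address" is the shared (active) address that moves to whichever unit is active.
! "failover ip address" is the standby address, which stays with the standby unit.
! VPN peers and clients always point at the shared outside address, so it survives a failover.
ip address outside 203.0.113.2 255.255.255.248      ! placeholder public IP
failover ip address outside 203.0.113.3
ip address inside 10.10.0.1 255.255.255.0
failover ip address inside 10.10.0.2
ip address state 10.255.1.1 255.255.255.252          ! dedicated stateful link, crossover cable
failover ip address state 10.255.1.2
ip address lanfo 10.255.2.1 255.255.255.252          ! dedicated failover control link
failover ip address lanfo 10.255.2.2

! LAN-based failover control on e3, protected with a shared key (placeholder value)
failover lan unit primary
failover lan interface lanfo
failover lan key <SHARED-FAILOVER-KEY>
failover lan enable

! Stateful replication (connection and xlate tables) over e2
failover link state
failover poll 3
failover
```

After `write memory` on the primary, `show failover` should list both units with the standby reporting "Standby Ready"; if the stateful link shows no traffic, check that e2 on both boxes is up and directly cabled.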

Lavanholy Thu, 01/08/2009 - 21:20

Hi Raj,

Thank you very much. Really it helped me a lot.

Thanks and Regards,

S.Venkataraman

sachinraja Thu, 01/08/2009 - 21:24

No problem, Venkat. Let us know if you have any more queries..

all the best.. rate if useful..

Raj
