Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
510
Views
0
Helpful
3
Replies

Pix Transparent mode: standby unit

matt.walls
Level 1
Level 1

‎04-15-2010 04:56 PM - edited ‎03-11-2019 10:33 AM

I have a failover pair that are running in transparent mode.  the problem that we are experiencing is that the upstream router (connected to the outside interfaces) are selecting the mac of inside interface.  this causes communication, as we use ssh to monitor the health of the standby unit by ssh'ing into it.

Labels:
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎04-16-2010 02:50 AM

Not sure how the router is getting the mac address of the inside.

How is your router connected to the PIX outside interface? ie: can you double check that it is connected to the switchport that has been assigned the same vlan as the PIX outside interface? If you "clear arp" on the router, does it dynamically learn the inside mac address of the PIX? Are you connecting the PIX inside and outside interfaces to the same switch? Can you also confirm if there is no SVI configured at all for the PIX inside vlan.

0 Helpful

matt.walls
Level 1
Level 1
In response to Jennifer Halim

‎04-16-2010 03:13 AM

I was told by tac that this is normal behavior of firewall.  it just takes random interface mac for the management ip.

and that this is also normal, because customers are only interested in managing active firewall... not activly managing standby firewall.

this is not the case for us, as we monitor the health of both firewalls.

so, trying to get creative to solve this issue...

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to matt.walls

‎04-16-2010 07:20 AM

I don't think the statement "it just takes random interface mac for the management ip" is correct at all.

You are hitting this bugID: CSCsh33290:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh33290

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card