CSS Failover issue

Unanswered Question
Sep 13th, 2010
Hi All,

We are planning to use two CSS 11506 devices in the box-to-box redundancy method as per our design requirement.

We suspect that the failover does not work if the primary load balancer fails and the active PIX firewall is still up, as the PIX fails to update on the gratuitous ARP because of its security parameter.

Kindly suggest if any other method is possible to achieve 100% redundancy in an active-standby failover design.

Gilles Dufour (Cisco Employee) Mon, 09/13/2010 - 23:40

Box-to-box is the least interesting solution.

Better go for interface/VIP redundancy.

This method allows you to configure stateful redundancy with an ISC link.

Failovers are faster.

More complicated to configure, but you get better control.

Also, if you connect the PIX/firewall directly into the CSS, you indeed have a problem if one CSS fails but not the PIX.

You need to add a switch between the CSS and the firewall.

Or find a way to connect each firewall to each CSS.


sudhir.rai Tue, 09/14/2010 - 00:32

Please refer to the attached document. Between the firewalls and the CSS we have 2 switches, but we still suspect whether

failover will happen if the CSS fails and the primary PIX is still up if we go for box-to-box redundancy.

Gilles Dufour (Cisco Employee) Tue, 09/14/2010 - 01:07

You need to interconnect the switches:

    PIX-1                   PIX-2
      |                       |
      |                       |
    Switch-1 -------------- Switch-2
      |                       |
      |                       |
    CSS-1 ----------------- CSS-2

Like this, you can have PIX-1 active with CSS-2 active.

Traffic will go from CSS-2 to Switch-2 to Switch-1 to PIX-1.


sudhir.rai Tue, 09/14/2010 - 02:36

Thanks for your reply.

The switches are already interconnected (sorry for the wrong diagram).

But my concern is: when we configure redundancy of the CSS in VRRP mode, in case CSS-1 fails and CSS-2 becomes active, its VIP will be the same but with a different MAC address (that of CSS-2).

In the above case, when the traffic moves from CSS-2 to PIX-1 (active via the interconnected switches), the PIX already has the same IP (the VIP) with a different MAC address (that of CSS-1). In this case the PIX will deny the gratuitous ARP until it clears its ARP cache, which is 4 hours by default. Also we cannot reduce this time, as this will affect performance.

Please revert if something is missing from my side.

Looking forward to a suggestion or any other method from you.

Gilles Dufour (Cisco Employee) Tue, 09/14/2010 - 04:18

The CSS will use the same MAC address for the VIP when they are in redundant mode.

So the PIX will continue using the same MAC.

The CSS that becomes primary will send a G-ARP so that the switch learns the new path to the owner of the virtual MAC address.

So this is covered.

No worries there.
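As an added example (not from the original thread, and not Cisco code), the following Python model contrasts the two cases argued above: a VIP that changes MAC address on failover, against a VIP that keeps one shared virtual MAC while the new master sends a gratuitous ARP. The firewall is modelled exactly as the poster describes it, refusing to overwrite an existing ARP entry on an unsolicited ARP until the entry expires after 4 hours; the switch is a plain MAC-learning bridge. The VIP, MAC addresses and port names are constructed for illustration, and the firewall behaviour is the poster's description, not verified PIX behaviour.

```python
"""Model of VIP failover through a MAC-learning switch toward a firewall whose
ARP cache never lets a gratuitous ARP overwrite an existing, unexpired entry.

Everything here (VIP, MACs, port names, timers) is constructed for the example.
"""
from dataclasses import dataclass, field

VIP = "10.0.0.10"                 # constructed VIP shared by CSS-1 and CSS-2
ARP_TIMEOUT_S = 4 * 3600          # the 4-hour default quoted in the thread


@dataclass
class Switch:
    """Plain layer-2 bridge: learns source MAC -> ingress port from any frame."""
    cam: dict = field(default_factory=dict)

    def learn(self, src_mac: str, port: str) -> None:
        self.cam[src_mac] = port

    def port_for(self, dst_mac: str):
        return self.cam.get(dst_mac)  # None would mean flood; not needed here


@dataclass
class Firewall:
    """ARP cache as described by the poster: a gratuitous ARP is accepted only
    for an IP not already in the cache; existing entries live until timeout."""
    arp: dict = field(default_factory=dict)  # ip -> [mac, age_seconds]

    def on_gratuitous_arp(self, ip: str, mac: str) -> bool:
        if ip in self.arp:
            return False                      # rejected: unexpired entry exists
        self.arp[ip] = [mac, 0]
        return True

    def age(self, seconds: int) -> None:
        for ip in list(self.arp):
            self.arp[ip][1] += seconds
            if self.arp[ip][1] >= ARP_TIMEOUT_S:
                del self.arp[ip]              # expired; next packet re-ARPs


@dataclass
class CSS:
    name: str
    port: str      # switch port the box is attached to
    mac: str       # MAC it answers for the VIP with
    alive: bool = True


def send_garp(css: CSS, sw: Switch, fw: Firewall) -> None:
    """New master announces the VIP: the switch learns the path, the firewall
    may or may not update its cache."""
    sw.learn(css.mac, css.port)
    fw.on_gratuitous_arp(VIP, css.mac)


def vip_reachable(fw: Firewall, sw: Switch, boxes: list) -> bool:
    """Would a packet from the firewall to the VIP land on a live CSS?"""
    if VIP not in fw.arp:
        # No entry: the firewall ARPs and only the live owner answers.
        owner = next(b for b in boxes if b.alive)
        sw.learn(owner.mac, owner.port)
        fw.arp[VIP] = [owner.mac, 0]
    mac = fw.arp[VIP][0]
    port = sw.port_for(mac)
    return any(b.alive and b.port == port and b.mac == mac for b in boxes)


def simulate(shared_virtual_mac: bool) -> dict:
    """Run CSS-1 master -> CSS-1 dies -> CSS-2 master, then age the ARP cache."""
    sw, fw = Switch(), Firewall()
    mac1 = "00:00:5e:00:01:0a"                                  # constructed
    mac2 = mac1 if shared_virtual_mac else "00:05:9a:22:22:22"  # constructed
    css1 = CSS("CSS-1", "Gi1/1", mac1)
    css2 = CSS("CSS-2", "Gi1/2", mac2)
    boxes = [css1, css2]

    send_garp(css1, sw, fw)           # normal operation, firewall caches VIP->mac1
    css1.alive = False                # primary load balancer fails
    send_garp(css2, sw, fw)           # CSS-2 takes over and sends its G-ARP
    blackholed = not vip_reachable(fw, sw, boxes)

    fw.age(ARP_TIMEOUT_S)             # wait out the 4-hour ARP timeout
    recovered = vip_reachable(fw, sw, boxes)
    return {"blackholed_on_failover": blackholed,
            "recovered_after_arp_timeout": recovered}


if __name__ == "__main__":
    print("per-box MAC      :", simulate(shared_virtual_mac=False))
    print("shared virtual MAC:", simulate(shared_virtual_mac=True))
```

With per-box MACs the firewall keeps pointing at CSS-1's MAC, the switch still maps that MAC to the dead box's port, and the VIP is black-holed until the cache entry ages out. With a shared virtual MAC the firewall's cached entry never needs to change; the gratuitous ARP only has to move the switch's CAM entry to CSS-2's port, which a learning bridge does on any frame. The check a practitioner should make on the real gear is therefore whether both CSS boxes really present the same VIP MAC (compare the ARP entry on the firewall before and after a forced failover) rather than tuning the firewall's ARP timeout.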
