PIX525: redundacy connection

izani
Level 1

We have 2 units of PIX525 that have been configured as a stateful redundancy firewall pair. The active unit is connected to Cat-6513-A and the standby unit is connected to Cat-6513-B, and both are connected to the same VLAN.

We have had a few occasions where the Sup-2 of Cat-6513-A (where the active FW is connected) changed to ROMMON state for an unknown reason. The problem is that the active FW does not fail over when this happens, because the Fast Ethernet module is up, and this brings the whole network down.

My technical manager would like to add an additional NIC to the firewalls so that each FW has a connection to both Cat-6513-A and Cat-6513-B. In other words, he thought that when the Sup2 of Cat-6513-A is down, the active firewall should know how to route the traffic via the interface connected to Cat-6513-B.

My questions are:

1. Does anybody have this type of setup? Should I connect the new NIC to the same VLAN as the old one, or should I connect it to a new VLAN? How do you handle the routing? Note that the existing interface connected to Cat-6513 is the 'outside' interface and this is the default gateway for the FW.

2. If this is not the correct solution, how is this problem normally handled?

TIA

--hrl


jbayuka
Level 5

Provisioning one more NIC on the firewall is not going to help you. I just tested in my lab setup the behaviour of the Cat6K when it is in ROMMON mode and I found that it brings down the link. So this failure should be sensed by the firewall. In your case it looks like the Cat6K is misbehaving and bringing down the Ethernet link when it is in ROMMON.

I would suggest that you troubleshoot the problem with your Cat6K rather than providing a fix in the firewall design. Just my thoughts. There might be a better solution to this problem. Can someone help?
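Editor's note, not part of either post above: the failover decision on a PIX 6.x pair does not rest on Ethernet link state alone. Each unit sends hello packets out every monitored interface at the `failover poll` interval; when it misses hellos from its peer for two consecutive intervals it runs the interface tests (Link Up/Down, Network Activity, ARP, Broadcast Ping) on that interface and marks it failed if none of them shows traffic. Failover happens when the active unit ends up with more failed interfaces than the standby. The fragment below is an added example of a stateful failover pair in the shape the original poster describes, with one interface on each unit reaching the core switch. All interface names, addresses and the 3-second poll value are hypothetical and are not from the original thread.

```text
! Added example: PIX 6.x stateful failover pair (hypothetical addresses)
! Entered on the primary unit; the secondary receives the configuration
! over the serial failover cable.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 stateful security20

ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address stateful 172.16.1.1 255.255.255.0

! Standby addresses: the standby unit answers on these and sources its
! hellos from them, so every monitored interface is probed end to end.
failover ip address outside 192.0.2.2
failover ip address inside 10.1.1.2
failover ip address stateful 172.16.1.2

! Dedicated interface that carries connection-state replication.
failover link stateful

! Hello interval in seconds (range 3-15, default 15). Interface tests begin
! after two missed hellos, so 3 s gives roughly 6 s before a decision.
failover poll 3

! Enable failover on the pair.
failover
```

After the switch incident in the thread, `show failover` on both units is the check to run: it lists each monitored interface as Normal, Waiting, Failed or Link Down, and a core switch that keeps the line-card link up while its supervisor is in ROMMON should show up as an outside interface that passed the link test but failed the activity tests.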