CSS Failover issue

sudhir.rai
Level 1

Hi All,

We are planning to use two CSS 11506 devices in the Box-Box redundancy method as per our design requirement.

We suspect that the failover does not work if the primary load balancer fails and the active PIX firewall is still up, as the PIX fails to update on the gratuitous ARP because of its security parameters.

Kindly suggest if any other method is possible to achieve 100% redundancy in an active-standby failover design.

5 Replies

Gilles Dufour
Cisco Employee

box-to-box is the least interesting solution.

Better go for interface/vip redundancy.

This method can allow you to configure stateful redundancy with an ISC link.

Failover is faster.

More complicated to configure, but you get better control.

Also, if you connect the PIX/firewall directly to the CSS, you indeed have a problem if one CSS fails but not the PIX.

You need to add a switch between css and firewall.

Or find a way to connect each firewall to each css.

Gilles.

Please refer to the document attached... Between the firewalls and the CSS we have 2 switches, but even then we suspect whether failover will happen if a CSS fails and the primary PIX is still up, if we go for box-to-box redundancy.

You need to interconnect the switches:

    PIX-1                     PIX-2
      |                         |
      |                         |
    Switch-1 ------------- Switch-2
      |                         |
      |                         |
    CSS-1 ----------------- CSS-2

Like this, you can have PIX1 active with CSS-2 active.

Traffic will go from CSS-2 to switch-2 to switch-1 to pix-1.

Gilles.

hi,

Thanks for your reply....

The switches are already interconnected (sorry for the wrong diagram).

But my concern is this: when we configure redundancy of the CSS in VRRP mode, and CSS-1 fails and CSS-2 becomes active, its VIP will be the same but with the different MAC ID of CSS-2.

In the above case, when the traffic moves from CSS-2 to PIX-1 (active via the interconnected switches), the PIX already has the same IP (VIP) with a different MAC ID (that of CSS-1). In this case the PIX will deny the gratuitous ARP until it clears its ARP cache, which by default takes 4 hours. Also, we cannot reduce this time, as it will affect performance.

Please revert if something is missing from my side.

Looking forward to a suggestion or any other method from you.

The CSS will use the same MAC address for the VIP when they are in redundant mode.

So the PIX will continue using the same MAC.

The CSS that becomes primary will send a G-ARP so that the switch learns the new path to the owner of the virtual MAC address.

So this is covered.

No worries there.

Gilles.
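To make the mechanism in this exchange concrete, here is an added simulation (not part of the thread, and not Cisco code) of the three pieces involved: a firewall ARP cache that ignores unsolicited gratuitous ARP and ages entries out only after a long timeout, a bridged switch domain that re-learns a MAC's port from every frame, and a CSS pair that either shares one virtual MAC for the VIP (what Gilles describes for redundant mode) or uses a distinct MAC per box (the case the original poster worried about). All addresses, timers and device names are constructed for the example, and the two interconnected switches are modelled as a single learning bridge.

```python
"""Constructed simulation of VIP failover in front of a firewall whose ARP
cache ignores gratuitous ARP. Nothing here is real device code; addresses,
timers and names are made up for the example."""

VIP = "10.0.0.1"                 # constructed VIP
VMAC = "00:00:5e:00:01:0a"       # constructed shared virtual MAC
CSS1_MAC = "00:11:22:aa:aa:01"   # constructed per-device MACs
CSS2_MAC = "00:11:22:aa:aa:02"
PIX_ARP_TIMEOUT = 4 * 3600       # the 4-hour default cited in the thread


class ArpCache:
    """Host ARP cache: entries expire after `timeout` seconds, and unsolicited
    (gratuitous) replies are accepted only when `accept_unsolicited` is set."""

    def __init__(self, timeout, accept_unsolicited=False):
        self.timeout = timeout
        self.accept_unsolicited = accept_unsolicited
        self.entries = {}  # ip -> (mac, learned_at)

    def learn(self, ip, mac, now, unsolicited=False):
        if unsolicited and not self.accept_unsolicited:
            return False  # G-ARP dropped, as the poster describes for the PIX
        self.entries[ip] = (mac, now)
        return True

    def lookup(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None or now - entry[1] >= self.timeout:
            self.entries.pop(ip, None)
            return None  # aged out; the host would send a fresh ARP request
        return entry[0]


class Switch:
    """Learning bridge: the CAM table follows the latest frame per source MAC."""

    def __init__(self):
        self.cam = {}    # mac -> port
        self.ports = {}  # port -> {"name", "macs", "up"}

    def attach(self, port, name, macs):
        self.ports[port] = {"name": name, "macs": set(macs), "up": True}

    def down(self, name):
        for dev in self.ports.values():
            if dev["name"] == name:
                dev["up"] = False

    def frame_in(self, port, src_mac):
        self.cam[src_mac] = port  # a MAC move is learned from the first frame

    def deliver(self, dst_mac):
        if dst_mac is None:
            return "unresolved"
        # known MAC: forward on its port; unknown MAC: flood every port
        ports = [self.cam[dst_mac]] if dst_mac in self.cam else list(self.ports)
        for port in ports:
            dev = self.ports[port]
            if dev["up"] and dst_mac in dev["macs"]:
                return dev["name"]
        return "lost"


def failover(shared_vmac, pix_accepts_garp):
    """Return which CSS receives the firewall's frame to the VIP once CSS-1
    has failed and CSS-2 has taken over."""
    sw = Switch()
    css1_mac = VMAC if shared_vmac else CSS1_MAC
    css2_mac = VMAC if shared_vmac else CSS2_MAC
    sw.attach(1, "CSS-1", {css1_mac})
    sw.attach(2, "CSS-2", {css2_mac})
    pix = ArpCache(PIX_ARP_TIMEOUT, accept_unsolicited=pix_accepts_garp)

    # t=0: CSS-1 is master and answers the firewall's ARP request for the VIP
    sw.frame_in(1, css1_mac)
    pix.learn(VIP, css1_mac, now=0)

    # t=60: CSS-1 dies, CSS-2 becomes master and sends a gratuitous ARP
    sw.down("CSS-1")
    sw.frame_in(2, css2_mac)
    pix.learn(VIP, css2_mac, now=60, unsolicited=True)

    # t=61: the firewall forwards a packet towards the VIP
    return sw.deliver(pix.lookup(VIP, now=61))


if __name__ == "__main__":
    print("shared virtual MAC, G-ARP ignored :", failover(True, False))
    print("per-box MAC, G-ARP ignored        :", failover(False, False))
    print("per-box MAC, G-ARP accepted       :", failover(False, True))
```

With the shared virtual MAC the firewall's cached entry never needs to change; only the switch CAM entry moves to CSS-2's port when the G-ARP arrives, which is exactly the point Gilles makes. With a per-box MAC and a firewall that drops gratuitous ARP, the frame is switched to the dead box's port until the 4-hour entry ages out.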
