New Member

PIX load balancing with CSM - probe problem

2 CSM/CATs on one side (FT)

2 CSM/CATS on other (also FT)

load balancing 2 PIX 535.

probing icmp pings only "direct" pix interface

the opposite interface will never answer to ping.

So switching off an int on one pix makes the real FAILED on one side, but the other side still has a working real and sends traffic to the one-legged PIX.

How to solve that?

4 REPLIES
Bronze

Re: PIX load balancing with CSM - probe problem

Hi,

just define a probe which is pinging through the pix (e.g. the GW on the other side of the pix). If this ping fails this server will be removed. Make sure that your pix allows this traffic.

Kind Regards,

Joerg
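As an added illustration of the suggestion above (example configuration, not from this thread and not Cisco's own; the module slot, VLAN, probe/serverfarm names and every address are assumed), a CSM serverfarm whose ICMP probe targets an address on the far side of the PIXes instead of the PIX interface itself, plus the PIX access-list entry that lets the probe traffic through:

```cisco
! Added example. Slot 5, the names and all 192.168.x.x addresses are assumed.
module ContentSwitchingModule 5
!
! The probe address is the far-side gateway (assumed: the other CSM's alias),
! not the PIX's own interface. Applied under a serverfarm with "no nat", the
! CSM sends this probe through each real, so it fails for a PIX whose far
! interface is down even though its near interface still answers ping.
 probe PIX-THROUGH icmp
  address 192.168.28.254
  interval 5
  retries 2
  failed 10
!
! Firewall serverfarm: no address translation, hash on address so both
! directions of a flow are pinned to the same PIX.
 serverfarm PIX-FARM
  no nat server
  no nat client
  predictor hash address
  real 192.168.27.1
   inservice
  real 192.168.27.2
   inservice
  probe PIX-THROUGH
!
! On each PIX (assumed PIX 6.x syntax and names): permit the CSM's echo
! requests towards the probe address so the probe is not dropped.
access-list csm_probe permit icmp host 192.168.27.125 host 192.168.28.254 echo
access-group csm_probe in interface outside
```

Without the access-list the probe fails on both PIXes and both reals are marked down, so verify the PIX logs show the echo requests passing before trusting the probe state.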

New Member

Re: PIX load balancing with CSM - probe problem

I tested that; it should work, but when you have 2 pixes

and 2 CSMs on both ends... (CSMs and PIXes are directly connected via CAT Gig/Fe ports)

you need to define 2 static routes on every CSM; that works fine. But you also need to define statics on the "standby" too.

i.e.:

network 192.168.27 divided into 2 halves...

.124 - .1 - .129 - 253

.123 - .2 - .130 - 252

alias .125 alias .254

In such a situation only "one half" can work

Bronze

Re: PIX load balancing with CSM - probe problem

Hi,

maybe I understood something wrong. What you are doing is firewall load balancing (2 active FWs in between a CSM and the 2nd CSM for failover), which is partly described in http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a008020cd7c.shtml

This works absolutely fine. Unfortunately I did not really get what is not working and why you need two routes. When you talk about the standby, are you having a PIX-failover bundle, or what is it that you want to achieve? Maybe you can attach a drawing of what you want to achieve, including the topology.

Regards,

Joerg

New Member

Re: PIX load balancing with CSM - probe problem

I am thinking about that:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/csm_3_2/icn/fwldbal.htm#1037625

when Firewall 1 and Firewall 2 are pinged on directly connected interfaces, then the directly connected probe detects a pix problem. But a problem with the whole PIX device is less typical than one of its interfaces going down (i.e. fiber patchcord unplugged); then the other (opposite/working) interface answers the ping and the CSM sends traffic to that "real".

A great solution would be pinging the opposite pix interface,

but this isn't supported by PIX ASA. So I have tried

pinging "any" ip behind the pix, which is currently the ip address of the CSM VLAN.

When you have one PIX there is no problem... but when you have two of them you need to check both of them... you define a static route:

ip_behind_pix VIA ip_pix_direct_int

Then think not only about ECHO REQ but also about ECHO REPLY - there is no way to put static routing on those devices so that actives and standbys on both sides will detect pix interface errors...

There is no way to put the REPLY on a different gate than the ECHO REQ...

Think of it: draw 6 icons, give them 10 ip addresses (2 for pix inside and outside, one for every CSM)

and then try to set up static routes so that the ping REQ and reply will go the same way. There is no such way...

IMHO 8-)
