Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
279
Views
0
Helpful
2
Replies

Pix Failover Senario- What happens?

jogillis
Level 1
Level 1

‎06-01-2007 07:08 AM - edited ‎03-11-2019 03:23 AM

Here is the layout. Two layer 2 switches connected on vlan 2. Each switch has one of a failover pair of pix running 6.3(4) attached on vlan 2. This is the outside interface of the pix. There are also an inside and a dmz on each pix but each pix is attached to the same switch on each of these interfaces. We are using serial failover cable between Pix(s).

Now what happens if the connection between the outside switches goes down but the pix interface to each switch is up. The failover "hello" for the vlan 2 interfaces do not get delivered but all other interfaces are fine. Each actual interface on the Pix in vlan 2 is "ok", they just can not communicate with each other. Each Pix will test its interface and fine it functional. So will they just stay in the same state, that is active will stay active or will the standby try to become active?

jogillis

Labels:
0 Helpful
2 Replies 2

didyap
Level 6
Level 6

‎06-07-2007 01:13 PM

This looks like it could be a problem on the switches, possibly an arp related issue.

Also take a look at the ARP/CAM entries for both Pixes on the switches to make sure they are correct.

Also check switch spanning tree configuration.

Try this Link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008045247e.html#wp1047043

0 Helpful

Fernando_Meza
Level 7
Level 7

‎06-07-2007 03:52 PM

Hi .. failover takes place after several test .. the failover not only checks physical state but also reachability between the interfaces that belong to the pair. so in your scenario .. the interfaces migth still be UP however, if they can't ping each other .. the the failover will take over.

Below are the test peformed before the failver takes place

Failover uses the following tests to check the status of the units for failure:

■ Link up/down test?If an interface card has a bad network cable or a bad port, is

administratively shut down, or is connected to a failed switch, it is considered failed.

■ Network activity test?The unit counts all received packets for up to 5 seconds. If any

packets are received at any time during this interval, the interface is considered

operational and testing stops. If no traffic is received, the ARP test begins.

■ Address Resolution Protocol test?The unit?s ARP cache is evaluated for the ten most

recently acquired entries. One at a time, the PIX Firewall sends ARP requests to these

machines, attempting to stimulate network traffic. After each request, the unit counts all

received traffic for up to 5 seconds. If traffic is received, the interface is considered

operational. If no traffic is received, an ARP request is sent to the next machine. If at the

end of the list no traffic has been received, the ping test begins.

■ Ping test?A broadcast ping request is sent out. The unit then counts all received packets

for up to 5 seconds. If any packets are received at any time during this interval, the

interface is considered operational and testing stops. If no traffic is received, failover takes place.

I hope it helps .. please rate it if it does !!!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card