1. How will the standby unit detect failover in the following two cases (if the actual primary unit has been powered off due to some
1. If we are using a crossover cable to connect the active and standby units
2. If we are connecting active and standby units using a switch
I am asking this because the standby unit will send the heartbeat to check whether the active unit is up or not, and if the standby unit does not receive the answer from the primary unit in time, then the failover will take place. But if the active unit got powered off, then it means the sync port (used for heartbeat) is also down on the primary side. Then how will the standby unit detect whether the active is down, because the sync connectivity is lost (because one end of the sync cable is off at the primary side) and the standby will not be able to send the heartbeat to check? The failover will take place when the standby sends the heartbeat and does not get the reply, but here the standby is not even able to send the heartbeat, because to send the heartbeat the other end of the cable should be active.
2. It is mentioned that the MAC exchange will happen between primary and secondary when failover takes place. How is that possible? Because the MAC address is always bound to the Ethernet card on the device and it will never change; IP addresses can interchange in case of failover.
3. Will the IKE and IPsec SAs also get synced in stateful connections? I mean, if the primary unit fails, will the VPN SAs also get transferred to the standby unit, and if yes, will the running VPN connections on the active be maintained on the standby unit?
1. But when the primary sync port is off (primary PIX is powered off), how will the standby detect that the primary has failed?
2. OK, I understand that a virtual MAC is used. But will the IP addresses of the primary and standby also get interchanged when the failover occurs, or will only the virtual MAC address get bound to the standby machine? Because we normally configure the routing such that the packet reaching the PIX firewall (internal interface) should hit the IP address of the primary PIX FW, and if the IP addresses do not get interchanged then the packet may not get into the firewall.
3. Yes, I understand that we have to configure the stateful feature in the firewall, but I read somewhere that PIX will not support the IPsec SAs continuing to work in case failover happens. Maybe whatever I read is an old document. I want to know which connections will not get transferred to the standby unit in case of stateful failover.
But now suppose the failover cable between primary and standby has gone bad but the primary unit is actually still active. Will the standby take over, or will both units become active in this case?
And will the standby automatically try to send the heartbeat via some other interface (maybe the internal interface, treating it as a secondary sync interface) to confirm whether the problem is with the primary sync interface or the primary unit, or do we always have to define the secondary sync interface?
3. Regarding stateful failover, it is mentioned in the link (which you provided) that "The routing tables" will not get statefully transferred to the standby unit. But if the routing table is not transferred, then how will the connections continue, because routing is required for most of the connections happening from source to destination through the firewall? If the routing table is not transferred, then even all those connections should fail in case stateful failover takes place.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: