New Member

Active-Active in PIX Ver.7

Hi,

I have a question about Active-Active configuration in PIX Ver.7. After configuring my primary PIX FW with 2 security contexts and with 2 failover groups, and after applying the needed configuration as illustrated in the online config guide, I connected the serial cable between the primary and the secondary firewalls in the correct way and typed the failover command on both firewalls to allow config replication between them. The configuration was not replicated though, until I rebooted my primary PIX, when the configuration was replicated PARTIALLY from the primary to the secondary; for example, only the admin context configuration was replicated, whereas the ctx1 context configuration wasn't replicated at all!! What surprised me also is that my primary PIX name was overwritten by the name of the secondary!!

Do I need to do anything on the secondary firewall before applying the "failover" command; do I need, for example, to create a ctx1 context in the secondary PIX? I noticed that I need to switch it to multi-mode, but is there any other configuration that should be applied on the secondary in order for the replication to happen? Please advise!

Regards,

Haitham

Cisco Employee

Re: Active-Active in PIX Ver.7

You don't need to create the contexts, but both PIXes have to be set in multi-context mode.

Maybe the secondary PIX's context was active, hence it overwrote the primary PIX.

Show us your configs and we can answer better.

thanks

Nadeem

New Member

Re: Active-Active in PIX Ver.7

Hi Nadeem,

You are right, the secondary PIX admin context was active and configured with a different configuration, which might have caused the problem, but the strange thing is that the replication happened from the secondary to the primary! Do you have an explanation for this?

After erasing the configuration on the secondary unit, I managed to replicate the configuration correctly from the primary to the secondary and things look OK. There's only one weird thing I'm getting when I run the "show failover state" command from the primary; it's showing:

Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
Sync Done
====Communication State===
Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
Comm Failure

Does the comm failure message indicate anything wrong?

One more question: how can I allow the traffic to be balanced equally between the 2 firewall units? I understand that this is a matter of routing, but any idea on how this can be achieved?

Thanks a lot,

Haitham

Cisco Employee

Re: Active-Active in PIX Ver.7

hi,

I think the failover is configured fine. You should understand that the SYNC process happens from ACTIVE to STANDBY (not from primary to secondary).

Configs are always synced up from ACTIVE to STANDBY.

As far as load balancing is concerned, all you can do is bring your firewall into multi-context mode (2 contexts) and get the license for active/active.

Context 1 will be active on one firewall, while context 2 will be active on the other firewall.

But there are addressing things you need to take care of.

It is not a routing matter for load balancing.

See these links:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm#wp1096075

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm#wp1046980

thanks

Nadeem

New Member

Re: Active-Active in PIX Ver.7

Excellent, this makes sense to me that config replication happens from Active to Standby and not from Primary to Secondary. But regarding Load Balancing, the reason why I'm asking this question is because my understanding is that the PIX doesn't use a Virtual or a shared IP for its redundant interfaces (e.g. the IP address of the outside interface will be different on each FW and there's no shared IP between them)... this is, for example, different from the way Netscreen does it, by using the same physical interfaces for the identical interfaces on the 2 FW units, which causes traffic to be balanced automatically between the 2 Active-Active units.

My design architecture is like this:

Router--->Switch1--->PIX1,PIX2----XSwitch2,Switch3

Each PIX is connected via redundant connections to Switches 2 & 3 to achieve full redundancy. Now, due to the fact that the IP address of the outside interface on each PIX is different, which is the case for the internal interfaces as well, when traffic comes from the router to inside, Switch1 will see 2 different IP addresses for the 2 PIX firewalls, so how will the PIX take it from there and load balance the traffic? Assume the addresses of the outside interfaces on each PIX are as follows: 192.168.1.1 & 192.168.1.2

Thanks again,

Haitham

Cisco Employee

Re: Active-Active in PIX Ver.7

Yes, that is right, PIX doesn't load balance like Netscreen. There is no capability of a virtual address at the moment. This type of load balancing will not work.

All you can do is use the PIX pair in failover mode, have two contexts in each PIX, and each context will be active on one of the PIXes.

Basically the idea is to have two separate firewalls serving two different subnets etc.

This way you can achieve load balancing.
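The layout Nadeem describes above (two contexts, each in its own failover group, each group active on a different unit, and configuration replicating from the active unit of each group) as a constructed system-context configuration for the primary PIX. This is an added example, not the thread's or Cisco's own configuration; it assumes serial-cable failover, a stateful link on Ethernet2, physical Ethernet0/Ethernet1 already enabled with VLAN subinterfaces, and the addresses shown, including Haitham's 192.168.1.1/.2 used here as the active/standby pair of ctx1's outside interface.

```cisco
! System execution space on the PRIMARY PIX (constructed example; interface
! names, VLAN ids and addresses are assumptions, not from the thread).
mode multiple
! Serial-cable failover as in the thread; stateful link assumed on Ethernet2.
failover link stateful Ethernet2
failover interface ip stateful 10.0.0.1 255.255.255.252 standby 10.0.0.2
! Group 1 is normally active on the primary, group 2 on the secondary.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
! One VLAN subinterface pair per context, so the two contexts share no interface.
interface Ethernet0.10
  vlan 10
interface Ethernet0.20
  vlan 20
interface Ethernet1.10
  vlan 110
interface Ethernet1.20
  vlan 120
admin-context admin
context admin
  allocate-interface Ethernet0.10 outside
  allocate-interface Ethernet1.10 inside
  config-url flash:/admin.cfg
  join-failover-group 1
context ctx1
  allocate-interface Ethernet0.20 outside
  allocate-interface Ethernet1.20 inside
  config-url flash:/ctx1.cfg
  join-failover-group 2
! Enable failover last. The secondary needs only "mode multiple" and "failover"
! on a cleared config: the rest replicates from the active unit of each group.
failover
! Inside ctx1 (changeto context ctx1): each interface carries an active address
! and a standby address, so the standby unit of the group is reachable too.
interface outside
  nameif outside
  security-level 0
  ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface inside
  nameif inside
  security-level 100
  ip address 10.1.20.1 255.255.255.0 standby 10.1.20.2
```

With the secondary's configuration cleared before "failover" is enabled, the admin context (group 1) is active on the primary and ctx1 (group 2) is active on the secondary, and "show failover" on either unit shows which group is active where.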

New Member

Re: Active-Active in PIX Ver.7

Thanks Nadeem,

Any suggestions to work around this by deploying a load balancer device that can create a VIP in such a scenario?

Regards,

Haitham
