I have a question about Active-Active configuration in PIX Ver. 7. After configuring my primary PIX FW with 2 security contexts and with 2 failover groups, and after applying the needed configuration as illustrated in the online config guide, I connected the serial cable between the primary and the secondary firewalls in the correct way and typed the failover command on both firewalls to allow config replication between them. The configuration was not replicated, though, until I rebooted my primary PIX, when the configuration was replicated PARTIALLY from the primary to the secondary; for example, only the admin context configuration was replicated, while the ctx1 context configuration wasn't replicated at all!! What surprised me also is that my primary PIX name was overwritten by the name of the secondary!!
Do I need to do anything on the secondary firewall before applying the "failover" command; do I need, for example, to create a ctx1 context in the secondary PIX? I noticed that I need to switch it to multi-mode, but is there any other configuration that should be applied on the secondary in order for the replication to happen? Please advise!
You are right, the secondary PIX admin context was active and configured with a different configuration, which might have caused the problem, but the strange thing is that the replication happened from the secondary to the primary! Do you have an explanation for this?
After erasing the configuration on the secondary unit, I managed to replicate the configuration correctly from the primary to the secondary and things look OK; only one weird thing I'm getting when I run the "show failover state" command from the primary; it's showing:
Primary | Active |
Secondary | Standby |
My Fail Reason:
Other Fail Reason:
Does the comm failure message indicate anything wrong?
One more question: how can I allow the traffic to be balanced equally between the 2 firewall units? I understand that this is a matter of routing, but any idea on how this can be achieved?
Excellent, this makes sense to me that config replication happens from Active to Standby and not from Primary to Secondary. But regarding Load Balancing, the reason why I'm asking this question is that my understanding is that the PIX doesn't use a Virtual or a shared IP for its redundant interfaces (e.g. the IP address of the outside interface will be different on each FW and there's no shared IP between them)... this is, for example, different from the way Netscreen is doing it, by using the same Physical interfaces for the identical interfaces on the 2 FW units, which causes traffic to be balanced automatically between the 2 Active-Active units.
Each PIX is connected via redundant connections to Switches 2 & 3 to achieve full redundancy. Now, due to the fact that the IP address of the outside interface on each PIX is different, which is the case for the internal interfaces as well, when traffic comes from the router to inside, Switch1 will see 2 different IP addresses for the 2 PIX firewalls, so how will the PIX take it from there and load balance the traffic? Assume the addresses of the outside interfaces on each PIX are as follows: 192.168.1.1 & 192.168.1.2
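As an added illustration (not from the original thread, and not taken from Cisco's own configuration guide), the following skeleton shows the pieces the thread keeps coming back to: two failover groups in the system execution space, each context joined to one group, the active/standby address pair a context owns on each interface, and the minimal bootstrap on the secondary unit for cable-based failover. Interface names, VLAN numbers, the config-url paths, the inside subnets and the idea of a second data context are all assumptions made up for the example; the context names admin and ctx1 and the outside addresses 192.168.1.1 / 192.168.1.2 are the ones used in the thread. The point the example tries to make visible: 192.168.1.1 and 192.168.1.2 are not "one per chassis" but an active/standby pair that belongs to ctx1's failover group, so whichever unit is active for that group answers on .1. Load sharing then comes from giving each data context its own pair and letting the upstream router send different prefixes to different contexts' active addresses.

```cisco
! ===== System execution space, PRIMARY unit (cable-based failover) =====
! Both units must already be in multiple-context mode.
mode multiple
!
! Two failover groups. Group 1 is normally active on the primary unit,
! group 2 on the secondary; "preempt" hands a group back to its
! preferred unit when that unit comes back.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
!
! Sub-interfaces handed to the contexts (names and VLAN ids are assumed).
interface Ethernet0
  no shutdown
interface Ethernet0.10
  vlan 10
interface Ethernet0.20
  vlan 20
interface Ethernet1
  no shutdown
interface Ethernet1.10
  vlan 110
interface Ethernet1.20
  vlan 120
!
! admin context rides with group 1 (active on the primary).
admin-context admin
context admin
  allocate-interface Ethernet0.10
  allocate-interface Ethernet1.10
  config-url flash:/admin.cfg
  join-failover-group 1
!
! ctx1 rides with group 2 (active on the secondary).
context ctx1
  allocate-interface Ethernet0.20
  allocate-interface Ethernet1.20
  config-url flash:/ctx1.cfg
  join-failover-group 2
!
failover
!
! ===== Inside context ctx1 (flash:/ctx1.cfg) =====
! The active/standby pair follows failover group 2, not the chassis:
! the unit that is active for group 2 answers on 192.168.1.1, the other
! unit holds 192.168.1.2 and takes over .1 on failover.
interface Ethernet0.20
  nameif outside
  security-level 0
  ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface Ethernet1.20
  nameif inside
  security-level 100
  ip address 10.2.0.1 255.255.255.0 standby 10.2.0.2
!
! ===== SECONDARY unit, before connecting the serial failover cable =====
! Assumed for this example: same mode, no contexts of its own, and the
! failover command so it accepts the replicated configuration.
mode multiple
failover
```

To actually split load, an assumed second data context joined to group 1 would carry its own outside pair (say 192.168.1.3 / 192.168.1.4) and its own inside subnet; the upstream router then needs a static route for each inside prefix pointing at the corresponding context's outside active address (10.2.0.0/24 via 192.168.1.1 in this example). The router is unaware of which chassis currently owns that address, which is what keeps the routing stable across a failover.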