Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
419
Views
0
Helpful
5
Replies

Can a PIX load balance outbound w/ OSPF?

Randall White
Level 3
Level 3

‎07-29-2003 02:49 PM - edited ‎02-20-2020 10:53 PM

Hi All,

I have a PIX 515 that is dual homed to the Internet through 2 edge routers (1 router per ISP). How can I load balance outbound connections? It doesn't have to be perfect, I just want to utilize the second ISP.

Will this work if I run OSPF between the PIX outside interface and the routers? Also, if one link goes down I want it to fail over to the second link. I am not running BGP, both ISPs are advertising the same subnet.

Any ideas?

Thanks, Randy

0 Helpful
5 Replies 5

sachinraja
Level 9
Level 9

‎08-02-2003 04:16 AM

You cannot run OSPF on PIX. PIX supports only RIP over it.

You cannot also add 2 default routes on the PIX to different destinations.

I dont think load sharing is possible unless you put a load balancer in between the devices.

0 Helpful

r.crist
Level 1
Level 1
In response to g.wrobel

‎08-04-2003 12:12 PM

Interesting.. I didn't think this was possible since the PIX isn't a routing appliance. I wonder if these commands are used to support OSPF through the firewall, and not on it..?

This is worth configuring in a lab/test environment to see what it's all about.

0 Helpful

yusuff
Cisco Employee
Cisco Employee
In response to r.crist

‎08-13-2003 09:23 PM

OSPF was introduced on PIX from ver 6.3

See Release Note below;

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm#32159

0 Helpful

jon-sills
Level 1
Level 1

‎08-11-2003 07:16 PM

Yes, you can run OSPF on the PIX and the edge routers. I am actualy lab testing the concept and getting ready to roll the same scenario to production. You will need to insure that your IBR's are sending a default route to the PIX (and that your PIX shows equal cost routes for the default, or whatever routes your trying to load balance. Elsewise adjust at your IBR's until it does).

Caveats:

Upgrade Finesse to 6.3(2)

6.3(1) will work, however it has a bug that will cause endless invalid packet length errors on the LSA's. 6.3(2) fixes this.

Cisco reccomends that you authenticate OSPF neighbors. Unfortunately, should you attempt to configure md5 authentication with the PIX, you will break OSPF. I have had a TAC case open on this for a while now, and it currently looks like it's gonna require a code upgrade to fix it.

When configuring OSPF on the PIX, remember that your network statements have to use standard netmasks (network 10.1.1.0 255.255.255.0 area 0) rather than the reverse dotted decimal that a router would use (network 10.1.1.0 0.0.0.255 area 0).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card