Cisco Support Community

New Member

Can a PIX load balance outbound w/ OSPF?

Hi All,

I have a PIX 515 that is dual homed to the Internet through 2 edge routers (1 router per ISP). How can I load balance outbound connections? It doesn't have to be perfect, I just want to utilize the second ISP.

Will this work if I run OSPF between the PIX outside interface and the routers? Also, if one link goes down I want it to fail over to the second link. I am not running BGP, both ISPs are advertising the same subnet.

Any ideas?

Thanks, Randy


Re: Can a PIX load balance outbound w/ OSPF?

You cannot run OSPF on PIX. PIX supports only RIP over it.

You also cannot add 2 default routes on the PIX to different destinations.

I don't think load sharing is possible unless you put a load balancer in between the devices.

New Member
New Member

Re: Can a PIX load balance outbound w/ OSPF?

Interesting.. I didn't think this was possible since the PIX isn't a routing appliance. I wonder if these commands are used to support OSPF through the firewall, and not on it..?

This is worth configuring in a lab/test environment to see what it's all about.

Cisco Employee

Re: Can a PIX load balance outbound w/ OSPF?

OSPF was introduced on PIX from ver 6.3

See Release Note below;

New Member

Re: Can a PIX load balance outbound w/ OSPF?

Yes, you can run OSPF on the PIX and the edge routers. I am actually lab testing the concept and getting ready to roll the same scenario to production. You will need to ensure that your IBRs are sending a default route to the PIX (and that your PIX shows equal cost routes for the default, or whatever routes you're trying to load balance. Elsewise adjust at your IBRs until it does).


Upgrade Finesse to 6.3(2)

6.3(1) will work, however it has a bug that will cause endless invalid packet length errors on the LSAs. 6.3(2) fixes this.

Cisco recommends that you authenticate OSPF neighbors. Unfortunately, should you attempt to configure md5 authentication with the PIX, you will break OSPF. I have had a TAC case open on this for a while now, and it currently looks like it's gonna require a code upgrade to fix it.

When configuring OSPF on the PIX, remember that your network statements have to use standard netmasks (network area 0) rather than the reverse dotted decimal that a router would use (network area 0).
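
The netmask point in the last reply can be checked before a config is pasted into the firewall. The following is an added example, not part of the original thread: a small linter that flags `network ... area` statements written with a router-style wildcard mask and suggests the netmask form. The sample config, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Matches "network <address> <mask> area <id>" as typed under "router ospf".
NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s+(\S+)\s+area\s+(\S+)\s*$")

def classify_mask(mask: str) -> str:
    """Return 'netmask', 'wildcard', 'ambiguous' or 'invalid' for a dotted mask."""
    try:
        value = int(ipaddress.IPv4Address(mask))
    except ValueError:
        return "invalid"
    inverted = value ^ 0xFFFFFFFF
    # A netmask is contiguous ones from the left, so its inverse is 2**n - 1.
    is_netmask = (inverted & (inverted + 1)) == 0
    # A contiguous wildcard mask is the mirror image: the value itself is 2**n - 1.
    is_wildcard = (value & (value + 1)) == 0
    if is_netmask and is_wildcard:
        return "ambiguous"  # 0.0.0.0 and 255.255.255.255 read either way
    if is_netmask:
        return "netmask"
    return "wildcard" if is_wildcard else "invalid"

def lint_pix_ospf(config: str):
    """Return (line_no, statement, suggested_statement) for wildcard-style masks."""
    findings = []
    for line_no, line in enumerate(config.splitlines(), start=1):
        match = NETWORK_RE.match(line)
        if not match:
            continue
        address, mask, area = match.groups()
        if classify_mask(mask) == "wildcard":
            flipped = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
            netmask = str(ipaddress.IPv4Address(flipped))
            findings.append((line_no, line.strip(),
                             f"network {address} {netmask} area {area}"))
    return findings

# Constructed sample: the first statement uses a router-style wildcard mask.
SAMPLE_PIX_CONFIG = """\
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
 network 198.51.100.0 255.255.255.252 area 0
"""

if __name__ == "__main__":
    for line_no, found, suggestion in lint_pix_ospf(SAMPLE_PIX_CONFIG):
        print(f"line {line_no}: '{found}' looks like a wildcard mask; use '{suggestion}'")
```

Masks of 0.0.0.0 and 255.255.255.255 are reported as ambiguous rather than flagged, since they are valid in both notations and need a manual look.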
