I recently installed 2 Cisco PIX 525 in an Active/Standby failover mechanism. Both appliances are connected via serial cable to exchange "Hello" messages with each other. I applied the configuration successfully and everything worked so fine for 6 months. The "inside" failover interfaces are connected to a 3Com 4060 switch.
Suddenly, I noticed that both appliances were active and the internet connectivity hung, and when I tried to ping the inside interfaces, it gave me request timed out. I checked the failover history but it gave me no accurate reason for this problem. I did restart the primary (active) failover unit and then everything came back to life and I can ping as well as access the internet.
I read about specific vulnerabilities regarding Cisco PIX failover and I knew that there are DoS attacks targeting the failover process, whether by ARP spoofing, since the secondary (standby) unit sends ARP requests to the primary for testing purposes before failover happens.
But I really want to push away the probability of the DoS attacks, since the inside failover interfaces are in a different VLAN in the 3Com switch away from other users' VLANs. In addition, I did port security on the inside failover interfaces by adding their MAC addresses manually in the switch's CAM table. I also increased the failover timer to 75 seconds to give the standby unit the chance to not fail over so soon.
This is the configuration:
pixfirewall(config-if)#description Outside public network
pixfirewall(config-if)#ip address x.x.x.x 255.255.255.0 standby x.x.x.x
"When failover occurs, each unit changes state. The unit that activates assumes the IP and MAC addresses of the previously active unit and begins accepting traffic. The new standby unit assumes the failover IP and MAC addresses of the unit that was previously the active unit. Because network devices see no change in these addresses, no ARP entries change or time out anywhere on the network."
Thank you guys for the fast response regarding my problem, and I'd like to inform you that I solved the problem. Yes, I did disable the port security, since it was the first part of the problem. The second important part was that the standby (secondary) unit didn't take over the active role when the primary failed. In other words, when the active (primary) failed, the standby (secondary) unit was still in standby, so when you pinged the active unit addresses it gave me request timed out and no internet access. The cause of the problem was the interface policy. I noticed that the previous security engineer did a "failover interface-policy 3" command that hung everything. I really read about this command but I didn't understand it well. It's something like you apply a policy for how many failed interfaces the standby will test before taking the active role, but I think it took so long to test those interfaces, so I disabled this command :)
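As an added illustration that is not part of the thread, the following Python models the behaviour quoted from the PIX documentation above (the new active unit takes over the old active unit's MAC address) against a switch whose failover ports each pin one MAC to one port via a hand-entered CAM entry, the setup the original poster described. The port names and MAC addresses are constructed; the point is to show why static MAC port security and a MAC-swapping failover pair cannot coexist.

```python
from dataclasses import dataclass, field

@dataclass
class Unit:
    name: str
    port: str   # switch port this unit is cabled to (constructed)
    mac: str    # MAC currently used on its inside interface (constructed)
    role: str   # "active" or "standby"

@dataclass
class Switch:
    # hand-entered CAM entries: source MAC -> the only port it may appear on
    static_cam: dict = field(default_factory=dict)
    port_security: bool = True
    violations: list = field(default_factory=list)

    def ingress(self, mac, port):
        """Return True if a frame with this source MAC is accepted on this port."""
        if not self.port_security:
            return True
        pinned = self.static_cam.get(mac)
        if pinned is not None and pinned != port:
            # MAC seen on a port other than the one it was pinned to:
            # port security treats this as a violation and drops the frame
            self.violations.append((mac, port, pinned))
            return False
        return True

def failover(active, standby):
    """Swap roles and MACs as the quoted PIX documentation describes."""
    active.mac, standby.mac = standby.mac, active.mac
    active.role, standby.role = "standby", "active"

def simulate(port_security):
    """Run one failover and report which unit's frames the switch still accepts."""
    primary = Unit("primary", "Gi0/1", "00:aa:bb:cc:00:01", "active")
    secondary = Unit("secondary", "Gi0/2", "00:aa:bb:cc:00:02", "standby")
    sw = Switch({primary.mac: primary.port, secondary.mac: secondary.port},
                port_security)
    failover(primary, secondary)
    # each unit now sources frames with the MAC it inherited, on its own port
    accepted = {u.name: sw.ingress(u.mac, u.port) for u in (primary, secondary)}
    return accepted, sw.violations

if __name__ == "__main__":
    print("with port security:   ", simulate(True))
    print("without port security:", simulate(False))
```

With port security enabled both units' frames are dropped after the swap, which matches the symptom of both addresses timing out; with it disabled the swap passes unnoticed, as the documentation says.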