New Member

No ip addresses on failover firewall? (Pix 6.3(5))

I have a pix firewall with an interface on a /30 network (direct link to a router) so there are only two ip addresses available - the PIX and the router. I now want to add a failover firewall and not assign an ip address to the interface on the failover firewall, just a mac address. My goal is that for this particular interface there will be only one IP address that floats between the two firewalls, instead of two addresses that get swapped between the two firewalls when failover occurs.

I can't find anything that indicates that this would not work, but would appreciate confirmation from the forum experts.

Thanks,

Tim Metzinger

6 REPLIES
New Member

Re: No ip addresses on failover firewall? (Pix 6.3(5))

I don't have a definitive answer, just thoughts.

According to Cisco

"The two units send special failover "hello" packets to each other over the failover cable and all interfaces every 15 seconds (excludes those that are administratively shutdown). "

So if your interface is shutdown, it would not be monitored, and it would not bother if it's unreachable. Would have to be tested...

But anyway you would lose part of your failover functionality, since if the Primary outside interface goes down it would not fail over to the Secondary.

Another avenue to explore may be to create another VLAN on your outside, one for the hello packets using a little private subnet, the other for your real IP on the Primary.

my 2 cents

New Member

Re: No ip addresses on failover firewall? (Pix 6.3(5))

I tried it with no ip address, and got warnings on the standby firewall about a lack of an ip address. That's actually ok with me, as long as the address fails over properly. I'll have to check and see if failover works the way I anticipate.

and maybe the "hello" packets are using MAC addresses instead of IP...

I'll post the answer when the customer finally lets me install and test it.

Cisco Employee

Re: No ip addresses on failover firewall? (Pix 6.3(5))

No, unfortunately it will not work. The two units must have communication between each other on all the interfaces that are enabled. If you don't assign the IP address to the secondary unit there's no way the units can transmit the hello packets, which obviously causes an error. Please check the document below:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

Hope it helps

Franco Zamora

New Member

Re: No ip addresses on failover firewall? (Pix 6.3(5))

I can't read your reference since I'm not a partner. I've done some testing and validated that setting the firewalls up in this way does NOT keep them from working, but I get a warning on the standby firewall about the lack of an IP address. I will have to check failover next week. While failover may not happen if the interface with only one IP fails, I'm still reasonably certain that a hardware/power failure would cause failover and that the single IP address would shift to the standby firewall in that case.

Acid test will be next Monday morning, I'll let you know.

New Member

Re: No ip addresses on failover firewall? (Pix 6.3(5))

You need to have a standby IP address configured on the STANDBY interface for failover to function as documented, as the following are the steps involved in checking the state of an interface, and each requires unique IP addresses on the interfaces:

NIC Status Test

This test is a Link Up/Down check of the NIC itself. If an interface card is not plugged into an operational network, it is considered failed.

Network Activity Test

This test is a "received network activity" test. The unit counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the unit performs an ARP test.

ARP Test

In the ARP test, the ARP cache of the unit is read for the ten most recently acquired entries. Then, one at a time, the unit sends ARP requests to these machines, in an attempt to stimulate network traffic. After each request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the unit performs the Ping test.

Ping Test

In order to perform the Ping test, the unit sends out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the testing starts over again with the ARP test.
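The four tests above form a short-circuiting sequence: link check, passive listen, ARP probes against the ten most recent cache entries, broadcast ping, then back to ARP. The following Python simulation is an added example, not code from the post or from Cisco; it walks that sequence over constructed packet counts and records which steps ran. The `InterfaceProbe` fields, the `max_rounds` cutoff and the "undetermined" outcome are assumptions made so the loop terminates; the real unit keeps retrying.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class InterfaceProbe:
    """Constructed stand-in for one interface under test (not a PIX API).

    link_up:        result of the NIC link up/down check
    rx_idle:        packets received during the 5 s passive listen
    arp_cache:      hosts in the ARP cache, most recent first
    rx_after_arp:   packets received in the 5 s after each ARP request
    rx_after_ping:  packets received in the 5 s after the broadcast ping
    """
    link_up: bool
    rx_idle: int = 0
    arp_cache: List[str] = field(default_factory=list)
    rx_after_arp: List[int] = field(default_factory=list)
    rx_after_ping: int = 0


def run_interface_tests(probe: InterfaceProbe, max_rounds: int = 2) -> dict:
    """Walk the NIC -> activity -> ARP -> ping sequence and return the
    outcome together with the ordered list of steps that were executed."""
    steps = ["nic"]
    # NIC status test: no link means the interface is considered failed
    if not probe.link_up:
        return {"status": "failed", "steps": steps}

    # Network activity test: any received packet ends testing
    steps.append("activity")
    if probe.rx_idle > 0:
        return {"status": "operational", "steps": steps}

    # ARP and ping tests repeat until traffic is seen; bounded here (assumption)
    for _ in range(max_rounds):
        for i, host in enumerate(probe.arp_cache[:10]):
            steps.append(f"arp:{host}")
            if i < len(probe.rx_after_arp) and probe.rx_after_arp[i] > 0:
                return {"status": "operational", "steps": steps}
        steps.append("ping")
        if probe.rx_after_ping > 0:
            return {"status": "operational", "steps": steps}

    return {"status": "undetermined", "steps": steps}


if __name__ == "__main__":
    # Constructed scenario: link up, quiet segment, second ARP target answers
    quiet = InterfaceProbe(link_up=True,
                           arp_cache=["10.0.0.2", "10.0.0.3"],
                           rx_after_arp=[0, 1])
    print(run_interface_tests(quiet))
```

The step trace is the useful part: on a quiet point-to-point link like the /30 in the question, the passive listen sees nothing and the unit falls through to the ARP and ping probes, which is why the reply stresses that every unit needs its own address on the interface being tested.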

New Member

Re: No ip addresses on failover firewall? (Pix 6.3(5))

Well, in reality, it works just fine. The one pair of interfaces that I could only assign one address to came up, and failover occurs when the link goes down on the active firewall, or if the primary firewall is reset.

I may not have been quite clear with my first question, these firewalls have three nets plus the status link, and only one of the nets has no failover ip. Here's the SHOW FAILOVER command:

show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 5 seconds
Last Failover at: 06:59:05 EST Mon Feb 27 2006
This host: Primary - Active
Active time: 480 (sec)
Interface sdclan (10.164.4.1): Normal
Interface tcs (10.164.2.30): Normal
Interface dohrcpo (10.75.29.82): Normal (Waiting)
Interface intf3 (0.0.0.0): Link Down (Shutdown)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface fwstate (192.168.99.1): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface sdclan (10.164.4.2): Normal
Interface tcs (10.164.2.29): Normal
Interface dohrcpo (0.0.0.0): Normal (Waiting)
Interface intf3 (0.0.0.0): Link Down (Shutdown)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface fwstate (192.168.99.2): Normal

So the DOHRCPO link only has one address floating between the two firewalls, but it works fine. I do get a warning message that there's no ip address assigned, but I can live with that.
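The `show failover` output above is exactly the kind of thing worth checking automatically after a change like this, so the single-address interface does not get forgotten. The following Python script is an added example, not code from the thread or from Cisco: it parses the output pasted in the post (embedded as the sample input), pairs each interface on the active unit with its counterpart on the standby, and reports interfaces where the standby has no address while the active does, as well as any still in the Waiting state. The regexes and the finding labels are assumptions based on the two-line-per-interface layout shown here.

```python
import re
from typing import Dict, List

# Sample 'show failover' output, copied from the post above.
SHOW_FAILOVER = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 5 seconds
Last Failover at: 06:59:05 EST Mon Feb 27 2006
This host: Primary - Active
Active time: 480 (sec)
Interface sdclan (10.164.4.1): Normal
Interface tcs (10.164.2.30): Normal
Interface dohrcpo (10.75.29.82): Normal (Waiting)
Interface intf3 (0.0.0.0): Link Down (Shutdown)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface fwstate (192.168.99.1): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface sdclan (10.164.4.2): Normal
Interface tcs (10.164.2.29): Normal
Interface dohrcpo (0.0.0.0): Normal (Waiting)
Interface intf3 (0.0.0.0): Link Down (Shutdown)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface fwstate (192.168.99.2): Normal
"""

# Assumed line formats, derived from the sample above.
HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (\w+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+)$")


def parse_show_failover(text: str) -> Dict[str, dict]:
    """Return {"this": {...}, "other": {...}}, each with the unit role,
    failover state and a per-interface map of address and status."""
    hosts: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).lower()
            hosts[current] = {"unit": m.group(2), "state": m.group(3),
                              "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, status = m.groups()
            hosts[current]["interfaces"][name] = {"ip": ip, "status": status}
    return hosts


def audit_failover(hosts: Dict[str, dict]) -> List[dict]:
    """Flag interfaces whose standby side has no address, and interfaces
    still reported as Waiting on either unit. Shut down interfaces are skipped."""
    findings = []
    this_if = hosts["this"]["interfaces"]
    other_if = hosts["other"]["interfaces"]
    for name, info in this_if.items():
        peer = other_if.get(name)
        if peer is None:
            findings.append({"interface": name, "issue": "missing-on-peer"})
            continue
        if "Shutdown" in info["status"] or "Shutdown" in peer["status"]:
            continue
        if info["ip"] != "0.0.0.0" and peer["ip"] == "0.0.0.0":
            # The single floating address case discussed in this thread
            findings.append({"interface": name, "issue": "no-standby-address"})
        elif "Waiting" in info["status"] or "Waiting" in peer["status"]:
            findings.append({"interface": name, "issue": "waiting"})
    return findings


if __name__ == "__main__":
    parsed = parse_show_failover(SHOW_FAILOVER)
    for f in audit_failover(parsed):
        print(f"{f['interface']}: {f['issue']}")
```

Run against the posted output it reports only `dohrcpo: no-standby-address`; the two shut down interfaces are ignored, and the Waiting on dohrcpo is folded into the same finding since it is the same interface.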
