Cisco Support Community
PIX 6.3(4) failover strangeness with VLANs

I have a 535 failover pair running 6.3(4) and have experienced some strange things while trying to get stateful failover to work. We are using the serial cable for failover and a dedicated GE for the state traffic via a directly connected x-over cable. We have a mix of standard non-VLAN'ed interfaces as well as one physical i/f that includes ~10 VLANs. We are well under the limit of i/f's allowed on the PIX so that isn't a problem. Also the VLAN'ed i/f's on both firewalls connect via an 802.1q trunk on the same Procurve 9315 switch. All required VLANs are configured as tagged on both ports of the switch.

The problem we had been experiencing was that all the VLAN-based interfaces as well as the physical i/f associated with these VLANs were perpetually in the (waiting) state and we had no stats under the stateful section of the "show fail" command, implying to me that stateful failover was not actually working. Failover itself is working and traffic passes successfully regardless of which firewall unit is active.

Based upon stuff I've read I concluded that the problem was likely to be that the "hello" messages weren't being seen on each VLAN. So I did a bunch of captures on the various VLAN i/f's of the PIX expecting to see outbound hellos from the local unit, but saw nothing. I then had a thought that maybe they were being sent out untagged on the physical i/f, so I did a capture on that and also got nothing other than hellos outbound for the physical interface.

So what we did that fixed this was to add the physical VLAN to the list of allowed tagged VLANs on the firewall connected ports of the switch. Magically the physical i/f transitioned to the Normal state, as did all the VLAN interfaces, and we started getting stats on the stateful section of the show fail command output.

And yet a capture on any of the VLAN interfaces still does not show any hellos, and a capture on the physical now shows bi-directional hellos for the physical lan. Weird.

So my questions are:

1) Why are the VLAN interfaces dependent upon their physical i/f for failover? I was told that you don't even need to have any IP or nameif configured for the physical i/f; it just has to be enabled for the VLAN i/fs to work.

2) How are the VLAN i/f's passing hellos to each other?

I can include my config if that helps.

Peter

1 ACCEPTED SOLUTION

Re: PIX 6.3(4) failover strangeness with VLANs

Peter,

1) Why is a good question. All I know is that according to the doc (same link below)

"When configuring failover for a VLAN interface, hello packets are sent over the physical interface, so the physical interface must be configured with an ip address."

2) I don't believe they are:

From one of the guides

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

"Note Failover is supported with VLAN interfaces. But the failover lan interface command does not support VLAN interfaces or the failover link commands. "

So basically it sounds like hello packets are only being sent out the physical interfaces (and dumped onto whatever VLAN you put them on), and the VLANs will 'fail over' if the PIX does, but if you had a failure of a particular VLAN the PIX wouldn't notice it until the VLAN the physical interface was assigned to failed.

Of course, this works in the equivalent level of FWSM code - but FWSM never had physical interfaces.

The 7.x train supports subinterfaces, of course.

--Jason

Please rate this message if it helps!
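As an added example (not from this thread or from Cisco), a small Python check that applies the rule Jason quotes from the configuration guide: it flags VLAN logical interfaces whose parent physical interface has no nameif or ip address (so the physical cannot carry the failover hellos), and any named interface that has an ip address but no standby "failover ip address". The configuration is constructed for the example and its PIX 6.3 syntax is assumed, not copied from the poster.

```python
import re
from typing import Dict, List

# Constructed PIX 6.3-style config (assumed syntax, not the poster's own): one
# physical GE carries two tagged VLANs but itself has no nameif or ip address.
SAMPLE_CONFIG = """\
interface gb-ethernet1 1000full
interface gb-ethernet1 vlan10 logical
interface gb-ethernet1 vlan20 logical
nameif gb-ethernet0 outside security0
nameif vlan10 dmz10 security50
nameif vlan20 dmz20 security60
ip address outside 192.0.2.1 255.255.255.0
ip address dmz10 10.10.0.1 255.255.255.0
ip address dmz20 10.20.0.1 255.255.255.0
failover
failover ip address outside 192.0.2.2
failover ip address dmz10 10.10.0.2
failover ip address dmz20 10.20.0.2
"""
# Same config with the documented fix: the parent interface gets a name and IPs.
FIXED_CONFIG = SAMPLE_CONFIG + """\
nameif gb-ethernet1 trunk security40
ip address trunk 10.1.0.1 255.255.255.0
failover ip address trunk 10.1.0.2
"""

def check_vlan_failover(config: str) -> List[str]:
    """Findings: VLANs whose parent physical has no nameif/ip (no hellos),
    plus named interfaces with an ip address but no standby failover address."""
    parents: Dict[str, str] = {}   # vlanN -> parent hardware interface
    nameifs: Dict[str, str] = {}   # hardware id (gb-ethernet1, vlan10) -> nameif
    ip_names, failover_names = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+) (vlan\d+) logical$", line):
            parents[m.group(2)] = m.group(1)
        elif m := re.match(r"nameif (\S+) (\S+) security\d+$", line):
            nameifs[m.group(1)] = m.group(2)
        elif m := re.match(r"ip address (\S+) \S+ \S+$", line):
            ip_names.add(m.group(1))
        elif m := re.match(r"failover ip address (\S+) \S+$", line):
            failover_names.add(m.group(1))
    findings = []
    for vlan, phys in sorted(parents.items()):
        name = nameifs.get(phys)   # parent must be named AND addressed
        if name is None or name not in ip_names:
            findings.append(f"{vlan}: parent {phys} has no nameif/ip address, so failover hellos for this VLAN cannot be sent")
    for name in sorted(ip_names - failover_names):
        findings.append(f"{name}: has an ip address but no 'failover ip address'")
    return findings
```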

Re: PIX 6.3(4) failover strangeness with VLANs

Jason:

Thanks for the reply. I missed the first note in the docs; it seems pretty clear that an IP address is required on the physical interface for failover to work.

thanks again,

Peter
