I'm looking at configuring Failover between two PIX 535s and read about failover MAC addresses. I believe that this would be necessary as I don't want to have to wait for ARP to time out after a failover... I would like the virtual MAC to be used instead, as this would never change and failover would happen much faster. What I am wondering is if there are any sort of user-defined MAC conventions or issues I should be aware of when creating these virtual MACs? Can I just go ahead and create them using any HEX combo? I was thinking of using something along the lines of 0009.8a00.5351 (Pri) and 0009.8a00.5352 (Secondary). Would these be OK?
I don't think you will need to do any messing with virtual MAC addresses. Let's say you're running off the primary right now. When the PIX fails over from primary to secondary, the failover unit takes over both the IP and the MAC address (the primary then takes over the secondary IP and MAC address). The bottom line is, whichever firewall is running, it will always be the same IP and MAC address according to the rest of your networking equipment.
Also, as I understand it, the PIX does not detect failover based on an ARP timeout. Instead, it constantly sends hello packets across all interfaces from one unit to the other.
We have a pair of 535s that failed over once or twice, and have never run into any time issues during a failover event. In fact, it was so transparent that we wouldn't have known it if our syslog server didn't send us the alerts.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...