RIP active standby support in PIX failovers

praveenkrishna
Level 1

Does the failover bundle one gets for the PIX firewall have support for RIP active standby?

5 Replies

scoclayton
Level 7

I am not 100% sure what you mean by "RIP active standby", but the standby PIX in a failover pair will not participate in the RIP network until a failover occurs and it becomes the active mate in the pair. The standby PIX is limited in the kinds of packets it listens for (failover, ICMP, etc.). This is something we are aware of and are looking to address. This has become more apparent with OSPF, but I suspect the "fix" will work with RIP as well.

Scott

Hey Scott, with reference to your website, the secondary gets an identical configuration to the primary. That being the case, how can the standby PIX be limited in the kind of packets it picks up? Are you trying to say that in spite of the OSPF configuration the standby PIX fails to pick up OSPF hello packets, and that there's a "fix" for that? Can you please throw some more light on that? Thanks.

Essentially, the stand-by PIX drops the OSPF hello packets that are sent to it. When the PIX is in stand-by mode, only a limited amount (or type) of traffic is accepted (telnet, ICMP, failover messages, etc.). There currently is no fix for this, but we are aware of this as a problem. For instance, for management purposes, let's say you need to get to the stand-by PIX from a host that is several hops away. Since you configured OSPF on your primary, all static routes have most likely been removed on both the primary and subsequently the stand-by as well. Because the stand-by does not participate in the OSPF network, it does not have any routes to these remote networks, so telnet, SSH, ICMP, etc. will fail. We are evaluating several ideas now to address this limitation.

Does this help?

Scott

Thanks Scott, I never knew that the standby drops hello packets. However, I wonder: when the standby becomes active (assuming that OSPF is pre-configured), it should form an adjacency with its peer, right? I totally understand the point you are making in terms of the traffic allowed across the standby while it is in standby mode. However, I wanted to know what happens to the standby when it becomes active, especially if it's a stateful failover. Say there was an FTP download in progress while the primary fails: how long will it take for the standby to relearn the routes and restore the FTP connection to complete the download?

Yes, yet another example of why we need to figure out a way for the stand-by PIX to learn the OSPF routes before a failover occurs. Unfortunately, this is not a trivial task and is why we are looking at several options. When a failover occurs, the whole OSPF process needs to be kicked off again (remember, the IP address changed on the stand-by PIX) to elect the DR and BDR, exchange LSAs, etc. Depending on the size of your network, this process could take upwards of a minute or so. During this delay, your time-sensitive sessions could be RST. But in most cases, the TCP protocol is robust enough to continue the connections once the routes are re-established. If doing stateful failover, the connections are maintained (as you undoubtedly know) after a failover.

Again, not the most elegant solution, but we are aware of this and are trying to find a way to address it.

Scott
