New Member

stateful failover with cross-over cable connection between pix

hi there i have a strange doubt, probably silly. i have 2 pix 515E, everything identical abt them. all the ports are 100mbps. i want to set up stateful failover between them. can i connect the 2 pix with a cross-over cable between them and set their duplex to full? is it possible, or does it require the switch in between as mentioned in the books? pls help me. thank u in advance.

sebastan

12 REPLIES

Re: stateful failover with cross-over cable connection between p

No you do not need a Switch, you can use a crossover cable for the state link and set the duplex and speed as you like.

sincerely

Patrick

New Member

Re: stateful failover with cross-over cable connection between p

hi patrick thank u. cause i read the cisco documentation which mentioned that it does not support using cross-over cable for stateful failover. i have one more doubt patrick. that is, for a failover environment i need to have all the interfaces of both the pixes connected via switches, right? that is, the inside users connecting on the switch and from the switch it connects to the inside interface of both the pix, and similarly for the outside and the dmz interfaces also, right? pls help me with this also if possible. thank u for ur help once again.

sebastan

Gold

Re: stateful failover with cross-over cable connection between p

imagine both pixes' inside interfaces are not connected to the same segment, then the stateful failover would not function correctly.

for instance, the primary unit inside interface fails, then all the inside traffic will then be handled by the secondary unit inside interface. if the secondary inside interface is not connected to the same segment, then how would it be possible to start handling the traffic?

i used the words "same segment" because it is not necessarily a single switch. i believe cisco recommends connecting both interfaces to a single switch. nonetheless, i did connect these interfaces to 2 4500 switches, which in turn run hsrp.

further, please verify that the pair of pixes are identical, including the os, number of interfaces, and memory etc.

also have a read of this cisco doc,

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html#wp1082797

New Member

Re: stateful failover with cross-over cable connection between p

Hi,

I have 2 ASA 5520s with gig ports; I will be using a crossover cable (spec 5e) as the stateful failover link. Just wanted to confirm that this would work. Thanks!

New Member

Re: stateful failover with cross-over cable connection between p

hi jackko, thanks a lot for the detailed explanation of this. just one more query. on the active pix when we specify the failover we do it for all the interfaces like the inside, outside. say if i have a dmz interface also then i need to configure failover for that also. i am not sure abt this. does the pix check all the interfaces configured for failover? that is, when the inside interface of the primary pix is not working the secondary will become the active. when we add new config to the primary pix is the configuration sent to the secondary also at the same time, or do we have to specify the command write standby? if possible pls explain. thank u for ur help once again.

sebastan

Gold

Re: stateful failover with cross-over cable connection between p

the 2 pixes share the same config, and thus i believe all interfaces participate in the failover.

provided one interface fails on the primary unit, the secondary unit will take over. i.e. all traffic will be handled by the secondary unit including other interfaces, not only the affected one.

in order to replicate the config, "wri mem" usually will do the job. the cisco doc states:

If you enter the write memory command on the active unit, the command is replicated to the standby unit, which proceeds to write its configuration to Flash memory.

for further info, have a look at this:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html#wp1056933

New Member

Re: stateful failover with cross-over cable connection between p

Hi jackko thank u. thanks a lot once again.

sebastan

New Member

Re: stateful failover with cross-over cable connection between p

hi jackko could u pls tell me why does the pix need the tests to find out which pix has failed. cause the active pix knows that he is active, then why does it need those tests? in the test they say the pix firewall counts all the packets received on the interface for 5 secs. now the standby pix will never receive any packets cause the active pix is up. i didn't understand how and why the tests are needed. one more thing, say the active pix is up and has interfaces running, and it stops receiving hellos from the standby pix. will it trigger any test in the active pix firewall? can u pls explain. it will be of great help to me. thanks jackko for all ur help. waiting for ur reply.

sebastan

New Member

Re: stateful failover with cross-over cable connection between p

hi jackko my question is when and which pix does the interface testing. the documentation says that when either of the pix does not receive 2 consecutive hellos over a lan interface it puts the interface in the testing mode. here which pix puts the interface in the testing mode, the active pix or the standby pix? say the standby pix is getting hellos from the failover cable but not getting hellos from a network interface, then will the standby pix put that interface in the testing mode? cause in the testing mode the interfaces have to wait for any other traffic coming on that interface for 5 seconds. now since this is the standby pix it will not receive any normal traffic on that lan interface. can someone pls explain to me the exact procedure. i am really confused abt it.

Gold

Re: stateful failover with cross-over cable connection between p

agree that the documentation is not that clear. i did a little bit more reading and i found the ciscopress book named "cisco asa and pix firewall handbook" is particularly useful.

basically, both active and standby units send hello messages to each other over all interfaces, including the failover link (regardless of whether a serial or ethernet cable is used).

to trigger the failover,

1. failover link fails

if hello message is not received on the failover link for 3 polling intervals, the unit will think that the other unit fails and attempts to become the active. this is why it is important not to use any network equipment in between the failover link such as a router or switch or even a hub, otherwise failover will be triggered assuming the in between network equipment fails; or

2. any other interface fails

if hello message is not received on an interface other than the failover link for 3 polling intervals, that interface will then be put into testing mode. the other unit will be notified about the test via the failover link.

regarding the query on standby unit interface in testing mode, the arp and ping test are followed assuming no network activity i.e. no packets are received for a 5-second interval. these tests should work on the standby unit still because each interface of a standby unit has an ip i.e. the ip specified by the command "failover ip address outside"
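Added example, not part of the thread and not Cisco's code: a small Python model of the two trigger rules as the reply above describes them (three polling intervals without a hello, on the failover link versus on a data interface). The unit name, interface names and timelines are constructed, and the later activity, ARP and ping tests are not modelled.

```python
from dataclasses import dataclass, field

MISSED_LIMIT = 3  # polling intervals without a hello, as stated in the reply


@dataclass
class Unit:
    name: str
    role: str                                   # "active" or "standby"
    interfaces: tuple = ("failover", "inside", "outside")  # constructed names
    missed: dict = field(default_factory=dict)
    testing: set = field(default_factory=set)
    events: list = field(default_factory=list)

    def poll(self, tick, hellos_seen):
        """One polling interval; hellos_seen = interfaces that heard the peer."""
        for ifc in self.interfaces:
            if ifc in hellos_seen:
                self.missed[ifc] = 0
                self.testing.discard(ifc)
                continue
            self.missed[ifc] = self.missed.get(ifc, 0) + 1
            if self.missed[ifc] != MISSED_LIMIT:
                continue
            if ifc == "failover":
                # Peer presumed dead: this unit tries to become active.
                self.events.append((tick, "peer presumed failed"))
                self.role = "active"
            else:
                # Data interface: enter testing, tell the peer via the failover link.
                self.testing.add(ifc)
                self.events.append((tick, f"{ifc} in testing mode, peer notified"))


def simulate(unit, timeline):
    """Feed a list of per-interval hello sets to a unit; return its event log."""
    for tick, hellos_seen in enumerate(timeline, start=1):
        unit.poll(tick, hellos_seen)
    return unit.events


ALL = {"failover", "inside", "outside"}
# Constructed scenario 1: hellos stop arriving on the inside interface only.
standby = Unit("pix2", "standby")
inside_loss = simulate(standby, [ALL] * 2 + [ALL - {"inside"}] * 3)
# Constructed scenario 2: a device in the failover link dies; both units are healthy.
isolated = Unit("pix2", "standby")
link_loss = simulate(isolated, [ALL] * 2 + [ALL - {"failover"}] * 3)

if __name__ == "__main__":
    print(inside_loss, standby.role)
    print(link_loss, isolated.role)
```

In the second scenario the standby promotes itself although the active unit never failed, which is the outcome the reply warns about when equipment sits in the failover link.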

New Member

Re: stateful failover with cross-over cable connection between p

hi jackko thanks once again. but here's my question. i have read in the documentation that when an interface is put in testing both the pix units clear their interface counters of the received packets on that interface, and wait for any received packets on that interface for 5 seconds. now my question is:

say the standby pix inside interface is not receiving hellos from the active pix so it will put its inside interface in testing mode and tell the active pix that the inside interface has been put in testing mode.

after this message does the active pix also put the inside interface in testing like the standby pix?

cause the documentation says before any interface testing both the pix should reset the counters of the interfaces. (1st question)

the second test is for receiving any traffic on that interface. now since it's the standby pix it will not receive any normal user traffic. so this step will fail at the standby pix as u said, right?

in the arp test the pix starts doing an arp request to the addresses in the arp entry. this arp entry the standby pix will be having because of the state information passed on from the active to the standby pix as connections are made on the active pix.

am i right? i am not sure. (2nd question)

one more thing, this arp entry test is not possible if failover is done using a failover cable, because cable based failover is not stateful. so no connection entries or arp entry information is passed on to the standby pix. am i right? (3rd question)

i am confused abt this part. what exactly happens? pls explain jackko, i have spent many hours in understanding this part of the failover.

i know i have asked u lot of questions on the same topic. but pls help . thank u jackko for all ur help.

sebastan

New Member

Re: stateful failover with cross-over cable connection between p

hi jackko. can u help me out with this issue? thanks. waiting for ur reply.

sebastan
