Cisco Support Community

New Member

when interface testing starts in failover and by which pix

My question is when, and by which PIX, the interface testing is done. The documentation says that when either PIX does not receive 2 consecutive hellos over a LAN interface, it puts the interface in testing mode. Here, which PIX puts the interface in testing mode: the active PIX or the standby PIX? Say the standby PIX is getting hellos from the failover cable but not getting hellos from a network interface. Then will the standby PIX put that interface in testing mode? Because in testing mode the interfaces have to wait for any other traffic coming on that interface for 5 seconds. Now, since this is the standby PIX, it will not receive any normal traffic on that LAN interface. Can someone please explain the exact procedure to me? I am really confused about it.

6 REPLIES
Cisco Employee

Re: when interface testing starts in failover and by which pix

Hi Sebastan,

The way failover works in PIX is that it sends the hello packets from the failover cable. However, it also sends the hello packet from each interface which is configured for failover to its peer interface.

So both active and standby PIX interfaces send hellos to their peer interfaces.

If for some reason an interface does not receive the hello from its peer interface, then it goes into testing mode [active or standby] [regular traffic has nothing to do with the failover mechanism].

If the interfaces are in Waiting, this indicates that monitoring of the other unit's network interfaces has not yet started.

The failover poll command lets you determine how long failover waits before sending special failover "hello" packets between the primary and standby units over all network interfaces and the failover cable. The default is 15 seconds. The minimum value is 3 seconds and the maximum is 15 seconds.

Hope this helps.

Tanveer

New Member

Re: when interface testing starts in failover and by which pix

Hi Tanveer. Thanks for your response, but I guess you haven't got my question. See, in the documentation they have mentioned 4 steps of interface testing that the PIX follows.

1) link up/down test

2) network activity test

3) arp test

4) ping test

When an interface is put in testing mode, it also allows normal traffic to flow, to test whether the interface is working or not. When normal traffic is received on the interface, it knows that the interface is operational, that there is a problem on the other end, and that the other end is not able to send the hellos. So your statement

[regular traffic has nothing to do with the failover mechanism].

is not right. It plays a major role in identifying which PIX interface the problem is with.

My question was how the standby PIX will do the network test, because since it is in standby mode it will not receive any user traffic. I hope you have got my question now. Thanks anyway. Waiting for your reply.

sebastan

Cisco Employee

Re: when interface testing starts in failover and by which pix

Hi sebastan

Maybe I had stated it in the wrong way. But the regular traffic does not play any role in the interface going into testing mode.

The interface will only go into testing mode if the interface does not receive the hello from its peer interface.

But the PIX does the other tests as stated by you, which is true, only after the interface goes into testing mode, to check if anything is wrong with its own interface or with connectivity to the device to which the PIX is connected.

Now your question is: if the interface goes into testing mode, how will the standby PIX do the network test, since it is in standby mode?

Well, if we look at the sequence of tests, it will not be able to do the network test, which is true as stated by you, because it is in standby mode, but it can always do the next tests, like

1) link up/down test

2) arp test

3) ping test

because if the network test fails, then the PIX does the other tests as well before it fails over or puts the PIX in the failed state.

And if the other tests on STANDBY also fail, then you might have seen that the failover status for the standby PIX shows [standby (failed)], and to bring the standby out of that failed state we use the [failover reset] command.

Hope that helps

Tanveer
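
The sequence discussed in this thread, as an added example that is not part of any poster's reply and is not Cisco's code: a simplified Python model in which two consecutive missed hellos put an interface into testing, and the four tests run in order until one counts received packets. The class and function names, the sample packet counts, and the rule that any received packet in a test window means "operational" are assumptions made for illustration.

```python
from dataclasses import dataclass

MISSED_HELLOS_TO_TEST = 2  # per the thread: two consecutive missed hellos
# Test order as listed in the thread.
PHASES = ("link", "network_activity", "arp", "ping")


@dataclass
class MonitoredInterface:
    """Hypothetical model of one failover-monitored interface on either unit."""
    name: str
    missed: int = 0
    state: str = "normal"

    def on_poll(self, hello_received: bool) -> str:
        """Record one poll interval; enter testing after consecutive misses."""
        self.missed = 0 if hello_received else self.missed + 1
        if self.state == "normal" and self.missed >= MISSED_HELLOS_TO_TEST:
            self.state = "testing"
        return self.state


def run_tests(link_up: bool, rx_packets: dict) -> tuple:
    """Run the tests in order and return (verdict, deciding_phase).

    rx_packets maps a phase name to the packets counted in its window.
    Assumption: any received packet proves the interface works, and an
    inconclusive phase falls through to the next one.
    """
    if not link_up:
        return ("failed", "link")
    for phase in PHASES[1:]:
        if rx_packets.get(phase, 0) > 0:
            return ("operational", phase)
    return ("failed", PHASES[-1])


def standby_scenario() -> tuple:
    """Constructed case: standby unit hears no hellos and no user traffic."""
    iface = MonitoredInterface("inside")
    states = [iface.on_poll(h) for h in (True, False, False)]
    # Constructed counts: nothing arrives in the network-activity or ARP
    # windows; replies to the broadcast ping are the first packets counted.
    verdict = run_tests(True, {"network_activity": 0, "arp": 0, "ping": 3})
    return states, verdict


if __name__ == "__main__":
    print(standby_scenario())
```

A `("failed", "ping")` result on the standby unit corresponds to the [standby (failed)] status mentioned in the reply above, which is cleared with the failover reset command.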

New Member

Re: when interface testing starts in failover and by which pix

Hi Tanveer, thanks once again. OK, I got it. I have a few more clarifications on this. It would be really great if you could help me out.

I understood that the standby PIX will not be able to do the second phase of the interface testing.

As you said, it will do the ARP test and the ping broadcast test.

If it is a cable-based failover pair, then the active PIX will not pass the ARP entries created due to the connections to the standby PIX. Am I right? (question 1)

So in a cable-based failover the standby PIX will not be able to do the 3rd phase of interface testing either (the ARP test). Am I right? It will only do the broadcast test, because it has its IP address to do that. (question 2)

Basically, I am not sure whether the ARP entries are passed on to the standby PIX in cable-based failover. Please tell me this. (question 3)

One last and major question. When the standby PIX puts the interface in testing, does the active PIX also put the interface in testing? Because the documentation says that before any interface testing starts, both PIXes reset their interface counters to zero. Please explain if possible.

Tanveer, I know I am asking too many questions at the same time, but they are all related. Thanks for all your help. Waiting for your reply. See ya and bye

sebastan

Cisco Employee

Re: when interface testing starts in failover and by which pix

Hi Sebastan,

Typical failover communication through the failover cable includes:

MAC addresses exchange [This is NOT the ARP table; this is just to swap the MAC address of the active PIX to the standby in case of failover, because the MAC address is swapped from active to standby when the active fails, so that Layer 2 communication does not break]

Hello (a keep-alive)

State (Active/Standby)

Network Link Status

Configuration Replication

Only in stateful failover [for which we need a dedicated crossover between the two PIXes] do they exchange the other information.

To answer your last question, I will say it is not necessary that both the interfaces will go into testing mode. I have seen scenarios where only one of the PIX interfaces goes into testing, because it cannot receive the hello packet from the peer interface but the peer interface can receive its hello.

In that case the other PIX is informed through the failover cable that the peer interface is in testing mode; that is when both the interfaces reset the counters on that interface and start all the tests.

They talk to each other through the failover cable to let each other know if the tests have failed or not. Based on that, either a switchover will happen if the active fails the tests, or the standby will be put in the failed state if the standby fails the tests.

Hope this helps.

Tanveer

New Member

Re: when interface testing starts in failover and by which pix

I have seen scenarios where only one of the PIX interfaces goes into testing, because it cannot receive the hello packet from the peer interface but the peer interface can receive its hello.

In that case the other PIX is informed through the failover cable that the peer interface is in testing mode; that is when both the interfaces reset the counters on that interface and start all the tests.

They talk to each other through the failover cable to let each other know if the tests have failed

-----------------------------------------------------

Hi Tanveer, thanks a lot. This is your statement, quoted above. You have mentioned that when interface testing starts, the PIX notifies the other PIX through the failover cable, and both PIXes reset the interface counters. "Why is the other PIX resetting the interface counters?" It means the other PIX is also testing its own interface. Please confirm this.

For the third phase of interface testing, that is the ARP one: for this test the standby PIX needs to have the ARP entries created in the active PIX, upon which the standby PIX will start doing the ARP queries. My question is: in a cable-based or a LAN-based failover, are the ARP entries sent from the active PIX to the standby PIX? Please explain this part. Thank you, Tanveer, once again. Waiting for your reply. Bye

sebastan
