[fw-wiz] (no subject)

From: Elvis (elvis_at_securegateway.org)
Date: 01/23/05

    To: "firewall-wizards@honor.icsalabs.com" <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 24 Jan 2005 08:40:56 +1100
    
    

    Kerry hit the nail on the head below, but there is more
    trouble than just failover.

    I saw a number of situations where the PIXes would
    failover, but would not fail back when the failed box
    became active again, and both PIXes would start acting as
    if they were the primary - all sorts of interesting things
    happen in this case.

    Some traffic would pass, some would fail, some sessions
    would come in one firewall and try to leave via the other -
    it also caused us problems on the switches the firewalls
    connected to, as different MACs came up for the
    different interfaces with the same IP addresses when they
    both tried to use the primary addresses for the
    interfaces.

    I eventually worked out that the boxes were both trying to
    act as Primary, but had to go to site to see this.

    I ran about 10 pairs of failover PIXes in the last few
    years, and two of those experienced this problem - we were
    advised by Cisco to use a switch and the problems did not
    re-appear. Versions of code made no difference.

    We initially configured them all with x-over cables, but
    soon converted them all to go via switches.

    Elvis Fizelle

    mkrbeck@hushmail.com said:
    > I recall reading a detailed technical paper recently on the Cisco site where it was recommended that PIX stateful interface traffic always be passed through a switch (as opposed to a crossover cable) between a pair of PIX chassis, regardless of whether the deployment is serial cable or LAN failover; however, I cannot find it again. Would anyone have a link for it or a copy?

    http://www.cisco.com/warp/public/110/failover.html

    There is good reasoning behind this. If you have a
    crossover cable and one end fails (or it is disconnected),
    then the other end will also see the loss of carrier
    and conclude that it has an interface failure.

    Kerry

    --
    Kerry Thompson, CCNA CISSP
    Information Systems Security Consultant
    http://www.crypt.gen.nz
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
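The split-brain condition Elvis describes (both members of a failover pair acting as primary, so the same interface IP shows up behind two different MACs on the adjacent switch) is something an operator can catch from the network side rather than by going to site. The following is an added example, not code from the thread or from Cisco: it reads a constructed table of IP/MAC/port observations (the three-column format, the MAC values and the port names are assumptions, not real CLI output), flags any IP claimed by more than one MAC, and then classifies each duplicate as a likely split-brain when every claiming MAC belongs to the known failover pair, or as an unexpected claimant otherwise.

```python
"""Detect IP addresses claimed by more than one MAC, as seen by a switch.

Added example (not part of the original mailing-list post). A firewall pair in
split-brain will answer for its shared interface IP from two different MACs; the
check below surfaces that from observations an operator already has (switch ARP
or MAC tables, or a capture of gratuitous ARPs).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample observations in a simple "ip mac port" form. These are not
# the output of any vendor CLI; the ports and MACs are made up for the example.
SAMPLE_OBSERVATIONS = """\
192.0.2.1    0000.0c07.ac01  Gi0/1
192.0.2.1    0000.0c07.ac02  Gi0/2
192.0.2.2    0000.0c07.ac02  Gi0/2
198.51.100.1 0000.0c07.ac11  Gi0/3
198.51.100.1 0000.0c07.ac11  Gi0/3
"""

# Assumed inventory: which MACs legitimately belong to each failover pair's
# shared interface IP (primary unit and secondary unit).
KNOWN_PAIR_MACS = {
    "192.0.2.1": {"0000.0c07.ac01", "0000.0c07.ac02"},
}


@dataclass(frozen=True)
class Observation:
    ip: str
    mac: str
    port: str


def parse_observations(text):
    """Parse whitespace-separated 'ip mac port' lines; skip malformed lines."""
    observations = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, mac, port = parts
        observations.append(Observation(ip, mac.lower(), port))
    return observations


def find_duplicate_claims(observations):
    """Return {ip: sorted [(mac, port), ...]} for IPs seen behind >1 distinct MAC.

    The same MAC seen twice on the same port is normal and is not reported.
    """
    claims = defaultdict(set)
    for obs in observations:
        claims[obs.ip].add((obs.mac, obs.port))
    return {
        ip: sorted(pairs)
        for ip, pairs in claims.items()
        if len({mac for mac, _ in pairs}) > 1
    }


def classify_duplicates(duplicates, known_pair_macs):
    """Label each duplicate claim.

    'split-brain' : every claiming MAC is a known member of that IP's failover pair,
                    i.e. both units think they are active.
    'unexpected'  : at least one claiming MAC is not in the pair inventory, which
                    deserves a different investigation (misconfiguration, rogue host).
    """
    verdicts = {}
    for ip, pairs in duplicates.items():
        macs = {mac for mac, _ in pairs}
        expected = known_pair_macs.get(ip, set())
        verdicts[ip] = "split-brain" if macs and macs <= expected else "unexpected"
    return verdicts


def report(text=SAMPLE_OBSERVATIONS, known_pair_macs=KNOWN_PAIR_MACS):
    """Run the full check and return the verdicts (also printed for the reader)."""
    duplicates = find_duplicate_claims(parse_observations(text))
    verdicts = classify_duplicates(duplicates, known_pair_macs)
    for ip, verdict in sorted(verdicts.items()):
        where = ", ".join(f"{mac} on {port}" for mac, port in duplicates[ip])
        print(f"{ip}: {verdict} ({where})")
    return verdicts


if __name__ == "__main__":
    report()
```

Running the block on the constructed sample reports `192.0.2.1` as a split-brain candidate, because its two claimants are exactly the pair's primary and secondary MACs, while the repeated identical entry for `198.51.100.1` is ignored. Feeding it periodic exports from the switches the pair connects to turns the "had to go to site to see this" symptom into an alert.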
